
If your stores sell cars, you’re already a “financial institution” in the eyes of the FTC. That means you need a Written Information Security Program, or WISP. But most templates read like a law school final. This post gives you a dealership-native way to write a WISP you can actually use on the showroom floor, in the F&I office, and in the service drive.
Note: Practical guidance, not legal advice. Confirm specifics with counsel and your carrier.
What a WISP is really for
A WISP isn’t a binder for an auditor’s bookshelf. It’s your playbook for keeping deals moving and customer data protected. When the Controller asks, “Can we prove MFA is on?” or the GM asks, “Who shuts off a terminated salesperson’s access?” the WISP answers with names, timelines, and evidence. In a multi-rooftop group, it keeps everyone playing the same game across Reynolds, CDK, Dealertrack, VinSolutions, your menu tool, texting platform, and digital retailing stack.
Start with a simple promise
Open your WISP with one paragraph any GM will sign:
“We protect customer data so we can keep selling, servicing, and getting funded. We will use multi-factor authentication, keep our systems patched, back up critical data, train our people, and verify vendors. The Qualified Individual (QI) owns this program and reports results quarterly.”
That’s it. No acronym soup. Just the promise.
Name one owner and the few things only they can do
Dealers move fast. Ownership prevents drift. In your WISP, name a Qualified Individual and give them specific authority:
The QI can require access changes, pause risky vendor integrations, mandate role-based training, and run incident drills. They publish a simple scorecard each quarter: phishing failure rate, offboarding speed, EDR coverage, backup test results, and vendor attestations received.
Now the QI isn’t a policy librarian. They’re accountable for outcomes the Dealer Principal cares about.
Tell the story of a normal Tuesday
Make the policy real by walking through a day your people recognize:
Morning in F&I: An email pings the Finance Manager with “urgent funding issue.” Because your WISP blocks auto-forwarding and requires MFA, the attacker can’t pivot even if the email gets clicked. The Report Phish button sends it to IT, and the QI reviews the alert trend on Friday.
Service lane by lunch: An advisor snaps a photo for a video MPI. Your WISP says no driver’s license or full VIN in photos, and your approved texting app watermarks messages and captures consent. The Service Director knows they’re on the hook for adherence, because the WISP says so.
Accounting by 3 p.m.: A vendor emails new bank details. Your WISP demands dual control and an out-of-band callback using the number in the vendor master, not the email thread. The Controller signs the wire only after the callback log is attached to the AP checklist.
Close of business: HR terminates a salesperson. Your WISP requires accounts disabled within 24 hours; IT documents the disable in M365, AD, and DMS/CRM. The QI’s weekly spot check compares HR’s list to system exports. No stragglers, no surprises.
That’s a living WISP. Not theory—workflow.
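The close-of-business step above (HR terminates, IT disables within 24 hours, the QI spot-checks HR’s list against system exports) is the one part of the walkthrough that is easy to automate. Here is an added example of that spot check in Python; it is not code from the post, and the HR list, the M365/AD/DMS exports, and the user names are constructed sample data, with the export format (a list of user/enabled rows per system) assumed rather than matching any real product’s export.

```python
from datetime import datetime, timedelta

# The WISP's offboarding SLA: accounts disabled within 24 hours of termination.
SLA = timedelta(hours=24)

# Constructed sample inputs (not from the post). In practice these come from
# HR's termination export and from user exports pulled out of M365, AD and
# the DMS/CRM; only the fields used below are assumed.
HR_TERMINATIONS = [
    {"employee": "jdoe",   "terminated": "2024-05-06T17:30:00"},
    {"employee": "asmith", "terminated": "2024-05-07T12:00:00"},
    {"employee": "bwong",  "terminated": "2024-05-01T09:00:00"},
]

SYSTEM_EXPORTS = {
    "M365": [
        {"user": "jdoe", "enabled": False},
        {"user": "asmith", "enabled": True},
        {"user": "bwong", "enabled": False},
        {"user": "cmiller", "enabled": True},   # active employee, not in HR list
    ],
    "AD": [
        {"user": "jdoe", "enabled": True},      # straggler: never disabled in AD
        {"user": "asmith", "enabled": True},
        {"user": "bwong", "enabled": False},
    ],
    "DMS": [
        {"user": "asmith", "enabled": True},
        {"user": "bwong", "enabled": False},
    ],
}


def reconcile_offboarding(terminations, exports, now, sla=SLA):
    """Compare HR's termination list to per-system account exports.

    Returns a dict with two lists of (system, user, hours_since_termination):
      overdue: still enabled past the SLA (a WISP violation to escalate)
      pending: still enabled but inside the SLA window (a watch list)
    Accounts that HR never terminated are ignored; accounts already disabled
    everywhere produce no entries.
    """
    # Index enabled accounts per system for quick lookup. Names are lower-cased
    # because exports from different systems rarely agree on case.
    enabled = {
        system: {row["user"].lower() for row in rows if row["enabled"]}
        for system, rows in exports.items()
    }
    result = {"overdue": [], "pending": []}
    for term in terminations:
        user = term["employee"].lower()
        age = now - datetime.fromisoformat(term["terminated"])
        hours = round(age.total_seconds() / 3600, 1)
        for system, users in enabled.items():
            if user in users:
                bucket = "overdue" if age > sla else "pending"
                result[bucket].append((system, user, hours))
    return result


def offboarding_status(result):
    """Scorecard colour for the QI: red if any account is past the SLA,
    yellow if some are still inside the window, green if nothing is open."""
    if result["overdue"]:
        return "RED"
    if result["pending"]:
        return "YELLOW"
    return "GREEN"


if __name__ == "__main__":
    # Fixed "now" so the constructed sample is reproducible.
    now = datetime(2024, 5, 8, 9, 0)
    findings = reconcile_offboarding(HR_TERMINATIONS, SYSTEM_EXPORTS, now)
    print("status:", offboarding_status(findings))
    for system, user, hours in findings["overdue"]:
        print(f"OVERDUE  {user:10s} still enabled in {system} ({hours} h since termination)")
    for system, user, hours in findings["pending"]:
        print(f"pending  {user:10s} still enabled in {system} ({hours} h since termination)")
```

Run weekly, the output is the evidence the QI files in the quarterly Safeguards folder: a green result with the export timestamps proves the 24-hour control held, and any overdue line names the system and account that missed it.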
Write in short, clear sections people will actually read
Here’s the structure that works in 6–10 pages without the legal fog, with language you can paste directly:
Purpose and scope
Protect customer and employee data, reduce downtime, and meet regulatory and insurer expectations across all rooftops and departments.
Roles and responsibilities
QI owns the WISP, risk assessment, vendor oversight, incident coordination, and reporting. IT/MDR runs tooling, patching, EDR, backup integrity, and containment. Controller owns wire controls and vendor master hygiene. HR owns joiner/mover/leaver signals. GMs enforce training and access approvals. Everyone reports suspicious activity immediately.
Access and authentication
Managers request access in writing; least privilege by role. Disable accounts within 24 hours of termination. MFA required for email, remote access, and any admin access in DMS/CRM. Admin accounts are separate and not used for daily work.
Workstations and servers
EDR on all endpoints and servers. Screen lock at 10 minutes. Critical patches within 14 days. Full-disk encryption on laptops. Local admin rights restricted.
Email and phishing
Inbound phishing and impersonation filters on. External tag enabled. Report Phish button required. Monthly simulations with coaching, not shaming. Block auto-forward to external domains.
Network and Wi-Fi
Guest Wi-Fi segmented. Payment devices segmented where applicable. Remote access only via VPN with MFA. Least-privilege firewall rules for servers.
Vendors and third parties
Maintain a list of systems and vendors that touch NPI: DMS, CRM, menu, digital retailing, recon, texting, marketing, forms, lenders, HR/payroll. Collect security attestations annually from the top risk vendors and at onboarding. Contracts require encryption at rest/in transit and timely breach notice. Remove vendor accounts when services end.
Data retention and disposal
Set retention timelines for credit apps, deal jackets, RO history, and photo/video assets per state and lender expectations. Paper goes to locked bins for certified shredding. Electronic media wiped with proof.
Backups and recovery
Daily backups for critical systems with at least one immutable, off-domain copy. Test restores quarterly and document results. Define recovery time and recovery point goals for DMS, CRM, file shares, and finance systems.
Logging and reviews
Keep identity and email audit logs at least 12 months. Quarterly privileged access review. QI and IT meet weekly to clear exceptions.
Physical controls
Lock finance offices and deal storage. Escort visitors in back-of-house. Cable-lock laptops and secure desktops in open areas. Alarm and camera coverage for document storage.
Training
New hire privacy and security within 7 days. Quarterly role-based micro-training for Sales, F&I, Service, Parts, and Accounting. Monthly phishing tests; managers are accountable for completion.
Incident response
Declare on suspected ransomware, wire fraud attempt, unauthorized access, or lost device with NPI. Contain first, preserve evidence, notify QI and IT, begin call tree. Within 24 hours: scope, reset credentials, notify insurer and consult counsel as needed, and engage forensics if required. Conduct a lessons-learned within 10 business days and update the WISP.
Wire fraud safeguards
Dual control for all wires and bank changes. Out-of-band callback using a known number from the vendor master. Positive pay enabled. Daily bank reconciliation. No payment changes accepted from email instructions without verification.
Keep it provable with a one-page scorecard
Policies are only as strong as your evidence. Your WISP should point to a shared “Safeguards” folder with quarterly subfolders. Store screenshots or exports for: MFA settings, EDR coverage, backup test logs, phishing results, training completion, access reviews, and vendor attestations. The QI turns those into a single green/yellow/red scorecard the Dealer Principal can skim in 3 minutes.
Suggested KPIs: phishing failure rate under 4 percent, terminated accounts disabled within 24 hours, 98 percent EDR coverage, weekly backup test passes, critical patches under 14 days, top-risk vendor attestations on file, two tabletop exercises per quarter.
Make it yours in one afternoon
Pick a template, paste the sections above, and fill the brackets: [Dealership Group], [State], [DMS/CRM], [Texting Platform], [Top Vendors]. Run a 30-minute review with the Controller, IT, and one GM. Then publish version 1.0 and put the evidence checklist on the calendar. You can tune the edges later; momentum beats perfection.
A final word for Dealer Principals
A usable WISP is good business. It keeps the lights on in the lane, reduces rekeys and redraws in F&I, shortens month-end in Accounting, and earns better conversations with your insurer. Most importantly, it gives you confidence that if something goes wrong, your team knows exactly what to do and you can prove it.
Need Additional Help?
Want this WISP as a Word file with a prebuilt evidence binder index and a one-page GM summary? Insert your group name and I’ll send a clean, branded version you can publish today.
