A Practice Note discussing written information security programs (WISPs) under the Massachusetts data security regulation (201 Code Mass. Regs. 17.01). This Note also discusses reasons for adopting a WISP, preliminary considerations, and the Massachusetts Attorney General's enforcement actions.