1
Table of Contents
Creating a Written Information Security Plan (WISP) for your Tax & Accounting Practice 2
Requirements 2
Getting Started on your WISP 3
WISP - Outline 4
Sample Template 5
Written Information Security Plan (WISP) 5
Added Detail for Consideration When Creating your WISP 13
Dene the WISP objectives, purpose, and scope 13
Identify responsible individuals 13
Assess Risks 13
Inventory Hardware 14
Document Safety Measures 14
Draft an Implementation Clause 16
Ancillary Attachments 16
Sample Attachment A: Record Retention Policies 19
Sample Attachment B: Rules of Behavior and Conduct Safeguarding Client PII 20
Sample Attachment C: Security Breach Procedures and Notications 22
Sample Attachment D: Employee/Contractor Acknowledgement of Understanding 23
Sample Attachment E: Firm Hardware Inventory containing PII Data 24
Sample Attachment F: Firm Employees Authorized to Access PII 25
Reference A. The Glossary of Terms 26
Resource Links: 28
2
Creating a Written Information Security Plan (WISP) for your
Tax & Accounting Practice
This document was prepared by the Security Summit, a partnership of the Internal Revenue Service, state tax
agencies, private-sector tax groups as well as tax professionals. The mission of the Security Summit is to ght
identity theft and tax refund fraud.
This document is intended to provide sample information and to help tax professionals, particularly smaller
practices, develop a Written Information Security Plan or WISP. It is not an exhaustive discussion of everything
related to WISPs and it is not intended to replace your own research, to create reliance or serve as a
substitute for developing your own plan based upon the specic needs and requirements of your business
or rm. A written information security plan is just one part of what tax professionals need to protect their clients and
themselves. Given the rapidly evolving nature of threats, the Summit also strongly encourages tax professionals to
consult with technical experts to help with security issues and safeguard their systems.
There are many aspects to running a successful business in the tax preparation industry, including reviewing tax
law changes, learning software updates, and managing and training staff. Creating a Written Information Security
Plan or WISP is an often overlooked but critical component. Not only is a WISP essential for your business and a
good business practice, the law requires you to have one. For many tax professionals, knowing where to start when
developing a WISP is difcult. This guide provides multiple considerations necessary to create a security plan to
protect your business, and your clients and comply with the law.
Requirements
The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires nancial institutions to protect customer data.
In its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule to outline
measures that are required to be in place to keep customer data safe. Under the GLBA and Safeguards Rule,
tax and accounting professionals are considered nancial institutions, regardless of size. A requirement of the
Safeguards Rule is implementing and maintaining a WISP. Your WISP must be written and accessible.
As a part of the plan, the FTC requires each rm to:
y
Designate a qualied individual to coordinate its information security program
y
Identify and assess the risks to customer information in each relevant area of the company’s operation, and
evaluate the effectiveness of the current safeguards for controlling these risks
y
Design and implement a safeguards program, and regularly monitor and test it
y
Select service providers that can maintain appropriate safeguards by ensuring your contract requires them
to maintain safeguards and oversee their handling of customer information
y
Evaluate and adjust the program considering relevant circumstances, including changes in the rm’s
business or operations, or the results of security testing and monitoring
y
Implement multi-factor authentication for any individual accessing any information system, unless your
qualied individual has approved in writing the use of reasonably equivalent or more secure access controls.
y
Report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30
days from the date of discovery.
3
Getting Started on your WISP
Before you begin writing your WISP, take time to familiarize yourself with compliance requirements and your
professional responsibilities. Some good resources to review before beginning include:
y
IRS Publication 4557
y
IRS Publication 1345
y
FTC Data Breach Response Guide
A security plan should be appropriate to the company’s size, scope of activities, complexity, and the sensitivity of
the customer data it handles. There is no one-size-ts-all WISP. For example, a sole practitioner can use a more
abbreviated and simplied plan than a 10-partner accounting rm. A good WISP should focus on three areas:
y
Physical Safeguards: Keep your data safe from physical threats
y
Technical Safeguards: Ensure that your device(s) and network are not compromised
y
Administrative Safeguards: Manage and train your staff
It is a good idea to create an Employee/Contractor Acknowledgment of Understanding document for all personnel to
keep a record of training and understanding of the policies in your WISP. Signing and dating training leaves a good
documentation trail you can keep on le for several reasons – to show your adherence to the spirit of compliance
and to have an enforceable accountability point in the event of a negligent employee. It is recommended that these
acknowledgments be updated at annual training intervals and kept on le.
Once completed, keep your WISP in a format that others can easily read, such as PDF or Word. Making your WISP
available to employees for training purposes is encouraged. Storing a copy offsite or in the cloud is a recommended
best practice in the event of a physical disaster.
It is important to understand that a WISP is intended to be an evergreen document that is regularly reviewed, tested,
and updated along with changes to the size, scope, and complexity of your business.
4
WISP - Outline
The bare essentials of a Written Information Security Plan are outlined below. Be sure you incorporate all the
required elements in your plan, but scale the comprehensiveness to your rm’s size and type of operation. The
elements in the outline are there to provide your rm a narrower scope of purpose and dene the limitations the
document is meant to cover. Therefore, many elements also provide your rm with a level of basic legal protections
in the event of a data breach incident. For a detailed explanation of each section, please review the detailed outline
provided in this document.
I. Dene the WISP objectives, purpose, and scope
II. Designate a qualied individual
a. List the qualied individual who will coordinate the security programs as well as responsible persons.
b. List authorized users at your rm, their data access levels, and responsibilities.
III. Assess Risks
a. Identify Risks
▪
List types of information your ofce handles
▪
List potential areas for data loss (internal and external)
▪
Outline procedures to monitor and test risks
IV. Inventory Hardware
a. List description and physical location of each item
b. Record types of information stored or processed by each item
V. Document Safety Measures in place
a. Suggested policies to include in your WISP:
▪
Data collection and retention
▪
Data disclosure
▪
Network protection
▪
User access
▪
Electronic data exchange
▪
Wi-Fi access
▪
Remote access
▪
Connected devices
▪
Reportable Incidents
b. Draft Employee Code of Conduct
VI. Draft an implementation clause
VII. Attachments
5
Sample Template
Written Information Security Plan (WISP)
For
[Your Firm Name Here]
This Document is for general distribution and is available to all employees.
This Document is available to Clients by request and with consent of the Firm’s Data Security Coordinator.
Last Modied/Reviewed [Last Modied Date]
[Should review and update at least annually]
6
Written Information Security Plan (WISP)
I. OBJECTIVE
Our objective, in the development and implementation of this comprehensive Written Information Security Plan
(WISP), is to create effective administrative, technical, and physical safeguards for the protection of the Personally
Identiable Information (PII) retained by [Your Firm Name], (hereinafter known as the Firm). This WISP is to
comply with obligations under the Gramm-Leach-Bliley Act and Federal Trade Commission Financial Privacy and
Safeguards Rules to which the Firm is subject. The WISP sets forth our procedure for evaluating our electronic and
physical methods of accessing, collecting, storing, using, transmitting, and protecting PII retained by the Firm. For
purposes of this WISP, PII means information containing the rst name and last name or rst initial and last name
of a Taxpayer, Spouse, Dependent, or Legal Guardianship person in combination with any of the following data
elements retained by the Firm that relate to Clients, Business Entities, or Firm Employees:
A. Social Security number, Date of Birth, or Employment data
B. Driver’s license number or state-issued identication card number
C. Income data, Tax Filing data, Retirement Plan data, Asset Ownership data, Investment data
D. Financial account number, credit or debit card number, with or without security code, access code,
personal identication number; or password(s) that permit access to a client’s nancial accounts
E. E-mail addresses, non-listed phone numbers, residential or mobile or contact information
PII shall not include information that is obtained from publicly available sources such as a Mailing Address or Phone
Directory listing; or from federal, state or local government records lawfully made available to the general public.
II. PURPOSE
The purpose of the WISP is to:
A. Ensure the Security and Condentiality of all PII retained by the Firm.
B. Protect PII against anticipated threats or hazards to the security or integrity of such information.
C. Protect against any unauthorized access to or use of PII in a manner that creates a substantial risk of
Identity Theft or Fraudulent or Harmful use.
III. SCOPE
The Scope of the WISP related to the Firm shall be limited to the following protocols:
A. Identify reasonably foreseeable internal and external risks to the security, condentiality, and/or
integrity of any electronic, paper, or other records containing PII.
B. Assess the potential damage of these threats, taking into consideration the sensitivity of the PII.
C. Evaluate the sufciency of existing policies, procedures, customer information systems, and other
safeguards in place to control identied risks.
D. Design and implement this WISP to place safeguards to minimize those risks, consistent with the
requirements of the Gramm-Leach-Bliley Act, the Federal Trade Commission Financial Privacy
and Safeguards Rule, and National Institute of Standards recommendations.
E. Regular monitoring and assessment of the effectiveness of aforementioned safeguards.
7
IV. IDENTIFIED RESPONSIBLE OFFICIALS
[The Firm] has designated [Employee’s Name] to be the Data Security Coordinator (hereinafter the DSC). The
DSC is the responsible ofcial for the Firm data security processes and will implement, supervise, and maintain the
WISP. Accordingly, the DSC will be responsible for the following:
y
Implementing the WISP including all daily operational protocols
y
Identifying all the Firm’s repositories of data subject to the WISP protocols and designating them as Secured
Assets with Restricted Access
y
Verifying all employees have completed recurring Information Security Plan Training
y
Monitoring and testing employee compliance with the plan’s policies and procedures
y
Evaluating the ability of any third-party service providers not directly involved with tax preparation and
electronic transmission of tax returns to implement and maintain appropriate security measures for the PII to
which we have permitted them access, and
y
Requiring third-party service providers to implement and maintain appropriate security measures that
comply with this WISP
y
Reviewing the scope of the security measures in the WISP at least annually or whenever there is a material
change in our business practices that affect the security or integrity of records containing PII
y
Conducting an annual training session for all owners, managers, employees, and independent contractors,
including temporary and contract employees who have access to PII enumerated in the elements of the
WISP. All attendees at such training sessions are required to certify their attendance at the training and
their familiarity with our requirements for ensuring the protection of PII. See Employee/Contractor
Acknowledgement of Understanding at the end of this document
[The Firm] has designated [Employee’s Name] to be the Public Information Ofcer (hereinafter PIO). The PIO will
be the Firm’s designated public statement spokesperson. To prevent misunderstandings and hearsay, all outward-
facing communications should be approved through this person who shall be in charge of the following:
y
All client communications by phone conversation or in writing
y
All statements to law enforcement agencies
y
All releases to news media
y
All information released to business associates, neighboring businesses, and trade associations to which
the Firm belongs
V. INSIDE THE FIRM RISK MITIGATION
To reduce internal risks to the security, condentiality, and/or integrity of any retained electronic, paper, or other
records containing PII, the Firm has implemented mandatory policies and procedures as follows:
8
PII Collection and Retention Policy
A. We will only collect the PII of clients, customers, or employees that is necessary to accomplish our
legitimate business needs, while maintaining compliance with all federal, state, or local regulations.
B. Access to records containing PII is limited to employees whose duties, relevant to their job descriptions,
constitute a legitimate need to access said records, and only for job-related purposes.
C. The DSC will identify and document the locations where PII may be stored on the Company premises:
a. Servers, disk drives, solid-state drives, USB memory devices, removable media
b. Filing cabinets, securable desk drawers, contracted document retention and storage rms
c. PC Workstations, Laptop Computers, client portals, electronic Document Management
d. Online (Web-based) applications, portals, and cloud software applications such as Box
e. Database applications, such as Bookkeeping and Tax Software Programs
f. Solid-state drives, and removable or swappable drives, and USB storage media
D. Designated written and electronic records containing PII shall be destroyed or deleted at the earliest
opportunity consistent with business needs or legal retention requirements.
a. Paper-based records shall be securely destroyed by shredding or incineration at the end of their
service life.
b. Electronic records shall be securely destroyed by deleting and overwriting the le directory or by
reformatting the drive on which they were housed.
c. Specic business record retention policies and secure data destruction policies are in an
attachment to this WISP.
Personnel Accountability Policy
A. A copy of the WISP will be distributed to all current employees and to new employees on the beginning
dates of their employment. It will be the employee’s responsibility to acknowledge in writing, by signing
the attached sheet, that he/she received a copy of the WISP and will abide by its provisions. Employees
are actively encouraged to advise the DSC of any activity or operation that poses risk to the secure
retention of PII. If the DSC is the source of these risks, employees should advise any other Principal or the
Business Owner.
a. The Firm will create and establish general Rules of Behavior and Conduct regarding policies
safeguarding PII according to IRS Pub. 4557 Guidelines. [complete and attach after
reviewing supporting NISTIR 7621, NIST SP-800 18, and Pub 4557 requirements]
b. The Firm will screen the procedures prior to granting new access to PII for existing employees.
c. The Firm will conduct Background Checks on new employees who will have access to
retained PII.
d. The Firm may require non-disclosure agreements for employees who have access to the PII
of any designated client determined to have highly sensitive data or security concerns related
to their account.
9
B. The DSC or designated authorized representative will immediately train all existing employees on the
detailed provisions of the Plan. All employees will be subject to periodic reviews by the DSC to ensure
compliance.
C. All employees are responsible for maintaining the privacy and integrity of the Firm’s retained PII. Any
paper records containing PII are to be secured appropriately when not in use. Employees may not keep
les containing PII open on their desks when they are not at their desks. Any computer le stored on the
company network containing PII will be password-protected and/or encrypted. Computers must be locked
from access when employees are not at their desks. At the end of the workday, all les and other
records containing PII will be secured by employees in a manner that is consistent with the Plan’s rules for
protecting the security of PII.
D. Any employee who willfully discloses PII or fails to comply with these policies will face immediate
disciplinary action that includes a verbal or written warning plus other actions up to and including
termination of employment.
E. Terminated employees’ computer access logins and passwords will be disabled at the time of termination.
Physical access to any documents or resources containing PII will be immediately discontinued.
Terminated employees will be required to surrender all keys, IDs or access codes or badges, and
business cards that permit access to the Firm’s premises or information. Terminated employees’ remote
electronic access to personal information will be disabled; voicemail access, e-mail access, Internet
access, Tax Software download/update access, accounts and passwords will be inactivated. The DSC
or designee shall maintain a highly secured master list of all lock combinations, passwords, and keys,
and will determine the need for changes to be made relevant to the terminated employee’s access rights.
PII Disclosure Policy
A. No PII will be disclosed without authenticating the receiving party and without securing written
authorization from the individual whose PII is contained in such disclosure. Access is restricted for areas
in which personal information is stored, including le rooms, ling cabinets, desks, and computers with
access to retained PII. An escort will accompany all visitors while within any restricted area of stored PII data.
B. The Firm will take all possible measures to ensure that employees are trained to keep all paper and
electronic records containing PII securely on premises at all times. When there is a need to bring records
containing PII offsite, only the minimum information necessary will be checked out. Records taken offsite
will be returned to the secure storage location as soon as possible. Under no circumstances will
documents, electronic devices, or digital media containing PII be left unattended in an employee’s car,
home, or in any other potentially insecure location.
C. All security measures included in this WISP shall be reviewed annually, beginning [annual calendar
review date] to ensure that the policies contained in the WISP are adequate and meet all applicable
federal and state regulations. Changes may be made to the WISP at any time they are warranted. When
the WISP is amended, employees will be informed in writing. The DSC and principal owners of the Firm
will be responsible for the review and modication of the WISP, including any security improvement
recommendations from employees, security consultants, IT contractors, and regulatory sources.
D. [The Firm] shares Employee PII in the form of employment records, pension and insurance information,
and other information required of any employer. The Firm may share the PII of our clients with the state
and federal tax authorities, Tax Software Vendor, a bookkeeping service, a payroll service, a CPA rm,
10
an Enrolled Agent, legal counsel, and/or business advisors in the normal course of business for any Tax
Preparation rm. Law enforcement and governmental agencies may also have customer PII shared with them
in order to protect our clients or in the event of a lawfully executed subpoena. An IT support company may
occasionally see PII in the course of contracted services. Access to PII by these third-party organizations will
be the minimum required to conduct business. Any third-party service provider that does require access to
information must be compliant with the standards contained in this WISP at a minimum. The exceptions are
tax software vendors and e-Filing transmitters; and the state and federal tax authorities, which are already
compliant with laws that are stricter than this WISP requires. These additional requirements are outlined in
IRS Publication 1345.
Reportable Event Policy
A. If there is a Data Security Incident that requires notications under the provisions of regulatory laws such as
The Gramm-Leach-Bliley Act, there will be a mandatory post-incident review by the DSC of the events and
actions taken. The DSC will determine if any changes in operations are required to improve the security of
retained PII for which the Firm is responsible. Records of and changes or amendments to the Information
Security Plan will be tracked and kept on le as an addendum to this WISP.
B. The DSC is responsible for maintaining any Data Theft Liability Insurance, Cyber Theft Insurance Riders, or
Legal Counsel on retainer as deemed prudent and necessary by the principal ownership of the Firm.
C. The DSC will also notify the IRS Stakeholder Liaison, and state and local Law Enforcement Authorities in the
event of a Data Security Incident, coordinating all actions and responses taken by the Firm. The DSC or
person designated by the coordinator shall be the sole point of contact with any outside organization not
related to Law Enforcement, such as news media, non-client inquiries by other local rms or businesses and
other inquirers.
VI. OUTSIDE THE FIRM RISK MITIGATION
To combat external risks from outside the Firm network to the security, condentiality, and/or integrity of
electronic, paper, or other records containing PII, and improve - where necessary - the effectiveness of the
current safeguards for limiting such risks, the Firm has implemented the following policies and procedures.
Network Protection Policy
A. Firewall protection, operating system security patches, and all software products shall be up to date and
installed on any computer that accesses, stores, or processes PII data on the Firm’s network. This includes
any Third-Party Devices connected to the network.
B. All system security software, including anti-virus, anti-malware, and internet security, shall be up to date and
installed on any computer that stores or processes PII data or the Firm’s network.
C. Secure user authentication protocols will be in place to:
a. Control username ID, passwords and Two-Factor Authentication processes
b. Restrict access to currently active user accounts
c. Require strong passwords in a manner that conforms to accepted security standards (using upper-
and lower-case letters, numbers, and special characters, eight or more characters in length)
d. Change all passwords every 365 days, or under specic conditions, such as user requests or when
there is evidence of a compromise
e. Firm related passwords must not be used on other sites; or personal passwords used for Firm business.
Firm passwords will be for access to Firm resources only and not mixed with personal passwords
11
D. All computer systems will be continually monitored for unauthorized access or unauthorized use of PII data.
Event Logging will remain enabled on all systems containing PII. Review of event logs by the DSC or IT
partner will be scheduled at random intervals not to exceed 90 days.
E. The Firm will maintain a rewall between the internet and the internal private network. This rewall will be
secured and maintained by the Firm’s IT Service Provider. The Firewall will follow rmware/software updates
per vendor recommendations for security patches. Workstations will also have a software-based rewall enabled.
F.
Operating System (OS) patches and security updates will be reviewed and installed continuously. The DSC will
conduct a top-down security review at least every 30 days.
Firm User Access Control Policy
A. The Firm will adhere to Federal Trade Commission 15 U.S.C § 6805. Section 314.4(c.5) regarding the
implementation of multi-factor authentication.
B. The Firm will use multi-factor authentication (MFA) for remote login authentication via a cell phone text
message, or an app, such as Google Authenticator or Duo, to ensure only authorized devices can gain
remoteaccess to the Firm’s systems.
C. All users will have unique passwords to the computer network. The Firm will not have any shared passwords
or accounts to our computer systems, internet access, software vendor for product downloads, etc. Passwords
can be changed by the user without disclosure of the password to the DSC or any Firm employee at any time.
D. Passwords will be refreshed in accordance with the National Institute of Standards and Technology (NIST)
guidelines. The DSC will notify employees when accelerated password reset is necessary.
E. If a Password Utility program, such as LastPass or Password Safe, is utilized, the DSC will rst conrm that:
a. Username and password information is stored on a secure encrypted site.
b. Multi-factor authentication of the user is enabled to authenticate new devices.
Electronic Exchange of PII Policy
A. It is Firm policy that PII will not be in any unprotected format, such as e-mailed in plain text, rich text, html, or
other e-mail formats unless encryption or password protection is present. Passwords MUST be
communicated to the receiving party via a method other than what is used to send the data; such as by phone
call or SMS text message (out of stream from the data sent).
B. The Firm may use a Password Protected Portal to exchange documents containing PII upon approval of data
security protocols by the DSC.
C.
MS BitLocker or similar encryption will be used on interface drives, such as a USB drive, for les containing PII.
Wi-Fi Access Policy
A. Wireless access (Wi-Fi) points or nodes, if available, will use strong encryption. Firm Wi-Fi will require a
password for access. If open Wi-Fi for clients is made available (guest Wi-Fi), it will be on a different network
and Wi-Fi node from the Firm’s Private work-related Wi-Fi.
B. All devices with wireless capability such as printers, all-in-one copiers and printers, fax machines, and smart
devices such as TVs, refrigerators, and any other devices with Smart Technology will have default factory
passwords changed to Firm-assigned passwords. All default passwords will be reset or the device will be
disabled from wireless capability or the device will be replaced with a non-wireless capable device.
12
VII. IMPLEMENTATION
Effective [date of implementation], [The Firm] has created this Written Information Security Plan (WISP) in
compliance with regulatory rulings regarding implementation of a written data security plan found in the Gramm-
Leach-Bliley Act and the Federal Trade Commission Financial Privacy and Safeguards Rules.
Signed: ______________________________________ Date: __________________
Title: [Principal Operating Ofcer/Owner Title]
Signed: ______________________________________ Date: __________________
Title: Data Security Coordinator
Remote Access Policy
The DSC and the Firm’s IT contractor will approve use of Remote Access utilities for the entire Firm.
Remote access is dangerous if not congured correctly and is the preferred tool of many hackers.
Remote access using tools that encrypt both the trafc and the authentication requests (ID and Password)
used will be the standard. Remote Access will not be available unless the Ofce is staffed and systems are
monitored. Nights and Weekends are high threat periods for Remote Access Takeover data theft.
Remote access will only be allowed using multi-factor Authentication (MFA) in addition to username and
password authentication.
Connected Devices Policy
A. Any new devices that connect to the Internal Network will undergo a thorough security review before
they are added to the network. The Firm will ensure the devices meet all security patch standards and
login and password protocols before they are connected to the network.
B. “AutoRun” features for USB ports and optical drives like CD and DVD drives on network computers
and connected devices will be disabled to prevent malicious programs from self-installing on the
Firm’s systems.
C. The Firm or a certied third-party vendor will erase the hard drives or memory storage devices the Firm
removes from the network at the end of their respective service lives. If any memory device is unable
to be erased, it will be destroyed by removing its ability to be connected to any device, or circuitry will be
shorted, or it will be physically rendered unable to produce any residual data still on the storage device.
D. The Firm runs approved and licensed anti-virus software, which is updated on all servers continuously.
Virus and malware denition updates are also updated as they are made available. The system is tested
weekly to ensure the protection is current and up to date.
Information Security Training Policy
All employees will be trained on maintaining the privacy and condentiality of the Firm’s PII. The DSC will
conduct training regarding the specics of paper record handling, electronic record handling, and Firm security
procedures at least annually. All new employees will be trained before PII access is granted, and periodic
reviews or refreshers will be scheduled until all employees are of the same mindset regarding Information
Security. Disciplinary action may be recommended for any employee who disregards these policies.
13
Added Detail for Consideration When Creating your WISP
Use this additional detail as you develop your written security plan. Review the description of each outline item and
consider the examples as you write your unique plan.
Dene the WISP objectives, purpose, and scope
Objective Statement: This denes the reason for the plan, stating any legal obligations such as compliance with
the provisions of GLBA and sets the tone and denes the reasoning behind the plan. The Objective Statement
should explain why the Firm developed the plan. It also serves to set the boundaries for what the document should
address and why.
Purpose Statement: The Purpose Statement should explain what and how taxpayer information is being protected
with the security process and procedures.
Scope Statement: The scope statement sets the limits on the intent and purpose of the WISP. Since you should
not be legally held to a standard that was unforeseen at the writing or periodic updating of your WISP, you should
set reasonable limits that the scope is intended to dene.
Identify responsible individuals
Identify by name and position persons responsible for overseeing your security programs. Explain who will act in
the roles of Data Security Coordinator (DSC) and Public Information Ofcer (PIO). In most rms of two or more
practitioners, these should be different individuals. These roles will have concurrent duties in the event of a data
security incident. Be sure to dene the duties of each responsible individual.
y
The Data Security Coordinator is the person tasked with the information security process, from securing the
data while remediating the security weaknesses to training all rm personnel in security measures.
y
The Public Information Ofcer is the “one voice” that speaks for the rm for client notications and outward
statements to third parties, such as local law enforcement agencies, news media, and local associates and
businesses inquiring about their own risks.
Assess Risks
y
Identify Risks: While building your WISP, take a close look at your business to identify risks of unauthorized
access, use, or disclosure of information. Carefully consider your rm’s vulnerabilities.
y
List types of information your ofce handles. Identifying the information your practice handles is a critical
step in evaluating risk. Some types of information you may use in your rm includes taxpayer PII,
employee records, and private business nancial information. For example, do you handle paper and
electronic documentation containing client or employee PII? List all types.
y
List all potential types of loss (internal and external). Evaluate types of loss that could occur, including
unauthorized access and disclosure and loss of access. Be sure to include any potential threats
and vulnerabilities, such as theft, destruction, or accidental disclosure. Examples might include physical
theft of paper or electronic les, electronic data theft due to Remote Access Takeover of your computer
network, and loss due to re, hurricane, tornado or other natural cause.
y
Outline procedures to monitor your processes and test for new risks that may arise.
14
Inventory Hardware
y
It is imperative to catalog all devices used in your practice that come in contact with taxpayer data. This could
be anything from a computer, network devices, cell phones, printers, to modems and routers.
} List description and physical location of each item
} Record types of information stored or processed by each item
Example:
} Jane Doe Business Cell Phone, located with Jane Doe, processes emails from clients
} John Doe PC, located in John’s ofce linked to the rms’ network, processes tax returns, emails,
company nancial information.
} Network Router, located in the back storage room and is linked to ofce internet, processes all types
of information
Sample Attachment E - Firm Hardware Inventory containing PII Data
Document Safety Measures
y
This section sets the policies and business procedures the Firm undertakes to secure all PII in the Firm’s
custody of clients, employees, contractors, governing any privacy-controlled physical (hard copy) data,
electronic data, and handling by rm employees.
List policies for the following:
y
Data collection and retention
} Precisely dene the minimal amount of PII the Firm will collect and store
} Dene who shall have access to the stored PII data
} Dene where the PII data will be stored and in what formats
} Designate when and which documents are to be destroyed and securely deleted after they have
met their data retention life cycle
y
Data disclosure
} You should dene any receiving party authentication process for PII received
} Dene how data containing PII will be secured while checked out of designated PII secure storage area
} Determine any policies for the internet service provider, cloud hosting provider, and other services
connected to any stored PII of the rm, such as 2 Factor Authentication requirements and compatibility
} Spell out whom the Firm may share stored PII data with, in the ordinary course of business, and any
r
equirements that these related businesses and agencies are compliant with the Firm’s privacy standards
y
Network protection (List how your system and devices are protected)
} Firewall protection
15
} All security software, anti-virus, anti-malware, anti-tracker, and similar protections
} Secure user protocols
▪
User IDs
▪
Restricted access by job role
▪
Password selection policy
▪
Password controls to ensure no passwords are shared
▪
Password change interval policy
▪
Restriction on using rm passwords for personal use, and personal passwords for rm use
} Monitoring all computer systems for unauthorized access via event logs and routine event review
} Operating System patch and update policies by authorized personnel to ensure uniform security
updates on all workstations
y
User access (How users access devices)
} Will your rm implement an Unsuccessful Login lockout procedure?
} Multi-factor Authentication Policy controls
} Determine any unique Individual user password policy
} Approval and usage guidelines for any third-party password utility program
y
Remote access (How employees access data remotely)
} Set policy requiring multi-factor authentication for remote access connections.
} Consider a no after-business-hours remote access policy. Historically, this is prime time for hackers,
since the local networks they are hacking are not being monitored by employee users.
y
Connected devices (How new devices or software is added to the network)
} New network devices, computers, and servers must clear a security review for compatibility/
conguration
} Congure access ports like USB ports to disable “autorun” features
} Set policy on rm-approved anti-virus, anti-malware, and anti-tracking programs and require their use
on every connected device.
} Require any new software applications to be approved for use on the Firm’s network by the DSC or IT
Professional prior to installation.
y
Reportable Incidents
Create both an Incident Response Plan & a Breach Notication Plan
In the event of an incident, the presence of both a Response and a Notication Plan in your WISP reduces
the unknowns of how to respond and should outline the necessary steps that each designated ofcial must
take to both address the issue and notify the required parties.
} At a minimum, plans should include what steps will be taken to re-secure your devices, data,
passwords, networks and who will carry out these actions
16
} Describe how the Firm Data Security Coordinator (DSC) will notify anyone assisting with a reportable
data breach requiring remediation procedures
} Describe who will be responsible for maintaining any data theft liability insurance, Cyber Theft Rider
policies, and legal counsel retainer if appropriate
} Describe the DSC duties to notify outside agencies, such as the IRS Stakeholder Liaison, Federal
Trade Commission, State Attorney General, FBI local eld ofce if a cybercrime, and local law
enforcement agencies
y
Draft Employee Code of Conduct
Determine a personnel accountability policy including training guidelines for all employees and contractors,
guidelines for behavior, and employee screening and background checks. Address any necessary non-
disclosure agreements and privacy guidelines. Be sure to include information for terminated and separated
employees, such as scrubbing access and passwords and ending physical access to your business.
Draft an Implementation Clause
When all appropriate policies and procedures have been identied and included in your plan, it is time for the nal
steps and implementation of your WISP. An Implementation clause should show the following elements:
} Date of implementation
} Firm Name
} That the plan is emplaced in compliance with the requirements of the GLBA
} That the plan is in compliance with the Federal Trade Commission Financial Privacy and
Safeguards Rule
} Also add if additional state regulatory requirements apply
} The plan should be signed by the principal operating ofcer or owner, and the DSC and dated the
date of implementation
Ancillary Attachments
Attach any ancillary procedures as attachments. These are the specic task procedures that support rm policies,
or business operation rules. For example, a separate Records Retention Policy makes sense. If regulatory records
retention standards change, you update the attached procedure, not the entire WISP. Other potential attachments
are Rules of Behavior and Conduct Safeguarding Client PII, as recommended in Pub 4557. Another good
attachment would be a Security Breach Notications Procedure.
Sample Attachment A - Record Retention Policy
Determine the rm’s procedures on storing records containing any PII.
y
How long will you keep historical data records, different rms have different standards? There are some
Federal and state guidelines for records retention periods.
y
How will you destroy records once they age out of the retention period?
} How will paper records are to be stored and destroyed at the end of their service life
} How will electronic records be stored, backed up, or destroyed at the end of their service life
17
Best Practice: Keeping records longer than the minimum record retention period can put clients at some additional
risk for deeper audits. By common discovery rules, if the records are there, they can be audited back as far as the
statutes of limitations will allow. Promptly destroying old records at the minimum required timeframe will limit any
audit or other legal inquiry into your clients’ records to that time frame only.
Sample Attachment B - Rules of Behavior and Conduct Safeguarding Client PII
Having some rules of conduct in writing is a very good idea. It standardizes the way you handle and process
information for everyone in the rm. This attachment can be reproduced and posted in the breakroom, at desks, and
as a guide for new hires and temporary employees to follow as they get oriented to safe data handling procedures.
These sample guidelines are loosely based on the National Institute of Standards guidelines and have been
customized to t the context of a Tax & Accounting Firm’s daily operations.
Best Practice: At the beginning of a new tax season cycle, this addendum would make good material for a monthly
security staff meeting. Keeping security practices top of mind is of great importance. Other monthly topics could
include how phishing emails work, phone call grooming by a bad actor, etc. SANS.ORG has great resources for
security topics. The Ouch! Newsletter can be used as topical material for your Security meetings.
Sample Attachment C - Security Breach Procedures and Notications
It is a good idea to have a guideline to follow in the immediate aftermath of a data breach. To be prepared for
the eventuality, you must have a procedural guide to follow. This attachment will need to be updated annually for
accuracy. Subscribing to IRS e-news and topics like the Protect Your Clients, Protect Yourselves series will inform
you of changes as fraud prevention procedures mature over time.
Sample Attachment D - Employee/Contractor Acknowledgement of Understanding
It is a good idea to have a signed acknowledgment of understanding. This is particularly true when you hire new or
temporary employees, and when you bring a vendor partner into your business circle, such as your IT Pro, cleaning
service, or copier servicing company. They need to know you handle sensitive personal data and you take the
protection of that data very seriously.
Best Practice: It is important that employees see the owners and managers put themselves under the same
rules as everyone else. When you roll out your WISP, placing the signed copies in a collection box on the ofce
manager’s desk for a time for anyone to see, for example, is a good way for everyone to see that all employees are
accountable. Placing the Owners and Data Security Coordinator’s signed copy on the top of the stack prominently
shows you will play no favorites and are all pledging to the same standard of conduct. This acknowledgement
process should be refreshed annually after an annual meeting discussing the Written Information Security Plan and
any operational changes made from the prior year.
Sample Attachment E - Firm Hardware Inventory containing PII Data
Keeping track of data is a challenge. A good way to make sure you know where everything is and when it was put in
service or taken out of service is recommended. This is especially true of electronic data.
y
Include paper records by listing ling cabinets, dated archive storage boxes, and any alternate locations of
storage that may be off premises.
y
List all desktop computers, laptops, and business-related cell phones which may contain client PII.
y
List storage devices, removable hard drives, cloud storage, or USB memory sticks containing client PII.
18
Best Practice: Set a policy that no client PII can be stored on any personal employee devices such as personal (not
rm owned) memory sticks, home computers, and cell phones that are not under the direct control of the rm. This
ensures all devices meet the security standards of the rm, such as having any auto-run features turned off, and
they are standardized for virus and malware scans.
Sample Attachment F - Firm Employees Authorized to Access PII
Having a list of employees and vendors, such as your IT Pro, who are authorized to handle client PII is a good idea.
You should not allow someone who may not fully understand the seriousness of the secure environment your rm
operates in to access privacy-controlled information. Additionally, an authorized access list is a good place to start
the process of removing access rights when a person retires or leaves the rm. Having a systematic process for
closing down user rights is just as important as granting them.
y
List name, job role, duties, access level, date access granted, and date access Terminated
y
Be sure to include contractors, such as your IT professionals, hosting vendors, and cleaning and
housekeeping, who have access to any stored PII in your safekeeping, physical or electronic.
y
List any other data access criteria you wish to track in the event of any legal or law enforcement request
due to a data breach inquiry. Examples:
} John Smith - Ofce Manager / Day-to-Day Operations / Access all digital and paper-based data /
Granted January 2, 2018
} Jane Robinson - Senior Tax Partner / Tax Planning and Preparation / Access all digital and paper-
based data / Granted December 01, 2015
} Jill Johnson - Receptionist / Phones/Scheduling / Access ABC scheduling software / Granted
January 10, 2020 / Terminated December 31, 2020
} Jill Johnson - Tax Preparer / 1040 Tax Preparation / Access all digital and paper-based data /
Granted January 2, 2021
Best Practice: If a person has their rights increased or decreased It is a good idea to terminate the old access
rights on one line, and then add a new entry for the new access rights granted. This shows a good chain of custody
for rights and shows a progression. For the same reason, it is a good idea to show a person who goes into semi-
retirement and has less rights than before and the date the status changed.
19
Sample Attachment A: Record Retention Policies
Designated retained written and electronic records containing PII will be destroyed or deleted at the earliest
opportunity consistent with business needs or legal retention requirements.
It is Firm policy to retain no PII records longer than required by current regulations, practices, or standards.
I. In no case shall paper or electronic retained records containing PII be kept longer than ____ Years.
II. Paper-based records shall be securely destroyed by cross-cut shredding or incineration at the end of
their service life.
III. Electronic records shall be securely destroyed by deleting and overwriting the le directory or by
reformatting the drive where they were housed or destroying the drive disks rendering them inoperable
if they have reached the end of their service life.
20
Sample Attachment B: Rules of Behavior and Conduct Safe-
guarding Client PII
Create and distribute rules of behavior that describe responsibilities and expected behavior regarding computer
information systems as well as paper records and usage of taxpayer data. Have all information system users
complete, sign, and comply with the rules of behavior. NISTIR 7621, Small Business Information Security: The
Fundamentals, Section 4, has information regarding general rules of Behavior, such as:
y
Be careful of email attachments and web links
} Do not click on a link or open an attachment that you were not expecting. If it appears important,
call the sender to verify they sent the email and ask them to describe what the attachment or link is.
Before you click a link (in an email or on social media, instant messages, other webpages), hover over
that link to see the actual web address it will take you to. Train employees to recognize phishing
attempts and who to notify when one occurs.
y
Use separate personal and business computers, mobile devices, and email accounts
} This is especially important if other people, such as children, use personal devices. Do not
conduct business or any sensitive activities (like online business banking) on a personal computer
or device and do not engage in activities such as web surng, gaming, downloading videos, etc.,
on business computers or devices. Do not send sensitive business information to personal email
addresses.
y
Do not connect personal or untrusted storage devices or hardware into computers, mobile devices,
or networks.
} Do not share USB drives or external hard drives between personal and business computers or
devices. Do not connect any unknown/untrusted hardware into the system or network, and do not
insert any unknown CD, DVD, or USB drive. Disable the “AutoRun” feature for the USB ports and
optical drives like CD and DVD drives on business computers to help prevent such malicious
programs from installing on the systems.
y
Be careful downloading software
} Do not download software from an unknown web page. Be very careful with freeware or shareware.
y
Watch out when providing personal or business information
} Social engineering is an attempt to obtain physical or electronic access to information by
manipulating people. A very common type of attack involves a person, website, or email that
pretends to be something it’s not. A social engineer will research a business to learn names, titles,
responsibilities, and any personal information they can nd; calls or sends an email with a believable
but made-up story designed to convince you to give certain information.
} Never respond to unsolicited phone calls that ask for sensitive personal or business information.
Employees should notify their management whenever there is an attempt or request for sensitive
business information.
} Never give out usernames or passwords. No company should ask for this information for any reason.
Also, beware of people asking what kind of operating system, brand of rewall, internet browser, or
what applications are installed. This is information that can make it easier for a hacker to break into
the system.
21
y
Watch for harmful pop-ups
} When connected to and using the Internet, do not respond to popup windows requesting that users
click “OK.” Use a popup blocker and only allow popups on trusted websites.
y
Use strong passwords
} Good passwords consist of a random sequence of letters (upper- and lower-case), numbers,
and special characters. The NIST recommends passwords be at least 12 characters long.
For systems or applications that have important information, use multiple forms of identication
(called “multi-factor” or “dual factor” authentication).
} Many devices come with default administration passwords – these should be changed immediately
when installing and regularly thereafter. Default passwords are easily found or known by hackers
and can be used to access the device. The product manual or those who install the system should
be able to show you how to change them.
} NIST guidelines recommend password reset every 365 days, or when a compromise has occurred.
} Passwords to devices and applications that deal with business information should not be re-used.
} You may want to consider using a password management application to store your passwords for you.
y
Conduct online business more securely
} Online business/commerce/banking should only be done using a secure browser connection.
This will normally be indicated by a small lock visible in the lower right corner or upper left of the web
browser window
.
} Erase the web browser cache, temporary internet les, cookies, and history regularly. Ensure to
erase this data after using any public computer and after any online commerce or banking session.
This prevents important information from being stolen if the system is compromised. This will also
help the system run faster. Typically, this is done in the web browser’s “privacy” or “security”
menu. Review the web browser’s help manual for guidance.
22
Sample Attachment C: Security Breach Procedures and
Notications
I. Notications
If the Data Security Coordinator determines that PII has been stolen or lost, the Firm will notify the following entities,
describing the theft or loss in detail, and work with authorities to investigate the issue and to protect the victim’s
identity and credit.
y
The IRS Stakeholder Liaison who coordinates IRS divisions and other agencies regarding a Tax
Professional Ofce data breach.
y
The state Attorney General’s Ofce
y
State tax agencies - Visit the Federal Tax Administrators’ “Report a Breach” for state-by-state information
y
The FBI’s Internet Crime Complaint Center if it is a cyber-crime involving electronic data theft
y
The Federal Trade Commission, in accordance with GLB Act provisions as outlined in the Safeguards Rule.
Report security events affecting 500 or more people within 30 days of discovery through the FTC’s online
Safeguards Rule Security Event Reporting Form.
y
Local law enforcement
y
Tax software vendor (can assist with next steps after a data breach incident)
y
Liability insurance carrier who may provide forensic IT services
y
Legal counsel
y
To the extent required by regulatory laws and good business practices, the Firm will also notify the
victims of the theft so that they can protect their credit and identity. The FTC provides guidance for identity
theft notications in: Information Compromise and the Risk of Identity Theft: Guidance for Your Business
II. Procedures
Read this IRS Newswire Alert for more information
Examples:
y
Go to IRS e-Services and check your EFIN activity report to see if more returns have been led on your
EFIN than you transmitted.
y
Check to see if you can tell if the returns in question were submitted at odd hours that are not during normal
hours of operation, such as overnight or on weekends.
y
Were the returns transmitted on a Monday or Tuesday morning?
} Typically, a thief will remotely steal the client data over the weekend when no one is in the ofce to
notice. They then rework the returns over the weekend and transmit them on a normal business
workday just after the weekend.
23
Sample Attachment D: Employee/Contractor Acknowledgement
of Understanding
I, [Employee Name], do hereby acknowledge that I have been informed of the Written Information Security
Plan used by [The Firm]. I have undergone training conducted by the Data Security Coordinator. I have also
been able to have all questions regarding procedures answered to my satisfaction so that I fully
understand the importance of maintaining strict compliance with the purpose and intent of this WISP.
I also understand that there will be periodic updates and training if these policies and procedures change
for any reason. It has been explained to me that non-compliance with the WISP policies may result
in disciplinary actions up to and including termination of employment.
I understand the importance of protecting the Personally Identiable Information of our clients, employees,
and contacts, and will diligently monitor my actions, as well as the actions of others, so that [The Firm] is a
safe repository for all personally sensitive data necessary for business needs.
Signed,
[Employee Name] Date: [Date of Initial/Last Training]
Title: [Employee Title Description]
24
Sample Attachment E: Firm Hardware Inventory containing PII Data
Below is the enumerated list of hardware and software containing client or employee PII that will be periodically
audited for compliance with this WISP.
Hardware Item Location Principal User In-Service Date Last Inventoried
25
Sample Attachment F: Firm Employees Authorized to Access PII
Name Role Job Duties Access Level
Date access
Granted
Date Access
Terminated
John Doe DSC Ofce Manager
Full access to all PII
01/01/2015
26
Reference A. The Glossary of Terms
Anti-virus software - software designed to detect and potentially eliminate viruses before damaging the system.
Can also repair or quarantine les that have already been infected by virus activity.
Attachment - a le that has been added to an email. It could be something useful to you, or something harmful to
your computer.
Authentication - conrms the correctness of the claimed identity of an individual user, machine, software
component or any other entity.
Breach - unauthorized access of a computer or network, usually through the electronic gathering of login
credentials of an approved user on the system.
Clear desk Policy - a policy that directs all personnel to clear their desks at the end of each working day, and le
everything appropriately. Desks should be cleared of all documents and papers, including the contents of the “in”
and “out” trays - not simply for cleanliness, but also to ensure that sensitive papers and documents are not exposed
to unauthorized persons outside of working hours.
Clear screen Policy - a policy that directs all computer users to ensure that the contents of the screen are
protected from prying eyes and opportunistic breaches of condentiality. Typically, the easiest means of compliance
is to use a screensaver that engages either on request or after a specied brief period.
Cybersecurity - the protection of information assets by addressing threats to information processed, stored, and
transported by internetworked information systems.
Data Security Coordinator (DSC) - the rm-designated employee who will act as the chief data security ofcer for
the rm. The DSC is responsible for all aspects of your rm’s data security posture, especially as it relates to the PII
of any client or employee the rm possesses in the course of normal business operations.
Data breach - an incident in which sensitive, protected, or condential data has potentially been viewed, stolen
or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI),
personally identiable information (PII), trade secrets or intellectual property.
Encryption - means the transformation of data into a form that results in a low probability of assigning meaning
without the use of a protective process or key, consistent with current cryptographic standards and accompanied by
appropriate safeguards or cryptographic key material. It is a data security technique used to protect information from
unauthorized inspection or alteration..
Firewall - a hardware or software link in a network that inspects all data packets coming and going from a computer,
permitting only those that are authorized to reach the other side. It is helpful in controlling external access to a
computer or network.
GLBA - Gramm-Leach-Bliley Act. Administered by the Federal Trade Commission. Establishes safeguards for all
privacy-controlled information through business segment Safeguards Rule enforced business practices.
Hardware rewall - a dedicated computer congured to exclusively provide rewall services between another
computer or network and the internet or other external connections.
Malware - (malicious software) any computer program designed to inltrate, damage or disable computers.
27
Multi-factor authentication - A security system that requires returning users to enter more than just credentials
(username and password) to access an account or device, such as two-factor or three-factor authentication.
The FTC Safeguards Rule requires authentication through verication of at least two of the following types of
authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3)
Inherence factors, such as biometric characteristics.
Network - two or more computers that are grouped together to share information, software, and hardware. Can be
a local ofce network or an internet-connection based network.
Out-of-stream - usually relates to the forwarding of a password for a le via a different mode of communication
separate from the protected le. Example: Password protected le was emailed, the password was relayed to the
recipient via text message, outside of the same stream of information from the protected le.
Patch - a small security update released by a software manufacturer to x bugs in existing programs.
Phishing email - broad term for email scams that appear legitimate for the purpose of tricking the recipient into
sharing sensitive information or installing malware.
PII - Personally Identiable Information. The name, address, SSN, banking or other information used to establish
ofcial business. Also known as Privacy-Controlled Information.
Public Information Ofcer (PIO) - the PIO is the single point of contact for any outward communications from the
rm related to a data breach incident where PII has been exposed to an unauthorized party. This position allows
the rm to communicate to affected clients, media, or local businesses and associates in a controlled manner while
allowing the Data Security Coordinator freedom to work on remediation internally.
Risk analysis - a process by which frequency and magnitude of IT risk scenarios are estimated; the initial steps of
risk management; analyzing the value of assets to the business, identifying threats to those assets and evaluating
how vulnerable each asset is to those threats.
Security awareness - the extent to which every employee with access to condential information understands their
responsibility to protect the physical and information assets of the organization.
Service providers - any business service provider contracted with for services, such as janitorial services, IT
Professionals, and document destruction services employed by the rm who may come in contact with sensitive
client PII.
Software rewall - an application installed on an existing operating system that adds rewall services to the
existing programs and services on the system.
VPN (Virtual Private Network) - a secure remote network or Internet connection encrypting communications
between a local device and a remote trusted device or service that prevents en-route interception of data.
Written Information Security Plan -a documented, structured approach identifying related activities and
procedures that maintain a security awareness culture and to formulate security posture guidelines. Mandated for
Tax & Accounting rms through the FTC Safeguards Rule supporting the Gramm-Leach-Bliley Act privacy law.
28
Resource Links:
Below are helpful links from within the WISP creation guide above and also from outside sources like the Federal
Communications Commission (FCC), and the National Institute of Standards and Technology (NIST). These
resources in addition to IRS and Federal Trade Commission resources will support your efforts to create a durable
Written Information Security Plan for your rm.
Federal Trade Commission
y
FTC Financial Institution How to Comply
y
FTC Safeguards Rule
y
FTC Data Breach Response Guide
y
FTC Safeguards Rule Security Event Reporting Form
National Institute of Standards
y
Cybercrime & Cyber Threats to Small Business
} Cybercrime its worse we thought
} Cybercrime existential threat small business
y
NIST Computer Security Resource Center
y
NIST Cybersecurity Framework examples
Federal Communications Commission
y
FCC Cyber Threat Resources
Internal Revenue Service
} IRS Publication 4557
}
}
}
} IRS Stakeholder Liaison
} IRS Data Theft Reporting Process
IRS Publication 5280
IRS Publication 5709
IRS Publication 1345
