https://www.irs.gov/pub/opr-taxpros/2023-10-careful-wisp%28er%29-professional-responsibility-and-data-security.pdf
Professional Responsibility and Data Security: Practitioners' Obligation to Have a Written Information Security Plan
A good WISP should identify the risks of data loss for the types of information handled by a firm or company and focus on employee management and training, information systems, and detecting and managing system failures. There is no "one-size-fits-all" solution to tax practitioners' data security challenges. Rather, a security plan should be scaled to the business's size, scope of activities, complexity, and the sensitivity of the customer data it handles, and should be updated as business or technology changes dictate. That said, as a general matter, certain protocols should be considered:
• Do not collect more Personally Identifiable Information (PII) of clients than is necessary for your business operations, and do not retain PII longer than necessary or legally required for business purposes.
• Protect the PII you collect, use, disclose, and retain. For example, store PII in a locked room or file cabinets (with information secured at the end of each workday).
• Restrict access to PII to only those individuals with a business need to access the information.
• Dispose of PII appropriately, such as shredding documents and wiping (or destroying) old hard drives, fax machines, printers, and other equipment.
• Use qualified and vetted contractors, including physical and data security consultants.
• Instill awareness and train employees (professional and nonprofessional alike) on properly handling PII.
• Establish security protocols for electronic programs and files, including server locks, password policies*, guidance on phishing/malware schemes, and laptop and mobile device security.
* Tax professionals should generally observe the following guidelines concerning passwords:
• Use strong passwords. Never share usernames or passwords with others. Strong passwords consist of a random sequence of upper- and lower-case letters that include numbers and special characters. Ideally, passwords should be at least 14 characters long. For systems or applications that have sensitive information, use multiple forms of identity verification (multifactor or dual-factor authentication).
• Change default passwords. Many devices come with default administrative passwords. Change them immediately and regularly thereafter. Default passwords are easily found or known by hackers.
• Change passwords often. Every three months is recommended. Consider using a password management application to store passwords. Passwords to devices and applications that contain business information should not be reused.
• Develop and enforce email policies and procedures that comply with federal and state laws.
• Continually monitor computer networks to identify and redress potential security issues (e.g., software updates, antivirus software, firewalls, security patches, scan engines).
• Establish guidelines related to Internet browsing, use of smart devices, and use of social media and professional networking sites.
• Establish security policies related to physical files and other records kept at home.
• Maintain good records and have policies and procedures in place for what to do in case of a data breach (including timely notification of the business's insurance carrier). If your employees work remotely, adopt policies relating to the use of:
    ○ virtual private networks (VPNs) to securely conduct business;
    ○ separate personal and business computers, mobile devices, and email accounts; and
    ○ "smart" devices.
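The password guidelines in the footnote above, turned into checks a firm could run when a password is set and when its credential inventory is audited. This is an added example, not material from the IRS publication; the thresholds (14 characters, four character classes, rotation every three months taken as 90 days) come from the guidance, while the inventory record layout, the sample entries and the short default-password list are constructed for illustration.

```python
# Added example (not from the IRS page): the page's password guidance expressed as checks.
from datetime import date
import hashlib
MIN_LENGTH = 14      # "at least 14 characters long"
ROTATION_DAYS = 90   # "every three months", taken here as 90 days
KNOWN_DEFAULTS = {"admin", "password", "changeme"}  # constructed sample of vendor defaults

def password_findings(pw: str) -> list[str]:
    """Check a candidate password when it is set; an empty list means it complies."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        findings.append("missing upper-case, lower-case, digit or special character")
    if pw.lower() in KNOWN_DEFAULTS:
        findings.append("vendor default password still in use")
    return findings

def fingerprint(pw: str) -> str:
    # The inventory keeps only a digest, so reuse is detectable without storing plaintext.
    return hashlib.sha256(pw.encode()).hexdigest()

def inventory_findings(entries: list[dict], today: date) -> dict[str, list[str]]:
    # Audit per-system metadata: rotation age, MFA on sensitive systems, reuse across systems.
    first_use, report = {}, {}
    for e in entries:
        f = []
        age = (today - e["last_changed"]).days
        if age > ROTATION_DAYS:
            f.append(f"not rotated for {age} days")
        if e["sensitive"] and not e["mfa"]:
            f.append("sensitive system without multifactor authentication")
        owner = first_use.setdefault(e["fingerprint"], e["system"])
        if owner != e["system"]:
            f.append(f"password reused from {owner}")
        report[e["system"]] = f
    return report

SAMPLE = [  # constructed credential inventory; no plaintext passwords are stored
    {"system": "tax-software", "sensitive": True, "mfa": True,
     "last_changed": date(2023, 9, 1), "fingerprint": fingerprint("Tq7#mL9!pX2&vR4z")},
    {"system": "office-router", "sensitive": False, "mfa": False,
     "last_changed": date(2023, 1, 15), "fingerprint": fingerprint("admin")},
    {"system": "email", "sensitive": True, "mfa": False,
     "last_changed": date(2023, 9, 20), "fingerprint": fingerprint("Tq7#mL9!pX2&vR4z")},
]

def audit_sample() -> dict[str, list[str]]:
    return inventory_findings(SAMPLE, date(2023, 10, 1))  # constructed audit date
```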
Here’s a comprehensive template for tracking
the implementation of WISP daily operational protocols, with
designated responsibilities and a date column for logging:
Procedure Description | Yes (Implemented) | No (Not Implemented) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date
Verify daily system access controls | | | | | |
Monitor data access logs | | | | | |
Ensure encryption protocols are active | | | | | |
Conduct daily security checks | | | | | |
Review and address any system alerts | | | | | |
Confirm employee adherence to data handling policies | | | | | |
Backup and secure data as per WISP | | | | | |
Report daily on WISP compliance | | | | | |
This template allows for daily tracking of
WISP procedures, including fields to log completion status,
responsibilities, and the specific date each protocol was checked.
Add rows for additional daily protocols as needed.
Here’s a template to track the identification
and designation of the firm’s data repositories as Secured Assets
with Restricted Access, per WISP protocols, with fields for
responsibility assignment and date:
Data Repository/Asset Description | Yes (Secured & Restricted Access) | No (Not Secured) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date
Customer Personal Data Storage | | | | | |
Financial Records Database | | | | | |
Employee Records Repository | | | | | |
Intellectual Property Storage | | | | | |
Archived Data Files | | | | | |
Backup Storage Locations | | | | | |
Cloud Storage for Sensitive Data | | | | | |
Physical Document Storage | | | | | |
This template provides a structured way to
verify each data repository's security status, designate
responsibilities, and log the date of assessment. Additional rows
can be added for more data repositories as required.
Here’s a template for tracking the completion
of recurring Information Security Plan Training for each employee,
including columns for responsibility designation and date:
Employee Name | Yes (Training Completed) | No (Not Completed) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date of Verification
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
This template allows the Data Security
Coordinator to verify and record each employee’s training status,
assign responsibility, and log the date when verification was
completed. Add rows for each employee in the firm as needed.
Here’s a template for tracking the monitoring
and testing of employee compliance with the Information Security
Plan’s policies and procedures, with fields for responsibility
assignment and date:
Employee Name | Yes (Compliant) | No (Non-Compliant) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date of Monitoring/Testing
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
This template provides a structured way for
the Data Security Coordinator to monitor and document each
employee's compliance status, specify responsibilities, and log
the date of monitoring or testing. Additional rows can be added
for each employee as needed.
Here’s a template for tracking the evaluation
of third-party service providers' ability to implement and
maintain appropriate security measures for Personally Identifiable
Information (PII), including fields for responsibility designation
and date:
Third-Party Service Provider Name | Yes (Security Measures Verified) | No (Not Verified) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date of Evaluation
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
This template allows the Data Security
Coordinator to document the evaluation of each third-party service
provider’s security measures, specify responsibilities, and log
the date of evaluation. Add rows as needed for each relevant
third-party provider.
Here’s a template for tracking the
requirement for third-party service providers to implement and
maintain security measures in compliance with the WISP, with
fields for responsibility assignment and date:
Third-Party Service Provider Name | Yes (Security Measures Implemented) | No (Not Implemented) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date of Verification
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
This template allows the Data Security
Coordinator to document each third-party provider’s compliance
with WISP security measures, assign responsibilities, and record
the date of verification. Add rows as needed for additional
third-party service providers.
Here’s a template for tracking the review of
the scope of security measures in the WISP, including fields for
responsibility designation and date:
Review Description | Yes (Reviewed) | No (Not Reviewed) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date of Review
Annual review of WISP security measures | | | | | |
Review due to material change in business practices | | | | | |
Review after changes in data storage practices | | | | | |
Review after updates in regulatory requirements | | | | | |
Review after a security incident or breach | | | | | |
Review due to changes in third-party access | | | | | |
This template allows the Data Security
Coordinator to document each review of the WISP's scope, designate
responsibilities, and log the date of each review. Add rows as
needed for other specific review instances based on business
needs.
Here’s a template for tracking the completion
of annual training sessions for all individuals with access to
PII, including fields for responsibility designation,
certification status, and date:
Attendee Name | Yes (Training Completed) | No (Not Completed) | N/A (Not Applicable) | Firm Responsibility | Data Security Coordinator Responsibility | Date of Training
1 | | | | | |
2 | | | | | |
3 | | | | | |
4 | | | | | |
5 | | | | | |
6 | | | | | |
This template allows the Data Security
Coordinator to document each attendee’s training completion,
assign responsibilities, and log the date of the training.
Additional rows can be added for each owner, manager, employee,
and contractor who attended the session.
Information resources to create and complete your Written
Information Security Plan (WISP):