How to Create a Written Information Security Plan (WISP) for your Tax & Accounting Practice (+ a Free WISP Template)
Secure your clients’ data with a well-structured WISP and stay compliant with the IRS and FTC.
Working with client and company data in the tax and accounting profession comes with a host of cybersecurity challenges. Client, employee, and company data must be safeguarded from external threats and internal mismanagement. Every tax and accounting professional with a PTIN must have a Written Information Security Plan (WISP) to comply with the Gramm-Leach-Bliley Act and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rules. The WISP is a security framework meant to identify and protect against the theft or release of Personally Identifiable Information (PII). It’s your playbook for identifying risks to sensitive data and documenting the measures you’ve taken to keep client data secure. Creating a WISP on your own can seem daunting. That’s why we’ll break down the major components of a WISP so that you can create your own with confidence.
Ready-Made WISP
Want to ensure your WISP meets all necessary requirements? We’ve developed a comprehensive WISP template for tax professionals that you can customize for your practice. Our free WISP template walks you through each required component while allowing you to tailor the plan to your specific needs. Simply fill out the form above to access your free WISP template and take the first step toward better protecting your practice and your clients.
The Foundations of Your WISP
Your WISP should begin with the following clearly defined areas: Objectives, Purpose, and Scope.
Objectives establish what the WISP aims to achieve: primarily, creating effective administrative, technical, and physical safeguards for protecting Personally Identifiable Information (PII). PII includes information such as first and last name, date of birth, income and tax data, and Social Security numbers.
Purpose outlines specific goals: ensuring the confidentiality of PII, protecting against anticipated threats, and preventing unauthorized access. The purpose states what your WISP intends to accomplish, not how.
Scope sets reasonable limits on what the WISP covers in service of its stated purpose, including identifying risks to electronic and paper records, assessing potential damage, and evaluating existing safeguards.
These foundational elements flow into the body of your plan. As a rule of thumb, if a piece of information is not publicly accessible from government or public directories, treat it as PII.
Identify Your Responsible Parties
The next section of your WISP should be centered on the designation and responsibilities of two parties: a Data Security Coordinator (DSC) and a Public Information Officer (PIO). The IRS WISP template outlines the responsibilities of the DSC and PIO in extensive detail. We’ll give you the abridged version.
Every WISP needs a designated Data Security Coordinator (DSC). The DSC is the party responsible for implementing and maintaining your WISP. This party is named as the DSC within the WISP and listed as overseeing data security protocols, maintaining documentation of data storage locations, verifying employee training completion, and monitoring third-party compliance. Effectively, the DSC is your practice’s data security detail, actively working to guard against threats to PII. The DSC’s responsibilities may vary depending on the needs of your practice, but they will always include implementing, maintaining, and updating the data security protocols and services laid out in your WISP.
Appointing a Public Information Officer (PIO) to handle external communications during security incidents is crucial. This is your practice’s spokesperson. The PIO should also be named in the WISP along with a list of their responsibilities. A single spokesperson prevents confusing or contradictory messaging to external entities during a crisis. These entities can include clients, law enforcement, the media, and business associates. Create a list of the external entities the PIO would be responsible for communicating with.
Internal Risk Management
Internal risk mitigation forms the core of your WISP’s operational guidance. This section should detail your policies for data collection, retention, and handling. Start with a clear policy on what PII you’ll collect and who can access it. Document where and how you store PII, including both physical and electronic locations. List the circumstances under which PII is accessed. Establish procedures for the secure destruction of records when they’re no longer needed. Be sure to attach your practice’s retention and destruction protocols to your WISP.
Create and list comprehensive personnel policies covering everything from initial security training to procedures for terminated employees. Remember to include specific protocols for how you’ll share PII with authorized third parties like tax authorities or service providers.
External Risk Management
Your WISP should detail the network protection policies that keep PII secured from threats outside your practice. These policies can include firewall requirements, security software standards, remote access policies, and authentication protocols, and together they ensure that data cannot be easily obtained by anyone outside your network. Include specific requirements for wireless security, device management, and connected devices, such as two-factor (or multi-factor) authentication and encryption of communications. Be specific and intentional with your protection. Address how your DSC will handle security patches and updates.
Create a personal accountability policy, in line with the behavioral guidelines for PII protection in IRS Publication 4557.
The DSC should be listed as the responsible party for external risk management protocols. Alternatively, these protocols can be handled by your IT service provider under the direction of the appointed DSC.
Consider Your Implementations
Your WISP should contain a short section summarizing the implementations for your practice as outlined by the WISP. These can fall under planning, security assessment, data security training for staff, and more. Lastly, the practice’s owner and the appointed DSC should sign the document, putting both parties’ stamp of approval on the WISP.
Conclusions
Remember, your WISP isn’t just a regulatory requirement; it’s a living document that should evolve with your practice. Regularly review and update your WISP as security threats and business practices change. By following our structured approach, you can create a robust security plan that protects your clients’ data and your practice. Download our template today and start building a stronger security foundation for your practice. For coursework on data security, check out Cybersecurity for Your Tax Practice and Keeping Tax Payer Data Secure.