
Cyber security and the written data security plan that is now required by IRS

Just-Lisa-Now-
Level 15

https://www.irs.gov/newsroom/heres-what-tax-professionals-should-know-about-creating-a-data-security...

I see Drake is offering something for their customers to meet this requirement. Is this something Intuit will be doing as well?

Reading the requirements, I still don't fully understand what I need to have for a one-person office, and who is the service provider that IRS references here?

I have an anti-virus, I keep logins and strong unique passwords secure, I use two factor authorizations on anything that gives me the option, I password protect anything I send clients in email, maintain backups securely offsite, destroy or wipe all devices with client data that are no longer being used, I'm in the process of securing cyber insurance...maybe the cyber insurance company will provide this?

Tax pros must create a written security plan to protect their clients’ data. In fact, the law requires them to make this plan.

Creating a data security plan is one part of the new Taxes-Security-Together Checklist. The IRS and its Security Summit partners created this checklist. It helps tax professionals protect sensitive data in their offices and on their computers.

Many tax preparers may not realize they are required under federal law to have a data security plan. Each plan should be tailored for each specific office. When creating it, the tax professional should take several factors into consideration. This includes things like the company’s size, the nature of its activities, and the sensitivity of its customer information.

Creating a plan
Tax professionals should make sure to do these things when writing and following their data security plans:

* Include the name of all information security program managers.
* Identify all risks to customer information.
* Evaluate risks and current safety measures.
* Design a program to protect data.
* Put the data protection program in place.
* Regularly monitor and test the program.


Selecting a service provider
Companies should have a written contract with their service provider. The provider must:

* Maintain appropriate safety measures.
* Oversee the handling of customer information review.
* Revise the security program as needed.


♪♫•*¨*•.¸¸♥Lisa♥¸¸.•*¨*•♫♪

Accepted Solutions
Terry53029
Level 14

Lisa, here is a plan that is simple and covers the IRS requirements. I can't take credit for it, as I got it from a tax preparer on another site.

* Include the name of all information security program managers.

Terry

* Identify all risks to customer information.

Fire, theft, flood, earthquake, government seizure of property, software malfunction, mis-addressed or mis-delivered communications. No risk from employees because I have none.

* Evaluate risks and current safety measures.

Yes, they are all risks. Current safety measures include physical locks, up to date professional computer software with all vendor supplied security patches applied within one week of release, and encryption of customer data in digital form.

* Design a program to protect data.

Immediately scan client paper documents into secure encrypted digital storage, then return or shred the paper. Use unique passwords for each login requiring a password. Do not share passwords. Use MFA for tax software access.

* Put the data protection program in place.

Yes.

* Regularly monitor and test the program.

Take this plan off the shelf once per year and read it. Test: get a colleague to come over and promise to buy them a meal if they access customer information in my tax office without my help, within 30 minutes.

Just-Lisa-Now-
Level 15

Thank you so much! Exactly what I was looking for, simple and to the point, no legalese and fluff that nobody understands....who is the intended reading audience for this written plan? Are clients supposed to have access to this?


♪♫•*¨*•.¸¸♥Lisa♥¸¸.•*¨*•♫♪
Terry53029
Level 14

Hi Lisa, it is my understanding that we just have the plan in place at our office, but we don't have to make it public.

Just-Lisa-Now-
Level 15
Thanks!

PS. And just a note to @IntuitAustin I'm no longer seeing the little bell notifications in the top corner!

♪♫•*¨*•.¸¸♥Lisa♥¸¸.•*¨*•♫♪
abctax55
Level 15

Lisa - I have the Drake version, if you want me to send it to you.

Anna

HumanKind... Be Both
IRonMaN
Level 15

@abctax55 wrote:

Lisa - I have the Drake version, if you want me to send it to you.

Anna


As long as you are sending things, can you send one my way?  I'm curious how they are laying it out.


Slava Ukraini!
IntuitAustin
Intuit Alumni

@Just-Lisa-Now- wrote:
Thanks!

PS. And just a note to @IntuitAustin I'm no longer seeing the little bell notifications in the top corner!

Are you on desktop or mobile? 


**Say "Thanks" by clicking the thumb icon in a post
**Mark the post that answers your question by clicking on "Accept as solution"
Just-Lisa-Now-
Level 15
OK, I was on my iPhone...the notifications DO appear on my PC, but no little bell shows up on my iPhone using Safari browser.

♪♫•*¨*•.¸¸♥Lisa♥¸¸.•*¨*•♫♪
Just-Lisa-Now-
Level 15
That would be great, Anna! You've got my email, it's still the same.

♪♫•*¨*•.¸¸♥Lisa♥¸¸.•*¨*•♫♪
IntuitAustin
Intuit Alumni

@Just-Lisa-Now- wrote:
OK, I was on my iPhone...the notifications DO appear on my PC, but no little bell shows up on my iPhone using Safari browser.

I'll look into it and see what I can do to fix it :)


Terry53029
Level 14

Just google "drake data security plan". When results pop up, scroll down and you will see Drake's plan as a PDF.

Ernie
Level 9

@abctax55 wrote:

Lisa - I have the Drake version, if you want me to send it to you.

Anna


If you could, please send a copy my way.

Thanks

PS:  If Intuit does offer this it will cost half an arm and a foot.

abctax55
Level 15

To those that asked, I've emailed the Office Security Plan.  Let me know if I missed anyone.

HumanKind... Be Both
IRonMaN
Level 15

"PS:  If Intuit does offer this it will cost half an arm and a foot."

Plus a fast foot fee.


Slava Ukraini!
Alicia
Level 2

Hi

I am completely confused on the requirement of data security. Do I need to purchase a program other than my anti virus? This is my first year out on my own. Does ProSeries have an encryption program?

Can you send me what you have on office security? I am actually losing sleep over this.

Thanks

Alicia

[email address removed]

 

Terry53029
Level 14

Alicia, I wouldn't lose sleep over it. The IRS just wants us to keep our clients' info safe and secure. If you have antivirus software, and passwords on your computer, that should do it. ProSeries is password protected and encrypted. You just need to write a plan down as I showed mine earlier. It doesn't have to be complicated, as long as the IRS guidelines are followed.

Alicia
Level 2

Can you email me the office security plan? Thanks in advance.

Alicia

gspearson
Level 1

So a few questions.

Do you encrypt your hard drives? What happens when someone comes into the office and grabs the CPU? Anyone can get software on the web to wipe the login password to gain access to the client's data.

Are you using a business email address or a personal email address? Most people pick a very weak password on personal email addresses whereas business emails have complexity rules that are enforced.

Do you have a company perform phishing exercises on you? What about annual training on cybercrimes to keep up to date with trends?

Do you use a password management system to make sure that passwords are complex and are not used by different accounts?

Do you have security software installed so that, just in case something gets past the virus software, you would get an alert? What happens when someone brings in an affected computer to your establishment and installs software on the backside of your computer remotely to encrypt all of your files? Do you have backups?
