I see Drake is offering something for their customers to meet this requirement; is this something Intuit will be doing as well?
Reading the requirements, I still don't fully understand what I need to have for a one person office, and who is the service provider that the IRS references here?
I have an anti-virus, I keep logins and strong unique passwords secure, I use two factor authorizations on anything that gives me the option, I password protect anything I send clients in email, maintain backups securely offsite, destroy or wipe all devices with client data that are no longer being used, I'm in the process of securing cyber insurance...maybe the cyber insurance company will provide this?
Tax pros must create a written security plan to protect their clients’ data. In fact, the law requires them to make this plan.
Creating a data security plan is one part of the new Taxes-Security-Together Checklist. The IRS and its Security Summit partners created this checklist. It helps tax professionals protect sensitive data in their offices and on their computers.
Many tax preparers may not realize they are required under federal law to have a data security plan. Each plan should be tailored for each specific office. When creating it, the tax professional should take several factors into consideration. This includes things like the company’s size, the nature of its activities, and the sensitivity of its customer information.
Creating a plan
Tax professionals should make sure to do these things when writing and following their data security plans:
* Include the name of all information security program managers.
* Identify all risks to customer information.
* Evaluate risks and current safety measures.
* Design a program to protect data.
* Put the data protection program in place.
* Regularly monitor and test the program.
Selecting a service provider
Companies should have a written contract with their service provider. The provider must:
* Maintain appropriate safety measures.
* Oversee the handling of customer information review.
* Revise the security program as needed.
Lisa, here is a plan that is simple and covers the IRS requirements. I can't take credit for it, as I got it from a tax preparer on another site.
* Include the name of all information security program managers.
Terry
* Identify all risks to customer information.
Fire, theft, flood, earthquake, government seizure of property, software malfunction, mis-addressed or mis-delivered communications. No risk from employees because I have none.
* Evaluate risks and current safety measures.
Yes, they are all risks. Current safety measures include physical locks, up to date professional computer software with all vendor supplied security patches applied within one week of release, and encryption of customer data in digital form.
* Design a program to protect data.
Immediately scan client paper documents into secure encrypted digital storage, then return or shred the paper. Use unique passwords for each login requiring a password. Do not share passwords. Use MFA for tax software access.
* Put the data protection program in place.
Yes.
* Regularly monitor and test the program.
Take this plan off the shelf once per year and read it. Test: get a colleague to come over and promise to buy them a meal if they access customer information in my tax office without my help, within 30 minutes.
Thank you so much! Exactly what I was looking for, simple and to the point, no legalese and fluff that nobody understands....who is the intended reading audience for this written plan? Are clients supposed to have access to this?
Hi Lisa, it is my understanding that we just have the plan in place at our office, but we don't have to make it public.
Lisa - I have the Drake version, if you want me to send it to you.
Anna
@abctax55 wrote: Lisa - I have the Drake version, if you want me to send it to you.
Anna
As long as you are sending things, can you send one my way? I'm curious how they are laying it out.
@Just-Lisa-Now- wrote:
Thanks!
PS. And just a note to @IntuitAustin: I'm no longer seeing the little bell notifications in the top corner!
Are you on desktop or mobile?
@Just-Lisa-Now- wrote:
OK, I was on my iPhone...the notifications DO appear on my PC, but no little bell shows up on my iPhone using Safari browser.
I'll look into it and see what I can do to fix it.
Just google "drake data security plan"; when results pop up, scroll down and you will see Drake's plan as a PDF.
@abctax55 wrote: Lisa - I have the Drake version, if you want me to send it to you.
Anna
If you could, please send a copy my way.
Thanks
PS: If Intuit does offer this it will cost half an arm and a foot.
To those that asked, I've emailed the Office Security Plan. Let me know if I missed anyone.
"PS: If Intuit does offer this it will cost half an arm and a foot."
Plus a fast foot fee.
Hi
I am completely confused on the requirement of data security. Do I need to purchase a program other than my anti virus? This is my first year out on my own. Does ProSeries have an encryption program?
Can you send me what you have on office security? I am actually losing sleep over this.
Thanks
Alicia
[email address removed]
Alicia, I wouldn't lose sleep over it. The IRS just wants us to keep our clients' info safe and secure. If you have antivirus software, and passwords on your computer, that should do it. ProSeries is password protected and encrypted. You just need to write a plan down as I showed mine earlier; it doesn't have to be complicated, as long as the IRS guidelines are followed.
Can you email me the office security plan? Thanks in advance.
Alicia
So a few questions.
Do you encrypt your hard drives? What happens when someone comes into the office and grabs the CPU? Anyone can get software on the web to wipe the login password to gain access to the client's data.
Are you using a business email address or a personal email address? Most people pick a very weak password on personal email addresses, whereas business emails have complexity rules that are enforced.
Do you have a company perform phishing exercises for you? What about annual training on cybercrimes to keep up to date with trends?
Do you use a password management system to make sure that passwords are complex and are not used by different accounts?
Do you have security software installed so that, just in case something gets past the virus software, you would get an alert? What happens when someone brings in an affected computer to your establishment and installs software on the backside of your computer remotely to encrypt all of your files? Do you have backups?