Any advice or samples available for me to create the 2022 required WISP?
I am a sole proprietor with no employees, working from my home office.
Received an offer from Tech4 Accountants email@Office TemplatesOnline.com, offering to prepare the Plan for a fee and would need access to my computer in order to do so.
They estimated a fee from $500 to $1,500 with a minimum annual renewal fee of $200 plus.
Declined the offer and now reaching out to you "Wise Ones" for your valuable input and recommendations.
Intuit provided a pretty good article:
If you received an offer from someone you had not contacted, I would ignore it. That's a cold call. You cannot verify it.
Do you have, or are you a member of, a professional organization, such as State CPAs? They should have referrals and/or cautionary notes. Check with peers in your area. Someone might be offering this, if they already have it in-house and are large enough to have an IT person/Dept.
Thank you for your detailed reply!
Do you have a link for that IRS Sample?
Thanking you in advance.
Hello,
I got an offer from Tech4Accountants ... too but I decided to decline their offer as you did. I don't know where I can find someone to help me with this. I am a sole proprietor as well. Have you ordered it yet?
I hope someone here can help me. It is time to renew my PTIN but I need to do this first.
Thank you in advance for your valuable input.
Thank you!
As of this time and date, I have not been successful in locating an alternate provider for the required WISP reporting.
Tech4 Accountants have continued to send me numerous email prompts to get me to sign-up, this a.m. they are offering a $500 reduction to their $1200 fee.
Had hoped to get more feedback from those in the community, at the least some feedback as to how they approached the new requirements.
I lack the time and expertise to follow the IRS WISP instructions and as the deadline approaches, it looks like I will be forced to pay Tech4.
Good luck and will share with you any positive information that comes my way.
HAVE YOU TRIED TO GET PTIN?
THERE HAS TO BE SOMEONE OUT THERE TO SET UP A PLAN FOR YOU.
I am also an individual tax preparer and have had the same experience. Did you ever find a reasonable way to get this done. The link for the IRS template doesn't work and has been giving an error message every time. Any help would be appreciated. I was very surprised that Intuit doesn't provide a solution for all of us that use their software.
Maybe this link will work for the IRS Wisp info. https://www.irs.gov/pub/irs-pdf/p5708.pdf I have told my husband's tech consulting firm this would be a big market for them.
DUH! Look one line above your question for the IRS link. No 🐟 🐠🐡 today, just a 🎣
(LOL, George 🙂)
Start with what the IRS put in the publication and make it YOURS:
Sample Template
Written Information Security Plan (WISP)
For
Mikey's tax Service
This Document is for general distribution and is available to all employees. This Document is available to Clients by request and with consent of the Firm’s Data Security Coordinator.
Last Modified/Reviewed January 27, 2023
[Should review and update at least annually]
Written Information Security Plan (WISP)
Our objective, in the development and implementation of this comprehensive Written Information Security Plan (WISP), is to create effective administrative, technical, and physical safeguards for the protection of the Personally Identifiable Information (PII) retained by Mikey's tax Service, (hereinafter known as the Firm). This WISP is to comply with obligations under the Gramm-Leach-Bliley Act and Federal Trade Commission Financial Privacy and Safeguards Rules to which the Firm is subject. The WISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PII retained by the Firm. For purposes of this WISP, PII means information containing the first name and last name or first initial and last name of a Taxpayer, Spouse, Dependent, or Legal Guardianship person in combination with any of the following data elements retained by the Firm that relate to Clients, Business Entities, or Firm Employees:
PII shall not include information that is obtained from publicly available sources such as a Mailing Address or Phone Directory listing; or from federal, state or local government records lawfully made available to the general public.
The purpose of the WISP is to:
III. SCOPE
The Scope of the WISP related to the Firm shall be limited to the following protocols:
[The Firm] has designated [Employee’s Name] to be the Data Security Coordinator (hereinafter the DSC). The DSC is the responsible official for the Firm data security processes and will implement, supervise, and maintain the WISP. Accordingly, the DSC will be responsible for the following:
electronic transmission of tax returns to implement and maintain appropriate security measures for the PII to which we have permitted them access, and
WISP. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with our requirements for ensuring the protection of PII. See Employee/Contractor Acknowledgement of Understanding at the end of this document.
[The Firm] has designated [Employee’s Name] to be the Public Information Officer (hereinafter PIO). The PIO will be the firm’s designated public statement spokesperson. To prevent misunderstandings and hearsay, all outward-facing communications should be approved through this person who shall be in charge of the following:
To reduce internal risks to the security, confidentiality, and/or integrity of any retained electronic, paper, or other records containing PII, the Firm has implemented mandatory policies and procedures as follows:
PII Collection and Retention Policy
attachment to this WISP.
Personnel Accountability Policy
reviewing supporting NISTIR 7621, NIST SP-800 18, and Pub 4557 requirements]
retained PII.
to their account.
compliance.
protecting the security of PII.
termination of employment.
PII Disclosure Policy
sources.
Reportable Event Policy
other inquirers.
To combat external risks from outside the firm network to the security, confidentiality, and/or integrity of electronic, paper, or other records containing PII, and improving - where necessary - the effectiveness of the current safeguards for limiting such risks, the Firm has implemented the following policies and procedures.
Network Protection Policy
Firm User Access Control Policy
Firm employee at any time.
Electronic Exchange of PII Policy
call or SMS text message (out of stream from the data sent).
Wi-Fi Access Policy
Remote Access Policy
The DSC and the Firm’s IT contractor will approve use of Remote Access utilities for the entire Firm.
Remote access is dangerous if not configured correctly and is the preferred tool of many hackers.
Remote access using tools that encrypt both the traffic and the authentication requests (ID and Password) used will be the standard. Remote Access will not be available unless the Office is staffed and systems are monitored. Nights and Weekends are high threat periods for Remote Access Takeover data theft. Remote access will only be allowed using 2 Factor Authentication (2FA) in addition to username and password authentication.
Connected Devices Policy
Information Security Training Policy
All employees will be trained on maintaining the privacy and confidentiality of the Firm’s PII. The DSC will conduct training regarding the specifics of paper record handling, electronic record handling, and Firm security procedures at least annually. All new employees will be trained before PII access is granted, and periodic reviews or refreshers will be scheduled until all employees are of the same mindset regarding Information Security. Disciplinary action may be recommended for any employee who disregards these policies.
VII. IMPLEMENTATION
Effective [date of implementation], [The Firm] has created this Written Information Security Plan (WISP) in compliance with regulatory rulings regarding implementation of a written data security plan found in the Gramm-Leach-Bliley Act and the Federal Trade Commission Financial Privacy and Safeguards Rules.
Signed: ______________________________________ Date: __________________
Title: [Principal Operating Officer/Owner Title]
Signed: ______________________________________ Date: __________________
Title: Data Security Coordinator
Added Detail for Consideration When Creating your WISP
Use this additional detail as you develop your written security plan. Review the description of each outline item and consider the examples as you write your unique plan.
Define the WISP objectives, purpose, and scope
Objective Statement: This defines the reason for the plan, stating any legal obligations such as compliance with the provisions of GLBA and sets the tone and defines the reasoning behind the plan. The Objective Statement should explain why the Firm developed the plan. It also serves to set the boundaries for what the document should address and why.
Purpose Statement: The Purpose Statement should explain what and how taxpayer information is being protected with the security process and procedures.
Scope Statement: The scope statement sets the limits on the intent and purpose of the WISP. Since you should not be legally held to a standard that was unforeseen at the writing or periodic updating of your WISP, you should set reasonable limits that the scope is intended to define.
Identify responsible individuals
Identify by name and position persons responsible for overseeing your security programs. Explain who will act in the roles of Data Security Coordinator (DSC) and Public Information Officer (PIO). In most firms of two or more practitioners, these should be different individuals. These roles will have concurrent duties in the event of a data security incident. Be sure to define the duties of each responsible individual.
Assess Risks
step in evaluating risk. Some types of information you may use in your firm include taxpayer PII, employee records, and private business financial information. For example, do you handle paper and electronic documentation containing client or employee PII? List all types.
List all potential types of loss (internal and external). Evaluate types of loss that could occur, including unauthorized access and disclosure and loss of access. Be sure to include any potential threats and vulnerabilities, such as theft, destruction, or accidental disclosure. Examples might include physical theft of paper or electronic files, electronic data theft due to Remote Access Takeover of your computer network, and loss due to fire, hurricane, tornado or other natural cause.
Outline procedures to monitor your processes and test for new risks that may arise.
Inventory Hardware
It is imperative to catalog all devices used in your practice that come in contact with taxpayer data. This could be anything from computers, network devices, cell phones, and printers to modems and routers.
Example:
of information
Sample Attachment E - Firm Hardware Inventory containing PII Data
Document Safety Measures
This section sets the policies and business procedures the firm undertakes to secure all PII in the Firm’s custody of clients, employees, contractors, governing any privacy-controlled physical (hard copy) data, electronic data, and handling by firm employees.
List policies for the following:
Data collection and retention
met their data retention life cycle
Data disclosure
Professional prior to installation.
Reportable Incidents
Create both an Incident Response Plan & a Breach Notification Plan
In the event of an incident, the presence of both a Response and a Notification Plan in your WISP reduces the unknowns of how to respond and should outline the necessary steps that each designated official must take to both address the issue and notify the required parties.
enforcement agencies
Draft Employee Code of Conduct
Determine a personnel accountability policy including training guidelines for all employees and contractors, guidelines for behavior, and employee screening and background checks. Address any necessary non-disclosure agreements and privacy guidelines. Be sure to include information for terminated and separated employees, such as scrubbing access and passwords and ending physical access to your business.
Draft an Implementation Clause
When all appropriate policies and procedures have been identified and included in your plan, it is time for the final steps and implementation of your WISP. An Implementation clause should show the following elements:
Rule
date of implementation
Ancillary Attachments
Attach any ancillary procedures as attachments. These are the specific task procedures that support firm policies, or business operation rules. For example, a separate Records Retention Policy makes sense. If regulatory records retention standards change, you update the attached procedure, not the entire WISP. Other potential attachments are Rules of Behavior and Conduct Safeguarding Client PII, as recommended in Pub 4557. Another good attachment would be a Security Breach Notifications Procedure.
Sample Attachment A - Record Retention Policy
Determine the firm’s procedures on storing records containing any PII.
How long will you keep historical data records? Different firms have different standards. There are some Federal and state guidelines for records retention periods.
How will you destroy records once they age out of the retention period?
Best Practice: Keeping records longer than the minimum record retention period can put clients at some additional risk for deeper audits. By common discovery rules, if the records are there, they can be audited back as far as the statutes of limitations will allow. Promptly destroying old records at the minimum required timeframe will limit any audit or other legal inquiry into your clients’ records to that time frame only.
Sample Attachment B - Rules of Behavior and Conduct Safeguarding Client PII
Having some rules of conduct in writing is a very good idea. It standardizes the way you handle and process information for everyone in the firm. This attachment can be reproduced and posted in the breakroom, at desks, and as a guide for new hires and temporary employees to follow as they get oriented to safe data handling procedures. These sample guidelines are loosely based on the National Institute of Standards guidelines and have been customized to fit the context of a Tax & Accounting Firm’s daily operations.
Best Practice: At the beginning of a new tax season cycle, this addendum would make good material for a monthly security staff meeting. Keeping security practices top of mind is of great importance. Other monthly topics could include how phishing emails work, phone call grooming by a bad actor, etc. SANS.ORG has great resources for security topics. The Ouch! Newsletter can be used as topical material for your Security meetings.
Sample Attachment C - Security Breach Procedures and Notifications
It is a good idea to have a guideline to follow in the immediate aftermath of a data breach. To be prepared for the eventuality, you must have a procedural guide to follow. This attachment will need to be updated annually for accuracy. Subscribing to IRS e-news and topics like the Protect Your Clients, Protect Yourselves series will inform you of changes as fraud prevention procedures mature over time.
Sample Attachment D - Employee/Contractor Acknowledgement of Understanding
It is a good idea to have a signed acknowledgment of understanding. This is particularly true when you hire new or temporary employees, and when you bring a vendor partner into your business circle, such as your IT Pro, cleaning service, or copier servicing company. They need to know you handle sensitive personal data and you take the protection of that data very seriously.
Best Practice: It is important that employees see the owners and managers put themselves under the same rules as everyone else. When you roll out your WISP, placing the signed copies in a collection box on the office manager’s desk for a time for anyone to see, for example, is a good way for everyone to see that all employees are accountable. Placing the Owners and Data Security Coordinator’s signed copy on the top of the stack prominently shows you will play no favorites and are all pledging to the same standard of conduct. This acknowledgement process should be refreshed annually after an annual meeting discussing the Written Information Security Plan and any operational changes made from the prior year.
Sample Attachment E - Firm Hardware Inventory containing PII Data
Keeping track of data is a challenge. A good way to make sure you know where everything is and when it was put in service or taken out of service is recommended. This is especially true of electronic data.
Best Practice: Set a policy that no client PII can be stored on any personal employee devices such as personal (not firm owned) memory sticks, home computers, and cell phones that are not under the direct control of the firm. This ensures all devices meet the security standards of the firm, such as having any auto-run features turned off, and they are standardized for virus and malware scans.
Sample Attachment F - Firm Employees Authorized to Access PII
Having a list of employees and vendors, such as your IT Pro, who are authorized to handle client PII is a good idea. You should not allow someone who may not fully understand the seriousness of the secure environment your firm operates in to access privacy-controlled information. Additionally, an authorized access list is a good place to start the process of removing access rights when a person retires or leaves the firm. Having a systematic process for closing down user rights is just as important as granting them.
Best Practice: If a person has their rights increased or decreased, it is a good idea to terminate the old access rights on one line, and then add a new entry for the new access rights granted. This shows a good chain of custody for rights and shows a progression. For the same reason, it is a good idea to show a person who goes into semi-retirement and has less rights than before and the date the status changed.
Sample Attachment A: Record Retention Policies
Designated retained written and electronic records containing PII will be destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.
It is Firm policy to retain no PII records longer than required by current regulations, practices, or standards.
III. Electronic records shall be securely destroyed by deleting and overwriting the file directory or by reformatting the drive where they were housed or destroying the drive disks rendering them inoperable if they have reached the end of their service life.
Sample Attachment B: Rules of Behavior and Conduct Safeguarding Client PII
Create and distribute rules of behavior that describe responsibilities and expected behavior regarding computer information systems as well as paper records and usage of taxpayer data. Have all information system users complete, sign, and comply with the rules of behavior. NISTIR 7621, Small Business Information Security: The Fundamentals, Section 4, has information regarding general rules of Behavior, such as:
Be careful of email attachments and web links
Do not click on a link or open an attachment that you were not expecting. If it appears important, call the sender to verify they sent the email and ask them to describe what the attachment or link is. Before you click a link (in an email or on social media, instant messages, other webpages), hover over that link to see the actual web address it will take you to. Train employees to recognize phishing attempts and who to notify when one occurs.
This is especially important if other people, such as children, use personal devices. Do not conduct business or any sensitive activities (like online business banking) on a personal computer or device and do not engage in activities such as web surfing, gaming, downloading videos, etc., on business computers or devices. Do not send sensitive business information to personal email addresses.
Do not connect personal or untrusted storage devices or hardware into computers, mobile devices, or networks.
Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown/untrusted hardware into the system or network, and do not insert any unknown CD, DVD, or USB drive. Disable the “AutoRun” feature for the USB ports and optical drives like CD and DVD drives on business computers to help prevent such malicious programs from installing on the systems.
Be careful downloading software
Do not download software from an unknown web page. Be very careful with freeware or shareware.
Watch out when providing personal or business information
the system.
Watch for harmful pop-ups
When connected to and using the Internet, do not respond to popup windows requesting that users click “OK.” Use a popup blocker and only allow popups on trusted websites.
Good passwords consist of a random sequence of letters (upper- and lower-case), numbers, and special characters. The NIST recommends passwords be at least 12 characters long. For systems or applications that have important information, use multiple forms of identification (called “multi-factor” or “dual factor” authentication).
Conduct online business more securely
Sample Attachment C: Security Breach Procedures and Notifications
If the Data Security Coordinator determines that PII has been stolen or lost, the Firm will notify the following entities, describing the theft or loss in detail, and work with authorities to investigate the issue and to protect the victim’s identity and credit.
Read this IRS Newswire Alert for more information. Examples:
Go to IRS e-Services and check your EFIN activity report to see if more returns have been filed on your EFIN than you transmitted.
Typically, a thief will remotely steal the client data over the weekend when no one is in the office to notice. They then rework the returns over the weekend and transmit them on a normal business workday just after the weekend.
Sample Attachment D: Employee/Contractor Acknowledgement of Understanding
I, [Employee Name], do hereby acknowledge that I have been informed of the Written Information Security Plan used by [The Firm]. I have undergone training conducted by the Data Security Coordinator. I have also been able to have all questions regarding procedures answered to my satisfaction so that I fully understand the importance of maintaining strict compliance with the purpose and intent of this WISP.
I also understand that there will be periodic updates and training if these policies and procedures change for any reason. It has been explained to me that non-compliance with the WISP policies may result in disciplinary actions up to and including termination of employment.
I understand the importance of protecting the Personally Identifiable Information of our clients, employees, and contacts, and will diligently monitor my actions, as well as the actions of others, so that [The Firm] is a safe repository for all personally sensitive data necessary for business needs.
Signed,
[Employee Name] Date: [Date of Initial/Last Training]
Title: [Employee Title Description]
Sample Attachment E: Firm Hardware Inventory containing PII Data
Below is the enumerated list of hardware and software containing client or employee PII that will be periodically audited for compliance with this WISP.
Sample Attachment F: Firm Employees Authorized to Access PII
Reference A. The Glossary of Terms
Anti-virus software - software designed to detect and potentially eliminate viruses before damaging the system. Can also repair or quarantine files that have already been infected by virus activity.
Attachment - a file that has been added to an email. It could be something useful to you, or something harmful to your computer.
Authentication - confirms the correctness of the claimed identity of an individual user, machine, software component or any other entity.
Breach - unauthorized access of a computer or network, usually through the electronic gathering of login credentials of an approved user on the system.
Clear desk Policy - a policy that directs all personnel to clear their desks at the end of each working day, and file everything appropriately. Desks should be cleared of all documents and papers, including the contents of the “in” and “out” trays - not simply for cleanliness, but also to ensure that sensitive papers and documents are not exposed to unauthorized persons outside of working hours.
Clear screen Policy - a policy that directs all computer users to ensure that the contents of the screen are protected from prying eyes and opportunistic breaches of confidentiality. Typically, the easiest means of compliance is to use a screensaver that engages either on request or after a specified brief period.
Cybersecurity - the protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems.
Data Security Coordinator (DSC) - the firm-designated employee who will act as the chief data security officer for the firm. The DSC is responsible for all aspects of your firm’s data security posture, especially as it relates to the PII of any client or employee the firm possesses in the course of normal business operations.
Data breach - an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
Encryption - a data security technique used to protect information from unauthorized inspection or alteration.
Information is encoded so that it appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using a decryption key.
Firewall - a hardware or software link in a network that inspects all data packets coming and going from a computer, permitting only those that are authorized to reach the other side. It is helpful in controlling external access to a computer or network.
GLBA - Gramm-Leach-Bliley Act. Administered by the Federal Trade Commission. Establishes safeguards for all privacy-controlled information through business segment Safeguards Rule enforced business practices.
Hardware firewall - a dedicated computer configured to exclusively provide firewall services between another computer or network and the internet or other external connections.
Malware - (malicious software) any computer program designed to infiltrate, damage or disable computers.
Network - two or more computers that are grouped together to share information, software, and hardware. Can be a local office network or an internet-connection based network.
Out-of-stream - usually relates to the forwarding of a password for a file via a different mode of communication separate from the protected file. Example: Password protected file was emailed, the password was relayed to the recipient via text message, outside of the same stream of information from the protected file.
Patch - a small security update released by a software manufacturer to fix bugs in existing programs.
Phishing email - broad term for email scams that appear legitimate for the purpose of tricking the recipient into sharing sensitive information or installing malware.
PII - Personally Identifiable Information. The name, address, SSN, banking or other information used to establish official business. Also known as Privacy-Controlled Information.
Public Information Officer (PIO) - the PIO is the single point of contact for any outward communications from the firm related to a data breach incident where PII has been exposed to an unauthorized party. This position allows the firm to communicate to affected clients, media, or local businesses and associates in a controlled manner while allowing the Data Security Coordinator freedom to work on remediation internally.
Risk analysis - a process by which frequency and magnitude of IT risk scenarios are estimated; the initial steps of risk management; analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.
Security awareness - the extent to which every employee with access to confidential information understands their responsibility to protect the physical and information assets of the organization.
Service providers - any business service provider contracted with for services, such as janitorial services, IT Professionals, and document destruction services employed by the firm who may come in contact with sensitive client PII.
Software firewall - an application installed on an existing operating system that adds firewall services to the existing programs and services on the system.
VPN (Virtual Private Network) - a secure remote network or Internet connection encrypting communications between a local device and a remote trusted device or service that prevents en-route interception of data.
Written Information Security Plan - a documented, structured approach identifying related activities and procedures that maintain a security awareness culture and to formulate security posture guidelines. Mandated for Tax & Accounting firms through the FTC Safeguards Rule supporting the Gramm-Leach-Bliley Act privacy law.
This is a WISP from IRS. Make it yours. Do some work and simplify and have it represent what you can do to keep your data safe!!!!!
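The template's Remote Access Policy above says remote access is only allowed while the office is staffed and monitored, and the breach procedures note that thieves typically pull client data over the weekend. Here is an added example, not part of the IRS template or of the post above, that turns that policy into a check you can run over remote-access or VPN logon records. The log format, the staffed hours (Monday to Friday, 08:00 to 18:00 local) and the user/IP values are all constructed for the example; adapt the regular expression to what your remote-access appliance actually writes.

```python
"""Flag successful remote-access logons outside staffed office hours.

Added example, not from IRS Pub 5708 or the forum thread. The log format,
hours and values are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Staffed hours assumed for the example: Monday-Friday, 08:00-18:00 local time.
STAFFED_DAYS = {0, 1, 2, 3, 4}            # Monday=0 ... Friday=4
STAFFED_START, STAFFED_END = time(8, 0), time(18, 0)

# Constructed sample log lines (not real data). 2023-03-04 is a Saturday.
SAMPLE_LOG = """\
2023-03-03T16:42:10 remote-access logon user=mikey src=198.51.100.7 result=success
2023-03-03T19:05:33 remote-access logon user=mikey src=198.51.100.7 result=success
2023-03-04T02:17:05 remote-access logon user=mikey src=203.0.113.5 result=success
2023-03-04T02:17:40 remote-access logon user=admin src=203.0.113.5 result=failure
2023-03-06T09:01:12 remote-access logon user=mikey src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access logon user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Logon:
    when: datetime
    user: str
    src: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into Logon records, skipping lines that do not match."""
    logons = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        logons.append(Logon(
            when=datetime.fromisoformat(m["ts"]),
            user=m["user"],
            src=m["src"],
            success=(m["result"] == "success"),
        ))
    return logons


def is_staffed(when):
    """True when the timestamp falls inside the assumed staffed office hours."""
    return when.weekday() in STAFFED_DAYS and STAFFED_START <= when.time() < STAFFED_END


def off_hours_logons(logons):
    """Successful logons that the policy says should not have happened."""
    return [entry for entry in logons if entry.success and not is_staffed(entry.when)]


def report(text):
    """Return (off-hours alerts, count of failed attempts) for a log excerpt."""
    logons = parse_log(text)
    failures = sum(1 for entry in logons if not entry.success)
    return off_hours_logons(logons), failures


if __name__ == "__main__":
    alerts, failures = report(SAMPLE_LOG)
    for a in alerts:
        print(f"ALERT off-hours remote logon: {a.when:%a %Y-%m-%d %H:%M} user={a.user} src={a.src}")
    print(f"{failures} failed attempt(s) in the window")
```

On the constructed sample this flags the Friday 19:05 logon and the Saturday 02:17 logon; the Saturday failure against `admin` from the same source address is counted separately because a burst of failures right before a success is worth looking at even during staffed hours. A sole proprietor can run this weekly against an exported log, or simply disable the remote-access service outside working hours, which is what the policy text actually asks for.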
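Attachment A of the template says electronic records are destroyed by "deleting and overwriting the file directory or by reformatting the drive". Deleting a name or reformatting only removes the pointers; the data blocks stay readable with recovery tools until something writes over them. The added example below, not from the IRS template or the post above, overwrites the file's own bytes before unlinking it. The sample record is constructed. Caveat a practitioner should keep in mind: on SSDs, copy-on-write or journaling filesystems and cloud-synced folders the old blocks may survive anyway, so treat in-place overwriting as a supplement to full-disk encryption and physical destruction of retired drives, not as a replacement.

```python
"""Overwrite a file's contents with random bytes, sync, then delete it.

Added example, not from IRS Pub 5708 or the forum thread. The sample
record written by demo() is constructed data, not a real client record.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024
# Constructed sample PII record for the demonstration.
SAMPLE_RECORD = b"Client: Jane Q. Taxpayer  SSN: 000-00-0000\n"


def overwrite_and_delete(path, passes=1):
    """Overwrite `path` in place `passes` times with random bytes, fsync, unlink.

    Returns the number of bytes overwritten per pass. Overwriting the data
    blocks is what the template's "overwriting the file directory" cannot do.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # push the overwrite to the device
    os.unlink(path)
    try:
        # Make the unlink itself durable by syncing the directory (POSIX).
        dfd = os.open(os.path.dirname(path) or ".", os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except OSError:
        pass                            # e.g. Windows cannot open a directory this way
    return size


def demo(copies=100, passes=2):
    """Create a temp file of constructed records, shred it, return (bytes per pass, still exists?)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD * copies)
    written = overwrite_and_delete(path, passes=passes)
    return written, os.path.exists(path)


if __name__ == "__main__":
    written, exists = demo()
    print(f"overwrote {written} bytes per pass; file still present: {exists}")
```

Multiple passes add little on modern drives; one pass of random data defeats software recovery of a file on a conventional disk, and nothing done at the file level is reliable on flash storage, which is why the retention policy should pair this with drive encryption from day one.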
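Attachment B tells staff to hover over a link and compare the displayed text with the real web address. The added example below, not from the IRS template or the post above, performs that comparison over every anchor in an HTML email body: it flags anchors whose visible text is a URL or domain that differs from the real host, links that resolve to a bare IP address, links that smuggle a fake host before an `@`, and links using a non-web scheme such as `javascript:`. The email body is constructed for the example; the 198.51.100.x and 203.0.113.x addresses and the example.net/example.org names are reserved documentation values, not real sites.

```python
"""Flag email links whose visible text disagrees with the real href.

Added example, not from IRS Pub 5708 or the forum thread. It automates the
"hover over the link" rule from the Rules of Behavior on a constructed message.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL_HTML = """
<p>Your e-Services account needs verification.</p>
<a href="http://198.51.100.23/login">https://www.irs.gov/e-services</a><br>
<a href="https://www.irs.gov/pub/irs-pdf/p5708.pdf">Publication 5708</a><br>
<a href="https://secure-login.example.net/irs">www.irs.gov</a><br>
<a href="javascript:alert(1)">Click here</a><br>
<a href="https://www.irs.gov@evil.example.org/">https://www.irs.gov</a>
"""

# Visible text that itself looks like a URL or bare domain.
_DOMAIN_RE = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url_like):
    """Lowercase hostname of a URL or bare domain (None if there is none)."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower() or None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_anchor(href, text):
    """Return the reasons this anchor is suspicious; an empty list means it looks fine."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = _host_of(href)
    if host and _is_ip(host):
        reasons.append("link target is a bare IP address")
    if "@" in parts.netloc:
        reasons.append("userinfo before @ hides the real host")
    if _DOMAIN_RE.match(text):
        shown = _host_of(text)
        if shown and host and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def suspicious_links(html):
    """All (href, text, reasons) triples in an HTML body that fail check_anchor."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        reasons = check_anchor(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Of the five constructed links only the genuine Publication 5708 link passes. The check is deliberately conservative: a link whose text is plain words ("Click here") is only flagged when the target itself is odd, because the rule in Attachment B is about the displayed address lying, not about every link being hostile.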
Finally!
Thank you very much.
Finally?
Did you look at the post by @CMcCullough and follow the link?
Since trying to teach users to fish was not working, I reeled in the guts out of the referenced post and gave it to you. DO NOT EXPECT EVERYTHING TO BE HANDED TO YOU. Use your noggin and think about what you are doing and READ everything you can about that issue.
@George4Tacks I've seen some long posts, but I think you just set the record.
Sad that you had to spell it out this way.
@Mountain Accountant You couldn't help yourself in 5 months?
HA!
Very true!
And a downloaded template is no substitute for a professional IT person to evaluate and document your information security risk and policies.
Did you ever find a company that could do your WISP plan?
Thanks for any help you can give.
Sibilo
I did it myself.
I just followed the one they posted and changed what it needed to be changed.
🙏🏻
Oh, I did add staff too.
good luck to you !
🙏🏻
Did you assess security risks yourself?
Did you design and implement a safeguards program?
Did you select service providers that can maintain appropriate safeguards?
These are areas that (most if not all) tax preparers don't have expertise in.
I know of two companies in California that will help you assess security risks, design and implement a safeguards program, and select service providers that can maintain appropriate safeguards. Feel free to ask me.
Did you find somebody?
The AICPA has useful guidance.