If you prepare or assist in preparing federal tax returns for compensation, you must have a valid 2025 PTIN before preparing returns. If you are an enrolled agent, you must also have a valid PTIN. You must also have an IRS WISP. If you checked number 11 on your Form W-12 Renewal, Data Security Responsibilities, and you have a WISP in place, you are compliant. If you checked it, whether inadvertently or knowingly, but don’t actually have one, read on.
What Difference Does It Make If I Don’t Have an IRS WISP?
While it is unlikely you would serve jail time, you could be risking your PTIN and it could be costly as well:
Compliance with the Gramm Leach Bliley Act (GLBA Law) mandates that financial institutions safeguard their customers’ non-public personal information (NPI).
The penalties for Gramm Leach Bliley Act non-compliance can be significant. GLBA privacy rules are enforced by state attorneys general and the Federal Trade Commission (FTC). Each violation penalty can vary from $100 to $100,000 per day.
If found guilty of willful or careless disregard for GLBA regulations, people and organizations may also be subject to criminal prosecution, fines, and possibly jail time. Comprehensive risk assessments, policies, and ongoing staff training are necessary for effective compliance.
Contact us About Our IRS WISP
Whether you are trying to meet the 12/31 deadline or just meet the PTIN requirement, Contact us About Our Compliant IRS WISP
Our IRS WISP Ensures Compliance
We create custom IRS WISPs for businesses of all sizes. Each one is company-specific. This document protects you and it protects your clients. The information below covers not only the IRS requirements for WISP content but also the elements of our IRS WISPs that make them exceptional, compliant and comprehensive.
Content Customized For Your Company
Automatic Network Asset Discovery
Risk Assessment and Recommendations
WISP Summaries for Clients and Employees
IRS WISP Requirements
A Written Information Security Plan (WISP) should cover the following elements:
Define the WISP objectives, purpose, and scope
Designate a qualified individual
-List the qualified individual who will coordinate the security programs as well as responsible persons.
-List authorized users at your firm, their data access levels, and responsibilities.
Assess Risks
-Identify Risks
▪ List types of information your office handles
▪ List potential areas for data loss (internal and external)
▪ Outline procedures to monitor and test risks
IT Asset Inventory
-List description and physical location of each item
-Record types of information stored or processed by each item
Document Safety Measures in place
-Suggested policies to include in your WISP:
▪ Data collection and retention
▪ Data disclosure
▪ Network protection
▪ User access
▪ Electronic data exchange
▪ Wi-Fi access
▪ Remote access
▪ Connected devices
▪ Reportable Incidents
-Draft Employee Code of Conduct
Draft an implementation clause
Attachments
Why Our IRS WISP?
Our IRS WISPs contain all of the requisite content listed in the adjacent column. But ours differ from other offerings because a comprehensive, custom document results from as little disruption to your operation as possible. These are some of the features of our IRS WISPs.
Automatic Network Asset Discovery: Unless you have an IT network administrator on your staff, finding the IT assets on your network can be difficult. Done manually, it is usually time-consuming and of questionable accuracy. It can be tedious enough, in fact, that this critical element is simply skipped. We have created a way for you to do it easily, with no network architecture knowledge required, if you have fewer than 100 assets.
Risk Assessment and Recommendations: Once we receive your answers to our questionnaire and the results from your IT asset discovery, we will perform a risk assessment and make risk mitigation recommendations for inclusion in your WISP.
Content Customized for Your Company: Whatever the size and nature of your practice, we create a customized WISP based on your location, your size, your clientele, and how you operate.
WISP Summaries for Clients and Employees: WISP summaries enable you to share with clients and employees the parts of your WISP that are most pertinent to them. Not all elements of your WISP need to be shared with your clients. We will create one-page summaries for clients and employees that give them the information they need to have at hand, with the understanding that they can always obtain more if they have questions.
Once you have placed your order, we will get you started with a questionnaire and your IT asset discovery.
The New Version of IRS Publication 5708
In August, the IRS released an update to Publication 5708, Creating a Written Information Security Plan for your Tax and Accounting Practice. In News Release IR-24-208, the IRS notified tax professionals of two significant changes.
A requirement to implement multi-factor authentication
The need to report any “security event” that affects 500 or more people
IRS deadlines are approaching but the imperative for a comprehensive WISP is already here. Protect yourself and your clients from a devastating, expensive breach of any kind.
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries.
It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…” -Task Force on Cyber Deterrence [DSB 2017], the Defense Science Board (DSB)
While WISPs are often thought to be the preserve of larger businesses, we also serve businesses with fewer than 500 employees, which need the protection afforded by a WISP just as much.
Our custom NIST-based Written Information Security Plans (WISPs) identify the policies and procedures for protecting your company’s confidential data, assessing how it’s being protected, and identifying who is ensuring it’s protected.
This WISP document enables you to proactively plan for the “what ifs” and is fundamental to your organization’s security. It can be the basis for risk management measures. It also enables you to be compliant with State requirements, where necessary.
Whether they are included as part of the WISP or simply referred to as part of an abbreviated description, we provide complete policies and procedures referenced in the WISP. We also offer our compliance documentation in two formats: The first is focused on the what (NIST policies) and the other is focused on how (company-specific policies based on NIST standards). See samples of the two approaches below.
Several industries and organizations are governed by cybersecurity regulations that require a WISP. If your organization is bound by the Health Insurance Portability and Accountability Act (HIPAA), then it is required to have a WISP. Recently, the 16 CFR Part 313: Privacy of Consumer Financial Information Rule under the Gramm-Leach-Bliley Act was amended. The American Institute of Certified Public Accountants (AICPA) developed Service Organization Controls to manage data securely with AICPA TSC 2017 SOC 2, which also requires a WISP, as does the National Institute of Standards and Technology (NIST) Cybersecurity Framework, recently updated to CSF 2.0.
Are you an accountant? Do you have a WISP?
The FTC’s Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) says you need one.
The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k).”
How do you know if your business is a financial institution subject to the Safeguards Rule? First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.
To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction.
If you live in one of these States, you are required to have a WISP that conforms to State requirements: Alabama, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Illinois, Indiana, Kansas, Louisiana, Maryland, Massachusetts, Minnesota, Nebraska, Nevada, New Mexico, New York, Ohio, Oregon, Rhode Island, South Carolina, Texas, Utah, Vermont, District of Columbia.
Alabama: 2018 SB 318
Arkansas: Ark. Code § 4-110-104(b)
California: Calif. Civil Code § 1798.91.04
Colorado: Colo. Rev. Stat. § 6-1-713 to -713.5
Connecticut: Conn. Gen. Stat. § 38a-999b, Conn. Gen. Stat. § 4e-70
South Carolina: S.C. Code § 38-99-10 to -100. (2018 HB 4655)
Texas: Tex. Bus. & Com. Code § 521.052
Utah: Utah Code §§ 13-44-101, -201, 301
Vermont: 9 V.S.A § 2446-2447 (2018 HB 764)
District of Columbia: 2020 B 215
We create custom State- and NIST-compliant Written Information Security Plans (WISPs) for businesses of all sizes. This document protects you and it protects your customers, clients or patients. These affordable documents include standalone versions of all policies and procedures that are referenced in your WISP. For example, your WISP access control policy would also be provided as a separate document that you can use in other documents such as training manuals or employee handbooks, or as standard operating procedures.
Every WISP is different: some are less comprehensive and some are more so, depending on the situation. In general, however, WISPs contain the following elements:
Designation of the employee or employees responsible for the security program
Identification and assessment of security risks
Policies for storage of data, as well as access and transportation of personal information
Disciplinary measures imposed on WISP violators
Limiting access by/to terminated employees
Managing the security practices of third-party vendors and contractors
Methods of restricting physical and digital access to records
Monitoring and reviewing the scope and effectiveness of the WISP
Documentation of data security incidents and responses
WISP Format Choices
How you format your WISP is a matter of choice, as long as it conforms to State guidelines wherever applicable.
Writing and implementing a WISP requires assessing company business processes, understanding the laws and regulations that apply to those processes, identifying potential information security gaps and weaknesses, finding the right balance between business practices and security, and educating end users about the policy once it is approved by company management.
NIST Framework
This WISP version is mapped to NIST standards and uses NIST terminology.
IR-4(2): INCIDENT HANDLING/DYNAMIC RECONFIGURATION Control Objective: Include organization-defined types of dynamic reconfiguration for organization-defined system components as part of the incident response capability.
Standard: Where technically feasible and justified by a valid business case, ACME must implement automated mechanisms to enable dynamic reconfiguration of information systems as part of incident response remediation actions.
Guidelines: Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers and isolate components of systems, thus limiting the extent of the damage from breaches or compromises.
Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.
This WISP version uses narrative, company-specific policies.
RISK ASSESSMENT
The Program Coordinator shall conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in its unauthorized disclosure, misuse, alteration, destruction or other compromise, and assess the sufficiency of any safeguards in place to control these risks. The risk assessment shall cover all relevant areas of the Dealership’s operations. At a minimum, the risk assessment shall cover the following:
• Employee training and management;
• Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
• Detecting, preventing and responding to attacks, intrusions or other systems failures.
Once the Program Coordinator has identified the reasonably foreseeable risks, the Program Coordinator will determine whether current policies and procedures in these areas sufficiently mitigate the potential risks identified. If not, the Program Coordinator shall design new policies and procedures that meet the objectives of the Program. Final policies and procedures that meet the objectives of the Program will be part of the Program.
FTC Standards for Safeguarding Customer Information
16 CFR Part 314: Standards for Safeguarding Customer Information (https://www.ftc.gov/business-guidance/blog/2023/10/ftc-announces-new-safeguards-rule-provision-your-company-whats-required)
October 2023 marks the 20th anniversary of the effective date of the Gramm-Leach-Bliley Safeguards Rule. Its purpose then – and its purpose now – is to protect consumers by requiring entities covered by the Rule to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
The amendment announced today requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.
The FTC revised the Safeguards Rule in October 2021 to strengthen protections for consumers’ information maintained by non-banking financial institutions – for example, mortgage brokers and payday lenders. Also announced was a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The agency just approved an amendment that will require notification.
The focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website.
Here are some of the things the notice must include:
the name and contact information of the financial institution;
a description of the types of information involved;
the date or date range of the notification event, if it’s possible to determine;
the number of consumers affected; and
a general description of the notification event.
IG1 – Implementation Group 1
From the Center for Internet Security:
Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Critical Security Controls (CIS Controls). CIS Controls v8 defines Implementation Group 1 (IG1) as essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises. IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.
In most cases, an IG1 enterprise is typically small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. A common concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime.
The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information. Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.
But no matter the size or complexity of your business, we recommend that all organizations begin with IG1. We also refer to IG1 as Essential Cyber Hygiene because it provides the actions necessary for an organization to defend itself against the major attack types being used by cybercriminals. IG1 is not just another list of good things to do; it’s an essential set of steps that helps all enterprises defend against real-world threats. And it provides a strong foundation for your cyber maturity growth, or as your security needs change. This is a strong claim, but we back it up with our use of the best-available summaries of attacks (like the Verizon DBIR), and an open, shared methodology (the CIS Community Defense Model v2.0).
NIST Cybersecurity Framework (CSF) 2.0
The agency has finalized the framework’s first major update since its creation in 2014
February 26, 2024
“The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.
The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.
The updated framework anticipates that organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools. New adopters can learn from other users’ successes and select their topic of interest from a new set of implementation examples and quick-start guides designed for specific types of users, such as small businesses, enterprise risk managers, and organizations seeking to secure their supply chains.
A new CSF 2.0 Reference Tool now simplifies the way organizations can implement the CSF, allowing users to browse, search and export data and details from the CSF’s core guidance in human-consumable and machine-readable formats.”
Read more here: NIST Releases Version 2.0 of Landmark Cybersecurity Framework https://www.nist.gov/news-events/news/2024/02/nist-releases-version-20-landmark-cybersecurity-framework
NIST Special Publication 800-53 Revision 5 Full Text
This free download is the full text of NIST Special Publication 800-53 Revision 5, September 2020. This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
We are creative, believers in critical thought. Our layouts are sophisticated, appropriate and effective. Our work is diligent, informative and engaging. Let our technical writing services save you time, money, revisions and failed presentations.