IRS WISP: Protect Your PTIN

An IRS WISP: No Longer Optional

2024 PTIN Renewal Season Is Underway

If you prepare or assist in preparing federal tax returns for compensation, you must have a valid 2025 PTIN before preparing returns. If you are an enrolled agent, you must also have a valid PTIN. What you also must have is an IRS WISP. If you checked number 11 on your Form W-12 renewal, Data Security Responsibilities, and you have a WISP in place, you are compliant. If you checked it, whether inadvertently or knowingly, but don’t have one, read on.

What Difference Does It Make If I Don’t Have an IRS WISP?

While it is unlikely you would serve jail time, you could be risking your PTIN and it could be costly as well:

Compliance with the Gramm Leach Bliley Act (GLBA Law) mandates that financial institutions safeguard their customers’ non-public personal information (NPI). 

The penalties for Gramm Leach Bliley Act non-compliance can be significant. GLBA privacy rules are enforced by state attorneys general and the Federal Trade Commission (FTC). Each violation penalty can vary from $100 to $100,000 per day.

If found guilty of willful or careless disregard for GLBA regulations, people and organizations may also be subject to criminal prosecution, fines, and possibly jail time. Comprehensive risk assessments, policies, and ongoing staff training are necessary for effective compliance.  

Contact us About Our IRS WISP 

Whether you are trying to meet the 12/31 deadline or just meet the PTIN requirement, Contact us About Our Compliant IRS WISP 

Our IRS WISP Ensures Compliance

We create custom IRS WISPs for businesses of all sizes. Each one is company-specific. This document protects you, and it protects your clients. The information below contains not only the IRS requirements for WISP content but also the elements in our IRS WISPs that make them exceptional, compliant and comprehensive:

  • Content Customized For Your Company
  • Automatic Network Asset Discovery
  • Risk Assessment and Recommendations
  • WISP Summaries for Clients and Employees

IRS WISP Requirements

A Written Information Security Plan (WISP) is a valuable asset for any organization. The IRS expects it to include the following elements:

  • Define the WISP objectives, purpose, and scope
  • Designate a qualified individual
    - List the qualified individual who will coordinate the security programs as well as responsible persons.
    - List authorized users at your firm, their data access levels, and responsibilities.
  • Assess Risks
    - Identify Risks
      ▪ List types of information your office handles
      ▪ List potential areas for data loss (internal and external)
      ▪ Outline procedures to monitor and test risks
  • IT Asset Inventory
    - List description and physical location of each item
    - Record types of information stored or processed by each item
  • Document Safety Measures in place
    - Suggested policies to include in your WISP:
      ▪ Data collection and retention
      ▪ Data disclosure
      ▪ Network protection
      ▪ User access
      ▪ Electronic data exchange
      ▪ Wi-Fi access
      ▪ Remote access
      ▪ Connected devices
      ▪ Reportable Incidents
    - Draft Employee Code of Conduct
  • Draft an implementation clause
  • Attachments

Why Our IRS WISP?

Our IRS WISPs contain all of the requisite content listed under IRS WISP Requirements above. But ours differ from other offerings because a comprehensive, custom document results from as little disruption to your operation as possible. These are some of the features of our IRS WISPs.

  • Automatic Network Asset Discovery: Unless you have an IT network administrator on your staff, finding the IT assets on your network can be difficult. It is usually time-consuming and can be of questionable accuracy. It can be tedious enough, in fact, that this critical element is simply skipped. We have created a way for you to do this easily, with no network architecture knowledge required, if you have fewer than 100 assets.
  • Risk Assessment and Recommendations: Once we receive your answers to our questionnaire and the results from your IT asset discovery, we will do a risk assessment and make risk mitigation recommendations for inclusion in your WISP.
  • Content Customized for Your Company: Whatever the size and nature of your practice, we create a customized WISP based on your location, your size, your clientele, and how you operate.
  • WISP Summaries for Clients and Employees: WISP summaries enable you to share with clients and employees the parts of your WISP that are most pertinent to them. Not all elements of your WISP need to be shared with your clients. We will create one-page summaries for clients and employees that will provide them with the information they need to have at hand, with the understanding that they can always obtain more if they have questions.

Once you have placed your order, we will get you started with a questionnaire and your IT asset discovery.  

The New Version of IRS Publication 5708

In August, the IRS released an update to Publication 5708, Creating a Written Information Security Plan for your Tax and Accounting Practice. In News Release IR-24-208, the IRS notified tax professionals of two significant changes:

  1. A requirement to implement multi-factor authentication
  2. The need to report any “security event” that affects 500 or more people

Order Your IRS WISP

IRS deadlines are approaching but the imperative for a comprehensive WISP is already here.  Protect yourself and your clients from a devastating, expensive breach of any kind.

phishing, business case study, zero trust, written information security plans, WISP, risk management, risk analysis, spear phishing, legal, multifactor authentication, business impact analysis, business continuity plan, remote work, distributed staff, data breach

We thought our client information was secure–until it wasn’t…

Xavier Otero, Partner, XO Legal

Hooked with Spear Phishing Bait

XO Legal, a small legal firm with an entirely distributed team, was lured into an insidious spear phishing snare by a seemingly harmless email.  The attack targeted the firm with carefully crafted emails that appeared to come from legitimate and trusted internal sources.  This sleight of email was virtually undetectable.  XO Legal had no idea how to pick up the pieces because they didn’t know what the pieces were.

Spear phishing involves targeting specific individuals or organizations with personalized and convincing messages designed to trick the recipient into taking a particular action or providing sensitive information.

Anatomy of a Spear Phishing Attack

Spear Phishing Prey

The Setting

The law firm had four attorneys and two paralegals, all of whom worked remotely. Client files were stored in an encrypted cloud account. All six could upload and download files, which meant that all six individuals had credentials allowing them to access the account at some level.

The Bait

Once the phisher had decided on a law firm target, XO Legal, they did what any highly-skilled phisher would do:  They patiently researched the firm, its employees, clients, and ongoing cases to gather information that would make their phishing email(s) appear authentic and relevant.

Excellent dossiers were created on all the firm’s employees. From the information acquired, partners Xavier Otero and Rogelio Tejada seemed to be the most potentially profitable targets.  The phisher decided to reference a high-profile client as part of the deception.  They had learned that there was a hearing the following week, which provided the opportunity to introduce urgency and authenticity into an email.

It was this meticulous preparation that enabled the phisher to craft the personalized emails that would become the bait and make this plot so successful.  Their chances of success were greatly improved because the plot was entirely specific to the XO Legal firm.

The Hook

An email was sent to one of the paralegals, Ana Mathieson, from Xavier Otero.  The email made reference to an upcoming hearing the next day, for which Xavier Otero was the lead attorney.  It requested that she look for a file in the client’s folder.  If it was there, he needed the link to it right away. He was on his smartphone right now and had no way to access the file.  The email contained details about the hearing that she knew to be true.  She hesitated but the first one was followed by two other emails, each more frantic than the last.  Ana found the file and sent the link to the folder.

The Aftermath

This spear phisher was content with access to this one client’s information. What they wanted was enough information to enable identity theft, and there was plenty of information in the file to allow them to do that. XO Legal was forced to pay for all of the client’s identity theft remediation and lost the client (which was a substantial part of their revenue). And in the end, they still did not know if any other client information had been breached. But it could have been far worse and far more costly.

Our Role in The Spear Phishing Recovery

We documented the existing information security status and provided the written framework for the new security plan.  We created zero trust standard operating procedures; a written information security plan; an incident response plan; and a business continuity plan.  

A Roadmap to Zero Trust

From Trust to Zero Trust

Protecting client data–whether dictated by law or not–was of paramount concern at XO Legal.  But, as with many firms, the intention of the staff to guard the sanctity of client data was not enough.  Transformation into a team with a zero trust mindset was essential.   So, XO Legal closed the gaping voids in their security protocols with the following actions (non-inclusive):

  • Incident Response Plan based on ABA Formal Opinion No. 483, which defines the lawyer’s ethical and legal obligations to be prepared to protect against and respond to a cyber security incident.
  • Written Information Security Plan (WISP) to define what the firm’s information assets are and how they will be protected–including the policies and procedures that will be used.
  • Standard Operating Procedures were created for the Incident Response Plan and Written Information Security Plan, as required. One of the first ones written governs how internal communications are handled, no matter who writes them.
  • Ongoing Evaluation of Access and Authentication Protocols to ensure that permissions are appropriate and are updated, as necessary.
  • User and Device Security is enforced by ensuring that all users and devices (including mobile devices) have the same level of protection as they access resources, regardless of location.
  • Multifactor Authentication is mandatory for all staff who access files.  In this case, fingerprint identification is used.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) email authentication protocol is used to protect against email phishing.
  • Application and Data Security is used to prevent unauthorized access within app environments no matter where they are hosted.

The Way Forward

The Zero Trust mindset is a new one for this firm because it is so small and the staff knows one another so well.  But, now they know that zero trust is critical if they are going to protect themselves and their clients.