What is the IRS Written Information Security Plan (WISP)?

The Written Information Security Plan (WISP) is a special security plan that helps tax professionals protect their sensitive data and information. It is especially tailored to smaller firms.

It is a 29-page document that was created by members of the security summit, software and industry partners, representatives from state tax groups, and the IRS.

Federal law states that all tax professionals must have a data security plan in place. But many struggle to develop an effective plan. As a result, the Summit, which is led by the Tax Professionals Working Group, spent months creating a sample document that helps tax professionals set their focus when developing their security plans.

The sample will guide tax professionals through the security plan development process so they can consider the various aspects involved in keeping their business safe. It helps them come up with an action plan in the event of a security breach or data loss. It is written in simple ‘no jargon’ language that is easy for tax preparers to understand.

While the sample lays the guidelines for the plan, there is no ‘one size fits all solution’. Plans will vary according to the business size and the complexity and sensitivity of the customer data it handles.

Once the plan is completed, tax preparers are advised to keep it in the office in a PDF or Word format. This will make it accessible to employees and customers if needed. It’s also advisable to store it on the cloud or in a separate location in the event of a natural disaster or another type of emergency.

What Should Tax Preparers Know About Creating a Data Security Plan?

The WISP will take you through the steps you must take to create your data security plan. But here are a few things to keep in mind. 

• Include the name and contact information of all your security program managers
  
  
• Identify risks to customer information
  
  
• Evaluate all risks and state the safety measures currently in place
  
  
• Develop policies for the storage, access, and transportation of sensitive information
  
  
• Ensure terminated employees cannot access sensitive data
  
  
• Oversee security practices of third-party vendors and contractors
  
  
• Impose disciplinary measures for violating the policy
  
  
• Create and enact a program that protects data
  
  
• Monitor and test the program regularly. Make improvements as needed.

 You may also want to update your technology to include the following:

• Finding a system to secure user credentials
  
  
• Restricting access to PII to a need-to-know basis
  
  
• Encrypting the transmission and storage of personal information
  
  
• Monitoring security systems
  
  
• Updating anti-virus and anti-malware software, security patches and firewalls
  
  
• Training employees on security practices and the proper use of security systems

The company should also have a written contract in place with their service provider to further ensure safety measures are taken. The provider will: 

• Maintain the handling of safety measures
  
  
• Oversee the handling of customer information
  
  
• Revise the program as needed 

The Security Six

The IRS recommends that tax professionals and anyone else that handles sensitive data should be equipped with the ‘Security Six”. This includes the following hardware and software items. 

• Anti-Virus Software: Anti-virus software looks for patterns of known malware from cybercriminals. It finds new issues and malware to keep systems safe. Once anti-virus software is installed, it should be configured to automatically scan for breaches. You can also manually scan files such as attachments, web downloads, and portable media before opening them.
  
  
• Firewalls: Firewalls shield computers and networks from outside attacks. They block out suspicious activities while allowing necessary data to pass through. There are both hardware and software firewalls. The hardware firewalls are positioned between the computer and the internet and can be used to protect multiple computers. Software firewalls are built in and can be used alongside external firewalls or on their own.
  
  
• Two Factor Authentication: Two factor authentication offers a second layer of protection before access is granted to online accounts and sensitive information. So rather than simply logging in, a two-factor authentication may also require you to retrieve a code from a phone or email.
  
  
• Backup Software: Sensitive information should be routinely backed up to an encrypted source cloud storage and/or an external device. This way it can be accessed if a breach occurs.
  
  
• Drive Encryption: Drive encryption transforms data into files that are unreadable by unauthorized individuals. It may come in the form of standalone security software or removable media such as a thumb drive.
  
  
• Virtual Private Network: Tax practitioners that work remotely should consider adding a Virtual Private Network (VPN) to their technology suite. It provides a secure, encrypted tunnel for the transmission of data. 

Handling Employees and Management Styles

If you have employees working beneath you, it’s important to implement proper management styles, training, and guidelines to ensure everyone is on the same page when it comes to reaching cybersecurity goals. Here are a few recommended procedures to follow:

• Invest in Employee Training: It’s essential to train your employees so they know how to identify suspicious behavior and what to do in the event of a breach or threat occurring.
  
  
• Share News of Breaches: It may be surprising to find out how often breaches occur and don’t get publicized. It’s important to raise awareness so your employees understand how real the threat is. You can do this by sending out articles you find about cybersecurity issues, particularly in the tax industry.
  
  
• Make Employees Aware of Security Practices and Best Practices: Employees should understand how important it is to come up with passcodes hackers won’t crack. Passcodes should be long, they should use a mix of character sets, and they should not use complete words. They should be changed regularly, and they should not be shared across accounts.
  
  
• Train Employees to Recognize Phishing and Social Engineering Attacks: Teach employees to look out for things like spoofed sender email names and addresses, unusual requests sent via email, strange emails formats, and requests for sensitive information. They must also learn to hover over links to make sure they go where they are supposed to go, to scan attachments before opening them, and to check file extensions for anything unusual.
  
  
• Include Cybersecurity in Onboarding: Employees should be taught about the importance of cybersecurity from day 1. This will enforce its importance and ensure everyone is well trained in addressing threats moving forward.
  
  
• Conduct Breach Drills: Ensure your employees are well prepared for an attack by conducting real-life ‘breach drills’. This will help your workers adopt the right mental state for dealing with attacks. It will also allow you to identify practices that can be improved.
  
  
• Don’t Blame Your Employees: Anyone can fall for a cybersecurity scam and it’s important not to blame your employees if they fall victim to an attack. Instead, use it as a teachable moment to decide how you can improve practices moving forward.

Benefits of a WISP

A WISP will benefit your company in the following ways:

• Helps keep sensitive data safe
  
  
• Prepares you in the case of a data breach
  
  
• Makes clients feel better about working with your company
  
  
• Ensures you are in-line with current legislation and prevents you from getting fined

A WISP is a beneficial and necessary part of doing business as a tax preparer. The IRS sample will take you through the steps ensuring you are doing all you can to keep your company and clients safe. Good luck protecting your sensitive information from hackers.