Understanding WISP: A Practical FAQ Guide for Tax Professionals

What is WISP, and Why is it Crucial for Tax & Accounting Professionals?

WISP, or Written Information Security Plan, is a comprehensive document outlining how a business collects, handles, and protects sensitive information. In California, with its stringent data protection laws, WISP is crucial for tax preparers and accountants who manage confidential financial and personal data.

What are the consequences of non-compliance with IRS WISP requirements?

Non-compliance with IRS WISP requirements can result in severe penalties, including monetary fines and legal actions. Additionally, non-compliance can damage the reputation and trust of your organization, leading to potential loss of clients or business opportunities.

When and Why is WISP Mandatory?

California residents should be familiar with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). While these acts don't explicitly mandate WISP, they underscore the state's commitment to data privacy. Adhering to WISP helps businesses align with these laws and avoid legal consequences.

Example: California, being a privacy-forward state, emphasizes the importance of protecting consumer data. WISP acts as a proactive measure, ensuring businesses handle personal information responsibly and in compliance with state regulations.

Who is required to comply with IRS WISP requirements?

Any individual or entity that handles taxpayer information, including tax preparers, accounting firms, and financial institutions, is required to comply with IRS WISP requirements. This includes maintaining adequate security measures to protect taxpayer data.

“There's no way around it for anyone running a tax business. Having a written security plan is a sound business practice – and it's required by law,” said Jared Ballew of Drake Software, co-lead for the Summit tax professional team and incoming chair of the Electronic Tax Administration Advisory Committee (ETAAC).

What Constitutes a Comprehensive WISP for Tax Professionals?

A robust WISP in California typically includes:

  • Data Risk Assessment: Identifying and evaluating potential risks to sensitive information.
  • Security Policies: Clearly defined policies on data classification, handling, and storage.
  • Employee Training: Ensuring employees are well-versed in security protocols and the protection of client data.
  • Incident Response Plan: A documented strategy for addressing and mitigating security incidents.

How Can Accounting and Tax Professionals Achieve WISP Compliance?

  • Thorough Risk Analysis: Begin with a comprehensive risk assessment to identify vulnerabilities.
  • Policy Development: Develop and implement security policies in line with California's data protection landscape.
  • Ongoing Training: Regularly educate staff on security protocols and keep them updated on emerging threats.
  • Regular Audits: Conduct periodic audits to ensure continual compliance and identify areas for improvement.

What do I need for my WISP Audit?

For a Written Information Security Program (WISP) audit in a company that specializes in bookkeeping and tax preparation, you should focus on ensuring the security of sensitive financial and personal information. Here are key elements to consider:

  • Data Classification: Clearly define and classify the types of data your company handles. In your case, this would include Personally Identifiable Information (PII), financial data, tax-related information, and any other sensitive data.
  • Risk Assessment: Conduct a thorough risk assessment to identify potential threats and vulnerabilities to the confidentiality, integrity, and availability of the data you handle.
  • Access Controls: Implement and enforce access controls to ensure that only authorized personnel have access to sensitive information. This includes user authentication, role-based access, and regular access reviews.
  • Physical Security: Secure physical access to servers, data centers, and any locations where sensitive information is stored. This includes implementing measures such as surveillance, access cards, and restricted access areas.
  • Network Security: Ensure that your network is secure through firewalls, intrusion detection/prevention systems, and encryption. This is crucial for protecting data during transmission and within the local network.
  • Employee Training: Train employees on security policies and procedures, emphasizing the importance of safeguarding sensitive information. This includes data handling practices, secure login procedures, and awareness of phishing threats.
  • Incident Response Plan: Develop and maintain an incident response plan to address any security incidents promptly. This plan should outline steps to take in the event of a data breach or other security incidents.
  • Encryption: Implement encryption for data both in transit and at rest. This adds an extra layer of protection, especially for sensitive financial and personal information.
  • Compliance with Regulations: Ensure compliance with relevant regulations governing the handling of financial and personal data, such as IRS guidelines, Gramm-Leach-Bliley Act (GLBA), and any other applicable industry standards.
  • Security Audits and Monitoring: Regularly conduct security audits and monitoring to identify and address any security weaknesses or suspicious activities. This includes log monitoring, intrusion detection, and periodic security assessments.
  • Documented Policies: Have well-documented security policies and procedures. This includes your WISP document, which should be comprehensive and up-to-date.
  • Vendor Management: If you use third-party vendors for any services, ensure they adhere to security and privacy standards. This is particularly important for cloud-based services.
  • Continuous Improvement: Regularly review and update your WISP based on changes in technology, regulations, and the evolving threat landscape.

How much does it cost to get WISP Compliance?

  • Software Investment: Obtaining WISP compliance often involves investing in robust security software. This includes tools for encryption, firewall protection, intrusion detection/prevention systems, and data management platforms. You can check our Security and Windows Patching solution here.
  • Hardware Investment: Securing your network and physical infrastructure is vital for WISP compliance. This may entail investing in secure servers, routers, and other hardware components designed to protect sensitive data.
  • IT Professional Audit Service: Engaging the services of IT professionals for a thorough audit is a key aspect of WISP compliance. IT professionals can assess your existing systems, identify vulnerabilities, and recommend security measures. The cost of such services depends on the scope of the audit, the complexity of your network, and the depth of analysis required.
  • Associated Costs: Beyond software, hardware, and professional services, there are associated costs to consider. This includes employee training programs to ensure staff are well-versed in security protocols, as well as ongoing monitoring and maintenance expenses. Additionally, budgetary considerations should be made for potential upgrades or expansions to your security infrastructure as technology evolves.

Get WISP Compliance Now

for only $649*

Step 1

  • Book a remote interview session.
  • If additional software, hardware, or implementation** is needed, you can either request a quote from us or procure them independently.

Step 2

  • If needed, all failures will be addressed or verified for prior resolution.
  • Send us all additional required documentation.

Step 3

  • Final review
  • Receive your hard copy*** of the WISP book by mail or pick it up at our location.

*$649 pricing valid for businesses with up to 5 employees. More employees? No problem, request a quote.
*Clients with a Support 365 Subscription are eligible for a $100 discount.
**Many software implementations, such as 2FA setup, default password changes, and Wi-Fi securing, are included at no additional cost. Software subscriptions and hardware are not included.
***With our exclusive WISP book, you will not only get everything you need for IRS-required WISP compliance but also receive three renewal certification letters. This not only enhances your data security practices but also saves you on your annual renewal costs. Take advantage of this offer and renew your WISP for only $299.00.

Book your interview now