A successful tax and accounting firm is subject to countless regulations, laws, and industry requirements. It is difficult to keep track of them all, but there is one law with which you should always remain in compliance: the Gramm-Leach-Bliley Act (GLBA). This law requires your firm to protect client data, and it gives you a framework for doing so by directing you to identify risks, implement safeguards, and evaluate service providers.
What is a WISP?
A Written Information Security Plan (WISP) is a document describing how your firm protects client data in order to meet the requirements of the FTC Safeguards Rule.
Why does a tax and accounting practice need a WISP?
You need a WISP because it is required by law and because it protects your business and your clients. The Gramm-Leach-Bliley Act (GLBA) is the U.S. law that requires a financial institution to protect customer data through a written information security program, which is what your WISP is.
Under the GLBA, tax and accounting professionals are considered financial institutions, regardless of size. Other financial institutions subject to the Safeguards Rule include mortgage brokers, real estate appraisers, universities, nonbank lenders, and check cashing businesses.
What’s involved in creating your WISP?
The FTC requires each firm to:
- Designate one or more employees to coordinate its information security program
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
- Design and implement a safeguards program, and regularly monitor and test it
- Select service providers that are capable of maintaining appropriate safeguards, require them by contract to implement and maintain those safeguards, and oversee their handling of customer information
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations and the results of security testing and monitoring
Getting started with your WISP
Any time compliance with federal laws or regulations becomes an issue, you must start by familiarizing yourself with the issues the law addresses.
WISPs – One size does not fit all
There is no such thing as a one size fits all WISP. You will need to consider your company’s size, scope of activities, complexity, and the sensitivity of the data it handles.
Start by focusing on three areas:
- Employee management and training
- Information systems
- Detecting and managing system failures
It is also advisable to create an employee Acknowledgement of Understanding. Every employee and contractor must review and sign this document. It gives you a record that each person has been trained on, and understands, the policies and procedures your firm has established.
Make your WISP readily available to your employees as a PDF or read-only Word document, and keep a copy in cloud storage with appropriate access controls so it survives a loss of your office systems. This document should be reviewed and updated quarterly as technology and your business change.
What should I put in my WISP?
Below we list the minimum contents of your WISP. The size of your firm will determine much of the detail you need to include, but these are the basics. Review the IRS and FTC publications to be sure you have included everything that is required.
This may be a good point to turn to a managed service provider with compliance experience to help you define, identify, and assess everything that is needed.
- Define the WISP objectives, purpose, and scope
- Identify responsible individuals
  - List the individuals who will coordinate the security program and the persons responsible for each part of it
  - List the authorized users at your firm, their data access levels, and their responsibilities
- Assess risks
  - Identify risks
    - List the types of information your office handles
    - List potential areas for data loss (internal and external)
    - Outline procedures to monitor and test these risks
  - Inventory hardware
    - List a description and the physical location of each item
    - Record the types of information stored or processed by each item
    - Document the safety measures in place for each item
- Suggested policies to include in your WISP:
  - Data collection and retention
  - Data disclosure
  - Network protection
  - User access
  - Electronic data exchange
  - Wi-Fi access
  - Remote access
  - Connected devices
  - Reportable incidents
- Draft an Employee Code of Conduct
- Draft an implementation plan
The length of a typical WISP will be a minimum of 50 pages. Depending on the complexity and size of your business, it could be longer.
Third party resources
The FTC, NIST, FCC, and IRS all publish resources that are helpful when creating your WISP:
Federal Trade Commission
National Institute of Standards and Technology (NIST)
- Cybercrime & Cyber Threats to Small Business
- NIST Computer Security Resource Center
- NIST Cybersecurity Framework examples
Federal Communications Commission
Internal Revenue Service
What to do if this is overwhelming
Not all companies have an internal compliance department to create all the documents, policies, and procedures required by law. A managed IT service provider is a good place for a small or medium-sized business to turn when it is struggling to meet requirements such as these.
T3 Audit – When compliance is something you think about every day
A T3 Audit is a comprehensive IT audit of your organization's adherence to regulatory guidelines. It identifies areas of vulnerability and then guides you in establishing and maintaining the policies and procedures that bring you into compliance with applicable laws, standards, and best practices.