January 16, 2024

What’s a WISP? Getting Started on a Written Information Security Plan

Accounting firms handle vast amounts of sensitive client data, and protecting this information is paramount. Many accountants and PTIN holders, however, remain unaware of the legal obligations surrounding client data security. In this article, we shed light on the essential concept of a Written Information Security Plan (WISP) and the fundamental steps accounting firms must take to ensure compliance.

What is a WISP?

A WISP is a comprehensive and tailored information security plan that outlines the specific measures and protocols an organization, including CPA agencies, has implemented to protect sensitive information. It includes risk assessments, employee training, physical and electronic security measures, and incident response plans. 

A number of accountants and tax preparers remain uninformed about the statutory requirements for their agency that could require them to establish and implement a Written Information Security Program.

Background of Legal Requirements

The Gramm-Leach-Bliley Act (GLBA), the FTC Safeguards Rule, and IRS Publication 4557 collectively create some of the main measures ensuring the security and protection of client data for financial firms.  

The GLBA holds importance for tax professionals and CPAs to safeguard nonpublic personal information related to financial activities. A WISP is required for all PTIN or tax preparers, regardless of how many clients they may have, in conjunction with the FTC Safeguards rule. Firms must attest to it during their PTIN renewal.

Understanding the implications of GLBA and the Safeguards Rule is essential. State boards of accountancy, overseeing the licensure process, emphasize compliance with data security regulations, reinforcing the need for a comprehensive WISP.

IRS Publication 4557 provides guidelines and recommendations to enhance the security of sensitive client data. This resource is a valuable tool for accounting professionals, offering insights into developing and implementing effective security measures, including creating a WISP.

Despite their importance, many accountants seem unaware of the legal obligations stipulated by the Safeguards Rule and its counterparts. This lack of awareness poses a potential risk, as it may lead to inadequate data security practices and (inadvertent) non-compliant status.

These knowledge gaps pose significant risks to firms, ranging from damage to reputation to costly breaches and potential FTC penalties. Given the increasing frequency and sophistication of cyber threats, having robust security measures in place is not just a legal requirement but a best practice in the long run. 

What Firms Must Include in a WISP

So, you've established that you need a WISP. How do you go about creating one in the first place? Unbeknownst to many, the IRS has already outlined the steps to create a WISP. Their official requirements state that firms must:

  • Designate one or more employees to coordinate its information security program.
  • Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
  • Design and implement a safeguards program, and regularly monitor and test it.
  • Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information.
  • Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Begin your WISP by offering a comprehensive overview of your firm's information security systems and hardware. At least one employee must be designated to coordinate and report on information security. This section should also encompass details about background checks conducted on personnel working with key software and hardware and how you ensure the integrity of data security efforts to this end.

Proceed with a risk assessment for each relevant component of your agency's operations, evaluating how effective current safeguards around customer information are. Then, create a data handling inventory to pinpoint potential shortcomings within those safeguards. This step is pivotal in comprehending the landscape of data vulnerabilities within your firm, paving the way for targeted risk mitigation strategies.

Following the assessment and documentation phase, shift focus to the design of a program dedicated to protecting data. This entails drafting a well-defined employee/contractor code of conduct and an implementation clause. These components are pivotal in ensuring that your WISP clarifies each employee's role in maintaining the security of customer information.

Once the data safeguards program has been designed, the implementation phase begins. This includes ensuring staff are aware of security policies. More practical terms of the WISP are important, too, such as practices for strong passwords and limiting privileged access to only those who need it.

Make regular monitoring and testing of WISP-defined protocols part of this by incorporating an annual review of the WISP to keep it up-to-date. All data security measures should evolve in tandem with emerging threats, operational changes, and industry best practices.

Finally, make sure service providers are compliant with your established safeguards. Contracts with third parties and clients need to specify how they are required to handle customer data in a way that is safe and avoids compromising your internal safeguards as delineated in and established by the WISP. 

Additional Measures for FTC Safeguards Rule Compliance

Firms that fall under the FTC Safeguards Rule must embrace additional measures to support their WISP creation.

First, thoroughly vetting third-party vendors is paramount for accounting firms to meet the Safeguards Rule's robust security measures. This involves assessing the security protocols and responsible vendors' personnel. Compliance under the FTC Safeguards Rule also demands a nuanced understanding of the broader definitions of customer data. Accounting firms must consider the full range of what could constitute sensitive information within their organization to prevent oversight in their WISP.

Outsourcing to Managed Service Providers (MSPs) like Cetrom often proves strategically beneficial for accounting firms. Leveraging the expertise of MSPs provides valuable assistance in navigating the intricacies of WISP implementation.

Client Engagement and Cybersecurity

Informing clients about secure communication protocols is integral to maintaining data security. Accounting firms should proactively communicate the mechanisms to ensure secure data transmission, fostering trust and transparency. However, client cooperation is a two-way street in data security. Firms should actively engage with clients, encouraging cooperation in adhering to secure practices. This collaborative effort enhances overall data security hygiene.

Beyond just clients, firms that develop and implement a WISP may benefit from easing the documentation process for cyber insurance providers. Reviewing your firm's size, clients, and cybersecurity measures is similar to what you'll need to document when seeking a cyber insurance policy, so it certainly helps to have this information already on hand.

Conclusion

Creating a WISP to outline your firm's data security schematics takes time, but it is worth knowing what is necessary if you require one. The awareness deficit among tax preparers underscores the need for further knowledge and promoting adherence to these legal mandates.

A Written Information Security Policy is not just a legal requirement but a cornerstone of client data protection. For those navigating the complexities, Managed Service Providers like Cetrom offer services and expert guidance to ensure continual compliance with robust cybersecurity practices.

Contact Cetrom today to see how we can take your firm's IT and cybersecurity to the next level.

Contact Us

Why More Accounting Firms are Moving to the Cloud

Cloud computing provides many benefits for CPA firms. Transitioning from traditional on-site setups to cloud computing is becoming increasingly..
February 01,2024

Cetrom Support fixed all of my problems, their engineers are very professional, courteous, friendly and very efficient. If all customer service out there was like this, it would be a better world...

- Mid-sized
View All

One of the things we appreciate wholeheartedly about working with Cetrom is how great the people in the service area are and the high-level of responsiveness we have received. I’ve been very pleased..

- Mid-sized
View All

Cetrom’s services and support really stood out against the other cloud vendors. We thought their Citrix delivery platform would have a higher level of adoption because our employees would have the..

- Mid-sized
View All

Our accounting services users working in the field have greatly benefited from our migration to the cloud. They’re now able to be much more efficient while working in a client’s office because they..

- Mid-sized
View All

The decision to migrate to the cloud was one of the best business decisions Rub & Brillhart has made. It required an investment, but we have determined that our year two IT costs will be reduced by..

- Midwest
View All

Our migration process with Cetrom was very smooth and we had an excellent experience with their support during the demo process. We have 24/7 monitoring on our onsite equipment and they have the..

- Small
View All

We are extremely happy with the service and support we receive from Cetrom. Our staff is more efficient overall in our day-to-day activities and we don’t have any downtime. It’s a good feeling..

- Mid-sized
View All

Cetrom is an extremely cost-effective option for IT services. Not only do we receive significantly improved customer service, but we were also able to add a new VoIP system, better internet service,..

- Mid-sized
View All

Because we use specialized software for CPAs, we were concerned about the migration process. Cetrom’s CEO reassured us that there’s no concern because they understand how the software operates in the..

- Mid-sized
View All

We use two programs that often posed a challenge for our previous IT providers. Cetrom handled the situation professionally, coordinated with the software vendors, did all the backend testing, and..

- Mid-sized
View All

After interviewing and reviewing the proposals from various IT providers, it was really a night and day comparison about price, service, and performance—Cetrom was just outshining the others on every..

- Mid-sized
View All

I just want to drop you a line and let you know how pleased we are with our move to Cetrom. Your people knocked it out of the park for us and are doing a great job getting us up and working. On our..

- Small-sized
View All

Because we use specialized software for CPAs, we were concerned about the migration process. Cetrom’s CEO reassured us that there’s no concern because they understand how the software operates in the..

- 97%
View All

Cetrom’s Cloud Computing offers a high-quality, reliable and secure alternative to traditional IT management and provides immediate access to all my IT resources whether I’m in the office, at home or..

- High-quality,
View All

blog Archives

See all

Why More Accounting Firms are Moving to the Cloud

Cloud computing provides many benefits for CPA firms. Transitioning from traditional on-site setups to cloud computing is becoming increasingly..
February 01,2024

Cetrom Support fixed all of my problems, their engineers are very professional, courteous, friendly and very efficient. If all customer service out there was like...

- Mid-sized
View All

Blog Archives

See all
Is Cetrom Your Cloud Services Solution?