How to Develop a Federally Compliant Written Information Security Plan (WISP) + A Checklist to Get You Started

Published: September 9, 2022

Tax and accounting professionals are at significant risk for cyberattacks because they have the data hackers want. With information like names, Social Security numbers, financial data, and addresses, thieves can impersonate victims and file fraudulent tax returns. And with a cyberattack happening every 39 seconds, the chances of your practice getting attacked continue to grow, especially if you’re not prioritizing data security.

Implementing cybersecurity measures is not just a matter of best practice. It’s the law. Paid accounting and tax practices are required by IRS regulation 5293 and by law to create and implement a Written Information Security Plan (WISP).  

What is a Written Information Security Plan (WISP)? 

The Gramm-Leach-Bliley Act (GLBA) is the United States law that requires financial institutions to protect client data. As the Federal Trade Commission (FTC) implemented GLBA, it also issued the Safeguards Rule—a list of requirements financial institutions must follow. Tax and accounting professionals, real estate appraisers, lenders, check-cashing businesses, universities, and mortgage brokers are considered financial institutions under GLBA. 

The FTC requires each financial institution to: 

  • Choose at least one employee to coordinate their information security program 
  • Identify and assess risks to their clients’ data 
  • Evaluate the effectiveness of their current safeguarding measures 
  • Create, implement, monitor, and routinely test a safeguarding program 
  • Ensure vendors and service providers maintain appropriate safeguards 
  • Update the program as needed (like when business operations or regulations change) 

To help tax and accounting professionals accomplish the above tasks, the IRS joined forces with 42 state tax agencies and various members of the tax community (firms, payroll processors, financial institutions, and more) to create the Security Summit. The Summit released a WISP template in August 2022.  

What Should be Included in the Written Information Security Plan (WISP)? 

When writing your WISP, consider your company’s size, complexity, and scope. A large firm will have a longer, more robust plan than a smaller accounting firm—so there isn’t a one-size-fits-all approach. However, there are three key areas each WISP should include: 

  • Employee management and training 
  • Information systems and technology 
  • Detecting and managing system failures 

The Summit’s template recommends each practice have an Employee/Contractor Acknowledgement of Understanding document. This document helps keep track of training and is beneficial if you need to prove compliance and/or show accountability for your practice. 

Here is the WISP outline the Summit recommends: 

  • Define the objectives, purpose, and scope of your WISP 
  • Designate who is responsible for creating, coordinating, and implementing your program, and list your authorized staff, their responsibilities, and what data they can access
  • Assess current risks and detail the types of information your firm handles, whether you have any areas of potential data loss, and how you monitor and test these risks
  • List the hardware you use for work and where each piece is located (on the cloud, in your primary office, at a staff member’s home, etc.) 
  • Detail your Employee Code of Conduct and your document safety policies, including those for: 
    • Data collection, retention, and disclosure 
    • User access on-site and remotely 
    • Network protection, Wi-Fi access, and connected devices 
    • Electronic data exchange  
    • Reportable incidents 
  • Include a signed implementation clause that states when you executed the WISP 

Download this free checklist to learn more about each section and ensure you’re writing a compliant WISP. 

Built with bank-level security, SmartVault is the most secure way to store and share your documents. Schedule a 15-minute demo to see why over two million people trust SmartVault with their data. 
