IRS Releases Guide for Tax Pros’ Information Security Plan
The IRS and its Security Summit partners recently released a sample security plan and guide designed to help tax professionals, especially those with smaller practices, protect their data and information.
The sample plan, called a Written Information Security Plan or WISP, is outlined in a 29-page guide that has been worked on by members of the Security Summit, including tax professionals, software and industry partners, representatives from state tax groups and the IRS. The Summit partners said they worked to make the guide as easy to use as possible, including special sections to help tax professionals get to the information they need.
Federal law requires all professional tax preparers to create and implement a WISP. A WISP is meant to secure all client personally identifiable information (PII) received or retained by a firm and prevent unauthorized access to it that could create a substantial risk of identity theft or fraud. A WISP should cover administrative, technical and physical safeguards of PII.
The guide describes the requirements of a WISP and also includes procedures and details for creating and implementing a plan, recommendations for the plan's contents and scope and a template. The guide also outlines recommended attachments to a WISP, including procedures for the notification of a data security breach, a record retention policy, an inventory of all physical and electronic storage of PII and rules for firm members' conduct in safeguarding PII.
The Summit partners advise that a security plan should be appropriate to the company's size, scope of activities, complexity and the sensitivity of the customer data it handles. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm, which is reflected in the new sample WISP.
For more information on security recommendations, see IRS Publication 4557, Safeguarding Taxpayer Data, IRS Publication 5293, Data Security Resource Guide for Tax Professionals and the IRS Identity Theft Central webpages.