IRS WISP Compliance

Summary: The I.R.S. requires all tax preparers and accountants handling sensitive financial data to have a Written Information Security Plan (WISP).

If you are using Torian Group maintenance, many requirements are already met, and we can assist you with completing the necessary documentation to comply.


What is WISP?

A Written Information Security Plan is the written security program the law requires a tax practice to have; the I.R.S. publishes a guide and a template for producing one. The underlying requirement comes from the F.T.C. Safeguards Rule, which implements the Gramm-Leach-Bliley Act (GLBA).

It is intended to protect sensitive financial and personal data handled by financial institutions – including tax preparers.

From the F.T.C.:

The Safeguards Rule applies to financial institutions subject to the F.T.C.’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”

What matters are the types of activities your business undertakes, not how you or others categorize your company. [This includes] mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors.

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

The F.T.C. has exempted from certain provisions of the Rule financial institutions that “maintain customer information concerning fewer than five thousand consumers.” [Under the GLBA, tax and accounting professionals are considered financial institutions regardless of size; the small-firm exemption relaxes some provisions but does not remove the requirement for a written program.]

Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

  • to ensure the security and confidentiality of customer information;
  • to protect against anticipated threats or hazards to the security or integrity of that information; and
  • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

The IRS WISP is a guide to help tax preparers comply with these regulations.

In addition, you may be required to comply with other data protection laws:

HIPAA – If you handle protected health information on behalf of a covered entity (which makes you a business associate).

PCI DSS – If you process credit cards, your card processor or acquiring bank will require you to protect cardholder data according to the PCI Data Security Standard.

Red Flags Rule – If you are a creditor or financial institution that maintains covered accounts, you must have a written program to detect and respond to the warning signs of identity theft.

Fair Credit Reporting Act – If you handle information about employee or customer credit.

Records retention – Various laws require that you keep accurate records of your activities for a specific period.

If you have remote access to clients’ computers or data, you may also have to meet the security requirements your clients are obliged to impose on their vendors.

Fortunately, many of the requirements overlap. They are designed to verify that you are following security best practices, something you should already be doing.

What you need to do

Determine who will be responsible.

All security frameworks call for naming a “security officer”, the person responsible for compliance. The Safeguards Rule calls this person the “Qualified Individual”; the I.R.S. template calls them the Data Security Coordinator. In some cases, this role comes with legal liability.

The I.R.S. WISP template also suggests appointing a “public information officer”, the person who will talk to clients and the press if needed.

From the IRS WISP template:

The Data Security Coordinator is the person tasked with the information security process, from securing the data while remediating the security weaknesses to training all firm personnel in security measures.

The Public Information Officer is the “one voice” that speaks for the firm for client notifications and outward statements to third parties, such as local law enforcement agencies, news media, and local associates and businesses inquiring about their own risks.

This person does not need to do the work, just be responsible for seeing that it is done.

Determine the scope

This will be done by the assigned person (above). We can advise.

Do you want to meet the minimum requirement for the I.R.S.? Are there other security requirements that could also be fulfilled at this time?

Do you need any of the following:

Computer use or acceptable use policy – sometimes part of the employee handbook.

Data retention policy

Backup plan/testing

Disaster recovery plan

I.T. policy/plan

Security policy/plan

Incident response plan

Specific procedures:

Employee onboarding/ termination

Vendor contract/ security agreement

Training

Equipment setup /disposal

Remote access procedures and policy

Vendor onboarding /termination (onsite visits, remote access)

Client procedures: remote access, login data, sensitive data handling

Password management, M.F.A. implementation (the Safeguards Rule requires multi-factor authentication for anyone accessing customer information on your systems, unless the Qualified Individual approves an equivalent control in writing)

Take inventory

We can assist, or do most of this for you with help from your staff. Much of the needed information is already in our systems for maintenance and monitoring.

  1. What information do you have:

Where does information come from;

How is it stored;

How is it used – who should have access;

How is it protected;

What would happen if it was exposed or damaged.

The results are:

A data flow map or list.

An access control list: who has access and how.

A list of audit logs and auditing methods.

The start of the risk assessment list.

  2. What I.T. equipment do you have, and what does it do?

Results:

Device inventory.

Network map.

  3. Who does what, and how?

Results:

A user and device list.

An access control list:

methods used to access devices and data;

people who are granted access;

and how it is protected.

An inventory of remote access methods and sources.

A list of vendors with access to data and how it is protected.

  4. What procedures/policies do you have?

We can work with your I.T. admin or appropriate staff to gather this.

Results:

List of existing I.T. related procedures and policies.

List of gaps – what is needed.

  5. Inventory of auditing methods in place and auditing needed.

Risk assessment

We can create a draft, then review it with you.

What could go wrong?

What would the consequences be?

What mitigations exist, and what could be added?

Results:

List of risks, potential consequences and cost, current protections, possible additional protections.

Security plan

We can create a draft, then review it with you.

Identify recurring tasks, and who will do them.

Determine what auditing/monitoring is needed and how it will be done.

Identify needed training for staff and how it will be done.

Determine what to do about the gaps identified, who will do it, and when.

Policies and procedures

Create any additional documentation needed based on inventory/assessment.

Suggested policies to include in your WISP:

▪ Data collection and retention

▪ Data disclosure

▪ Network protection

▪ User access

▪ Electronic data exchange

▪ Wi-Fi access

▪ Remote access

▪ Connected devices

▪ Reportable Incidents

One way to deal with this complexity is to state in your policy that you will comply with the controls in NIST SP 800-53 where applicable. The National Institute of Standards and Technology (NIST) maintains this catalog of security and privacy controls for federal information systems in great detail, and it is often used as the basis for other cybersecurity standards and recommendations. Two cautions: 800-53 is large, so for a small firm the NIST Cybersecurity Framework (linked below) is a lighter-weight starting point; and if you do reference 800-53, name the baseline (low or moderate, from SP 800-53B) and the specific controls you actually implement, so that you are not committing on paper to something you cannot demonstrate to an auditor or to a client.

Incident response plan

A written incident response plan is a requirement. It doesn’t have to be complex, but the Safeguards Rule lists what it must cover: the goals of the plan, the internal process for responding to an incident, roles and decision-making authority, internal and external communications, remediation of any identified weaknesses, documentation and reporting of incidents, and a post-incident review with revision of the plan as needed.

We can create a draft, then review it with you.

Business continuity plan

Although not required, we recommend having or updating a business continuity plan.

This identifies who will do what if specific disasters or outages occur. It also helps plan for access to critical systems and data.

Additional information

I.R.S. Publication 5709 – WISP summary https://www.irs.gov/pub/irs-pdf/p5709.pdf

I.R.S. Publication 5708 – WISP sample plan https://www.irs.gov/pub/irs-pdf/p5708.pdf

I.R.S. Publication 4557 – safeguarding taxpayer data https://www.irs.gov/pub/irs-pdf/p4557.pdf

F.T.C. Data Breach Response guide

https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business

https://www.ftc.gov/system/files/documents/plain-language/560a_data_breach_response_guide_for_business.pdf

F.T.C. on Privacy

https://www.ftc.gov/business-guidance/privacy-security

GLBA (Gramm-Leach-Bliley Act)

https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

F.T.C. Safeguards rule

https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Records Retention

https://www.uschamber.com/co/start/strategy/how-long-to-keep-business-documents

HIPAA Security Rule

https://www.hhs.gov/hipaa/for-professionals/security/index.html

NIST Cybersecurity framework

https://www.nist.gov/cyberframework

NIST 800-53 Standard

https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

NIST 800-53 Controls by security level

https://csrc.nist.gov/publications/detail/sp/800-53b/final