The IRS has released a new template for creating a Written Information Security Plan, which is required for all tax professionals under the Gramm-Leach-Bliley Act.
The new template is intended to provide sample information and to help tax professionals, particularly smaller practices, develop a Written Information Security Plan (WISP). The law requires financial institutions (which include tax professionals) to protect customer data. As part of that protection, tax professionals must create and maintain a WISP. A WISP must be written and accessible, and requires each firm to:
- Designate a qualified individual to coordinate its information security program,
- Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks,
- Design and implement a safeguards program, and regularly monitor and test it,
- Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information,
- Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring,
- Implement multi-factor authentication for any individual accessing any information system, unless your qualified individual has approved in writing the use of reasonably equivalent or more secure access controls,
- Report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30 days from the date of discovery.
The new template is found in IRS Publication 5708 (Revised August of 2024), Creating a Written Information Security Plan for your Tax & Accounting Practice.