A crucial part of managing data security is your Written Information Security Plan (WISP). But why is it important for accounting businesses?

What is a WISP & Why Should Your Business Have One?

From phishing scams to data breaches, businesses lose thousands of dollars from cybersecurity risks—and thousands more just to recover. Cybercriminals won’t spare anything from your emails to your project management tools and software.

This is where security management comes in. Protecting your sensitive data keeps your business safe. However, this entails putting the necessary policies, procedures, and protections in place.

One of the most basic and crucial parts of your security management is your WISP (Written Information Security Plan). But what is a WISP, why is it important, and what does it have to do with accounting firms and tax professionals?

What is a WISP?

Written Information Security Plan, or WISP, is a document that details your organization’s security controls, procedures, and policies. It also explains how confidential data is protected within the organization and who safeguards all that information. Think of it as a guide or a roadmap for your security processes, data and IT management.

The reason it has become such an essential topic is ever since the Internal Revenue Service (IRS) issued its requirement during its Security Summit. It demanded all business who deal with accounting or provide tax preparation services to have one in place by the end of 2022.

Over 25 states in the US currently require businesses to have a WISP or a similar alternative in place. This includes Florida, California, New York, Rhode Island, Massachusetts, and Texas.

Moreover, a WISP typically includes administrative and technical security measures your company has in place, similarly to the Gramm-Leach-Bliley Act from 1999. Anyone or any organization with access to customer or employee information must ensure that they implement the appropriate IRS administrative and technical safeguards.

Remember that anyone with access to your company’s data needs to be aware of your WISP. The IRS WISP requirement is meant to educate all employees on implementing data security at the appropriate levels for all data.

Why is it Important to Have a WISP?

A WISP is vital for any business, especially accounting firms, healthcare providers, and other companies that deal with sensitive client data. This is because:

  • Depending on your state, it is a legal requirement to have one. Being out of IRS compliance can be a costly and embarrassing risk you wouldn’t want to take.
  • With data breaches being all too common nowadays, WISPs can act as a defense against liability.
  • Failure to have a WISP might bite you back in the future, as it can be evidence of negligence. Plaintiffs can use WISP requirements as evidence of duty to support a working theory of blame for a claim against an IT company or business that experiences a data breach and can lead to their reputation being ruined for good.
  • It’s just good practice! Having actual procedures to protect PII, or Personal Identifiable Information, and other pertinent data written down can help businesses avoid compliance and litigation risks, thus minimizing the fallout from a data breach in the event that one does occur.

With it being almost a year and a half since the IRS’ requirement came into effect, anyone that doesn’t have one in place should stop dragging their feet like this one uncoordinated tax professional.

What does a WISP Cover?

WISPs vary significantly in the security controls they cover. The level of comprehensiveness of your WISP will depend on factors such as the size of your business, the scope of your activities, the industry you operate in, and the state laws you must comply with.

A WISP is a legal necessity from the IRS for tax professionals and most businesses, as it ensures your company has enough administrative, technical, and physical safeguards to protect personally identifiable information or PII. If you’re partnered with a Managed Security Services Provider (MSSP), it’s important that you know they can provide such a service for you while also regularly updating the documentation.

What should be included in a Written Information Security Plan?

WISPs need to address the following security areas:

  • Assigning the person in charge of the security program
  • Identifying and evaluating security risks
  • Creating policies and procedures for the storage, access, and transportation of personal data
  • Imposing sanctions for WISP infractions
  • Restricting access to terminated employees
  • Monitoring both contractors’ and third-party providers’ security procedures
  • Limiting contractors’ and third-party providers’ access to physical and digital records
  • Evaluating the WISP’s scope and effectiveness
  • Documenting data security incidents and responses

Additionally, WISPs may be required to meet the following technical specifications:

  • Protecting the user’s login information with a Zero Trust Policy
  • Limiting access to PII to those who need to know
  • Encrypting the exchange and storage of sensitive and personal information
  • Monitoring security systems and accounting applications such as Drake, Lacerte and Thomson Reuters’ UltraTax
  • Updating all software, from firewalls to security patches
  • Teaching employees about your company’s security policies and the correct use of computer security systems

Lastly, WISPs may also be required to have the following physical safeguards:

  • Creating guidelines for the safe storage and protection of physical data
  • Putting standards in place for moving physical data or duplicating it
  • Limiting physical access to stored records
  • Ensuring that all physical access points, such as doors and filing cabinets, are locked and protected
  • Updating physical security equipment like closed-circuit cameras and key cards for access

Have a Plan in Place

A WISP isn’t just a legal responsibility; having one lowers your risk of a data security incident. Plus, it allows for prompt action in the event of an emergency.

There's no one-size-fits-all WISP. Scale yours based on your company's size, scope of activities, complexity & customer data sensitivity.

The more thorough and complete your WISP, the less likely you will have problems during a cyber security disaster. Just make sure to regularly test and upgrade your WISP. A security program with only a “paper plan” is still better than no program at all.

Make sure to ask your MSSP if they have one in place for you. If not, their legitimacy in regards to data security & compliance should be highly questioned and scrutinized. Is it included with their regular services, and is it updated or reviewed on a regular basis? Finding the right IT for accounting provider can be the difference between disaster and a sigh of relief.

Take Your Business’ Security Seriously with A WISP

Having a WISP in place shows your company takes IRS compliance and cybersecurity seriously for employees, customers, partners, law enforcement, and the general public. It demonstrates to everyone that you as a tax professional or business value their data’s safety and that your company is ready to keep it secure in the event of a disaster in every way possible. That said, it is not as simple as a single checkbox. It is a living, breathing document that is meant to be updated regularly as your business and security evolves.

If you need help reviewing or building your Written Information Security Plan, contact us today for a free consultation. Nerds Support is IRS and SOC compliance certified, so we have the processes and templates in place to prove we do what we say we do to help your business be secure and successful!

Check out Nerds Support's Google reviews!
Check out Nerds Support's Google reviews!
This site uses cookies. By continuing to browse the site, you are agreeing to our use of cookies. Your data will not be shared or sold.