Creating a Data Security Plan: Tips for Tax Professionals
December 9, 2024
Tax professionals are required by law to create a Written Information Security Plan – or WISP – to protect their clients’ data. The IRS and the Security Summit partners have created an easy-to-follow Written Information Security Plan that outlines the basics and walks tax professionals through how to get started on a plan and understand security compliance requirements and professional responsibilities.
Creating a WISP
A WISP protects client information most effectively when tailored to the size, scope, complexity and sensitivity of the customer data it handles. A WISP should focus on:
- Employee training and management.
- Information systems.
- System failure detection and management.
WISP Requirements
Tax professionals are required by law to have a WISP in place to protect customer data. As a part of their security plan, each tax professional needs to:
- Designate one or more employees to coordinate its information security program.
- Identify and assess risks to customer information in each relevant area of the company's operation.
- Evaluate the effectiveness of the current safeguards for controlling those risks.
- Design and implement a safeguards program and regularly monitor and test it.
- Contract a service provider that maintains safeguards and handling of customer information.
Tax professionals should continually evaluate and adjust their WISP based on relevant circumstances, changes in the firm's business or operations or the results of security testing and monitoring. For more on security awareness and WISPs, check out National Tax Security Awareness Week 2024.