WISP Components – What CPAs Should Be Aware Of

Data security is a top priority for every business in the modern world. This is especially important for CPA firms that handle clients’ financial data. One of the best ways to achieve this is through a Written Information Security Plan, also known as a WISP.

The IRS published Publication 5708, which provides guidelines for drafting a WISP and outlines procedures to protect sensitive information. Understanding WISP concepts is crucial for CPAs to meet legal standards and mitigate cyber threats.

Let’s discuss the components of a WISP that CPAs should know.

Defining the WISP Objectives, Purpose, and Scope

The core of a WISP is formed by its objectives, purpose, and scope. Therefore, CPAs need to ensure that their organization’s WISP states the major goals it aims to achieve, such as protecting client data, maintaining compliance with state and federal regulations, and reducing risks.

Objectives

The main objectives of a Written Information Security Plan include:

  • Data Preservation: Protecting PII (personally identifiable information) from unauthorized access through physical, technical, and administrative safeguards.
  • Rule Compliance: Ensuring adherence to the Gramm-Leach-Bliley Act (GLBA) and FTC Financial Privacy and Safeguards Rules as required by law.
  • Risk Prevention: Identifying and addressing potential cybersecurity threats.

Scope

A WISP should clearly outline its scope of coverage. It should describe which departments, employees, and systems are covered. Since third-party vendors or contractors may access a company’s data, it must also determine their access permissions. The scope should cover:

  • Threat Identification
  • Risk Assessment
  • Analyzing current security policies and safeguards
  • Compliance with the Gramm-Leach-Bliley Act and the Federal Trade Commission Financial Privacy and Safeguards Rule
  • Deployment of continuous monitoring and internal controls

Designating a Qualified Individual

A WISP requires you to appoint a Data Security Coordinator (DSC). The DSC is responsible for overseeing and maintaining the WISP. The DSC must also ensure that security protocols are followed, updated, and applied throughout the company.

The DSC will be responsible for:

  • Implementing the WISP and overseeing operations in compliance with all security protocols.
  • Identifying where repositories of restricted sensitive data are located and recording them as assets to be protected.
  • Periodically checking to confirm that all staff have received information security training.
  • Training all staff members, as well as outside parties who handle PII, on a regular basis.
  • Monitoring and testing employee compliance with security policies and procedures.
  • Evaluating third-party service providers’ ability to implement and maintain appropriate security measures for the PII (Personally Identifiable Information) they have access to.

The WISP also requires you to assign a Public Information Officer (PIO) to handle external communications. This ensures that formal communications with clients and with law enforcement follow due process.

Risk Assessment

A comprehensive risk assessment enables your security team to find vulnerabilities and develop strategies to address them. CPAs should ensure that their firm’s WISP includes a systematic risk assessment process.

Components of Risk Assessment

  • Identifying Assets: Understanding what data, systems, and hardware need protection.
  • Recognizing Threats: Analyzing potential cyber threats, such as phishing attacks, ransomware, and insider threats.
  • Evaluating Vulnerabilities: Identifying weaknesses in the firm’s IT infrastructure and employee security awareness.
  • Assessing Impact: Determining the potential consequences of a data breach.
  • Developing Mitigation Strategies: Implementing security measures such as encryption, multi-factor authentication, and employee training.

Hardware Inventory

CPAs should document all hardware assets used to store or process sensitive data. Firms must also record the data being processed or stored in such devices. An accurate inventory can help identify security risks and ensure compliance with security policies.

Fundamental Inventory Components

  • PCs and Servers: Track all workstations, laptops, and servers used for processing financial information.
  • Networking Hardware: Keep track of routers, switches, and firewalls.
  • Storage Devices: Document USB drives, external hard drives, and backup servers.
  • Mobile Devices: Includes company-issued smartphones and tablets.
  • Third-Party Hardware: Document any hardware used by vendors or contractors with access to firm data.

Keeping an accurate, dedicated inventory of hardware and software allows you to keep security patches current, making devices less vulnerable.
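As an added illustration of how an inventory like the one described above can be put to work (this is example code, not part of the original article or of any IRS or Ace Cloud Hosting material), the script below checks a constructed sample inventory for the conditions a DSC would want flagged: devices that hold PII without an assigned owner or without encryption, devices whose last patch date is older than a threshold, and devices seen on the network that are absent from the inventory. The record fields, the 30-day patch threshold, the review date, and the "observed on the network" list are all assumptions made for the example.

```python
from datetime import date, timedelta

# Assumed policy threshold for this example: patches older than this are flagged.
PATCH_MAX_AGE = timedelta(days=30)

# Device types that do not receive software patches, so a missing patch date is expected.
UNPATCHABLE = {"usb_drive", "external_drive"}

# Constructed sample inventory records (not real firm data).
INVENTORY = [
    {"asset_id": "WS-001", "type": "workstation", "owner": "jsmith",
     "holds_pii": True, "encrypted": True, "last_patched": date(2024, 3, 1)},
    {"asset_id": "SRV-01", "type": "server", "owner": "it",
     "holds_pii": True, "encrypted": True, "last_patched": date(2024, 1, 10)},
    {"asset_id": "USB-07", "type": "usb_drive", "owner": "",
     "holds_pii": True, "encrypted": False, "last_patched": None},
    {"asset_id": "FW-01", "type": "firewall", "owner": "it",
     "holds_pii": False, "encrypted": False, "last_patched": date(2024, 2, 20)},
]

# Constructed list of asset identifiers observed on the network (for example,
# taken from a DHCP lease table) during the review period.
OBSERVED_ON_NETWORK = ["WS-001", "SRV-01", "FW-01", "LAPTOP-UNKNOWN"]

# Assumed date on which the review is run.
REVIEW_DATE = date(2024, 3, 10)


def inventory_findings(inventory, observed, as_of):
    """Return (asset_id, finding_code) pairs for every inventory problem found."""
    findings = []
    known_ids = set()

    for device in inventory:
        asset_id = device["asset_id"]
        known_ids.add(asset_id)

        # Devices that store or process PII must have an accountable owner
        # and must protect the data at rest.
        if device["holds_pii"]:
            if not device["owner"]:
                findings.append((asset_id, "no_owner"))
            if not device["encrypted"]:
                findings.append((asset_id, "pii_unencrypted"))

        # Patch currency: a missing record is itself a finding for patchable devices;
        # a stale record is a finding for everything.
        last_patched = device["last_patched"]
        if last_patched is None:
            if device["type"] not in UNPATCHABLE:
                findings.append((asset_id, "no_patch_record"))
        elif as_of - last_patched > PATCH_MAX_AGE:
            findings.append((asset_id, "patches_stale"))

    # Reconciliation: anything on the network that the inventory does not know about.
    for asset_id in observed:
        if asset_id not in known_ids:
            findings.append((asset_id, "not_in_inventory"))

    return findings


def run_check():
    """Run the check against the constructed sample data."""
    return inventory_findings(INVENTORY, OBSERVED_ON_NETWORK, REVIEW_DATE)


if __name__ == "__main__":
    for asset_id, code in run_check():
        print(f"{asset_id}: {code}")
```

The reconciliation step is the part most inventories skip: comparing what the documented asset list says against what the network actually shows is how an unrecorded laptop or contractor device is noticed before it becomes an incident.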

Document Safety Measures

Provide a detailed account in your WISP of the security measures that protect sensitive data. CPAs should ensure that the security protocols binding every member of their firm are set out here. For example:

Data Collection & Retention

  • Collect and store only the necessary PII.
  • Define the employees who can access it, where you will keep files, and when they should be securely deleted.
  • Define the format in which data will be stored.

Data Disclosure

  • Define the identity verification process for anyone receiving PII.
  • When PII is stored off-premise, it must be protected.
  • Make sure cloud providers adhere to stringent security guidelines.
  • Define the external parties with whom the data may be shared.

Network Protection

  • Firewalls, anti-virus programs, and anti-malware should be implemented.
  • Adopt strong password policies (e.g., don’t share passwords, change them regularly, restrict access by job function).
  • Keep systems updated and monitor for unusual activity.

User Access & Remote Work

  • Define the actions taken when a user exceeds the allowed number of failed login attempts.
  • Deploy a Multi-Factor Authentication (MFA) policy.
  • Restrict all after-hours remote access.
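As an added example of the three user-access controls listed above working together (example code written for this article, not a mechanism from the original post or from any vendor product), the class below evaluates a login attempt against a failed-attempt lockout, an MFA requirement, and an after-hours remote-access restriction, and keeps a simple audit trail the DSC could review. The threshold of five attempts, the 30-minute lockout, the 08:00 to 18:00 weekday window, and the user names are all assumptions made for the example; a real firm would set these values in its WISP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this example; a firm's WISP sets the real ones.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_PERIOD = timedelta(minutes=30)
BUSINESS_HOURS = (8, 18)   # remote access allowed from 08:00 up to 18:00 local time
WORKDAYS = {0, 1, 2, 3, 4}  # Monday to Friday


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    mfa_enrolled: bool = False


class AccessPolicy:
    """Evaluates login attempts against lockout, MFA and after-hours rules."""

    def __init__(self):
        self.accounts = {}
        self.audit = []  # (timestamp, user, outcome) records for review

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def enroll_mfa(self, user):
        self._state(user).mfa_enrolled = True

    def _record(self, now, user, outcome):
        self.audit.append((now, user, outcome))
        return outcome

    def attempt_login(self, user, password_ok, mfa_ok, remote, now):
        """Return one of: locked, bad_password, mfa_required, mfa_failed,
        after_hours, granted."""
        st = self._state(user)

        # Lockout: refuse while the lockout is active, reset once it has expired.
        if st.locked_until is not None:
            if now < st.locked_until:
                return self._record(now, user, "locked")
            st.locked_until = None
            st.failed_attempts = 0

        # Any failed credential check counts toward the lockout threshold.
        if not password_ok:
            return self._record(now, user, self._fail(st, now, "bad_password"))

        # MFA policy: the account must be enrolled and the second factor must pass.
        if not st.mfa_enrolled:
            return self._record(now, user, "mfa_required")
        if not mfa_ok:
            return self._record(now, user, self._fail(st, now, "mfa_failed"))

        # After-hours rule applies only to remote sessions.
        if remote and not self._within_business_hours(now):
            return self._record(now, user, "after_hours")

        st.failed_attempts = 0
        return self._record(now, user, "granted")

    def _fail(self, st, now, reason):
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_PERIOD
            return "locked"
        return reason

    @staticmethod
    def _within_business_hours(now):
        return now.weekday() in WORKDAYS and BUSINESS_HOURS[0] <= now.hour < BUSINESS_HOURS[1]


def ts(year, month, day, hour, minute=0):
    """Helper to build timestamps for the simulation below."""
    return datetime(year, month, day, hour, minute)


if __name__ == "__main__":
    policy = AccessPolicy()
    policy.enroll_mfa("alice")              # constructed user name
    when = ts(2024, 3, 5, 10)               # a Tuesday morning
    for _ in range(5):                       # five bad passwords trigger the lockout
        policy.attempt_login("alice", False, False, False, when)
    print(policy.attempt_login("alice", True, True, False, when))  # still locked
    for entry in policy.audit:
        print(entry)
```

Note that the lockout is keyed on the account, not the source address, and that a successful login resets the counter; both choices are deliberate so that a legitimate user who mistypes once is not penalised later, while a sustained guessing attempt against one account is stopped regardless of where it comes from.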

Connected Devices

  • Perform a security inspection before installing new computers, servers, or software.
  • Shut off risky features like USB auto-run.
  • Only employ security software approved by the firm.

Incident Response & Breach Notification

  • Create a Response & Notification Plan to deal with security breaches.
  • Describe who will be responsible for maintaining any insurance, cyber theft policies, and legal counsel retainer, if appropriate.
  • Describe how the Data Security Coordinator (DSC) will inform bodies like the IRS or FTC.

Establish Employee Code of Conduct

  • Train workers on privacy rules and the safe use of PCs.
  • Conduct background checks and demand Non-Disclosure Agreements (NDAs) be signed and honored.
  • Implement policies like data scrubbing for terminated employees.
  • Distribute WISP to all employees, including part-time and contract workers.
  • Employees must follow rules for protecting Personally Identifiable Information (PII).
  • Regular security awareness training should be provided to all employees.
  • Employees must sign an acknowledgment of understanding the WISP policies.

Using these best practices, your company will be able to stay one step ahead of cyber threats and protect sensitive information.

Drafting an Implementation Clause

A WISP is only useful when it is enforced and reviewed regularly. The implementation clause describes how the WISP will be enforced and reassessed over time.

Key Elements of an Implementation Clause

Once all relevant policies and procedures are included, finalize your WISP with an Implementation clause stating:

  • Date of Implementation
  • Firm name
  • Adherence to the GLBA and FTC Safeguards Rule
  • Relevant state laws
  • Signatures of the principal operating officer/owner and DSC, dated accordingly

Fast Track WISP Implementation with Pre-defined Templates

These are the major components that will help you draft an effective written information security plan for your CPA firm.

However, every CPA firm caters to different clients, geographies, and security challenges. Therefore, you need to analyze your business thoroughly before coming up with a robust WISP.

At Ace Cloud Hosting, we help you become WISP compliant by providing you with a free assessment/gap analysis WISP report in 48 hours, ensuring you meet all IRS and FTC guidelines. Still need help? For further assistance, you can contact our experts anytime for a free consultation at 855-223-4887.


About Nolan Foster

With 20+ years of expertise in building cloud-native services and security solutions, Nolan Foster spearheads Public Cloud and Managed Security Services at Ace Cloud Hosting. He is well versed in the dynamic trends of cloud computing and cybersecurity.
Foster offers expert consultations for empowering cloud infrastructure with customized solutions and comprehensive managed security.
