Frequently Asked Questions
What is the difference between basic and tax practice?
The only difference with our plans is the number of users you can add to your WISP Builder account. The Basic package would be best suited for small firms of only a couple employees.
How long will it take me to fill out the WISP?
The template is based on the IRS WISP template, but we are unfortunately unable to offer specific guidance on what content a particular firm needs to include in its information security plan, as that largely depends on what systems the firm uses, how clients and vendors do business with the firm and access those systems, how the firm safeguards client information, etc. We suggest reviewing IRS Publication 5708 to ensure all your firm's bases are covered when creating your WISP, which you can view at the following link: https://www.irs.gov/pub/irs-pdf/p5708.pdf
Taking a snippet from the IRS publication, here is the section on what the IRS requires as part of your written security plan, which may mean adding information beyond the WISP template we provide:
IRS Requirements
The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires financial institutions to protect customer data. In its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule to outline measures that are required to be in place to keep customer data safe. Under the GLBA and Safeguards Rule, tax and accounting professionals are considered financial institutions, regardless of size.
A requirement of the Safeguards Rule is implementing and maintaining a WISP. Your WISP must be written and accessible.
As a part of the plan, the FTC requires each firm to:
Designate a qualified individual to coordinate its information security program
Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks
Design and implement a safeguards program, and regularly monitor and test it
Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information
Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring
Implement multi-factor authentication for any individual accessing any information system, unless your qualified individual has approved in writing the use of reasonably equivalent or more secure access controls.
Report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30 days from the date of discovery.
What does an e-signature sign off mean?
Signatures are required for any designated individuals who coordinate your information security plan. For example, with a small single-owner firm, you would designate yourself as the firm Owner, Data Security Coordinator and Public Information Officer on your WISP. The IRS still requires your signature on the WISP regardless of whether it is you or someone else who manages the data security of your firm. In a larger firm, for example, signatures would additionally be collected as acknowledgements from your staff.
What are the free document downloads for? Do they get attached to my WISP?
The document downloads are not necessarily attached to your WISP (although they can be); they are free templates that you can download and modify to fit your firm's needs. Any additional documents you have can be securely stored in the Documents section of your WISP Builder account for easy access in the event of an audit by the IRS.
Document template examples that are offered through our site are:
PII Hardware Inventory
Your firm’s PII Access List (who has access to PII at your firm)
Terminated Employee checklist (list of items to be done when someone leaves to ensure PII access is locked down)
Record Retention Guide (possible WISP attachment outlining your firm’s document retention policy)
Disaster Recovery Topics (your firm should have a disaster recovery plan in case of emergencies; this document contains a list of topics to cover as you develop your plan)
Incident Report: Potential Data Breach Notification (use this form to document any potential incident exposing client information (PII))
Is there a live support person who I can speak to?
While we primarily handle support through email, we can set up a call with you to discuss further if you’d like. Let us know what day and time work best for you and we can arrange something.