Create an IRS-Compliant WISP Annually Using Key IRS Publications and FTC Safeguards


Below is a detailed, step-by-step outline for creating and updating a Written Information Security Plan (WISP) on an annual basis, incorporating guidance from IRS Publications 1345, 4557, 5708, and 5709, as well as the FTC Safeguards Rule (16 CFR Part 314). This framework should be customized to fit your firm’s specific environment and reviewed by legal and compliance professionals.

Create an IRS-Compliant WISP

Key References and Regulatory Framework

  • IRS Publication 1345: Handbook for Authorized IRS e-file Providers
    Provides requirements and recommendations on safeguarding taxpayer e-file data, including proper authentication, data transmission security, and handling of sensitive information.
  • IRS Publication 4557: Safeguarding Taxpayer Data – A Guide for Your Business
    Offers a comprehensive overview of best practices and requirements for protecting taxpayer information, including risk assessments, security controls, and breach response.
  • IRS Publications 5708 and 5709 (If Provided by the IRS Security Summit or Industry Partners)
    These resources typically focus on advanced security measures, incident prevention, and updated threat information for tax professionals. While not as widely referenced as 1345 and 4557, they may provide additional checklists, guidance, or technical recommendations to enhance your security posture.
  • FTC Safeguards Rule (16 CFR Part 314)
    Requires financial institutions—including tax preparers and other entities handling sensitive financial data—to develop, implement, and maintain a comprehensive, written information security program. Aligning your WISP with this rule ensures compliance with the Gramm-Leach-Bliley Act (GLBA).

1. Designate a WISP Coordinator and Obtain Executive Support

Action Items:

  • Assign a dedicated individual (e.g., Security Officer) or a small committee to oversee and implement the WISP, ensuring accountability and effective management of the program.
  • Secure buy-in from senior management to provide the necessary resources, training, and authority.

References:

  • IRS Pub 1345 & 4557: Emphasize internal controls and oversight.
  • FTC Safeguards Rule: Requires designation of one or more employees to coordinate the information security program.

2. Conduct an Annual Risk Assessment

Action Items:

  • Identify new internal and external threats that could compromise taxpayer data. Consider changes in technology (e.g., new e-file software or cloud solutions), business processes, and emerging cyber threats (ransomware, phishing, supply chain attacks).
  • Evaluate the effectiveness of current safeguards and identify any gaps.

References:

  • IRS Pub 4557: Recommends regular risk assessments to adapt to evolving threats.
  • IRS Pub 5708/5709: May provide updated threat intelligence or checklists for assessing risks to IT systems.
  • FTC Safeguards Rule: Requires periodic assessment of risks to customer information.

3. Update and Formalize Security Policies and Procedures

Action Items:

  • Develop or refine policies governing data classification, storage, transmission, and disposal of taxpayer information.
  • Ensure that policies detail the use of strong authentication, encryption standards, firewall configurations, software patching, and secure remote access (VPN, MFA).

References:

  • IRS Pub 1345: Stresses proper authentication and secure data transmission for e-file providers.
  • IRS Pub 4557: Outlines core policies for safeguarding taxpayer data.
  • IRS Pub 5708/5709: May offer best practices on emerging technologies and defensive controls.
  • FTC Safeguards Rule: Mandates written policies reflecting current best practices and controls.

4. Control Access and Authentication

Action Items:

  • Restrict access to taxpayer data strictly based on job responsibilities. Implement role-based access and enforce the principle of least privilege.
  • Deploy MFA for sensitive systems, especially for remote access and administrator-level accounts.

References:

  • IRS Pub 4557 & 1345: Recommend strong authentication to prevent unauthorized access.
  • FTC Safeguards Rule: Requires measures to control and limit access to customer information.

5. Ensure Secure Transmission, Storage, and Disposal of Taxpayer Data

Action Items:

  • Encrypt all sensitive taxpayer data at rest and in transit.
  • Use secure email solutions, HTTPS connections, and secure file transfer methods.
  • Properly dispose of old data and equipment following NIST or IRS-recommended standards.

References:

  • IRS Pub 4557 & 1345: Highlight encryption and secure transmission for protecting e-file and taxpayer data.
  • FTC Safeguards Rule: Encourages robust technical measures like encryption and secure disposal.

6. Vendor and Service Provider Management

Action Items:

  • Assess the security posture of all third-party vendors who handle taxpayer information or support critical processes.
  • Require contractual assurances that vendors comply with IRS and FTC standards, and regularly obtain compliance attestations or certifications.

References:

  • IRS Publications: Emphasize the responsibility of e-file providers and tax professionals to ensure vendors also protect taxpayer data.
  • FTC Safeguards Rule: Requires monitoring and oversight of service providers’ safeguards.

7. Employee Training and Security Awareness

Action Items:

  • Conduct annual security awareness training that covers phishing, social engineering, password management, and recognizing suspicious activity.
  • Update training materials to incorporate guidance from recent IRS publications and emerging threats noted in FTC advisories.

References:

  • IRS Pub 4557 & 5709: Stress the importance of continuous staff education and training.
  • FTC Safeguards Rule: Mandates training staff to implement the security program effectively.

8. Incident Response and Breach Notification Procedures

Action Items:

  • Maintain a clear incident response plan detailing how to identify, contain, remediate, and report breaches or security incidents.
  • Understand and follow IRS and FTC notification requirements, as well as any relevant state breach notification laws.

References:

  • IRS Pub 4557: Urges preparedness for incidents and defines proper breach response actions.
  • FTC Safeguards Rule: Requires security plans to address how organizations will respond to security events.

9. Technical Controls, Monitoring, and Testing

Action Items:

  • Conduct vulnerability scans, penetration tests, and audits at least annually to identify weaknesses in your infrastructure and applications.
  • Monitor system logs, review access reports, and use SIEM tools to detect suspicious activity.

References:

  • IRS Pub 5708/5709: May include technical checklists or advanced security strategies.
  • FTC Safeguards Rule: Requires regular testing and monitoring of the effectiveness of the information security program.

10. Documentation and Record-Keeping

Action Items:

  • Maintain comprehensive documentation of the WISP, including revisions, risk assessments, training records, vendor agreements, and incident response activities.
  • Keep these records securely and ensure they are readily available for IRS or FTC audits or inquiries.

References:

  • IRS Pub 1345 & 4557: Stress maintaining proper documentation to demonstrate compliance.
  • FTC Safeguards Rule: Requires documentation to show the safeguards program is implemented and maintained.

11. Annual Review, Approval, and Continuous Improvement

Action Items:

  • At least once a year, review the WISP in light of updates to IRS Publications 1345, 4557, 5708, 5709, and changes to the FTC Safeguards Rule.
  • Incorporate new threat intelligence, regulatory updates, and technological advancements.
  • Seek approval from executive management and communicate updates to all relevant staff.

References:

  • IRS Publications: Advocate for ongoing adjustments to reflect evolving guidance and threats.
  • FTC Safeguards Rule: Requires periodic evaluation and adjustments to the security program.

In summary, creating and maintaining an IRS-compliant WISP annually involves:

  • Aligning with IRS Publications 1345, 4557, 5708, and 5709, and integrating their guidance into your data protection measures.
  • Meeting the FTC Safeguards Rule requirements by developing a written, regularly updated, and tested information security program.
  • Proactively managing risks, training employees, monitoring vendors, and preparing for possible incidents.

By following these steps and regularly consulting the latest IRS and FTC guidance, you ensure your firm stays compliant, protects taxpayer data effectively, and upholds client trust.


Our office

Today Payments Merchant Services
2305 Historic Decatur Road, Suite 100
San Diego, CA 92106