That Required Security Plan? Let's Build It Together.
- Michael Beauchamp
- Jul 20
- 2 min read
It often starts with a simple email. A client, a successful CPA firm we’ve worked with for years, forwards us a notice from the IRS with the subject line: “A Written Security Plan is Required – Do You Have One?”
My first thought is always, "This is a great opportunity."
For many tax and accounting professionals, that email can trigger a wave of anxiety. A Written Information Security Plan (or WISP) sounds like another daunting, complex compliance hurdle. And it’s true—the FTC Safeguards Rule and IRS regulations are not something to be taken lightly. But as we discussed in a recent internal workshop, this requirement isn't just about checking a box. It’s about building a real, practical roadmap to protect your firm and your clients.
When a client brings this to us, we don't just hand them a generic template. We start a workshop. We are firm believers that you can’t secure what you don’t understand. Our process begins with a deep dive into how your firm operates. What’s in your tech stack? Are you using Drake, Lacerte, or another tax software? Where is your data—in Google Workspace, a private server, or a mix of both? Who needs access to it?
This is where we turn what feels like a mountain of work into a manageable project. In our workshop, we leverage tools like Google's AI to process the stack of compliance documents—those dense IRS and FTC publications—and cross-reference them against your specific setup. We can ask targeted questions like, "Given this firm's use of published applications on a cloud server, what are the exact requirements for endpoint antivirus monitoring?" This helps us shortcut the research and focus on what truly matters for your business.
From this collaborative process, we build out the core components of your WISP:
- Identifying Responsible Parties: Who is your designated Data Security Coordinator? It’s a required role, and we help you define its responsibilities.
- Assessing Risk: We map out where your sensitive data lives and moves, from your firewall to the cloud, and identify the risks at each point.
- Implementing Safeguards: This is where the technical work comes in. We document and, if needed, implement the controls you already have—like multi-factor authentication on your cloud accounts—and identify any gaps, such as the need for formalized security awareness training or a monitored antivirus solution.
- Creating an Incident Response Plan: If a breach does happen, who do you call? What are the steps? We build a clear, actionable plan so you’re not scrambling in a crisis.
The final deliverable isn't just a document; it’s a complete compliance package. You get a WISP tailored to your firm, a checklist of your current safeguards, a clear budget for any necessary improvements, and a plan for the required annual reviews and training.
That email from the IRS isn’t a threat; it's a prompt to turn a legal obligation into a business asset. A well-crafted WISP strengthens your security posture, builds client trust, and gives you peace of mind. If that email has landed in your inbox, don't panic. Give us a call. Let's build your roadmap together.
