Written Information Security Plan (WISP)
Prepared by: Brian Williams
Date: 8/8/2025
Review Date: 8/1/2026
1. Purpose and Scope
This Written Information Security Plan (WISP) outlines the policies and procedures established by Brian Williams, CPA, PLLC to protect client data in accordance with the Gramm-Leach-Bliley Act, IRS Publication 4557, and the FTC Safeguards Rule.
2. Designated Security Coordinator
Name: Brian Williams
Role: Oversees the implementation, training, and enforcement of this plan.
3. Risk Assessment
Identified risks to client information include:
- Unauthorized access to physical files or digital systems
- Phishing, malware, or ransomware attacks
- Loss or theft of devices containing sensitive data
- Accidental data sharing or misdelivery
Mitigation strategies are outlined below.
4. Safeguards Employed
A. Access Controls
- Only authorized personnel have access to client files and systems.
- Strong, unique passwords are required and changed every 90 days.
- Multi-factor authentication (MFA) is enabled on all systems handling client data.
B. Data Encryption
- All electronic client data is encrypted in transit and at rest.
- Email communications containing sensitive data are encrypted or sent through a secure portal.
C. Device Security
- All computers and devices are password-protected.
- Up-to-date antivirus and anti-malware software is installed and automatically updated.
- Full disk encryption is used on all laptops and mobile devices.
D. Physical Security
- Paper files are stored in locked file cabinets in a secured office.
- Office doors are locked when unattended.
- Visitors are not permitted in areas where client data is accessible.
E. Data Backup and Recovery
- Client files are backed up daily to a secure cloud provider or encrypted external drive.
- Backup systems are tested quarterly for recovery capability.
5. Employee Management and Training
- As a solo practitioner, Brian Williams is solely responsible for maintaining knowledge and training related to data privacy and security.
- Annual review of IRS guidelines and cybersecurity best practices is performed.
6. Service Provider Oversight
- Contracts with third-party vendors (e.g., software providers, cloud storage) require data protection standards and breach notification procedures.
- Due diligence is performed on vendors’ security practices before engagement.
7. Incident Response Plan
In the event of a data breach:
1. Contain the breach and disconnect affected systems.
2. Notify the IRS Stakeholder Liaison immediately.
3. Report the incident to law enforcement and clients as required.
4. Investigate the breach, determine the cause, and apply corrective actions.
5. Document the incident and review safeguards for improvements.
8. Annual Review and Updates
This plan will be reviewed at least annually or whenever there are changes to:
- Business operations
- Technology used
- Legal or regulatory requirements
9. Recordkeeping
- Documentation of software updates, backups, security reviews, and other compliance activities will be maintained for at least 3 years.
Signature
Brian Williams
Date: 8/8/2025
