Written Information Security Plan (WISP)

The Tax Lady

Written Information Security Plan (WISP)

Effective Date: 01/01/2022

Last Reviewed: 06/24/2025

1. Purpose and Scope

This Written Information Security Plan (WISP) is designed to ensure the safeguarding of taxpayer data collected, stored, transmitted, or disposed of by The Tax Lady. The plan addresses how we identify risks, implement protective measures, train staff, and respond to data breaches, in accordance with the FTC Safeguards Rule and IRS guidance.

2. Program Coordinator

Designated Coordinator:
Name: Cynthia Payan
Title: Cynthia Payan
Contact: Cynthia@TheTaxesLady.com

The Program Coordinator is responsible for implementing and enforcing this WISP, conducting regular risk assessments, and maintaining compliance with federal regulations.

3. Risk Assessment

We identify internal and external risks to taxpayer data in the following areas:

Internal Risks:

  • Unauthorized access to client data by employees.

  • Improper disposal of physical or electronic records.

  • Use of weak or reused passwords.

  • Lack of staff training on phishing and social engineering.

External Risks:

  • Hacking attempts on software or email accounts.

  • Malware or ransomware attacks.

  • Breaches due to third-party vendors or software vulnerabilities.

  • Physical theft (e.g., laptops, USB drives, printed records).

4. Safeguards and Controls

Administrative Safeguards

  • Role-based access control: Staff only access information necessary for their role.

  • Confidentiality agreements signed by all employees and contractors.

  • Background checks performed on all employees handling client data.

Technical Safeguards

  • Encrypted email communication with clients using secure portals or password-protected attachments.

  • Up-to-date antivirus and anti-malware software on all systems.

  • Multi-Factor Authentication (MFA) enabled for all tax software and cloud accounts.

  • Firewalls and secure Wi-Fi with password protection and limited access.

Physical Safeguards

  • Paper documents stored in locked cabinets when not in use.

  • Office premises locked after hours; client data not left in open areas.

  • Access to offices restricted to authorized personnel only.

5. Data Handling Policies

Data Collection and Storage

  • Only collect necessary taxpayer data.

  • Electronic data stored on encrypted and password-protected systems.

  • Cloud storage must comply with IRS security recommendations.

Access and Use

  • No client data is accessed via public Wi-Fi.

  • Tax software is hosted on secure, authorized platforms.

  • Personal devices used for business must meet company security standards.

Data Retention and Disposal

  • Retain client files according to IRS regulations (generally 3 years minimum).

  • Shred physical documents when no longer needed.

  • Secure deletion of electronic files using certified wiping software.

6. Incident Response Plan

In the event of a data breach or suspected compromise:

  1. Contain the breach: Disconnect affected systems from the network.

  2. Investigate and assess impact: Identify what data was accessed or exposed.

  3. Notify affected parties: Inform clients and the IRS (as required) promptly.

  4. Report: File a data breach report with local law enforcement, the FTC, and IRS Stakeholder Liaison.

  5. Document: Maintain a written report of the incident and steps taken.

  6. Review and revise: Update security protocols to prevent future incidents.

7. Employee Training

  • All employees receive training upon hire and annually on:

    • Phishing and social engineering threats.

    • Secure handling of physical and digital data.

    • Proper use of email and internet for work purposes.

  • Training includes mock phishing tests and review of recent cybersecurity threats.

8. Regular Security Reviews

  • Quarterly: Internal reviews of access logs, antivirus status, and physical security.

  • Annually: Comprehensive review and update of the WISP.

  • Software Updates: Apply patches and updates immediately upon availability.

9. Service Providers and Vendors

  • We assess third-party vendors for compliance with data security standards.

  • Contracts require vendors to maintain IRS/FTC-compliant safeguards.

10. Acknowledgement and Compliance

All staff must review this WISP, confirm understanding, and agree to abide by the policies annually.

The Tax Lady is committed to maintaining the privacy and security of taxpayer information. This plan will be updated as necessary to reflect changes in technology, threats, or regulatory guidance.