Written information security plan (WISP)
INTRODUCTION
Digital Therapy's WISP Service is designed to equip tax and accounting firms with a robust framework for evaluating and documenting a company's current security state and for identifying vulnerabilities across SOPs, hardware, network, software, policies, and training. This plan is constructed from IRS Publications 5708, 4557, and 1345 and the FTC Safeguards Rule (16 CFR Part 314). It is designed to serve as a guideline and checklist, and it uses a risk-based scoring rubric to strengthen a company's data integrity, security, and overall resilience.
Each section contains:
-- U.S. Code citation and IRS/FTC publication attribution
-- Professional summary of the purpose and significance of the operational controls
-- Actionable compliance checklist
-- Structured input fields for documentation
-- Scoring area for audit teams
-- Attachment fields for supporting artifacts
This document can be digitized, scored, and stored for evidence and internal use, transforming what was once a static compliance plan into a dynamic risk management tool.
SECTION 1 — SECURITY GOVERNANCE & PROGRAM MANAGEMENT
Objective: Define and formalize the oversight structure for information security.
Purpose: Demonstrate to federal agencies and internal stakeholders that a Qualified Individual (QI) is assigned, authorized, and actively responsible for maintaining WISP compliance across the firm.
Authoritative Sources:
-- IRS Pub 5708, p. 5
-- IRS Pub 4557, Security Leadership
-- IRS Pub 1345, Chapter 2
-- FTC Safeguards Rule §314.4(a)
CHECKLIST
• Qualified Individual designated by firm leadership
• Written job description issued and signed
INPUT:
Company:
Name of QI:
Title/Role in Firm:
Date Assigned:
Reporting Chain:
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 2 — DATA RISK ASSESSMENT & INVENTORY
Objective: Conduct an annual data risk analysis and maintain an up-to-date inventory of all IT assets and data repositories.
Purpose: Identify exposure points and vulnerabilities within the firm’s technological infrastructure that may result in unauthorized disclosure or loss of taxpayer information.
Authoritative Sources:
-- FTC §314.4(b)
-- IRS Pub 5708, p. 6–8
-- IRS Pub 4557
-- IRS Pub 1345
CHECKLIST
—
INPUT:
Date of Last Risk Assessment:
Responsible Staff/Consultant:
Risk Framework or Tool Used:
Top 3 Risks Identified:
1.
2.
3.
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 3 — TECHNICAL SAFEGUARDS: THE SECURITY SIX
Objective: Implement the six core technical protections defined by the IRS.
Purpose: Ensure that digital security protections are deployed, monitored, and documented to minimize intrusion risk.
Authoritative Sources:
CHECKLIST
—
INPUT:
Control      Status   Last Verified   Tool Used
Antivirus    —
Firewall     —
MFA          —
Encryption   —
Backup       —
VPN          —
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 4 — EMPLOYEE TRAINING & HUMAN CONTROLS
Objective: Educate staff in secure behaviors and enforce human-centric controls.
Purpose: Build a human firewall by teaching staff to prevent, detect, and respond to security events.
Authoritative Sources:
-- IRS Pub 4557
-- IRS Pub 5708, p. 9
-- FTC §314.4(e)
CHECKLIST
—
INPUT:
Training Provider:
Most Recent Session:
Phishing Simulation Conducted:
—
% Staff Passing:
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 5 — SERVICE PROVIDER & VENDOR MANAGEMENT
Objective: Vet and manage all third-party service providers with access to sensitive data.
Purpose: Mitigate supply chain risks and maintain security continuity across vendor relationships.
Authoritative Sources:
-- IRS Pub 4557
-- IRS Pub 5708, p. 10
-- IRS Pub 1345
-- FTC §314.4(f)
CHECKLIST
—
INPUT:
Vendor   Access Type   Agreement Signed   Reviewed On
                       —
                       —
                       —
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 6 — INCIDENT RESPONSE & BREACH NOTIFICATION
Objective: Ensure the firm has formalized and rehearsed its breach response capabilities.
Purpose: Prepare for potential security events with structured response protocols to limit damage and ensure proper notifications.
Authoritative Sources:
CHECKLIST
—
INPUT:
Last Test Date:
Simulated Scenario:
Response Time (minutes):
Communication Plan Reviewed:
—
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 7 — DOCUMENT RETENTION, LOGGING & AUDIT HISTORY
Objective: Manage document retention, system logging, and auditability protocols.
Purpose: Demonstrate a history of compliance and readiness to produce records on demand.
Authoritative Sources:
-- FTC §314.4(i)
-- IRS Pub 5708, p. 12
-- IRS Recordkeeping Guidelines
CHECKLIST
—
INPUT:
Logging System Used:
Most Recent Log Entry:
Destruction Methodology:
Retention Period (Years):
COMPLIANCE SCORE (1–5):
EVIDENCE ATTACHED:
—
SECTION 8 — COMPLIANCE SUMMARY & RISK SCORECARD
Objective: Provide leadership with a quantified view of organizational security posture.
Purpose: Deliver a concise executive summary suitable for board reporting, investor confidence, and legal compliance.
Authoritative Sources:
CHECKLIST
—
INPUT:
Section              Score (1–5)
Governance
Risk Assessment
Technical Controls
Training
Vendor Mgmt
Incident Plan
Logging
Total Score:         / 35
WISP Health Grade:
—
Qualified Individual Signature:
Date:
APPENDICES (Attach the Following Where Applicable)
-- Appendix A: Risk Assessment Matrix
-- Appendix B: Vendor List
-- Appendix C: Training Logs & Signatures
-- Appendix D: Confidentiality Agreements
-- Appendix E: Incident Response Plan
-- Appendix F: WISP Document Version
