Written information security plan (WISP)
INTRODUCTION
Digital Therapy's WISP Service is designed to give tax and accounting firms a robust framework for evaluating and documenting a company's current security state and for identifying vulnerabilities across SOPs, hardware, network, software, policies, and training. This plan is built on IRS Publications 5708, 4557, and 1345 and the FTC Safeguards Rule (16 CFR Part 314). It is designed to serve as both a guideline and a checklist, and it uses a risk-based scoring rubric to strengthen a firm's data integrity, security, and overall resilience.
Each section contains:
-- U.S. Code citation and IRS/FTC publication attribution
-- Professional summary of the control's purpose and significance
-- Actionable compliance checklist
-- Structured input fields for documentation
-- Scoring area for audit teams
-- Attachment fields for supporting artifacts
This document can be digitized, scored, and stored for evidence and internal use, transforming what was once a static compliance plan into a dynamic risk management tool.
SECTION 1 — SECURITY GOVERNANCE & PROGRAM MANAGEMENT
Objective: Define and formalize the oversight structure for information security.
Purpose: Demonstrate to federal agencies and internal stakeholders that a Qualified Individual (QI) is assigned, authorized, and actively responsible for maintaining WISP compliance across the firm.
Authoritative Sources:
-- IRS Pub 5708, p. 5
-- IRS Pub 4557, Security Leadership
-- IRS Pub 1345, Chapter 2
-- FTC Safeguards Rule §314.4(a)
CHECKLIST
• Qualified Individual designated by firm leadership
INPUT:
Company:
TEST
Name of QI:
TEST
Title/Role in Firm:
TEST
Date Assigned:
TEST
Reporting Chain:
TEST
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 2 — DATA RISK ASSESSMENT & INVENTORY
Objective: Conduct an annual data risk analysis and maintain an up-to-date inventory of all IT assets and data repositories.
Purpose: Identify exposure points and vulnerabilities within the firm’s technological infrastructure that may result in unauthorized disclosure or loss of taxpayer information.
Authoritative Sources:
-- FTC §314.4(b)
-- IRS Pub 5708, p. 6–8
-- IRS Pub 4557
-- IRS Pub 1345
CHECKLIST
• Annual documented risk assessment performed
• Asset inventory: hardware, software, cloud services
INPUT:
Date of Last Risk Assessment:
TEST
Responsible Staff/Consultant:
TEST
Risk Framework or Tool Used:
TEST
Top 3 Risks Identified:
1.
TEST
2.
TEST
3.
TEST
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 3 — TECHNICAL SAFEGUARDS: THE SECURITY SIX
Objective: Implement the six core technical protections defined by the IRS.
Purpose: Ensure that digital security protections are deployed, monitored, and documented to minimize intrusion risk.
Authoritative Sources:
CHECKLIST
• Multi-factor authentication enforced
• Drive encryption enabled
INPUT:
Control      | Status   | Last Verified | Tool Used
Antivirus    | Enabled  | TEST          | TEST
Firewall     | Enabled  | TEST          | TEST
MFA          | Disabled | TEST          | TEST
Encryption   | Partial  | TEST          | TEST
Backup       | Auto     | TEST          | TEST
VPN          | Inactive | TEST          | TEST
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 4 — EMPLOYEE TRAINING & HUMAN CONTROLS
Objective: Educate staff in secure behaviors and enforce human-centric controls.
Purpose: Build a human firewall by teaching staff to prevent, detect, and respond to security events.
Authoritative Sources:
-- IRS Pub 4557
-- IRS Pub 5708, p. 9
-- FTC §314.4(e)
CHECKLIST
• Acceptable use policies reviewed
INPUT:
Training Provider:
TEST
Most Recent Session:
TEST
Phishing Simulation Conducted:
Yes
% Staff Passing:
TEST
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 5 — SERVICE PROVIDER & VENDOR MANAGEMENT
Objective: Vet and manage all third-party service providers with access to sensitive data.
Purpose: Mitigate supply chain risks and maintain security continuity across vendor relationships.
Authoritative Sources:
-- IRS Pub 4557
-- IRS Pub 5708, p. 10
-- IRS Pub 1345
-- FTC §314.4(f)
CHECKLIST
• Signed data protection agreements in place
• Vendor risk assessed annually
INPUT:
Vendor | Access Type | Agreement Signed | Reviewed On
TEST   | TEST        | Yes              | TEST
TEST   | TEST        | Yes              | TEST
TEST   | TEST        | Yes              | TEST
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 6 — INCIDENT RESPONSE & BREACH NOTIFICATION
Objective: Ensure the firm has formalized and rehearsed its breach response capabilities.
Purpose: Prepare for potential security events with structured response protocols to limit damage and ensure proper notifications.
Authoritative Sources:
CHECKLIST
• Response plan documented and accessible
• Emergency contact list compiled and current
INPUT:
Last Test Date:
TEST
Simulated Scenario:
TEST
Response Time (minutes):
TEST
Communication Plan Reviewed:
Yes
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 7 — DOCUMENT RETENTION, LOGGING & AUDIT HISTORY
Objective: Manage document retention, system logging, and auditability protocols.
Purpose: Demonstrate a history of compliance and readiness to produce records on demand.
Authoritative Sources:
-- FTC §314.4(i)
-- IRS Pub 5708, p. 12
-- IRS Recordkeeping Guidelines
CHECKLIST
• WISP edits logged and versioned
• Risk assessments retained 3+ years
INPUT:
Logging System Used:
TEST
Most Recent Log Entry:
TEST
Destruction Methodology:
TEST
Retention Period (Years):
TEST
COMPLIANCE SCORE (1–5):
TEST
EVIDENCE ATTACHED:
Yes
SECTION 8 — COMPLIANCE SUMMARY & RISK SCORECARD
Objective: Provide leadership with a quantified view of organizational security posture.
Purpose: Deliver a concise executive summary suitable for board reporting, investor confidence, and legal compliance.
Authoritative Sources:
CHECKLIST
• All control areas scored and documented
INPUT:
Section            | Score (1–5)
Governance         | TEST
Risk Assessment    | TEST
Technical Controls | TEST
Training           | TEST
Vendor Mgmt        | TEST
Incident Plan      | TEST
Logging            | TEST
Total Score (out of 35):
TEST
WISP Health Grade:
A
Qualified Individual Signature:
TEST
Date:
TEST
APPENDICES (Attach the Following Where Applicable)
- Appendix A: Risk Assessment Matrix
- Appendix B: Vendor List
- Appendix C: Training Logs & Signatures
- Appendix D: Confidentiality Agreements
- Appendix E: Incident Response Plan
- Appendix F: WISP Document Version