WISP Weekly

  • Subject: Your PTIN Is on the Chopping Block—Implement This WISP Today

    Hey there, Compliance Cadet,

    Let’s skip the fine print: if your Written Information Security Program (WISP) isn’t IRS-proof by December 31, your precious PTIN could vanish faster than last year’s refunds. Good news? You can lock this down in under an hour. Seriously.

    1. QUICK RISK SNAPSHOT
      • Inventory your data: client names, SSNs, bank info—map every digital handshake from intake form to e-file.
      • Rate threats on a scale of “meh” to “hair-on-fire.” Focus on the top two: unauthorized access and data theft.
      • Assign an owner (hint: it shouldn’t be “someone else’s” problem).

    2. ADMINISTRATIVE SAFEGUARDS
      • Policy power play: create a concise Acceptable Use policy and enforce it. Password123? Might as well post “Help Yourself” in the parking lot.
      • Vendor vetting: get a signed security agreement from every software or scanning service you use. No exceptions.
      • Incident response plan: one page, three steps—detect, contain, report. Drill it quarterly.

    3. TECHNICAL CONTROLS THAT DON’T SUCK
      • Encrypt everything: AES-256 for data at rest and TLS 1.2+ for data in transit. If your software can’t handle that, it’s time to upgrade.
      • Access logging: keep logs for 90 days and automate monitoring. A little Splunk or even a built-in audit trail will flag freaky behavior faster than your receptionist spots an overdue payment.
      • Multifactor authentication: not optional, not “maybe later.” Get it on every workstation, VPN, and cloud account.

    4. TRAINING & PHISH-TESTS
      • 15-minute monthly huddles: cover one topic—phishing, social engineering, device hygiene.
      • Simulated phishing blasts: send fake spear-phish emails and reward the team member who reports it fastest.
      • Immediate off-boarding: when someone leaves, revoke every credential the minute you hear “I’m outta here.”

    5. DOCUMENTATION & ONGOING REVIEW
      • One-page WISP summary: high-level overview for auditors.
      • Evidence folder: screenshots of encryption settings, training rosters, incident-response logs.
      • Annual WISP checkup: calendar a “does this still suck?” session six months before PTIN renewal.

    Bottom line: the IRS wants proof you’ve done the work—no slideshows, no jargon, just actionable steps and dated documentation. Nail this checklist, and you’ll sleep a lot better next tax season (and keep that PTIN where it belongs).

    Need a head start? Download IRS Publication 5708’s WISP template, plug in your practice details, and call it a day: https://www.irs.gov/pub/irs-pdf/p5708.pdf

    Remember, perfect security doesn’t exist—but a sloppy WISP is an open invitation to penalties, lost PTINs, and nightmare client calls. Take these five steps today and transform “cybersecurity confused” into “compliance confident.”

    Stay vigilant,
    Your Trusted Compliance Wingman

    May 17, 2025

    The Trusted Compliance Wingman
    May 2025 | Vol. 3, Issue 5
    Is Your WISP a Paper Tiger? 5 IRS & FTC Safeguards Hacks to Bulletproof Client Data

  • 2025 CPA WISP Requirements: Your Essential Guide to GLBA and IRS Compliance

    May 15
  • IRS WISP Requirements for CPA Firms in 2025: Essential Checklist to Avoid Fines and Cyber Threats

    May 15
  • Subject: Before the IRS Knocks: 5 Quick WISP Fixes to Save Your PTIN

    May 15
  • IRS WISP Compliance: The Essential Cybersecurity Blueprint for Accounting Firms

    May 15
  • 7-Step WISP Framework: Strengthen Your Tax Practice’s Cybersecurity and Protect Client Data

    May 15