FSMC Bookkeeping Services

Incident Response Plan (IRP)

Incident Response Plan (IRP)

(Part of the Written Information Security Program – WISP)

Prepared for: FSMC Bookkeeping Services https://fsmcquickbooks.com

Confidential – For Internal Use Only

 

1.  Purpose & Scope

FSMC Bookkeeping Services (“the Firm”) maintains this Incident Response Plan (IRP) to establish clear procedures for detecting, responding to, mitigating, and documenting suspected or confirmed security incidents involving covered information, including client financial, tax, and personally identifiable information (PII).

This IRP supports compliance with:

  • IRS Publication 4557 (“Safeguarding Taxpayer Data”)
  • The FTC Safeguards Rule and breach notification requirements
  • Applicable state data protection and breach notification laws

 

2.  Roles and Responsibilities

Incident Response Team (IRT): The Firm designates the following roles for coordinated response: Incident Response Coordinator (IRC)

  • Oversees incident response activities
  • Authorizes escalation to regulators, clients, and law enforcement
  • Approves recovery and communication measures

IT & Security Lead

  • Identifies, analyzes, and contains threats
  • Implements eradication and recovery measures
  • Coordinates with vendors, forensic specialists, or insurers

Compliance & Legal Advisor

  • Ensures all actions comply with legal/regulatory obligations
  • Advises on reporting to IRS, FTC, state agencies, and law enforcement

Client Relations Manager

  • Manages notifications to clients and stakeholders
  • Provides clear, timely, and accurate communications

Documentation & Records Officer

  • Maintains incident records, reports, and post-incident reviews

 

3.  Incident Identification & Reporting

All employees, contractors, and vendors must promptly report any suspected or actual security incident involving covered information.

Examples of incidents include:

  • Unauthorized access to tax or financial data
  • Malware, ransomware, or phishing attacks
  • Lost/stolen devices containing client data
  • Improper disposal or transmission of sensitive records Reporting procedure:
  • Immediately notify the Incident Response Coordinator (IRC)
  • Submit an Incident Report Form (IRF) with details (time, systems affected, suspected cause)
  • Escalate to IT & Security Lead for confirmation and analysis

 

4.  Response Phases

The Firm follows the NIST-based four-phase approach:

  1. Containment
    • Isolate affected systems to prevent further compromise
    • Disable compromised accounts or credentials
    • Preserve evidence for forensic analysis
  2. Eradication
    • Remove malware, malicious accounts, or unauthorized access points
    • Patch vulnerabilities and update configurations
    • Validate integrity of systems before reconnecting
  3. Recovery
    • Restore systems from secure, verified backups
    • Monitor for recurrence of threats
    • Resume business operations securely and gradually
  4. Post-Incident Analysis (Lessons Learned)
    • Conduct a root-cause analysis
    • Review response effectiveness and gaps
    • Update WISP and IRP procedures accordingly
    • Provide additional staff training if required

 

5.  Notification Procedures

  • Clients: Prompt notification if their covered information is compromised, with details on scope, risk, and recommended protective measures.
  • Regulators: Notify the IRS, FTC, and state regulatory agencies as required by
  • Law Enforcement: Contact federal or state law enforcement if criminal activity is
  • Insurers: Notify cyber liability insurance providers immediately, if

All notifications must be approved by the Incident Response Coordinator and documented in the incident record.

 

6.  Documentation

  • Incident Report Form (initial identification)
  • Chronology of response actions
  • Communications (internal and external)
  • Regulatory and client notifications
  • Post-incident review report

Records are retained for a minimum of five years in compliance with IRS and FTC guidelines.

 

7.  Review & Testing

This IRP will be reviewed annually and after any incident. Tabletop exercises or simulated incident drills will be conducted at least once per year. Updates will be incorporated into the Firm’s WISP.

 

This Incident Response Plan forms a separate, standalone document but is formally incorporated as part of FSMC Bookkeeping Services’ Written Information Security Program (WISP).