FSMC Bookkeeping Services
Written Information Security Plan (WISP)
Version: 1.0 Date Approved: 07/01/2025
Approved By: Michael J McCormick / FSMC Bookkeeping Services – Managing Partner
Next Review Date: 07/01/2026
1. Introduction & Purpose
FSMC Bookkeeping Services (“the Firm”) is committed to protecting the confidentiality, integrity, and availability of sensitive client and firm information. This Written Information Security Plan (WISP) outlines the administrative, technical, and physical safeguards the Firm has implemented to protect Non-public Personal Information (NPI) and other sensitive data, as required by the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information (Safeguards Rule), Internal Revenue Service (IRS) requirements (including Publication 4557 and requirements for PTIN holders), and applicable state regulations.
The purpose of this WISP is to:
- Ensure the security and confidentiality of NPI and sensitive client data.
- Protect against anticipated threats or hazards to the security or integrity of such information.
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any client or the Firm.
- Comply with all relevant legal and regulatory requirements regarding data security and privacy.
2. Scope
This WISP applies to:
- Personnel: All owners, principals, employees, contractors, temporary staff, and other individuals who have access to the Firm’s information systems or sensitive data.
- Information: All NPI and sensitive client or firm data, regardless of format (electronic or physical), including but not limited to financial statements, tax returns, Social Security numbers, bank account details, payroll information, investment details, client lists, and other personally identifiable information (PII).
- Systems & Locations: All computer systems, networks, software (including cloud-based applications), mobile devices, physical files, and office locations used to collect, process, store, transmit, or dispose of covered information.
3. Designated Coordinator(s) / Qualified Individual
The following individual(s) are designated as the Qualified Individual(s) responsible for overseeing, implementing, and maintaining this WISP and the Firm’s information security program:
- Primary Coordinator: Michael J McCormick, Managing Member and Compliance Officer
Responsibilities of the Coordinator(s) include:
- Implementing and maintaining this WISP.
- Conducting or overseeing regular risk assessments.
- Designing, implementing, and monitoring information safeguards.
- Overseeing employee security awareness training.
- Overseeing service provider due diligence and management.
- Coordinating the Firm’s incident response efforts.
- Regularly testing and evaluating the effectiveness of safeguards.
- Updating the WISP as needed, at least annually.
- Reporting the status of the information security program to Firm leadership.
4. Information Covered
This plan specifically covers Non-public Personal Information (NPI) and other sensitive data, including but not limited to:
- Information provided by clients to obtain financial products or services (e.g., tax preparation, bookkeeping, financial planning, consulting).
- Information resulting from transactions involving financial products or services (e.g., account balances, payment history).
- Information otherwise obtained in connection with providing financial products or services.
- Specific examples include:
  - Names, addresses, phone numbers
  - Social Security numbers (SSNs), Employer Identification Numbers (EINs)
  - Dates of birth
  - Financial account numbers (bank, brokerage, credit card)
  - Income, assets, liabilities, and other financial data
  - Tax return information
  - Payroll data
  - Credit history information
  - Login credentials for financial accounts or systems
- Any information defined as “customer information” under the GLBA Safeguards Rule or PII under relevant state laws.
This WISP addresses the security of covered information throughout its lifecycle: collection, access, processing, storage, transmission, and disposal.
5. Risk Assessment
The Firm will conduct regular risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of covered information. The assessment process includes:
- Identifying Information Assets: Cataloging systems, devices, locations, and types of covered information.
- Identifying Threats & Vulnerabilities: Identifying potential threats (e.g., malware, phishing, unauthorized access, system failure, human error, physical theft) and vulnerabilities (e.g., unpatched software, weak passwords, lack of training, insecure configurations).
- Analyzing Likelihood and Impact: Evaluating the probability of threats exploiting vulnerabilities and the potential impact on the Firm and its clients.
- Evaluating Existing Controls: Assessing the effectiveness of current safeguards in mitigating identified risks.
- Determining Risk Levels: Prioritizing risks based on likelihood and impact.
- Documenting Findings: Recording the assessment process, findings, and recommended actions.
Risk assessments will be conducted at least annually, or more frequently if there are significant changes to the Firm’s operations, technology, business arrangements, or upon discovery of new threats or vulnerabilities. The Designated Coordinator oversees this process.
6. Information Safeguards
The Firm implements the following administrative, technical, and physical safeguards to control the risks identified in the risk assessment:
6.1. Administrative Safeguards (Policies, Procedures, Training)
- Access Control Policy: Access to covered information is restricted based on the principle of least privilege (job function necessity). Access rights are reviewed regularly and promptly revoked or modified upon termination or change in job duties.
- Employee Training: All personnel receive mandatory security awareness training upon hiring and at least annually thereafter. Training covers this WISP, data handling procedures, password security, phishing and social engineering awareness, secure use of email and internet, incident reporting, and the importance of client data confidentiality. Training completion is documented.
- Background Checks: Background checks are conducted for personnel in positions with access to sensitive data, consistent with applicable laws.
- Confidentiality Agreements: All personnel are required to sign confidentiality agreements regarding client and firm information.
- Clean Desk & Screen Policy: Personnel are required to secure physical documents and lock unattended workstations to prevent unauthorized viewing or access.
- Acceptable Use Policy: Defines acceptable use of Firm technology resources, including internet, email, and software. (Reference Appendix or separate policy document).
- Secure Data Disposal Policy: Procedures are established for the secure disposal of physical documents (e.g., cross-cut shredding) and electronic media (e.g., degaussing, physical destruction, cryptographic erasure) containing covered information, consistent with data retention requirements.
- Vendor Management: Procedures outlined in Section 7.
6.2. Technical Safeguards (Technology Controls)
- Authentication & Access Control:
  - Strong, unique passwords are required for all systems and applications. Passwords must meet complexity requirements and be changed periodically.
  - Multi-Factor Authentication (MFA) is mandatory for all internal and remote access to systems containing covered information, including email, cloud applications, VPNs, and administrative access.
- Encryption:
  - Covered information is encrypted at rest (e.g., on servers, databases, laptops, mobile devices, backup media) using industry-standard algorithms (e.g., AES-256).
  - Covered information is encrypted in transit over external networks (e.g., using TLS/SSL for web traffic, VPNs for remote access, secure email encryption or secure portals for client communication containing NPI).
- Network Security:
  - Firewalls are implemented and maintained at network perimeters and potentially between internal network segments.
  - Intrusion Detection/Prevention Systems (IDPS) may be used to monitor for malicious activity.
  - Wireless networks are secured using strong encryption (WPA2/WPA3) and authentication. Guest networks are segregated from the internal network.
- Endpoint Security:
  - All endpoints (servers, workstations, laptops, applicable mobile devices) are protected with managed antivirus/anti-malware/Endpoint Detection and Response (EDR) software that is centrally managed and regularly updated.
  - A patch management program is in place to promptly install security updates for operating systems and applications.
- Secure Remote Access: Remote access to the Firm’s network or systems containing covered information requires connection via an approved, encrypted Virtual Private Network (VPN) with MFA.
- Vulnerability Management: Regular vulnerability scanning of internal and external systems is conducted, and identified vulnerabilities are remediated promptly based on risk.
- Logging and Monitoring: Systems generate logs of access and security events. These logs are reviewed regularly for signs of unauthorized activity or security incidents. Logs are retained according to policy.
- Data Backup and Recovery: Covered information is backed up regularly according to a defined schedule. Backups are encrypted, stored securely (including offsite/cloud copies), and periodically tested for restorability. A Disaster Recovery Plan outlines procedures for restoring data and operations after a disruption.
- Software Security: Security is considered when selecting and implementing new software, especially cloud-based services handling covered information.
6.3. Physical Safeguards (Physical Access Controls)
- Facility Security: Office spaces containing covered information are secured with locked doors and access controls. Visitors are monitored and escorted as necessary. Server rooms or areas with concentrated physical records have enhanced access restrictions.
- Device Security: Laptops and mobile devices used for firm business are secured (e.g., password/biometric protection, screen locks, encryption). Procedures exist for reporting and remotely wiping lost or stolen devices.
- Media Security: Physical media (paper files, hard drives, backup tapes, USB drives) containing covered information are stored in locked cabinets or secure areas when not in use. Secure disposal methods (Section 6.1) are used.
- Environmental Controls: Server rooms have appropriate environmental controls (e.g., cooling, fire suppression) where applicable.
7. Service Provider Oversight
The Firm takes reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for covered information they access or maintain on the Firm’s behalf (e.g., cloud hosting providers, SaaS application vendors, IT support services, payroll processors, document shredding services). This includes:
- Due Diligence: Evaluating the service provider’s security practices, policies, and reputation before engagement (e.g., reviewing security certifications like SOC 2, requesting security questionnaires).
- Contractual Requirements: Requiring service providers by contract to implement and maintain appropriate safeguards, report security incidents, and allow for audits where necessary.
- Ongoing Monitoring: Periodically reassessing the security practices of critical service providers.
8. Incident Response Plan (IRP)
The Firm maintains a separate, detailed Incident Response Plan (IRP) outlining procedures for responding to suspected or actual security incidents involving covered information. The IRP includes:
- Roles and Responsibilities: Clearly defined roles for the incident response team.
- Incident Identification & Reporting: Procedures for personnel to report suspected incidents.
- Response Phases: Steps for containment, eradication, recovery, and post-incident analysis (lessons learned).
- Notification Procedures: Guidelines for notifying affected clients, regulatory bodies (including the FTC under its breach notification requirements, IRS, state agencies), law enforcement, and insurers, as required by law and contract.
- Documentation: Requirements for documenting the incident and the response efforts.
9. Training and Awareness
As noted in Section 6.1, ongoing security awareness training is critical. The Designated Coordinator is responsible for ensuring training content is relevant, delivered effectively, and that completion is tracked. Training reinforces policies outlined in this WISP and educates personnel about current threats.
10. Plan Evaluation and Updates
This WISP and the Firm’s overall information security program will be evaluated and adjusted based on:
- Results of risk assessments.
- Results of security testing and monitoring (e.g., vulnerability scans, penetration tests if conducted).
- Security incidents experienced by the Firm or relevant threats observed in the industry.
- Changes in business operations, technology, or service provider arrangements.
- Changes in legal or regulatory requirements.
The Designated Coordinator will oversee a formal review and update of this WISP at least annually, or more frequently as needed. Significant changes will be approved by Firm leadership.
11. Record Keeping
The Firm will maintain records related to this WISP and the information security program, including but not limited to:
- Versions of the WISP.
- Risk assessment reports.
- Security awareness training logs.
- Incident response documentation.
- Service provider due diligence and contracts.
- Results of security testing and monitoring.
- Access reviews.
Records will be retained according to the Firm’s data retention policy and applicable legal requirements.
12. Contact Information
For questions regarding this WISP or to report a security incident, contact:
WISP Coordinator: Michael J McCormick
Email: compliance@digitalthatdelivers.com
Phone: 813-524-7330