Build a defensible Written Information Security Plan.
Wolf Tech helps tax professionals, CPA firms, and small businesses in South Florida understand and document the cybersecurity controls expected by the IRS and FTC. Start with our free WISP Starter Guide.
Provided for educational and planning purposes. Not legal advice or a guarantee of regulatory compliance.
- What a WISP is and why it matters
- Top 10 common security gaps
- IRS Security Six checklist
- Readiness scorecard & MFA / backup checklists
- Short incident-response checklist
Documentation that maps to real-world risk
Regulatory expectation
The IRS expects every paid tax preparer to maintain a written security plan. The FTC Safeguards Rule applies to many small businesses handling customer financial data.
Real risk reduction
A WISP forces a clear inventory of sensitive data, access controls, and incident response — the same gaps attackers consistently exploit.
Trust with clients & insurers
Cyber insurance carriers, partners, and clients increasingly ask for documented security programs before engaging or renewing coverage.
IRS, FTC, and NIST guidance
IRS Publication 4557
Safeguarding Taxpayer Data — guide for tax professionals on protecting client information.
IRS Publication 5708
Creating a Written Information Security Plan — sample template and required elements.
FTC Safeguards Rule (16 CFR 314)
Required information security program elements for financial institutions, including tax preparers.
NIST Cybersecurity Framework
Identify, Protect, Detect, Respond, Recover — the structure many WISPs map controls against.
Common security gaps in small firms
- No written security plan or outdated documentation
- MFA missing on email, remote access, or admin accounts
- Backups never tested or stored on the same network
- Shared logins for tax/accounting software
- Phishing training treated as one-time, not ongoing
- No formal incident-response or breach-notification plan
- Vendor and third-party access never reviewed
- Personal devices used for client work without controls
- Patching and endpoint protection inconsistent
- Sensitive data stored unencrypted on local drives
Practical checklists, not theory
WISP overview
Plain-language explanation of what a WISP is and what it must cover.
Readiness scorecard
10-point self-assessment to identify where to focus first.
MFA checklist
Where multi-factor authentication should be enabled across your stack.
Backup checklist
Tested, offline, and immutable backup practices for small firms.
Phishing protection
Email controls and user-training cadence that meaningfully reduce risk.
Incident response
Short checklist for the first 24–72 hours after a suspected incident.
Get the guide or request a readiness review
Tell us a little about your firm. Use one form for either action — we'll send the PDF instantly or schedule a no-pressure conversation.
Practical, transparent, local
Local team serving South Florida firms.
Built for firms with 1–200 employees.
Maps to IRS, FTC, and NIST guidance.
Reply within 1 business hour, Mon–Fri.
Where this guidance comes from
- IRS Publication 4557 — Safeguarding Taxpayer Data
- IRS Publication 5708 — Creating a WISP
- FTC Safeguards Rule (16 CFR Part 314)
- NIST Cybersecurity Framework
- IRS Security Summit — Security Six
This page and the downloadable guide are provided for informational and cybersecurity planning purposes only and should not be considered legal advice. Consult qualified legal counsel and your regulators for compliance determinations specific to your business.