Source: rightworks.com | Based on IRS Publication 4557 and the FTC Safeguards Rule
| # | Component | What it is | What to do |
|---|---|---|---|
| 1 | Program Objective and Scope | The opening section of your WISP that states why the plan exists, what legal obligations drive it, and what data it covers. | State the legal basis (IRS 4557, FTC Safeguards Rule, applicable state laws). Define what client data types the plan protects and which systems are in scope. |
| 2 | Designated Coordinator | The named individual responsible for creating, implementing, and maintaining your information security program. | Appoint a Data Security Coordinator and a Public Information Officer. Document their specific responsibilities and name a backup for each role. |
| 3 | Written Risk Assessment | A formal, documented evaluation of where and how client data could be compromised, whether internally, externally, or accidentally. | List all data types you collect and process. Identify internal and external threats, assign a risk level to each, and schedule the next review date. |
| 4 | Hardware and Software Inventory | A complete record of every device and platform that stores, processes, or transmits personally identifiable information (PII). | Log every device by type, physical location, and what data it holds. Include cloud services and third-party platforms. Update when devices are added or retired. |
| 5 | Access Controls | The policies and technical controls that determine who can access client data, under what conditions, and what happens when access needs to be removed. | Enable MFA on all systems accessing client data. Apply least-privilege access. Document the process for granting, modifying, and revoking access, including a termination checklist. |
| 6 | Data Encryption | The technical standards your firm uses to protect client data from being read by unauthorized parties, both when stored and when transmitted. | Encrypt all stored client data and use TLS/SSL for data in transit. Document your encryption standards and assign responsibility for key management. |
| 7 | Secure Data Disposal | The documented process for permanently destroying client data once it's no longer needed, so it can't be recovered or misused. | Define retention periods by data type. Document your destruction method (certified shredding, drive wiping). Assign responsibility and maintain a disposal log. |
| 8 | Employee Training Program | A formal, recurring program that ensures all staff understand their security responsibilities and can recognize common cyberthreats. | Train all staff within 30 days of hire and annually thereafter. Cover phishing, password hygiene, and incident reporting. Document completion dates and update content as threats evolve. |
| 9 | Vendor Oversight | The process for confirming that third-party providers who access your systems or client data maintain security standards consistent with your own. | Identify all vendors with data access. Request SOC 2 reports or equivalent documentation. Include data protection requirements in contracts and reassess vendors annually. |
| 10 | Incident Response Plan | A documented, tested playbook for how your firm responds when a data breach or cyberattack occurs, including who does what and who gets notified. | Define what constitutes a breach. Document containment steps, notification parties (clients, IRS Stakeholder Liaison, the FTC if 500 or more individuals are affected, state regulators), and staff roles. Test annually. |
| 11 | Physical Security Controls | The policies governing physical access to devices, offices, and documents that contain client data, including controls for remote and hybrid workers. | Document office access controls, clean desk policies, and visitor procedures. Address laptop and mobile device policies for staff working outside the office. |
| 12 | Implementation and Compliance Statement | The formal attestation that your WISP has been implemented in compliance with applicable federal and state regulations. | Confirm alignment with IRS Publication 4557, the FTC Safeguards Rule under GLBA, and any applicable state laws. Include signature lines for the coordinator and firm leadership. |