The IRS says your WISP is “just one part.”
Here’s the rest.

Sponsored Content from Client Data Safeguards by CactusVPN Professional

The IRS says your WISP is “just one part.”
Here’s the rest.

Texas CPA firms have done the security work. Most run a secure client
portal with multi-factor authentication, and most now keep a written
information security plan, or WISP, as the FTC Safeguards Rule and the IRS
expect. That work matters. But the IRS’s own guidance is candid about where
the plan stops. In Publication 5708, the Security Summit describes a WISP
as “just one part of what tax professionals need to protect their clients
and themselves.” Necessary, but not the whole job.

The distinction is between having a plan and following it. A written plan
describes what a firm intends to do. It does not show whether those steps
actually happened last month, or whether anyone could demonstrate they did.
Most practices do not need another policy. They need evidence they are
following the one they already have.

Three of those safeguards sit outside what a client portal was built to
cover, and Pub 5708 points to all three. The first is credentials. The IRS
guidance says firm passwords should not be reused across other sites and
expects systems to be monitored for unauthorized access, because a reused
password that surfaces in a breach is a known way in. The second is how a
firm connects when work happens away from the office. The guidance
dedicates a full remote-access section to it and defines a VPN in its
glossary. The third is documentation. The IRS calls a WISP an evergreen
document that must be “regularly reviewed, tested, and updated,” kept with
a dated trail that shows the plan is real.

The thread running through all three is evidence. A plan in a drawer proves
intent. A dated monthly record proves action. When a firm can show that it
monitored its credentials, protected its off-site connections, and
documented both, month after month, the question every professional should
be ready for, “what have you been doing to protect client data?”, has a
calm and credible answer instead of a scramble.

None of this requires an enterprise IT department or replacing tools a firm
already trusts. It means operating and documenting the safeguards that sit
on the firm’s own side, alongside the portal and the plan. Client Data
Safeguards, from CactusVPN Professional, helps small and solo Texas
practices do that, and produce the evidence to prove it. We wrote a short,
plain-language guide that walks through the three safeguards and how to
close the gap.

Keep what you have already built. Fill the part the IRS is pointing to.


Client Data Safeguards is operated by CactusVPN, an independent privacy
company with 15 years behind it.

Posted on in News
By
Sergiu is a proud founder and CEO of CactusVPN. What started like a passion for internet security grew into a business that helps thousands of people across the globe to regain their freedom while using the Internet.