Demystifying WISP Requirements | The AME Group

The AME Group helps Financial Professionals develop WISPs, identify weaknesses and make plans to reach and maintain compliance requirements.

2023 Webinar for the Kentucky Society of CPAs on WISP Requirements

PRESENTER


Jay Sundberg

Security Services Manager


PRESENTATION OUTLINE

Review the requirement for a WISP
Where do the requirements come from? (GLBA and FTC)
Why is it a requirement for CPAs?
How does a CPA or firm comply with the requirements?
Are there penalties or other enforcement mechanisms?
How to determine the applicability (scope) of requirements?

Review the major components of the WISP.

Designate responsibility
Conduct risk assessment
Inventory of Assets
Document controls
Evidence of Controls
Plan of Action implementation

Practical ways to develop a satisfactory WISP (IRS Publication 5708, Creating a Written Information Security Plan)

Detailed inventory of hardware, software, user accounts, protected data, and external information systems.
Inventory of hardware, software and external systems
Inventory of protected data locations (PII, taxpayer data)
Users and devices authorized to access protected data

Document an assessment of potential risks to the confidentiality, integrity, and availability of all items that access, transmit, store, or manipulate protected data. 
Document risks associated with identified assets, data, authorized and unauthorized access.

Document the administrative controls (Policies) that will govern the security of protected data in your organization.
Data collection and retention
Data disclosure
Network protection (List how your system and devices are protected)
User access (How users access devices)
Remote access (How employees access data remotely)
Connected devices (How new devices or software are added to the network)
Reportable Incidents
Draft Employee Code of Conduct

Maintaining the WISP over time.
The Written Information Security Plan is an evergreen plan. It must be reviewed, updated, and revised regularly.
Document activities related to the WISP maintenance
Re-evaluate portions of the WISP monthly or when major changes occur
Establish a working group or committee for accountability
Implement automation and reporting from service providers
Update Plan of Action and related WISP components
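The inventory, risk assessment, control documentation and periodic-review steps above fit together naturally as a small, reviewable data set. The following is an added example, not code from The AME Group, the webinar, or IRS Publication 5708: a minimal WISP asset inventory and risk register in Python that scores residual risk per protected-data location, flags access by users who are not on the authorized list (a candidate reportable incident), and produces a plan of action for assets that lack documented controls or are overdue for the monthly re-evaluation. The asset names, user names, the 1-to-5 impact scale and the 30-day review interval are all constructed assumptions.

```python
"""Added example: a minimal WISP inventory and risk register.

Not part of the original page or IRS Pub 5708. All asset, data-location,
user and access-log records below are constructed sample data; the impact
weights and review interval are assumed values, not regulatory figures.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    asset_id: str
    kind: str                      # "hardware", "software" or "external_system"
    owner: str                     # designated responsible person
    controls: list[str] = field(default_factory=list)  # documented controls
    last_reviewed: Optional[date] = None               # evidence of review


@dataclass
class DataLocation:
    asset_id: str                  # where the protected data lives
    data_type: str                 # "PII" or "taxpayer data"
    authorized_users: frozenset[str]


# Assumed impact of exposure per protected data type (1 = low, 5 = high).
IMPACT = {"PII": 3, "taxpayer data": 5}


def risk_register(assets: list[Asset], locations: list[DataLocation]) -> dict[str, int]:
    """Residual risk per asset: impact of the most sensitive data it holds,
    reduced by one point per documented control (never below 1)."""
    by_asset = {a.asset_id: a for a in assets}
    register: dict[str, int] = {}
    for loc in locations:
        residual = max(1, IMPACT[loc.data_type] - len(by_asset[loc.asset_id].controls))
        register[loc.asset_id] = max(register.get(loc.asset_id, 0), residual)
    return register


def unauthorized_access(locations: list[DataLocation],
                        access_log: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """(user, asset_id) pairs where the user touched an asset holding protected
    data without appearing on that asset's authorized-user list."""
    allowed: dict[str, set[str]] = {}
    for loc in locations:
        allowed.setdefault(loc.asset_id, set()).update(loc.authorized_users)
    return [(u, a) for u, a in access_log if a in allowed and u not in allowed[a]]


def plan_of_action(assets: list[Asset], locations: list[DataLocation],
                   access_log: list[tuple[str, str]], today: date,
                   review_days: int = 30) -> list[str]:
    """Plan-of-action items: missing controls, overdue reviews, and
    unauthorized access events to record as reportable incidents."""
    actions = []
    protected = {loc.asset_id for loc in locations}
    for a in assets:
        if a.asset_id in protected and not a.controls:
            actions.append(f"{a.asset_id}: holds protected data but has no documented controls")
        if a.last_reviewed is None or today - a.last_reviewed > timedelta(days=review_days):
            actions.append(f"{a.asset_id}: review overdue (last reviewed {a.last_reviewed})")
    for user, asset_id in unauthorized_access(locations, access_log):
        actions.append(f"{asset_id}: unauthorized access by {user}; record as reportable incident")
    return actions


# Constructed sample inventory (hypothetical firm).
ASSETS = [
    Asset("WS-01", "hardware", "firm partner", ["disk encryption", "MFA"], date(2023, 5, 1)),
    Asset("TAXAPP", "software", "firm partner", [], date(2023, 5, 20)),
    Asset("CLOUD-BACKUP", "external_system", "office manager", ["encryption at rest"], None),
]
LOCATIONS = [
    DataLocation("WS-01", "PII", frozenset({"alice"})),
    DataLocation("TAXAPP", "taxpayer data", frozenset({"alice", "bob"})),
    DataLocation("CLOUD-BACKUP", "taxpayer data", frozenset({"alice"})),
]
ACCESS_LOG = [("alice", "WS-01"), ("carol", "TAXAPP"), ("bob", "CLOUD-BACKUP")]
TODAY = date(2023, 6, 1)

if __name__ == "__main__":
    print("Risk register:", risk_register(ASSETS, LOCATIONS))
    for item in plan_of_action(ASSETS, LOCATIONS, ACCESS_LOG, TODAY):
        print("ACTION:", item)
```

The register and plan of action are themselves the WISP evidence: committing the data set and the generated output to the firm's document store each month gives the working group a dated record of what was reviewed and what changed.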


Contact Us and we'll connect you to a local office for a Free Consultation