OBJECTIVE
Our objective in the
development and implementation of this comprehensive Written Information
Security Plan (WISP) is to create effective administrative, technical, and
physical safeguards for the protection of the Personally Identifiable
Information (PII) retained by Fields & Smith Services, LLC., (hereinafter
known as the Firm). This WISP is to comply with obligations under the
Gramm-Leach-Bliley Act and the Federal Trade Commission Financial Privacy and
Safeguards Rules to which the Firm is subject. The WISP sets forth our procedure
for evaluating our electronic and physical methods of accessing, collecting,
storing, using, transmitting, and protecting PII retained by the Firm. For
purposes of this WISP, PII means the following information about a client, the
client’s spouse, dependent(s), or a person under the client’s legal
guardianship, including photocopies where retained:
- First, middle, and last name.
- Social Security Number and date of birth.
- Employment and income data.
- Driver’s license number or state-issued identification card number.
- Tax filing data.
- Retirement plan data, asset ownership data, and investment data.
- Financial institution routing and account numbers; credit or debit card
numbers, with or without security code; access codes; personal identification
numbers; or passwords that permit access to a client’s financial accounts.
- E-mail addresses, non-listed phone numbers, and residential or mobile contact
information.
PII shall not include
information that is readily available, and obtainable from publicly available
sources, such as, Mailing Addresses, Phone Directory listings; or from federal,
state or local government records lawfully made available to the public.
PURPOSE
The purpose of this WISP is
to:
- Ensure the security and
confidentiality of all PII retained by the Firm.
- Protect PII against
anticipated threats or hazards to the security or integrity of such information.
- Protect against any
unauthorized access to or use of PII in a manner that creates substantial risk
of identity theft, fraudulent or harmful use.
SCOPE
The scope of this
WISP related to the Firm shall be limited to the following protocols:
- Identify reasonably
foreseeable internal and external risks to the security, confidentiality,
and/or integrity of any electronic, paper, or other records containing PII.
- Assess the potential damage
of these threats, taking into consideration the sensitivity of the PII.
- Evaluate the sufficiency of
existing policies, procedures, customer information systems, and other
safeguards in place to control identified risks.
- Design and implement this
WISP to place safeguards that minimize those risks, consistent with the
requirements of the Gramm-Leach-Bliley Act, the Federal Trade Commission
Financial Privacy and Safeguards Rule, and National Institute of Standards and
Technology (NIST) recommendations.
- Regularly monitor and assess the effectiveness of these safeguards.
IDENTIFIED RESPONSIBLE INDIVIDUALS
Fields & Smith
Services, LLC. has designated Damian Fields, Founding Partner, to be the Data
Security Coordinator (hereinafter the DSC). The DSC is the responsible official
for the Firm data security processes and will implement, supervise, and
maintain the WISP. Accordingly, the DSC will be responsible for the following:
- Implementing the WISP including all
daily operational protocols.
- Identifying all the Firm’s
repositories of data subject to the WISP protocols and designating them as
secured assets with restricted access.
- Verifying all employees have completed
recurring Information Security Plan Training.
- Monitoring and testing employee
compliance with the plan’s policies and procedures.
- Evaluating the ability of any
third-party service providers not directly involved with tax preparation and
electronic transmission of tax returns to implement and maintain appropriate
security measures that comply with this WISP.
- Reviewing the scope of security
measures in the WISP at least annually or whenever there is a material change
in our business practices that affect the security or integrity of records
containing PII.
- Conducting an annual training session
for all owners, managers, employees, and independent contractors, including
temporary and contract employees who have access to PII enumerated in the
elements of the WISP. All attendees at such training sessions are required to
certify their attendance at the training and their familiarity with our
requirements for ensuring the protection of PII.
Fields & Smith Services,
LLC. has designated Damian Fields, Founding Partner, to be the Public Information
Officer (hereinafter PIO). The PIO will be the Firm’s designated public
statement spokesperson. To prevent misunderstandings and hearsay, all outward
facing communications should be approved through this person who shall oversee
the following:
- All client communications.
- All statements to law enforcement
agencies.
- All releases to the news media.
- All information that is released to
business associates, neighboring businesses, and trade associations to which
the Firm belongs.
INSIDE THE FIRM RISK MITIGATION
To reduce internal risks to
the security, confidentiality, and/or integrity of any retained electronic,
paper, or other records containing PII, the Firm has implemented mandatory
policies and procedures as follows:
PII Collection and
Retention Policy
- We
will only collect the PII of clients, customers, employees and/or independent
contractors that is necessary to accomplish our legitimate business needs,
while maintaining compliance with all federal, state, and local regulations.
- Access
to records containing PII is limited to employees whose duties, relevant to
their job descriptions, constitute a legitimate need to access said records,
and only for job-related purposes.
- The
DSC will identify and document the locations where PII may be stored on the
Company premises:
- Servers, internal disc drives, and solid-state drives.
- USB memory devices, removable and swappable drives, and other removable
media.
- Filing cabinets, securable desk drawers, and contracted document retention
and storage firms.
- PC workstations, laptop computers, client portals, and electronic document
management systems.
- Online (web-based) applications, portals, and cloud software applications
such as Box.
- Database applications, such as bookkeeping and tax software programs.
- Designated written and electronic records containing PII shall be destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.
- Paper-based records shall be securely destroyed
by shredding or incineration at the end of their service life.
- Electronic records shall be securely
destroyed by overwriting the data, by cryptographic erase of an encrypted
drive, or by physical destruction of the media, consistent with NIST SP 800-88
media sanitization guidance. Deleting a file or quick-formatting a drive only
removes directory entries and leaves the contents recoverable, so neither is an
acceptable destruction method on its own.
- Specific business record retention
policies and secure data destruction policies are attached to this WISP.
Personnel
Accountability Policy
- A copy of the WISP will be
distributed to all current employees and to new employees on the beginning
dates of their employment. It will be the employee's responsibility to
acknowledge, in writing by signing the attached sheet, that he/she/they
received a copy of the WISP and will abide by its provisions. Employees are
actively encouraged to advise the DSC of any activity or operation that poses
risk to the secure retention of PII. If the DSC is the source of these risks,
employees should advise any other Principal or the business owner.
- The firm will create and establish
general Rules of Behavior and Conduct regarding policies safeguarding PII
according to IRS. Pub. 4557 Guidelines.
- The firm will apply its screening
procedures before granting existing employees new access to PII.
- The firm will conduct background
checks on new employees who will have access to retained PII.
- The firm may require non-disclosure
agreements for employees who have access to PII of any designated client determined
to have highly sensitive data or security concerns related to their account.
- The DSC or designated
authorized representative will immediately train all existing employees on the
detailed provisions of the Plan. All employees will be subject to periodic
reviews by the DSC to ensure compliance.
- All employees are
responsible for maintaining the privacy and integrity of the Firm’s retained
PII. Any paper records containing PII are to be secured appropriately when not
in use. Employees may not keep files containing PII open on their desks when
they are not at their desks. Any computer file stored on the company network
containing PII will be encrypted and restricted to authorized users; a password
prompt that does not encrypt the file contents is not a sufficient safeguard. Computers must be
locked from access when employees are not at their desks. At the end of the
workday, all files and other records containing PII will be secured by
employees in a manner that is consistent with the Plan’s rules for protecting
the security of PII.
- Any employee who willfully
discloses PII or fails to comply with these policies will face immediate
disciplinary action that includes a verbal or written warning plus other
actions up to and including termination of employment.
- Terminated employees’
computer access logins and passwords will be disabled at the time of termination.
Physical access to any documents or resources containing PII will be
immediately discontinued. Terminated employees will be required to surrender
all keys, IDs or access codes or badges, and business cards that permit access
to the Firm’s premises or information. Terminated employees’ remote electronic
access to personal information will be disabled; voicemail access, e-mail
access, internet access, tax software download/upload access, accounts and
passwords will be inactivated. The DSC or designee shall maintain a highly
secured master list of all lock combinations, passwords, and keys, and will
determine the need for changes to be made relevant to the terminated employee’s
access rights.
- No PII will be disclosed
without authenticating the receiving party and without securing written
authorization from the individual whose PII is contained in such disclosure. Access
is restricted for areas in which personal information is stored, including file
rooms, filing cabinets, desks, and computers with access to retained PII. An
escort will accompany all visitors while within any restricted area of stored
PII data.
- The Firm will take all
possible measures to ensure that employees are trained to keep all paper and
electronic records containing PII securely on premises at all times. When there is a
need to bring records containing PII offsite, only the minimum information
necessary will be checked out. Records taken offsite will be returned to the
secure storage location as soon as possible. Under no circumstances will
documents, electronic devices, or digital media containing PII be left
unattended in an employee’s car, home, or in any other potentially insecure
location.
- All security measures
including this WISP shall be reviewed annually, beginning September 2025 to
ensure that the policies contained in the WISP are adequate and meet all
applicable federal and state regulations. Changes may be made to the WISP at
any time they are warranted. When the WISP is amended, employees will be
informed in writing. The DSC and principal owners of the Firm will be
responsible for the review and modification of the WISP, including any security
improvement recommendations from employees, security consultants, IT
contractors, and regulatory sources.
- Fields & Smith
Services, LLC. shares employee PII in the form of employment records,
pensions/401ks, insurance information, and other information required of any
employer. The Firm may share the PII of our clients with the state and federal
tax authorities, tax software vendor, a bookkeeping service or vendor, a
payroll service or vendor, an outside CPA firm, an Enrolled Agent, general
legal counsel or outside legal counsel, and/or business advisors in the normal
course of business for any tax preparation firm. Law enforcement and/or
governmental agencies may also have client PII shared with them to protect our
clients or in the event of a lawfully executed subpoena. An IT support company may
occasionally see PII in the course of contracted services. Access to PII by
these third-party organizations will be the minimum required to conduct
business. Any third-party service provider that requires access to information
must be compliant with the standards contained in this WISP at a minimum. The
exceptions are tax software vendors and e-filing transmitters; and the state
and federal tax authorities, which are already compliant with laws that are
stricter than this WISP requires. These additional requirements are outlined in
IRS Publication 1345.
Reportable Event
Policy
- If there is a Data Security
Incident that requires notification under the provisions of regulatory laws
such as The Gramm-Leach-Bliley Act, there will be a mandatory post-incident
review by the DSC of the events and actions taken. The DSC will determine if
any changes in operations are required to improve the security of retained PII
for which the Firm is responsible. Records of and changes or amendments to the
Information Security Plan will be tracked and kept on file as an addendum to
this WISP.
- The DSC is responsible for
maintaining any Data Theft Liability Insurance, Cyber Theft Insurance Riders,
or Legal Counsel on retainer as deemed prudent and necessary by the principal
ownership of the Firm.
- The DSC will also notify
the IRS Stakeholder Liaison, and state and local law enforcement authorities in
the event of a data security incident, coordinating all actions and responses
taken by the Firm. The DSC or person designated by the coordinator shall be the
sole point of contact with any outside organization not related to law
enforcement, such as news media, non-client inquiries by other local firms or
businesses and other inquirers.
OUTSIDE THE FIRM RISK MITIGATION
To combat external risks
from outside the Firm network to the security, confidentiality, and/or
integrity of electronic, paper, or other records containing PII, and improve –
where necessary – the effectiveness of the current safeguards for limiting such
risks, the Firm has implemented the following policies and procedures.
Network Protection
Policy
- Firewall protection,
operating system security patches, and all software products shall be up to
date and installed on any computer that accesses, stores, or processes PII data
on the Firm’s network. This includes any third-party devices connected to the
network.
- All system security
software, including anti-virus, anti-malware, and internet security, shall be
up to date and installed on any computer that stores or processes PII data on
the Firm’s network.
- Secure user authentication
protocols will be in place to:
- Control username ID,
passwords and two-factor authentication processes.
- Restrict access to
currently active user accounts.
- Require strong passwords in
a manner that conforms to accepted security standards. The Firm’s password
policy is:
- The minimum password length is 14 characters.
- Mixed case: passwords must contain both uppercase and lowercase letters.
- A minimum of 2 special characters.
- A minimum of 2 numeric digits.
- All passwords are changed every 60 days, and immediately under specific
conditions such as a user request, evidence of compromise, or an excessive
number of unrecognized login attempts against the account.
- A minimum password age of one day applies before a password can be changed
again, except for an administrator-forced reset following suspected compromise.
- A user may not reuse any of the previous 5 passwords on that account.
- Firm passwords must not be used on other sites, and personal passwords must
not be used for Firm business. Firm passwords are for access to Firm resources
only and are not mixed with personal passwords.
- If a user is locked out of their account and is unable to recover it, an
administrator may reset the account password manually after verifying the
user’s identity through a channel other than the locked account.
- All computer systems will
be continually monitored for unauthorized access or unauthorized use of PII
data. Event logging will remain enabled on all systems containing PII data.
Review of event logs by the DSC or IT partner will be scheduled at random
intervals not to exceed 90 days.
- The Firm will maintain a
firewall between the internet and the internal private network. This firewall
will be secured and maintained by the Firm’s IT service provider. The Firewall
will follow firmware/software updates per vendor recommendations for security
patches. Workstations will also have a software-based firewall enabled.
- Operating System (OS) patches
and security updates will be reviewed and installed continuously. The DSC will
conduct a top-down security review at least every 30 days.
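The monitoring requirement above (event logging left enabled on every system holding PII, with log reviews at intervals not exceeding 90 days) is easier to meet with a scripted first pass over the exported log than by reading events one at a time. The following is an added example and is not part of the Firm’s WISP or of any tool it names. It assumes the IT partner exports the Windows Security log to CSV with the columns shown; the thresholds, staffed hours, terminated-account list and sample rows are constructed for illustration. It flags three things the policies in this WISP care about: a burst of failed logons (event ID 4625) and whether a success followed, successful remote desktop logons (event ID 4624, logon type 10) outside staffed hours, and any activity on an account that should have been disabled at termination.

```python
"""First-pass review of a Windows Security log export.

Added example, not part of the Firm's WISP. The CSV layout, thresholds,
staffed hours, terminated-account list and sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Documented Windows Security event IDs and logon type.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
REMOTE_INTERACTIVE = 10          # logon type 10 = Remote Desktop

# Assumed review thresholds for a small firm; tune to the environment.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)
STAFFED_HOURS = range(7, 19)     # 07:00-18:59 local time
TERMINATED_ACCOUNTS = {"jdoe"}   # assumed: off-boarded, should be disabled

# Constructed sample export, not a real log.
SAMPLE_CSV = """timestamp,event_id,account,logon_type,source_ip
2024-09-03 09:01:12,4624,dfields,2,10.0.0.21
2024-09-03 09:04:55,4625,jdoe,3,203.0.113.7
2024-09-03 09:05:10,4625,jdoe,3,203.0.113.7
2024-09-03 09:05:31,4625,jdoe,3,203.0.113.7
2024-09-03 09:05:50,4625,jdoe,3,203.0.113.7
2024-09-03 09:06:08,4625,jdoe,3,203.0.113.7
2024-09-03 09:06:40,4624,jdoe,3,203.0.113.7
2024-09-03 23:17:02,4624,asmith,10,198.51.100.4
2024-09-04 08:30:00,4624,asmith,2,10.0.0.22
2024-09-04 10:00:00,4625,asmith,2,10.0.0.22
"""


def parse_events(text):
    """Parse the CSV export into dicts, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "account": row["account"],
            "logon_type": int(row["logon_type"]),
            "source_ip": row["source_ip"],
        })
    return sorted(rows, key=lambda r: r["time"])


def find_brute_force(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Accounts with >= threshold failed logons inside one sliding window.
    Each finding records whether a successful logon for the same account
    followed within the window, the pattern of a guessed password that worked.
    Returns [(account, source_ip, failure_count, followed_by_success)]."""
    recent = defaultdict(list)   # account -> timestamps of recent failures
    findings = {}                # account -> (source_ip, burst_end, count)
    for e in events:
        if e["event_id"] != LOGON_FAILURE:
            continue
        times = recent[e["account"]]
        times.append(e["time"])
        while times and e["time"] - times[0] > window:   # expire old failures
            times.pop(0)
        if len(times) >= threshold and e["account"] not in findings:
            findings[e["account"]] = (e["source_ip"], e["time"], len(times))
    results = []
    for account, (ip, burst_end, count) in sorted(findings.items()):
        success = any(
            x["event_id"] == LOGON_SUCCESS and x["account"] == account
            and burst_end <= x["time"] <= burst_end + window
            for x in events
        )
        results.append((account, ip, count, success))
    return results


def find_after_hours_remote(events, staffed_hours=STAFFED_HOURS):
    """Successful Remote Desktop logons outside staffed hours; the Remote
    Access Policy says remote access is unavailable unless the office is staffed."""
    return [
        (e["account"], e["time"].strftime("%Y-%m-%d %H:%M:%S"), e["source_ip"])
        for e in events
        if e["event_id"] == LOGON_SUCCESS
        and e["logon_type"] == REMOTE_INTERACTIVE
        and e["time"].hour not in staffed_hours
    ]


def find_terminated_activity(events, terminated=TERMINATED_ACCOUNTS):
    """Any logon attempt, successful or not, against an account that the
    Personnel Accountability Policy says was disabled at termination."""
    return sorted({e["account"] for e in events if e["account"] in terminated})


def review(csv_text):
    """Run all three checks over one export and return the findings."""
    events = parse_events(csv_text)
    return {
        "brute_force": find_brute_force(events),
        "after_hours_remote": find_after_hours_remote(events),
        "terminated_activity": find_terminated_activity(events),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_CSV).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data the burst check reports the jdoe account with five failures from one address followed by a success, which on a terminated account is a reportable event under the Reportable Event Policy rather than a routine finding; the after-hours check reports the 23:17 remote desktop logon by asmith.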
Firm User Access
Control Policy
- The Firm will adhere to the
Federal Trade Commission Safeguards Rule, 16 CFR § 314.4(c)(5), issued under the
Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), regarding the implementation
of multi-factor authentication.
- The Firm will use
multi-factor authentication (MFA) for all login authentications via ZOHO Authenticator
App – OneAuth. This MFA cannot be disabled by any employee.
- OneAuth requires the use of
a biometric verification mode such as Face ID or Touch ID to sign in.
- OTP & OneAuth recovery
methods require a passphrase. The Firm does not allow SMS OTP to recover
accounts.
- The MFA session lifetime for a
trusted browser is 180 days, after which the user must complete MFA again on
that browser.
- Users have the option to
generate backup recovery codes in the event an account needs to be recovered.
- All users will have unique
passwords to the computer network. The Firm will not have any shared passwords
or accounts for our computer systems, internet access, software vendor for
product downloads, etc. Passwords can be changed by the user without disclosure
of the password to the DSC or any Firm employee at any time.
- Passwords will be refreshed
in accordance with the National Institute of Standards and Technology (NIST)
guidelines in SP 800-63B, which require a change whenever there is evidence of
compromise and do not rely on periodic expiry alone; the 60-day cycle in the
Network Protection Policy is the Firm’s additional requirement. The DSC will
notify employees when an accelerated password reset is necessary.
- If a password manager,
such as LastPass or Password Safe, is utilized, the DSC will first
confirm that:
- Username and password information is stored only in an encrypted vault.
- Multi-factor authentication of the user is required to authorize a new
device.
- Passwords are not stored in the built-in password stores of web browsers.
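A check that enforces the password rules from the Network Protection Policy (14 characters minimum, mixed case, 2 special characters, 2 digits) together with the history, minimum-age and DSC-forced reset rules described above, keeping the password history as salted PBKDF2 hashes rather than plaintext so that a leaked history file does not expose old passwords. This is an added example, not the Firm’s code or that of any product named in this WISP; the record layout, the PBKDF2 iteration count and the sample passwords are assumptions.

```python
"""Password policy enforcement for a Firm user account.

Added example, not the Firm's code or that of any product named in the WISP.
The record layout, iteration count and sample passwords are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 14
MIN_SPECIAL = 2
MIN_DIGITS = 2
HISTORY_DEPTH = 5               # no reuse within the past 5 passwords
MIN_AGE = timedelta(days=1)     # minimum password age
PBKDF2_ITERATIONS = 200_000     # assumed work factor for the history hashes
SPECIAL = set(string.punctuation)


def complexity_errors(password):
    """Return the list of complexity rules the candidate password violates."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if sum(c in SPECIAL for c in password) < MIN_SPECIAL:
        errors.append(f"fewer than {MIN_SPECIAL} special characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        errors.append(f"fewer than {MIN_DIGITS} digits")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


class PasswordRecord:
    """Per-user state: the last HISTORY_DEPTH hashes (newest last, so the
    current password is the final entry) and the time of the last change."""

    def __init__(self):
        self.history = []       # list of (salt, digest)
        self.changed_at = None

    def in_history(self, password):
        """Re-hash the candidate under each stored salt; constant-time compare."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def change(self, new_password, now, forced=False):
        """Apply the policy. Returns the reasons for rejection, or [] when
        accepted. forced=True is the DSC-directed reset after suspected
        compromise: it bypasses the minimum-age rule but nothing else."""
        errors = complexity_errors(new_password)
        if (not forced and self.changed_at is not None
                and now - self.changed_at < MIN_AGE):
            errors.append("minimum password age of 1 day not reached")
        if self.in_history(new_password):
            errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        return []


def demo():
    """Walk one account through the rules; returns each attempt's outcome."""
    t0 = datetime(2024, 9, 3, 9, 0)
    rec = PasswordRecord()
    out = {}
    out["too_short"] = rec.change("Sh0rt!!", t0)
    out["first_ok"] = rec.change("Correct-Horse-Battery-42!", t0)
    out["too_soon"] = rec.change("Another-Long-Phrase-77#!", t0 + timedelta(hours=2))
    out["forced_ok"] = rec.change("Another-Long-Phrase-77#!",
                                  t0 + timedelta(hours=2), forced=True)
    out["reuse"] = rec.change("Correct-Horse-Battery-42!", t0 + timedelta(days=3))
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'accepted' if not outcome else '; '.join(outcome)}")
```

The history is checked by re-hashing the candidate under each stored salt, so the record never needs the old passwords themselves; the forced-reset path exists because the one-day minimum age must not block the immediate change the policy requires on evidence of compromise.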
Electronic Exchange
of PII Policy
- It is the Firm policy that
PII will not be sent in any unprotected format, such as e-mail in plain text,
rich text, HTML, or other e-mail formats, unless the content is encrypted or
password protected, and any password-protected attachment must actually encrypt
its contents (for example an encrypted PDF or an AES-encrypted archive).
Passwords MUST be communicated to the receiving party via a method other than
the one used to send the data, such as by phone call or SMS text message (out
of band from the data sent).
- The Firm may use a password
protected portal to exchange documents containing PII upon approval of data
security protocols by the DSC.
- MS BitLocker or similar
encryption will be used on interface drives, such as USB drives, for files
containing PII.
- Wireless access (Wi-Fi)
points or nodes, if available, will use strong encryption (WPA2 or WPA3, never
WEP or an open network). Firm Wi-Fi will require a password for access. If
Wi-Fi for clients is made available (guest Wi-Fi), it will be on a separate
network and Wi-Fi node from the Firm’s private work-related Wi-Fi, with no
route to Firm systems.
- All devices with wireless
capability such as printers, all-in-one copiers and printers, fax machines, and
smart devices such as TVs, refrigerators, and any other devices with smart
technology will have default factory passwords changed to Firm-assigned
passwords. All default passwords will be reset, or the device will be disabled
from wireless capability, or the device will be replaced with a non-wireless
capable device.
Remote Access Policy
The DSC and the Firm’s IT
contractor will approve use of Remote Access utilities for the entire Firm. Remote
access tools that encrypt both the traffic and the authentication exchange (ID
and password) will be the standard. Remote access will not be
available unless the office is staffed, and systems are monitored. Remote
access will only be allowed using multi-factor authentication (MFA) in addition
to username and password authentication.
- Remote access to the Firm
systems may only be accessed by using computer equipment approved and provided
by the Firm.
- Computer equipment approved
and used for Remote Access must be hardwired to home networks, use Wi-Fi access
points that are password protected, or use Firm-provided internet access devices.
- AT NO TIME SHALL COMPUTER
EQUIPMENT BE CONNECTED TO A PUBLIC WI-FI NETWORK.
- Any new devices that
connect to the Internal Network will undergo a thorough security review before
they are added to the network. The Firm will ensure the devices meet all
security patch standards and login and password protocols before they are
connected to the network.
- “AutoRun” features for USB
ports and optical drives like CD and DVD drives on network computers and
connected devices will be disabled to prevent malicious programs from
self-installing on the Firm’s systems (on Windows, through the “Turn off
AutoPlay” Group Policy setting applied to all drives, which sets the
NoDriveTypeAutoRun policy value to 0xFF).
- The Firm or a certified
third-party vendor will erase the hard drives or memory storage devices the
Firm removes from the network at the end of their respective service lives. If
any memory device is unable to be erased, it will be destroyed by removing its
ability to be connected to any device, or circuitry will be shorted, or it will
be physically rendered unable to produce any residual data still on the storage
device.
- The Firm runs approved and
licensed anti-virus software on all servers and workstations. Virus and malware
definition updates are applied as they are made available. The system is
tested weekly to ensure the protection is current and up to date.
Information Security
Training Policy
All employees will be
trained in maintaining the privacy and confidentiality of the Firm’s PII. The
DSC will conduct training regarding the specifics of paper record handling,
electronic record handling, and Firm security procedures at least annually. All
new employees will be trained before PII access is granted, and periodic
reviews or refreshers will be scheduled until all employees are of the same
mindset regarding information security. Disciplinary action may be recommended
for any employee who disregards these policies.
IMPLEMENTATION
Effective August 19, 2024,
Fields & Smith Services, LLC. has created this Written Information Security
Plan (WISP) in compliance with regulatory rulings regarding implementation of a
written data security plan found in the Gramm-Leach-Bliley Act and the Federal
Trade Commission Financial Privacy and Safeguards Rules.
Signed: Damian Fields
Date: August 19, 2024
Damian Fields
Founding Partner –
DSC
Fields & Smith
Services, LLC.