Plain-language definitions of the FTC, IRS, and cybersecurity terms every CPA firm needs to understand. No jargon, no legalese.
Technical and administrative measures that limit who can access which systems and data, based on the principle of least privilege.
The combination of regular data backups and tested restoration procedures that protect against data loss from any cause.
The annual written report the Qualified Individual must deliver to firm leadership on the status of the information security program.
A documented plan for keeping the firm operating through disruptions such as outages, natural disasters, or extended staff absences.
A documented process for evaluating, approving, and tracking modifications to systems, applications, and security configurations.
The Cybersecurity Maturity Model Certification, required for firms in the Department of Defense supply chain that handle Controlled Unclassified Information.
Ongoing automated monitoring of systems for security threats, misconfigurations, and policy violations, as an alternative to periodic testing.
A structured list of all security controls your firm should have in place, mapped to regulatory requirements, with testing status and evidence.
Any record about a consumer that is held by a financial institution, including tax returns, Social Security numbers, and financial account data.
Meeting the documented security requirements that cyber insurance carriers mandate as a condition of coverage and claims payment.
The legal requirement to notify affected individuals, regulators, and sometimes law enforcement when personal data is exposed in a security incident.
A system for labeling data by sensitivity (e.g., public, internal, confidential, restricted) so that appropriate controls can be applied.
A comprehensive record of all systems, applications, and locations where your firm stores, processes, or transmits client data.
A technical plan that restores systems and data after an incident such as ransomware, hardware failure, or cloud outage.
The IRS Electronic Filing Identification Number can be suspended or revoked for data security failures, taxpayer data breaches, or a pattern of noncompliance.
Protecting stored data with cryptographic controls so that it cannot be read by anyone without the decryption key.
Protecting data with cryptographic controls while it moves between systems, typically using TLS 1.2 or higher.
Any business significantly engaged in providing financial products or services to consumers, which includes CPA firms, tax preparers, and bookkeepers.
A federal regulation requiring financial institutions, including tax preparers, to develop and maintain a comprehensive information security program.
The civil monetary penalties the FTC can assess against financial institutions that fail to maintain a compliant information security program.
The federal law that requires financial institutions, including CPA firms, to protect consumers' nonpublic personal information.
A documented set of procedures your firm follows when a data breach or security incident occurs.
The Internal Revenue Code provision that criminalizes a tax preparer's unauthorized disclosure or use of taxpayer return information.
IRS guidelines outlining data security requirements and best practices for tax professionals handling taxpayer information.
ISO 27001 is an international, certifiable security management standard; a WISP is the information security program that US regulations require of financial institutions.
The capture and review of security-relevant events from systems, applications, and devices to detect anomalies and support incident investigation.
A login mechanism that requires two or more independent factors, such as a password plus a code from an authenticator app or hardware key.
A practical framework that organizes security activities into six functions, useful as a structure for your WISP and risk assessment.
An authorized, simulated attack against your systems to identify exploitable vulnerabilities before real attackers do.
The IRS requirement that tax professionals attest to having a Written Information Security Plan when renewing their Preparer Tax Identification Number.
The person designated to oversee and be accountable for your firm's information security program, as required by the FTC Safeguards Rule.
Policies that govern how long client data is kept and how it is securely destroyed when it is no longer needed.
A systematic process of identifying threats to your firm's data and evaluating the effectiveness of your security controls.
Regular training for all employees on recognizing phishing, handling client data safely, and following the firm's security policies.
The FTC Safeguards Rule requirement to select, contract with, and monitor vendors that handle your client data.
SOC 2 is a third-party audit of service organizations; a WISP is an internal security program required of financial institutions.
The combined responsibilities of the tax software vendor and the firm for protecting taxpayer data inside tax preparation software.
Automated scanning of systems to identify known software vulnerabilities, misconfigurations, and missing patches.
A starting-point document for a Written Information Security Plan, useful as a structural outline but never sufficient as a finished WISP.
A documented set of policies and procedures describing how your firm protects sensitive client data.