Technical and administrative measures that limit who can access which systems and data, based on the principle of least privilege.
Access controls are the combination of technical settings, role definitions, and review procedures that determine which individuals can access which systems, files, and data. The FTC Safeguards Rule requires access controls based on the principle of least privilege under 16 CFR 314.4(c)(1): people receive only the access they need to do their job, no more. Access controls include user provisioning, role-based permissions, periodic access reviews, separation of duties, and timely deprovisioning when employees leave or change roles.
Most firms grant access broadly during onboarding and never revoke it. Years later, former staff, departed contractors, and stale shared accounts still hold credentials to client data. The FTC treats overprivileged access as a control failure. Quarterly access reviews and a documented offboarding checklist are the practical fixes most regulators expect to see.
The 58-Control Register module handles this for your firm, personalized to your software, team size, and state requirements.
A login mechanism that requires two or more independent factors, such as a password plus a code from an authenticator app or hardware key.
A federal regulation requiring financial institutions, including tax preparers, to develop and maintain a comprehensive information security program.
A structured list of all security controls your firm should have in place, mapped to regulatory requirements, with testing status and evidence.