Qualified Individual
Designate the person responsible for the information security program.
The IRS gives away a WISP template. I build the controls and evidence that make the written plan true.
01 · The commodity trap
IRS Publication 5708 is a free sample Written Information Security Plan built for tax and accounting practices. Download it. Read it. A blank plan should not cost thousands of dollars.
The problem starts when a completed template says your firm uses multifactor authentication, encrypts customer information, removes access promptly, reviews vendors, and disposes of old records. Typing those statements does not establish the controls.
I inventory the real environment first: tax software, email, file sharing, endpoints, backups, remote access, phones, vendors, and the people who touch customer information. The plan comes after the evidence. That order is the product.
02 · The obligation
The FTC Safeguards Rule sets the shape of the information security program. Applicability and the small-firm exemptions still need to be evaluated against your facts.
Designate the person responsible for the information security program.
Assess foreseeable internal and external risks against the systems actually in use.
Design and implement controls, including access, inventory, encryption, MFA, disposal, and logging.
Evaluate whether safeguards work and respond to the findings.
Provide security awareness and role-appropriate training, then document it.
Select capable providers, set expectations by contract, and monitor them.
Adjust the program when systems, threats, or business operations change.
Prepare a written plan for responding to and recovering from security events.
Prepare a written annual report for the governing body or equivalent senior officer.
The small-firm rule matters
Fewer than 5,000 consumers?16 CFR 314.6 exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from four requirements: the written risk assessment, penetration testing and vulnerability assessment requirements, the written incident response plan, and the annual written report.
The rest of the Safeguards Rule still applies. I apply the exemption before proposing work, because a defensible smaller scope is better than selling controls the rule does not require.
03 · Engagement
Fixed scope where the facts allow it. Explicit uncertainty where they do not.
Fixed price, fixed scope, typically 2–3 weeks.
Scoped after Phase 1.
Optional ongoing Qualified Individual support, annual training, reassessment, and updates as the firm changes.
Published pricing
Assessment and WISP from $4,500. Typically 2–3 weeks.
Phase 2 at $185–225/hr. Phase 3 from $500/mo.
Not for firms that want the document and not the controls.
Start with scope
No fear pitch. No upload of customer records. Just enough context to decide whether an assessment is useful.
Book a 20-minute scoping call