IRS Publication 4557 · GLBA Compliance

Written Information Security Plan Generator

Complete each section to generate your WISP document. Your compliance score is calculated in real-time. A score of 85% or higher is required for a compliant plan.

Business Information

Business / Practice Name *

Business Type / Industry

Person Completing This Document *

Job Title / Role

Document Created

—

Business Address

Number of Employees

Designated Privacy / Security Officer

Data Inventory & Scope

15 pts

Why this matters: The IRS requires you to document what client data you collect, where it is stored, and how it flows through your systems.

We collect and process Personally Identifiable Information (PII) including SSNs, bank records, and income data.

Acknowledgment of client data types covered under IRS Publication 4557.

5 pts

We have a documented inventory of all locations where client data is stored (physical and digital).

Includes computers, servers, cloud drives, USB drives, filing cabinets, and any third-party systems.

5 pts

We have identified and documented all third-party vendors who access or handle client data.

Examples: tax software providers, cloud storage, payroll services, printing companies.

5 pts

Primary software / platforms used to store client data

Access Controls & Authentication

20 pts

IRS Requirement: Multi-Factor Authentication (MFA) on all systems accessing client data is mandatory under Publication 4557.

Multi-Factor Authentication (MFA) is enabled on all systems and email accounts that access client data.

This is a non-negotiable IRS requirement. Applies to email, cloud storage, and tax software.

8 pts

Unique user accounts with strong passwords (12+ characters) are required for every employee.

No shared credentials. Passwords must include upper/lowercase, numbers, and symbols.

4 pts

Access to client data is restricted on a need-to-know basis (least privilege).

Admin rights are limited. Access is revoked immediately upon employee departure.

4 pts

Screens auto-lock after 15 minutes of inactivity.

Prevents unauthorized access when workstations are left unattended.

4 pts

Data Protection & Encryption

20 pts

All client data is encrypted at rest on all devices and servers.

BitLocker or FileVault enabled. Cloud storage uses encryption by default.

6 pts

Client data is encrypted in transit via secure channels only.

No unencrypted email attachments with PII. Secure portals or encrypted email required.

6 pts

Automated encrypted backups are performed weekly (or more often).

Backups tested quarterly. Off-site or cloud copy maintained.

4 pts

A data retention and destruction policy exists.

Paper records shredded. Digital records securely wiped (not just deleted).

4 pts

Employee Security Training

15 pts

Note: If building a compliant security training program is beyond your capacity, Preeminent Technologies can build and deliver it for you.

Annual security awareness training for all employees.

Covers phishing, password hygiene, data handling, and suspicious activity.

6 pts

Employees sign an annual security policy acknowledgment.

Retained in employee files. New hires sign before accessing client data.

5 pts

Employees trained on breach / phishing incident response.

Clear escalation path. IRS notification within 72 hours when required.

4 pts

Incident Response Plan

15 pts

A written incident response plan exists.

Includes identification, containment, eradication, recovery, and notification.

6 pts

Emergency contact list is documented (IRS, authorities, IT provider).

IRS: 1-800-908-4490. FTC: ReportFraud.ftc.gov. IT provider on speed-dial.

5 pts

The WISP is reviewed and updated at least annually.

Review log maintained. Triggered by major business or system changes.

4 pts

Describe your current incident response process

Physical & Environmental Security

10 pts

Paper client files are secured in locked cabinets.

Keys limited to authorized staff. After-hours access restricted.

5 pts

Workstations are positioned to prevent screen visibility (shoulder surfing).

Privacy screens used in client-facing areas.

5 pts

Network & Device Security

5 pts

Firewall and endpoint protection active on all devices.

Auto-updates enabled. Weekly scans configured.

3 pts

Business and guest Wi-Fi networks are separated.

Prevents unauthorized access to internal systems via guest network.

2 pts

WISP COMPLIANCE SCORE

Complete the sections above to calculate your score.