Expert Tax Services for Individuals and Businesses

1. Purpose and Scope

This Written Information Security Plan (“WISP”) is established to protect all client data handled by Dewey Ventures as required by:

• IRS Publication 4557 (Safeguarding Taxpayer Data)
• The Federal Trade Commission (FTC) Safeguards Rule
• Internal Revenue Code §6713
• Other applicable federal and state privacy regulations

This plan applies to all employees, contractors, temporary workers, and third-party service providers who access or handle client information.

2. Definitions

• Personally Identifiable Information (PII): Any information that can identify an individual, including names, Social Security numbers, addresses, phone numbers, tax returns, and banking information.
• Client Information: All tax documents, financial records, electronic files, or communications received or created as part of tax preparation, tax consulting, or bookkeeping services.
• Authorized User: A person granted access to systems because it is necessary to perform job duties.

3. Information Security Objectives

1. Protect taxpayer data from unauthorized access, disclosure, theft, or misuse.
2. Ensure secure handling, storage, transmission, and destruction of sensitive information.
3. Maintain compliance with the IRS and FTC Safeguards Rule.
4. Provide ongoing cybersecurity training to all personnel.
5. Respond quickly and effectively to any data breach or suspicious activity.

4. Responsible Security Officer

Name: Dewayne “Dewey” Fillingim
Role: Information Security Program Coordinator
Duties Include:

• Implementing and maintaining this WISP
• Conducting annual risk assessments
• Overseeing employee training
• Ensuring corrective actions after security incidents

5. Risk Assessment

Data Collected

• Tax returns
• W-2s, 1099s, bank statements
• Identification documents
• Client contact information
• Bookkeeping records
• Payment information (no storage of full credit card numbers)

Internal & External Risks

• Phishing and email compromise
• Malware/ransomware
• Unauthorized device access
• Improper disposal of documents
• Employee negligence
• Natural disasters

Current Safeguards

• Multi-factor authentication (MFA)
• Encrypted cloud storage
• Secure tax preparation software
• Locked filing cabinets
• Automatic backups
• Antivirus and firewall systems

Risk Determination

Risks are reviewed annually and safeguards are enhanced as necessary.

6. Administrative Safeguards

Access Control

• Access granted only when necessary for job duties
• Immediate removal of access upon termination
• Unique usernames/passwords required

Employee Training

• Annual IRS Publication 4557 training
• Phishing awareness
• Proper handling and disposal of taxpayer data
• Incident reporting procedures

Third-Party Providers

Vendors must:

• Use encryption
• Maintain Safeguards Rule compliance
• Provide proof of security measures upon request

7. Physical Safeguards

Office & Document Security

• Office locked when unattended
• Documents stored in locked cabinets
• No sensitive files left on desks

Device Security

• Password-protected, MFA-enabled devices
• Screens auto-lock after 5 minutes
• Encrypted laptops and mobile devices
• No taxpayer data stored on unapproved personal devices

Paper Handling

• Documents scanned immediately
• No unnecessary printing
• Shredding with a cross-cut shredder

8. Technical Safeguards

Password Policy

• Minimum 12 characters
• Must include upper/lowercase letters, numbers, and symbols
• Changed annually or after any suspected compromise
• MFA required on all sensitive systems

Network Security

• Firewalls active on all devices
• Updated antivirus and anti-malware
• Secured Wi-Fi with WPA3 encryption
• Guest network isolated

Data Security

• Encryption at rest and in transit
• Secure client portals for document exchange
• No unencrypted emails containing PII
• Daily encrypted backups stored securely

9. Incident Response Plan

What Constitutes an Incident

• Lost/stolen devices
• Unauthorized access attempts
• Malware infections
• Email compromise
• Office break-ins
• Employee misconduct or accidental disclosures

Response Steps

1. Contain the incident
2. Assess the data affected
3. Notify Dewey (Security Officer)
4. Report to IRS/FTC if required
5. Notify clients if necessary
6. Document all actions
7. Strengthen safeguards to prevent recurrence

10. Data Retention & Disposal

Retention

• Tax files retained for at least 3 years or longer if legally required
• Electronic backups preserved securely

Disposal

• Cross-cut shredding for paper documents
• Secure digital file wiping
• Proper destruction of old devices and hard drives

11. Annual Review

This WISP is reviewed every year or sooner if:

• New threats arise
• New technology is implemented
• Regulatory requirements change
• A security incident occurs

12. Certification

I acknowledge and certify that I understand this Written Information Security Plan and agree to follow its policies and procedures.

Signature: 

____________________________
Name: Dewayne “Dewey” Fillingim
Date: 11/28/2025 (renewed)________________________________