Updated: July 15th, 2024
1. Overview and Purpose: The objective of the Written Information Security Plan (WISP) is to document the protection of the data and systems within the organization’s scope. The purpose of the data security plan is to provide an overview of the security requirements of the systems and to describe the controls that have been implemented, or are planned to be implemented, to comply with IRS regulations. Senior management will authorize the system to operate based on the assessment of the management, technical and operational controls.
2. Company Description: All In One Financial Services is a sole-proprietor tax preparation and tax and financial consulting firm which has only one practitioner.
IRS Electronic Filing Identification Number (EFIN): 569741
IRS Preparer Tax Identification Number (PTIN): P00758919
Said practitioner is also a licensed Life, Health, and Annuity producer in the States of NC & NJ. National producer #: 7415336 and NJ license #: 8107759.
The following is both the home and office of the sole proprietor and tax preparer:
All In One Financial Services
105 Paper Birch Avenue
Asheville, NC 28806-0007
(888) 489-2590
rjmfinancial@yahoo.com, www.avltaxprep.com
3. Authorizing Official: Ron J. Miller, Tax & Financial Consultant, T/A as All In One Financial Services, 105 Paper Birch Avenue, Asheville, NC 28806-0007, (888) 489-2590, rjmfinancial@yahoo.com, is the designated authorizing official of the All In One Financial Services systems.
4. Assignment of Security Responsibility: Same as the Authorizing Official above.
5. General System Description and Purpose: The systems provided by All In One Financial Services function to give tax preparers the ability to prepare taxpayers’ tax forms in a safe and efficient manner. The systems are also configured to keep the clients’ data protected in accordance with IRS regulations.
6. Related Laws/Regulations/Policies: The systems must comply with IRS regulations for the confidentiality, integrity and availability of the data contained within them.
7. Risk Assessment and Mitigation: Risk is assessed on whether the integrity or availability of the data could be changed, as well as whether possible disclosure of information could cause harm to our business or our clients. Please view the Risk Register located in Appendix A for a list of potential risks. Risk is mitigated by administrative and technical controls such as the following, which are put in place. Administrative controls include security awareness training, information disposal and vulnerability management. Technical controls include access control for accounts, data backups and security controls for protecting data.
8. Security Awareness Training Program: The proprietor is required to complete security awareness training annually. The training covers how to identify potential phishing emails, how to identify and protect Personally Identifiable Information (PII), and how to recognize the tricks and techniques hackers may use to harm the organization and clients’ information.
9. Password and Account Requirements: Clients who use the provided VeriFyle client portal system will have to adhere to the strict password guidelines established through the VeriFyle system. VeriFyle will not share or distribute password information to any person or entity. It is the sole responsibility of the client to keep such passwords secure but obtainable for future and continued use. All In One Financial Services, its heirs or assigns shall not have any access to VeriFyle password information and therefore will be held harmless.
10. Anti-Virus and Vulnerability Management Programs: All In One Financial Services has Microsoft Defender anti-virus installed on all systems, and it is set to update automatically when a new virus definition is released. Systems are set to install updates automatically when they are released. Applications used on the systems are set to update automatically, and/or the system administrator receives email notices when a new version is available for download.
11. Data Security: Customer data that is considered Personally Identifiable Information (PII) will always be encrypted, including data at rest. All devices and papers which include customer data or PII will be kept in a secure location and restricted to authorized personnel only.
12. Vendor Management: Before entering a contract or sharing data with a vendor, the vendor will be assessed as to whether it has the proper security controls in place to protect the type of data that will be shared or stored. Contract language will also require, at a minimum, that the vendor contact All In One Financial Services within 72 hours if there has been a breach involving our data or customer data. The contract will further state that the vendor is required to keep the security controls protecting the data at the current level or above.
13. Information Disposal: All In One Financial Services will properly dispose of digital information by media sanitization: clearing, purging, and/or destroying the devices. The same applies to disposing of hard-copy information containing PII or customer data, such as by using a cross-cut shredder.
14. Physical Security: The building is controlled by lock, key, Blink Camera System with cameras at four strategic locations and secured by an ADT Alarm System at all entry points with 24/7/365 monitoring by Alarm Relay Central Monitoring who will notify the proper authorities should an event or alarm trigger occur.
15. Incident Response: The proprietor will report the loss or theft of taxpayer data immediately to their IRS Stakeholder Liaison and to any other authorities deemed appropriate to secure the situation and further protect client data. This helps ensure that appropriate precautions can be taken to protect clients from fraudulent returns possibly being filed in their names. The IRS Stakeholder Liaison can also assist in the recovery efforts, including obtaining a new EFIN if required.
16. Back-up and Disaster Recovery Plan: Critical data will be periodically backed up on CD-R discs and by any other means deemed appropriate by the proprietor to secure client data. The VeriFyle portal, which is the best means of data transfer and storage, is in and of itself a back-up system using six levels of encryption and cloud storage. Carbonite and the VeriFyle system would be the primary means of recovering data in the event of a natural disaster such as storms, hurricanes, or tornadoes.
17. Revisions and Updates to the Plan: This plan will be reviewed annually, or as changes are made to the environment by the IRS and/or any other taxing authority such as State Departments of Revenue. The proprietor, its assigns or heirs will be the final approving authority for changes made to the plan.
Revision History:
(A): 08-19-2023, Ron J. Miller: Added Carbonite back-up information
(B): 07-15-2024, Ron J. Miller: Reviewed and reformatted WISP to clarify information
18. System and Data Inventory: Below is the inventory of the systems, where the data is stored, and the type of information stored on each system.
(A): Dell Inspiron 3880 Desktop Computer with Microsoft Defender security software, located in the Home/Office, which stores tax returns and all tax documents provided by clients, as well as all life, health and annuity account information and related documents provided by clients. The system is connected to the internet via a hard-wired connection for better security. No Wi-Fi is utilized with this system.
(B): Microsoft Windows 11 is the main operating platform, and all tax and financially sensitive folders and files are encrypted using Microsoft’s advanced encryption services. It is connected to the internet.
(C): Ron J. Miller and All In One Financial Services have subscribed to the Carbonite back-up system since August 2nd, 2017 for all client data as well as non-client data on the above-referenced computer. It is a cloud-based system, accessible through the internet from anywhere should the above-referenced computer system fail.
(D): All In One Financial Services provides its clients a free client portal to use, store and electronically sign documents, which has six levels of military-grade encryption and is IRS approved. It is a cloud-based system and is available through the internet from anywhere.
19. Implementation: Effective July 16th, 2023, All In One Financial Services has created this Written Information Security Plan (WISP) in compliance with regulatory rulings regarding implementation of a written data security plan found in the Gramm-Leach-Bliley Act and the Federal Trade Commission Financial Privacy and Safeguards Rules.
Signed: Ron J. Miller – Public Tax Accountant Owner/Operator D/B/A: All In One Financial Services.
Date: July 16th, 2023