ZCG LLC’s Written Information Security Plan
I. OBJECTIVE
The objective in the development and implementation of this WISP, is to create effective administrative, technical, and physical safeguards for the protection of Personally Identifiable Information (PII) retained by ZCG LLC, (Firm). This WISP is intended to comply with the obligations under the Gramm-Leach-Bliley Act and Federal Trade Commission Financial Privacy and Safeguards Rules to which this Firm is subject. The WISP sets forth our procedure for evaluating the electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting PII retained by Firm. For purposes of this WISP, PII means information containing the first name and last name or first initial and last name of a Taxpayer, Spouse, Dependent, or Legal Guardianship person in combination with any of the following data elements retained by the Firm that relate to Clients or Business Entities:
A. Social Security number, Date of Birth, or Employment data
B. Driver’s license number or state-issued identification card number
C. Income data, Tax Filing data, Retirement Plan data, Asset Ownership data, Investment data
D. Financial account number, credit or debit card number, with or without security code, access code, personal identification number; or password(s) that permit access to a client’s financial accounts
E. E-mail address, phone numbers, residential, or any contact information
PII does not include information that is obtained from publicly available sources such as a mailingaddress or phone directory listing; or readily available information on the internet, or from federal, state or local government records that are available to the general public.
II. PURPOSE
The purpose of the WISP is to:
A. Ensure the Security and Confidentiality of all PII retained byFirm.
B. Protect PII against anticipated threats or hazards to the security or integrity of such information.
C. Protect against any unauthorized access to or use of PII in a manner that creates a substantial risk of Identity Theft or Fraudulent or Harmful use.
III. SCOPE
The Scope of the WISP related to Firm shall be limited to the following protocols:
A. Identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing PII.
B. Assess the potential damage of these threats, taking into consideration the sensitivity of the PII.
C. Evaluating the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control identified risks.
D. Design and implementation of this WISP placing safeguards which minimize those risks, consistent with the requirements of the Gramm-Leach-Bliley Act, the Federal Trade Commission Financial Privacy and Safeguards Rule, and National Institute of Standards recommendations.
E. Regular monitoring and assessment of the effectiveness of aforementioned safeguards.
IV. IDENTIFIED RESPONSIBLE OFFICIAL
Firm has designated Daniel Zebarth to be the Data Security Coordinator (DSC). The DSC is the official responsible for the Firm data security processes and will implement, supervise, and maintain the WISP. Accordingly, the DSC will be responsible for the following:
Implementing the WISP includingrelated operational protocols
Identifying all the Firm’s locations of the data subject to the WISP and the protocols for designating them as Secured Assets with Restricted Access
Evaluating the ability of any third-party service providers not directly involved with tax preparation and electronic transmission of tax returns to implement and maintain appropriate security measures for the PII, to which they have permitted access, and ensuring third-party service providers have implemented appropriate security measures that comply with WISP
Reviewing the scope of the security measures in the WISP regularly.
Firm has also designated Daniel Zebarth to be the Public Information Officer (PIO). The PIO is Firm’s designated spokesperson. To prevent misunderstandings, all outward-facing communications should be approved by the PIO and who is in charge of the following:
All client communications by phone conversation or in writing
All statements to law enforcement agencies
All releases to news media
All information released, if any, to business associates, other businesses to which the Firm might communicate with regarding PII
V. INSIDE FIRM RISK MITIGATION
To reduce internal risks to the security, confidentiality, and/or integrity of any retained electronic, paper, or other records containing PII, the Firm has implemented the following policies and procedures:
PII Collection and Retention Policy
A. Firm will only collect the PII of clients that are required to accomplish Firm’s legitimate business needs, while maintaining compliance with all federal, state, or local regulations.
B. Access to records containing PII is limited to DSC and PIO
C. The DSC will identify and document the locations where PII may be stored by Firm:
a. Disk drives, solid-state drives, USB memory devices, removable media, removable or swappable drives, and any USB storage media
b. Securable desk drawers
c. Laptop Computer, client portals, electronic Document Management
d. Online applications, portals, and cloud software applications
e. Database applications, such as Tax Software Programs
D. Written and electronic records containing PII shall be destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements.
a. Paper-based records shall be securely destroyed by shredding at the end of their service life.
b. Electronic records shall be securely destroyed by deleting and overwriting the file directory or by reformatting the drive on which they were housed.
Disclosure Policy
A. No PII will be disclosed without authenticating the receiving party and without securing written authorization from the client whose PII is contained in such disclosure.
B. Firm will take all possible measures to ensure all paper and electronic records containing PII securely on premises at all times. When there is a need to bring records containing PII remotely, only the minimum information necessary will be used. Under no circumstances will documents, electronic devices, or digital media containing PII be left unattended in an employee’s car, home, or in any other potentially insecure location.
C. All security measures included in this WISP shall be reviewed regularly, to ensure that the policies contained in the WISP are adequate and meet all applicable federal and state regulations. Changes may be made to the WISP at any time they are warranted. The DSC and PIO of the Firm will be responsible for the review and modification of the WISP and regulatory sources.
D. Firm may share PII of its clients with the state and federal tax authorities, Tax Software Vendors, or others as necessary to conduct its business. This includes legal counsel, business advisors in the normal course of business. Law enforcement and governmental agencies may also have customer PII shared with them in order to protect clients or in the event of a lawfully executed subpoena. Access to PII by these third-party organizations will only be the minimum required to conduct business. Any third-party service provider that requires access to PII must also be compliant with the standards contained in this WISP. The exceptions are tax software vendors and e-Filing transmitters, state and federal tax authorities, which are already compliant with laws that are stricter than this WISP.
Reportable Events
A. If a Data Security Incident requires notifications under the provisions of regulatory laws such as The Gramm-Leach-Bliley Act, there will be a mandatory post-incident review by the DSC of the events and actions taken. The DSC will determine if any changes in operations are required to improve the security of retained PII for which the Firm is responsible. Records of and changes or amendments to the Information Security Plan will be tracked and kept on file as an addendum to this WISP.
B. The DSC is responsible for maintaining any required Data Theft Liability Insurance, Cyber Theft Insurance Riders, or Legal Counsel retainers as deemed necessary by Firm.
C. The DSC will notify the IRS Stakeholder Liaison, and state and local Law Enforcement Authorities in the event of a Data Security Incident, coordinating all actions and responses taken by the Firm. The DSC or person designated by the coordinator shall be the sole point of contact with any outside organization not related to Law Enforcement, such as news media, non-client inquiries by other local firms or businesses and other inquirers.
VI. OUTSIDE THE FIRM RISK MITIGATION
To reduce external risks from outside Firm’s network, for the security, confidentiality, and/or integrity of its electronic, paper, or other records containing PII, and the effectiveness of its safeguards for limiting such risks, the Firm has implemented the following policies and procedures:
Network Protection Policy
A. Firewall protection, operating system security patches, and all software products shall be up to date and installed on the Firm’s laptop that accesses, stores, or processes PII data on Firm’s network.
B. All system security software, including anti-virus, anti-malware, and internet security, should be up to date and installed on any computer that stores or processes PII data or the Firm’s network.
C. Secure authentication protocols will be in place to:
a. Control username ID, passwords and Two-Factor Authentication processes
b. Restrict access to only Daniel Zebarth
c. Require strong passwords that conforms to accepted security standards (using upper and lower-case letters, numbers, and special characters, eight or more characters in length)
d. Change all passwords regularly or as needed such as evidence of a compromise
e. Firm passwords must not be used on other sites; or personal passwords used for Firm business. Firm passwords will be for access to Firm resources only and not mixed with personal passwords
D. Software will be monitored for unauthorized access or unauthorized use of PII data. Event Logging is enabled on its systems containing PII.
E. Firm maintain a firewall between the internet and the internal private network.
F. Operating System (OS) patches and security updates will be reviewed and installed continuously.
Firm User Access Control Policy
A. Firm will adhere to Federal Trade Commission 15 U.S.C § 6805. Section 314.4(c.5) regarding the implementation of multi-factor authentication.
B. Firm uses multi-factor authentication (MFA) for remote login authentication via a cell phone text message to ensure only authorized devices can gain remote access to Firm’s systems.
C. When a Password Utility program is utilized, the DSC will first confirm that:
a. Username and password information is stored on a secure encrypted site.
b. Multi-factor authentication of the user is enabled to authenticate new devices.
Electronic Exchange of PII Policy
A. It is Firm policy that PII will not be in any unprotected format, such as e-mailed in plain text, rich text, html, or other e-mail formats unless encryption or password protection is present or client has agreed and permits this. Passwords MUST be communicated to the receiving party via a method other than what is used to send the data, such as by phone call or SMS text message.
Wi-Fi Access Policy
A. Wireless access (Wi-Fi) points or nodes, if available, will use strong encryption. Firm Wi-Fi will require a password for access.
B. All devices with wireless capability like all-in-one copiers and smart devices will have default factory passwords changed to Firm-assigned passwords. All default passwords will be reset or the device will be disabled from wireless capability or the device will be replaced with a non-wireless capable device.
Remote Access Policy
The DSC approves use of Remote Access utilities for Firm.
Remote access can be dangerous if not configured correctly. Remote access tools that encrypt both the traffic and the authentication requests (ID and Password) used will be the standard. Remote access will only be allowed using multi-factor Authentication (MFA) in addition to username and password authentication.
Connected Devices Policy
A. Any new devices that connect to the Internal Network must meet a security review before they are added to the network. The Firm will ensure the devices meet all security patch standards and login and password protocols before they are connected to the network.
B. “Autorun” features for USB ports and optical drives like CD and DVD drives on network computers and connected devices will be disabled to prevent malicious programs from self-installing on Firm’s systems.
C. Firm will erase the hard drives or memory storage devices the Firm removes from the network at the end of their respective service lives. If any memory device is unable to be erased, it will be destroyed by removing its ability to be connected to any device, or it will be physically rendered unable to produce any residual data still on the storage device.
D. The Firm uses approved anti-virus software, which is updated regularly. Virus and malware definition updates are also updated as they are made available by the vendors.
