Tax professionals have something every cyber criminal wants: taxpayer data that can help them file bogus income tax returns. One of the first steps toward stopping computer crooks before they get to your data is to assess the risks in your office – then make a security plan.
Working up a good security plan makes us think about the areas where our data is vulnerable. It also helps us think beyond what to do if there’s an intrusion on our system, and makes us focus on prevention.
Let’s get started.
Complete a Risk Assessment
A risk assessment is an honest look at your computer systems and your procedures that identifies the risks and potential impacts of unauthorized access, use or disclosure of your information. It also means looking at what happens if someone modifies or destroys your information or the computers that can be used to access taxpayer data.
In any risk assessment, you want to ask yourself these tough questions:
- How vulnerable is my customers’ data to theft, disclosure, alteration or unrecoverable loss?
- What can we do to reduce the impact to our customers and our business in such an event?
- What can be done to reduce our vulnerability?
Write and Follow an Information Security Plan
Using your assessment, your plan should:
- Address every item you identified in the assessment.
- Define the safeguards you want your staff, your affiliates and any service providers to follow.
- Require a responsible person to review and approve your Information Security Plan.
- Require a responsible person to monitor, revise and test your Information Security Plan on a periodic basis to address any system changes or business changes as well as any identified problems.
This review of the Information Security Plan should be carried out at least once a year, but more often is better. The plan, and any other safeguards you’ve put in place, should be evaluated and tested. Document any deficiencies and create a plan to address them. Put that plan into action as part of your updated Information Security Plan.
For more about these and other steps to safeguard your data, take a look at IRS Publication 4557, Safeguarding Taxpayer Data.