Written Information Security Plan (WISP)

March 18, 2025

I. OBJECTIVE

The objective of this Written Information Security Plan (WISP) is to establish safeguards to protect Personally Identifiable Information (PII) handled by i plus one, INC. DBA AutoWorkpapers. This WISP is designed to comply with the Gramm-Leach-Bliley Act and Federal Trade Commission Financial Privacy and Safeguards Rules. It outlines best practices for accessing, collecting, storing, using, transmitting, and protecting PII. For the purposes of this WISP, PII includes, but is not limited to:

  • Social Security Number, Date of Birth, Employment Information 

  • Driver’s License Number or State-Issued Identification Number 

  • Income Data, Tax Filing Data, Retirement Plan Data, Asset Ownership Data, Investment Data 

  • Financial Account Numbers, Credit or Debit Card Numbers, Security Numbers, Access Codes, Personal Identification Numbers, or Passwords 

II. PURPOSE

The purpose of this WISP is to:

  • Ensure the security and confidentiality of PII retained by i plus one, INC. DBA AutoWorkpapers.

  • Protect PII from threats or hazards to its security and integrity through employee training and technical safeguards.

  • Prevent unauthorized access to or use of PII that could result in identity theft or other fraudulent activities.

III. SCOPE

The scope of this WISP includes:

  • Identifying internal and external risks to the security, confidentiality, and integrity of PII.

  • Assessing the potential damage of these threats, considering the sensitivity of the PII.

  • Evaluating the sufficiency of existing policies, procedures, and safeguards.

  • Designing and implementing safeguards to minimize risks, consistent with regulatory requirements.

  • Regularly monitoring and assessing the effectiveness of these safeguards.

IV. IDENTIFIED RESPONSIBLE OFFICIALS

i plus one, INC. DBA AutoWorkpapers has designated Thomas Shelley, CEO, as the Data Security Coordinator (DSC). The DSC is responsible for:

  • Implementing and maintaining the WISP.

  • Identifying data repositories and designating them as Secured Assets with Restricted Access.

  • Verifying employee completion of Information Security Plan Training.

  • Monitoring and testing compliance with the WISP.

  • Evaluating third-party service providers' security measures.

  • Conducting annual training sessions for employees with access to PII.

Public Information Officer (PIO): Thomas Shelley, CEO

i plus one, INC. DBA AutoWorkpapers has assigned Thomas Shelley, CEO, as the Public Information Officer (PIO). The PIO will act as the official spokesperson for the firm, ensuring consistent and accurate communication. Responsibilities include:

  • Managing all client communications via phone or written correspondence.

  • Coordinating statements with law enforcement agencies.

  • Handling news media releases.

V. RISK ASSESSMENT

To protect sensitive data and maintain the integrity of our security measures, i plus one, INC. DBA AutoWorkpapers conducts quarterly risk assessments. This process identifies vulnerabilities, evaluates potential threats, and implements safeguards to mitigate risks to taxpayer information, employee records, and other critical data. It involves the following:

  • Identifying risks: We review every surface area across which an attack or breach may occur, then identify the threat models that apply to each surface area.

  • Cataloging information: We maintain a catalogue of all surface areas (hardware, services, web portals, client communications, etc.) and the threats associated with those surface areas.

  • Evaluating potential losses: During quarterly reviews, we triage threats based on potential loss and implement changes as needed.

  • Monitoring and testing: We establish ongoing processes to monitor current safeguards and test for emerging risks to ensure vulnerabilities are identified and mitigated.

VI. HARDWARE AND SOFTWARE INVENTORY

Below is a comprehensive list of hardware and software owned, operated, or leased by the firm and its staff:

Hardware/Software:

  • Latest Apple computers running the most recent macOS with strong passwords and encrypted hard drives

  • Microsoft Azure Data Cloud, which provides best-in-class security for handling tax documents and sensitive data, trusted by Fortune 500 companies for their most sensitive data. All input data to Microsoft is deleted within 24 hours and encrypted in transit, and is never used for training their AI models. 

VII. INSIDE THE FIRM RISK MITIGATION

To mitigate internal risks, i plus one, INC. DBA AutoWorkpapers has implemented the following policies:

  • Collect only necessary PII for legitimate business needs.

  • Limit access to PII to employees with a legitimate need.

  • Require multi-factor authentication for accessing client PII.

  • Securely destroy or delete records containing PII when no longer needed.

  • Conduct regular training and require employees to acknowledge understanding of the WISP.

VIII. OUTSIDE OF FIRM RISK MITIGATION

To mitigate external risks, i plus one, INC. DBA AutoWorkpapers has implemented the following measures:

  • Use a modern operating system with advanced antivirus protection, with regular security updates.

  • Require strong, unique passwords and two-factor authentication to gain access to any company systems that may contain PII.

  • Require third-party software providers to use AES 256-bit encryption for PII.

IX. SAFETY MEASURES

PII Collection and Retention Policy

  • We only collect the PII necessary for business operations and to comply with relevant regulations.

  • Access to PII is limited to employees who need it for their job duties.

  • We never sell data to third parties for any reason.

  • PII records will be securely destroyed when no longer needed or when required by law:

    • Paper records will be shredded or incinerated.

    • Electronic records will be deleted or overwritten.

Data Disclosure Policy

Client data is shared only with the client, subject to the limited exceptions listed below.

  • Access to areas where PII is stored — such as file rooms, desks, and computers — is restricted.

  • Employees will be trained to keep PII secure on-site.

  • Client PII may be shared with tax authorities or law enforcement when required.

  • Client PII may be temporarily shared with security-vetted vendors (Microsoft) for the purposes of business operations. The vendor does not store this data; it is used only within the scope of providing the service, such as OCR classification of documents, and is deleted as soon as possible.

User Access Control Policy

The Firm will comply with FTC regulations, including multi-factor authentication (MFA) requirements.

  • MFA will be used for remote logins, via text or apps like Google Authenticator, ensuring only authorized devices can access Firm systems.

  • All users will have unique passwords. Shared passwords or accounts are prohibited. Users may change their passwords at any time without sharing them with the DSC.

  • Passwords will be reset according to National Institute of Standards and Technology (NIST) guidelines, with the DSC notifying employees of any accelerated resets.

  • If using a password management tool, the DSC will ensure it stores passwords securely and requires MFA for device authentication.

Electronic Exchange of PII Policy

  • PII will not be sent through publicly accessible channels unless it is encrypted or password-protected.

  • Passwords must be sent separately (e.g., via phone or SMS).

  • The Firm may use a password-protected portal for exchanging PII, subject to approval of security protocols by the DSC.

  • PII stored on external drives will be encrypted.

Network Protection

  • All computers that access, store, or process PII on the Firm's network must have up-to-date security patches and software installed. This includes any third-party devices connected to the network.

  • Strong user authentication protocols will be implemented to:

    • Control usernames, passwords, and two-factor authentication (2FA)

    • Restrict access to active user accounts

    • Require strong passwords that meet accepted security standards

  • Operating system (OS) patches and security updates will be reviewed and installed regularly.

Remote Access Policy

  • The DSC and the Firm's IT contractor will approve all remote access tools used by the Firm.

  • Because improperly configured remote access is a significant risk, all remote access will be secured with encryption for both traffic and authentication credentials (ID and password).

  • Additionally, remote access will require MFA in addition to username and password authentication.

Connected Devices Policy

The Firm or a certified third-party vendor will securely erase hard drives or memory storage devices removed from the company. If a device cannot be erased, it will be destroyed or rendered unable to store any data.

Wi-Fi Access Policy

  • All wireless access points (Wi-Fi) will use strong encryption, and access will be password-protected. 

  • Devices with wireless capabilities (e.g., printers, copiers, fax machines, smart devices) will have their default factory passwords changed to Firm-assigned passwords. 

  • Any device with default passwords will either have the passwords reset, be disabled from wireless access, or be replaced with a non-wireless device.

Information Security Training Policy

  • All employees will receive training on maintaining the privacy and confidentiality of the Firm's PII.

  • New employees will be trained before gaining access to PII, and periodic refreshers will be held to ensure a consistent understanding of Information Security. 

  • Disciplinary action may be taken if an employee fails to follow these policies.

X. INCIDENT RESPONSE AND BREACH NOTIFICATION

In the event of a data security incident requiring notification under laws such as the Gramm-Leach-Bliley Act, the DSC will conduct a mandatory post-incident review.

  • The review will assess the events and actions taken, and determine if changes are needed to enhance the security of retained PII. 

  • Records of any amendments to the WISP will be documented as an addendum to this WISP.

  • The DSC will notify the relevant IRS stakeholders and local law enforcement authorities in the event of a data security incident. 

  • The DSC, or a designated representative, will serve as the sole point of contact for external organizations not related to law enforcement.

XI. EMPLOYEE CODE OF CONDUCT

The WISP will be provided to all employees, who must acknowledge receipt and agree to comply. 

  • Employees should report any risks to the DSC. If the DSC is the source of the risk, employees should report directly to the Firm's owner.

  • The DSC will train employees on the WISP's policies, and periodic reviews will be conducted for compliance.

  • Employees must secure all PII: 

    • Paper records should be locked

    • Digital files must be password-protected or encrypted

    • Computers should be locked when unattended

  • Non-compliance with these policies will result in disciplinary action, ranging from warnings to termination.

  • Upon termination, access to systems and physical resources will be immediately revoked. 

XII. IMPLEMENTATION CLAUSE

This WISP is implemented on 03/18/2025 by i plus one, INC. DBA AutoWorkpapers in compliance with the Gramm-Leach-Bliley Act and the Federal Trade Commission Financial Privacy and Safeguards Rules.

Signed by:

Principal Officer: Thomas Shelley, CEO

DSC: Thomas Shelley, CEO