Written Information Security Plan
Make Cents Bookkeeping and Tax Services

This Written Information Security Plan establishes the administrative, technical, and physical safeguards implemented by Make Cents Bookkeeping and Tax Services to protect the confidentiality, integrity, and availability of taxpayer and client information. This plan is adopted in compliance with the Gramm-Leach-Bliley Act, the Federal Trade Commission Safeguards Rule codified at 16 CFR Part 314, and Internal Revenue Service requirements applicable to paid tax return preparers and authorized e-file providers. The plan applies to all forms of personally identifiable information and federal tax information handled by the firm, whether maintained electronically, physically, verbally, or through remote access.

A. Objective and Scope
The objective of this plan is to ensure the security and confidentiality of taxpayer information, protect against anticipated threats or hazards to the integrity of such information, and prevent unauthorized access or use that could result in identity theft, fraud, or other substantial harm. The scope of this plan includes all client and taxpayer data collected, accessed, stored, transmitted, or disposed of by the firm in the course of providing bookkeeping, tax preparation, tax planning, and related professional services. Covered information includes, but is not limited to, names, addresses, Social Security numbers, dates of birth, income data, tax return information, bank account details, retirement account data, login credentials, and any other data defined as nonpublic personal information under federal law.

B. Designation of Responsibility and Governance
The firm designates a qualified individual to oversee and implement its information security program. The Data Security Coordinator is responsible for developing, maintaining, and enforcing this plan; identifying and assessing risks to customer information; coordinating employee training; overseeing service providers; and leading incident response efforts. Governance responsibilities include maintaining documentation of safeguards, ensuring that access to information is limited to individuals with a legitimate business need, and reviewing the plan at least annually or whenever there is a material change in business operations, technology, or regulatory requirements.

C. Risk Assessment and Safeguard Design
The firm conducts ongoing assessments of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of taxpayer data. Internal risks include employee error, improper access, inadequate password practices, and improper disposal of records or devices. External risks include phishing and spear-phishing attacks, malware and ransomware, unauthorized network access, data interception during transmission, theft or loss of devices, and exploitation of unpatched software or systems. The firm evaluates the effectiveness of existing safeguards and designs controls appropriate to its size and operations, including layered security measures that reduce the likelihood and impact of a data security incident.

D. Information System Controls
Access to information systems is restricted through unique user credentials assigned to each authorized individual. Multi-factor authentication is required for all systems that store, process, or transmit taxpayer information, including tax software, email accounts, cloud storage, and remote access tools. Passwords are required to meet strong complexity standards and are not shared or reused across systems. All firm computers, mobile devices, and storage media are protected by full-disk encryption, and sensitive files transmitted electronically are encrypted or exchanged through secure portals. Firewalls, anti-virus, and anti-malware software are installed on all devices and configured to update automatically. Operating systems, browsers, and applications are kept current through regular security updates and patch management. Remote access is permitted only through secure, encrypted connections, and access over public or unsecured networks is prohibited unless protected by a virtual private network.

A. Physical Safeguards
Paper records containing taxpayer information are stored in locked cabinets or secured areas accessible only to authorized individuals. A clean desk policy is enforced to prevent unauthorized viewing or removal of documents. Devices are secured when unattended, and access to workspaces is controlled. When records are no longer required for business or legal purposes, paper documents are destroyed through cross-cut shredding or certified destruction, and electronic media are securely wiped or physically destroyed to prevent data recovery.

B. Employee Management and Training
All personnel with access to taxpayer information receive initial and ongoing training on data security responsibilities, including recognizing phishing attempts, safeguarding credentials, proper handling of sensitive information, and reporting suspected security incidents. Access to information systems is granted only after training is completed and is promptly revoked upon termination of employment or engagement. Employees are required to acknowledge their understanding of and compliance with the firm’s information security policies. Violations of these policies may result in disciplinary action, up to and including termination.

C. Service Provider Oversight
The firm selects and retains service providers that are capable of maintaining appropriate safeguards for taxpayer information. Service providers with access to such information are required, by contract or written agreement, to implement security measures consistent with federal requirements and industry standards. The firm oversees service providers by evaluating their security practices and requiring prompt notification of any actual or suspected data security incident involving taxpayer information.

D. Incident Response and Breach Management
The firm maintains procedures for responding to actual or suspected data security incidents. Upon discovery of a potential breach, the firm will promptly take steps to contain and mitigate the incident, assess the scope and impact, and preserve evidence. The firm will notify the IRS Stakeholder Liaison, appropriate state agencies, affected clients, and law enforcement as required by law and guidance. Following an incident, the firm will review and update its safeguards to prevent recurrence and document the actions taken as part of its incident response and recovery process.

A. Monitoring, Testing, and Review
The effectiveness of safeguards is monitored and tested on an ongoing basis through system reviews, access monitoring, and periodic evaluation of policies and procedures. The firm monitors PTIN and, where applicable, EFIN activity for signs of misuse or unauthorized filings. This plan is reviewed at least annually and updated as necessary to reflect changes in risks, technology, business operations, or regulatory guidance.

B. Record Retention and Disposal
Taxpayer records are retained only for the period required by law, professional standards, or legitimate business needs. When retention periods expire, records are disposed of securely in a manner that prevents unauthorized access or reconstruction. The firm avoids collecting or retaining unnecessary taxpayer information and limits data storage to what is required to perform services competently and lawfully.

C. Compliance Statement
This Written Information Security Plan is implemented as an active operational policy of Make Cents Bookkeeping and Tax Services. The firm affirms that the safeguards described herein are appropriate to its size and complexity and are designed to comply with applicable federal laws and Internal Revenue Service requirements governing the protection of taxpayer information.

D. Certification
This plan is approved, adopted, and enforced by the firm’s owner and designated Data Security Coordinator and is effective as of the date of adoption.

References

Federal Trade Commission. (2023). Safeguards Rule, 16 C.F.R. Part 314. https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314

Internal Revenue Service. (2024). Safeguarding taxpayer data (Publication 4557). https://www.irs.gov/tax-professionals/safeguarding-taxpayer-data

Internal Revenue Service. (2024). Creating a written information security plan for your tax & accounting practice (Publication 5708). https://www.irs.gov/forms-pubs/about-publication-5708

Internal Revenue Service. (n.d.). Identity theft central. https://www.irs.gov/identity-theft-central

Internal Revenue Service. (n.d.). Protect your clients; protect yourself. https://www.irs.gov/tax-professionals/protect-your-clients-protect-yourself