The IRS Data Security Plan: FAQ

Here are responses to some common questions regarding the IRS Security Plan requirements.

Can a small business develop an IRS Security Plan?

The answer is: YES. While the IRS data security plan requirements seem daunting, any small business – even a single-person provider – can create a plan. The Information Shield IRS Cyber Security Plan Template can help jump-start the process and provide all of the documentation and policies you need for an effective plan.

Do I need a cyber security expert to develop an IRS Security Plan?

Not exactly. If you have access to a cyber security expert, then most certainly engage them in developing your plan. Most practitioners, however, can develop and customize a plan themselves if they start with a robust template. If your organization has no security tools in place (for example encryption or anti-malware software), then you will need to adopt them. But in most cases, companies already have these tools in place. If not, a technically savvy person can implement them.

How much does it cost to develop an IRS Security Plan?

The cost of a plan depends on who develops the plan and how detailed you want it to be. Hiring outside cyber security experts typically runs from $150 – $300 per hour, so a solid plan may cost several thousand dollars. A more cost-effective approach is to use an IRS Cyber Security Plan Template – which is $249.00 – to get started and then do the customization yourself or with internal staff. Plan templates can save up to 20 hours of development work, or nearly $4000.00 for a typical consultant.

What is IRS Publication 4557?

IRS Publication 4557, Safeguarding Taxpayer Data, is the official document published by the IRS containing specific guidance for protecting customer data. It contains the detailed requirements for what must be in a qualified data security plan. The other publication referenced by the IRS is NIST 7621r1, Small Business Information Security – The Fundamentals. These documents, while designed for small business owners, can be difficult to understand if you are not versed in cyber security.

What does the IRS data security plan require?

The IRS recommends six specific steps for designing, implementing and maintaining a data security plan.

  1. Include the name of all information security program managers.
  2. Identify all risks to customer information.
  3. Evaluate risks and current safety measures.
  4. Design a program to protect data.
  5. Put the data protection program in place.
  6. Regularly monitor and test the program.

An IRS Data Security Plan is designed to support these steps. For most IRS professionals, Step 4 (Design a program to protect data) is the most daunting. A “risk analysis” (Steps 2-3) is simply a list of possible problems that can happen and how you will address them. After this step, you will have written security policies that describe all of the “safety measures” that you must put in place. The next key step (Step 5) is to list the required technical elements (firewalls, encryption, backup) and ensure that your organization has these in place. Regular monitoring and testing is simply the process of verifying that the tools work. In many cases, your technical systems will give you an “alert” if there is a possible attack or event; this counts as “monitoring”. The annual review and update of your plan is also part of “monitoring”.

How can I get started developing an IRS Cyber Plan?

Now that tax season is over, providers should begin to develop and refine their plan. As discussed above, an existing template can dramatically reduce the time and cost of a plan. We recommend the following approach:

  1. Get a quality IRS Security Plan Template
  2. Customize the Plan (by replacing your name and logo)
  3. Review the Plan based on your current technology
  4. Approve and sign the final plan
  5. Take all employees through the security awareness training

You will want to review and approve the plan (Steps 3-5) each year; this will take much less time than the initial effort and will keep your plan up to date.