Are You Regulated to Have a Written Information Security Plan?

Contact us Looking for an IT Company to help with your Written Information Security Plan?

CPA Firms Need to Comply with the Gramm-Leach-Bliley Act (GLBA)

Is Your CPA Firm in Compliance?

In order to combat the ever increasing threat of data security breaches, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was created to require CPA firms to protect the information they collect from clients by implementing written information security plans that detail how their CPA firm is equipped to protect their clients’ personal information.


Recently, the IRS initiated the Protect Your Clients; Protect Yourself campaign to educate and inform tax professionals about their responsibilities for compliance.  While the IRS has issued publications that include details and security recommendations as well as requirements, navigating, validating and documenting this information can be difficult.

Medical Providers Need to Comply with the HIPAA Privacy Rule

Is Your Medical Office in Compliance?

As a cornerstone of HIPAA, the HIPAA Security Rule requires physicians to protect patients’ electronically stored, protected health information (ePHI) by using appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of this information.  HIPAA defines administrative safeguards as, “Administrative actions, policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information.


Behind every security compliance measure is a documentation requirement. Practically every facet of HIPAA compliance requires that policies and procedures be created and implemented. These documents must be retained for at least six years (and state requirements may mandate longer retention periods). Regulations require periodic review of policies and response to changes in the ePHI environment.


Without a detailed written information security plan, your business runs the risk of being non-compliant and subject to fines, loss of business and loss of reputation in the event of a breach.  Suggested mitigation techniques and policies include:

  • Protecting email accounts with strong passwords

    The NIST Password Guideline Standards are laid out in the NIST Special Publication 800-63B and are a part of NIST’s Digital Identity Guidelines.

  • Implementing two-factor authentication

    Two-Factor Authentication (2FA) is essential to security because it immediately neutralizes the risks associated with compromised passwords.

  • Utilizing anti-phishing security tools

    By implementing anti phishing software, organizations can significantly reduce the risk of falling victim to phishing attacks.

  • Security Awareness Training

    Prevent cyber incidents by changing employee behavior. Let T3 customize a security awareness program and get immediate improvement in cyber resilience through education.

  • Network Security Assessment

    A network security assessment is an audit of your organization’s IT infrastructure that reviews your network’s security measures. Its goal is to identify vulnerabilities. It covers all critical software, hardware, as well as physical and administrative procedures within your organization.

  • Implementing a written information security plan

    In addition to being compliant with regulations, Information Security Plans are designed to protect information from a wide range of threats to ensure business continuity, minimize business risk and maximize return on investments.

Data breaches cost an average of $9.44 million dollars in the US last year.

(Technology Magazine 2/23/2023)