ComplianceVault

Simplifying Compliance for Accounting Firms

ComplianceVault is a feature exclusively available to subscribers of SmartVault’s Accounting Unlimited Plan. It provides accounting firms with essential compliance tools, including downloadable information security policy templates and a Written Information Security Plan (WISP) to help ensure compliance with the FTC Safeguards Rule. These resources enable firms to build a strong, regulatory-compliant Information Security Program without the time and costs typically required for custom documentation.

What Problems Does ComplianceVault Solve?

ComplianceVault addresses key compliance challenges for accounting firms:

Pre-built Templates Aligned with FTC Requirements

Our templates cover core security areas as required by the FTC Safeguards Rule, ensuring foundational compliance with ease.

Foundation for an Information Security Program

Access to essential policies and procedures needed for a robust Information Security Program.

Time and Resource Savings

Firms save on the effort, expense, and time of creating their own compliance documentation from scratch.

Customizable Templates for Tailored Compliance

Each document is fully customizable, allowing firms to adjust the templates to their specific needs.

Understanding the FTC Safeguards Rule

In November 2023, the Federal Trade Commission (FTC) introduced the Safeguards Rule, which requires all financial institutions, including accounting firms, to implement a Written Information Security Program (WISP).

The rule mandates the following 10 core components to achieve compliance:
1. Establish a Written Information Security Program (WISP)
Firms must develop, implement, and maintain a documented Information Security Program. This program should be comprehensive, include administrative, technical, and physical safeguards, and be easily accessible to authorized personnel. The WISP should clearly outline policies and procedures designed to protect customer data and address both current and future risks.
2. Designate a Qualified Individual
A specific person must be appointed to oversee the Information Security Program. This individual is responsible for implementing, managing, and regularly updating the program. They will also act as the primary point of contact for security-related matters and ensure compliance with the FTC Safeguards Rule requirements.
3. Conduct a Risk Assessment
Firms are required to perform regular, written risk assessments to identify and evaluate potential risks and threats to customer information. These assessments should consider external threats (e.g., cyberattacks) and internal vulnerabilities (e.g., outdated software or insufficient employee training) and provide clear recommendations for addressing these risks.
4. Design and Implement Safeguards
Based on the findings of the risk assessment, firms must implement appropriate safeguards to mitigate identified risks. These safeguards should include technical solutions (e.g., firewalls and intrusion detection systems), physical protections (e.g., locked file cabinets and secure office spaces), and administrative measures (e.g., employee training on security best practices).
5. Implement and Review Access Controls
Firms must determine who has access to customer information and ensure access is granted on a need-to-know basis. Access controls should include password protection, user authentication, and role-based permissions. Firms are also required to periodically review access rights and revoke unnecessary access to reduce risks.
6. Encrypt Customer Information
Customer data must be encrypted during transmission and while at rest. Encryption ensures that even if data is intercepted or accessed by unauthorized parties, it cannot be read or used without the encryption key. This is a critical measure to protect sensitive information.
7. Assess Applications
Firms must evaluate the security of both in-house and third-party applications that handle customer information. This includes ensuring that applications are regularly patched, updated, and configured securely. Vendors providing third-party applications should also meet security and compliance requirements.
8. Implement Multi-Factor Authentication (MFA)
Multi-Factor Authentication adds an extra layer of security by requiring users to verify their identity through multiple methods (e.g., a password and a one-time code sent to their phone). This requirement applies to all systems where customer information is accessed to prevent unauthorized access.
9. Dispose of Customer Information Securely
Firms must securely dispose of customer information that is no longer needed. Data should be deleted or destroyed in a way that ensures it cannot be reconstructed. The FTC Safeguards Rule specifies that data no longer in use must be securely disposed of within two years of its last use unless otherwise required by law.
10. Develop an Incident Response Plan
Firms must create a detailed, written plan for responding to security incidents, such as data breaches or cyberattacks. The plan should include steps for identifying the incident, containing the threat, assessing the impact, notifying affected parties, and documenting the response for future improvements.

Frequently Asked Questions

Is ComplianceVault available on all plans?
No, ComplianceVault is exclusively available to subscribers of SmartVault’s Unlimited Plan. This feature is designed to enhance the Unlimited Plan by providing essential compliance tools, such as customizable templates and a Written Information Security Plan (WISP), to help firms meet the FTC Safeguards Rule requirements. Lower-tier plans do not include ComplianceVault, but upgrading to the Unlimited Plan unlocks access to these valuable compliance resources along with other premium features, ensuring firms can streamline compliance and focus on their core operations.
How often are the templates updated?
The ComplianceVault templates are regularly reviewed and updated by SmartVault to ensure they reflect the latest regulatory requirements and industry best practices. Our compliance experts monitor changes to the FTC Safeguards Rule and other relevant regulations, ensuring that templates remain accurate, comprehensive, and effective. These updates ensure that firms using ComplianceVault can stay ahead of evolving compliance standards without the burden of creating or revising documentation themselves. Customers will always have access to the most current versions of these resources as part of their Unlimited Plan subscription.
What is a WISP?
A Written Information Security Plan (WISP) is a document that outlines an organization’s security policies and procedures to help ensure compliance with the FTC Safeguards Rule.
What is SmartVault's commitment to security and compliance?
SmartVault is dedicated to providing a secure and compliant document management experience for our clients. We have achieved several key industry certifications and compliance milestones, demonstrating our commitment to maintaining the highest standards of data protection:

  • ISO 27001:2013 and ISO 27001:2022: These certifications ensure that SmartVault follows international standards for information security management, demonstrating our commitment to protecting client data.
  • ISO 22301: This certification focuses on business continuity, ensuring that SmartVault has robust plans and processes in place to continue operations and safeguard client data during any potential disruptions.
  • SOC 2 Type 1 and SOC 2 Type 2: SOC 2 compliance verifies that SmartVault’s systems and processes meet strict security, availability, and confidentiality standards, providing assurance that we prioritize secure and reliable service for our clients.

Who Benefits from ComplianceVault?

Accounting, Tax, and Bookkeeping Firms

Firms that need to implement or enhance their information security program, streamline compliance, and focus on core operations will find ComplianceVault invaluable.

Ready to Transform Compliance?

With ComplianceVault, firms can protect sensitive data, meet regulatory standards, and focus on their business. Join SmartVault’s Unlimited Plan today to unlock ComplianceVault and simplify compliance for your firm.
See ComplianceVault in Action

Want to see exactly how SmartVault can work for your business? Book a 15-minute demo today.

For more information on SmartVault’s commitment to hassle-free compliance, visit our Security and Compliance page.