FTC Safeguards Rule recordkeeping guide

Your risk assessment is the foundation of your entire information security program. The FTC requires that you document the process, findings, and remediation plans.

• Written risk assessment report identifying internal and external threats
• Inventory of all systems, devices, and locations where customer information is stored
• Vulnerability scan results and penetration test reports
• Risk ratings for each identified threat (likelihood and impact)
• Remediation plans with timelines for addressing identified vulnerabilities
• Evidence of re-assessments conducted after material changes to operations

The written information security program itself must be documented and updated regularly. Keep all versions to demonstrate your program has evolved with changing threats.

• Written Information Security Plan (WISP) with all amendments
• Access control policies and role-based permission matrices
• Encryption standards and key management procedures
• Incident response plan with contact lists and escalation procedures
• Change management logs showing when and why the plan was updated
• Board or management approval records for the security program

The FTC Safeguards Rule requires that personnel are trained on your security program. You must prove training occurred and that employees understood the material.

• Annual security awareness training completion certificates
• Training materials and presentation slides used in each session
• Attendance records with dates, trainer names, and topics covered
• Signed employee acknowledgment forms for security policies
• Records of specialized training for IT staff and the Qualified Individual
• Phishing simulation results and follow-up remedial training records

The amended Safeguards Rule requires continuous monitoring or annual penetration testing and semi-annual vulnerability assessments. Document every test.

• Annual penetration test reports from qualified testing firms
• Semi-annual vulnerability assessment scan results
• Continuous monitoring system logs and alert histories
• Remediation records showing how identified issues were resolved
• Third-party audit reports and compliance certifications
• Access log reviews and anomaly investigation records

Every security incident, whether confirmed or suspected, must be documented from detection through resolution and post-incident review.

• Incident detection logs with timestamps and initial classification
• Investigation notes, forensic analysis reports, and evidence preservation records
• Notification records (IRS, FTC, state attorneys general, affected individuals)
• Remediation actions taken and timeline for implementation
• Post-incident review findings and program improvements made
• Law enforcement reports if applicable

Tax preparers who use third-party services like cloud storage, IT support, or tax software must document their vendor oversight activities.

• Vendor due diligence assessments and security questionnaire responses
• Contracts with data protection and confidentiality clauses
• Service Level Agreements (SLAs) with security requirements
• Annual vendor review reports and compliance certifications
• Records of vendor security incidents and their resolution
• Subprocessor lists and approval records