The IRS Security Six
Six foundational cybersecurity protections that every tax preparer must implement. Required by IRS Publication 4557 and referenced in the FTC Safeguards Rule — these are the minimum standards for protecting client data.
What are the IRS Security Six?
The "Security Six" are six cybersecurity measures outlined in IRS Publication 4557 that every tax professional must have in place. They form the foundation of your security program and are a key part of your WISP (Written Information Security Plan).
Think of them as the minimum viable security for a tax practice. You can’t be IRS-compliant without all six, and your WISP should document how each one is implemented in your specific environment.
The six required protections
Antivirus Software
Every device that touches client data needs active antivirus with real-time scanning and automatic updates. Traditional antivirus is the baseline — EDR (Endpoint Detection & Response) is the modern standard that catches threats signature-based tools miss.
Firewall Protection
Both hardware and software firewalls are required. Your router’s built-in firewall protects the network perimeter; OS firewalls protect individual devices. Multi-user offices should use a dedicated firewall appliance with deep packet inspection and logging.
Multi-Factor Authentication
MFA is mandatory on every system that accesses client data: tax software, email, cloud storage, and remote access. A password alone is not enough — 99% of account-based attacks are stopped by MFA. Use authenticator apps or hardware keys, not SMS.
Data Encryption
All client data must be encrypted at rest (stored files, drives, backups) and in transit (email, uploads, web traffic). Use AES-256 for storage, TLS 1.2+ for transmission. Enable BitLocker/FileVault on every device and never email unencrypted tax documents.
Data Backups
Follow the 3-2-1 rule: three copies of your data, two different media types, one offsite. Automate daily backups, encrypt everything, and test restores quarterly. An untested backup is no backup at all. The IRS requires 7-year retention of client records.
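As an added illustration (not part of the original page or its template), here is a small Python checker that evaluates a backup inventory against the 3-2-1 rule plus the encrypt-everything and quarterly restore-test requirements above; the inventory format, field names and sample records are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed inventory record; the field names are this example's own, not an IRS or FTC format.
@dataclass
class BackupCopy:
    label: str
    media: str                  # e.g. "internal-ssd", "external-hdd", "cloud"
    offsite: bool
    encrypted: bool
    primary: bool = False       # the live working copy counts toward the three copies
    last_restore_test: Optional[date] = None  # last successful test restore (backups only)

def check_321(copies: List[BackupCopy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Evaluate an inventory against 3-2-1 plus the encrypt-and-test rules.
    Returns a list of findings; an empty list means the policy is satisfied."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append("all copies on a single media type: " + ", ".join(sorted(media)))
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    for c in copies:
        if not c.encrypted:
            findings.append(f"{c.label}: not encrypted")
        if c.primary:
            continue  # restore tests apply to backup copies, not the live data
        if c.last_restore_test is None:
            findings.append(f"{c.label}: restore never tested")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(f"{c.label}: last restore test {age} days ago, limit {max_test_age_days}")
    return findings

# Constructed sample inventory for a small office (not real systems).
SAMPLE = [
    BackupCopy("office workstation", "internal-ssd", offsite=False, encrypted=True, primary=True),
    BackupCopy("external drive in safe", "external-hdd", offsite=False, encrypted=True,
               last_restore_test=date(2024, 5, 1)),
    BackupCopy("cloud backup", "cloud", offsite=True, encrypted=True,
               last_restore_test=date(2024, 1, 15)),
]

def sample_findings() -> List[str]:
    """Run the checker over the constructed inventory as of a fixed date."""
    return check_321(SAMPLE, today=date(2024, 6, 1))

if __name__ == "__main__":
    for finding in sample_findings() or ["policy satisfied"]:
        print(finding)
```

The sample passes 3-2-1 itself but flags the cloud copy whose last test restore is older than a quarter, which is exactly the "untested backup" gap the rule above warns about.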
VPN for Remote Access
Any remote access to your office network or client data must go through a VPN. This includes working from home, public Wi-Fi, or accessing cloud software off-site. Use a business VPN (not consumer) with MFA, logging, and always-on configuration.
Need help implementing the Security Six?
We can assess your current setup, identify gaps, and implement all six protections for your practice. Most implementations take less than a week.
Security Six — frequently asked questions
Yes. IRS Publication 4557 lists all six as requirements for any tax professional who handles taxpayer data. The FTC Safeguards Rule reinforces several of these (encryption, MFA, monitoring) as federal law. Missing even one leaves you non-compliant and exposes you to enforcement action.
For some of them, yes. Windows Defender provides basic antivirus, Windows Firewall covers the software firewall requirement, and most authenticator apps (Google Authenticator, Microsoft Authenticator) are free. However, enterprise-grade solutions provide better protection, centralized management, and the logging/reporting the FTC Safeguards Rule requires. For encryption and VPN, free consumer tools often lack the features needed for compliance documentation.
Absolutely. Your WISP should document which specific tools you use for each of the six protections, how they are configured, who is responsible for maintaining them, and how often they are reviewed. If you are ever audited or face a breach, your WISP is the evidence that you had reasonable safeguards in place. Our free WISP template includes sections for each of the Security Six.
Protect Your Tax Practice Today
Schedule a free consultation with our cybersecurity experts. We'll review your current security posture and help you achieve full IRS compliance.