Safeguarding Your Assets

Information Security Policy

  1. Introduction

This document defines the Information Security Policy of AAL Business and Tax, P.A., a CPA Firm. The Information Security Policy applies to all business functions and information conducted by the firm’s employees. It is the employees’ responsibility to protect and maintain the confidentiality, integrity, and availability of client information.

  1. Purpose

The purpose of the Policy is to protect the information belonging to the clients of AAL Business and Tax, P.A. (also called the “Firm”). The Gramm-Leach-Bliley (GLB) Act of 1999, P.L. 106-102 gives the Federal Trade Commission the authority to regulate information safeguard protocols for various types of businesses which include professional tax preparers.

This policy informs the firm’s employees of the standards and procedures governing the holding, use and disposal of client information.

It is the goal of the firm that:

  • Client information will be safeguarded against unauthorized access and/or misuse.
  • Confidentiality of information with be upheld.
  • Integrity of client information will be maintained.
  • Availability of information and information systems is maintained without disruption.
  • Business continuity planning procedures will be established and maintained.
  • Regulatory, contractual and legal requirements will be complied with.
  • Physical and communications security will be maintained.
  • Consequences of an infringement of this policy will be clearly communicated and enforced.
  • Any and all information security incidents are reported to the appropriate entity as outlined within this Policy.

Client information defined:

  • Identifying information showing clients’ name, address, phone numbers, emails, and social security numbers.
  • Identifying business information showing an entity’s name, address, phone numbers, emails, and employer identification numbers.
  • Correspondence with clients such as emails, faxes, and phone conversations.
  • Financial information including but not limited to bank account numbers, investment information, as well as debt and/or credit information.
  1. Scope

AAL Business and Tax, P.A. maintains the following security measures to safeguard against a breach of information confidentiality. This policy applies to all employees of AAL Business and Tax as well as any vendor that has access to client information. It is the policy of AAL Business and Tax to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. 

  1. Policy

AAL Business and Tax, P.A. maintains the following security measures to safeguard against a breach of information confidentiality. This policy applies to all employees of AAL Business and Tax as well as any vendor that has access to client information. It is the policy of AAL Business and Tax to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information.  The Firm has designates its majority shareholder as the coordinator of our information security program and may designate other employees as it becomes necessary.

We continuously identify and assess the risks to customer information in each relevant area of the firm’s operation.  We also evaluate the effectiveness of the current safeguards for controlling security risk.

  1. System Access Control

AAL Business and Tax, P.A. has an obligation to effectively protect the confidential personal and financial information entrusted to it by its clients. Using passwords that are difficult to guess is a key step toward effectively fulfilling that obligation.

Passwords may never be shared or revealed to anyone other than the authorized user.

If a password is suspected to being disclosed or known to have been disclosed to anyone other than the authorized user, it should be changed immediately.

  1. System Privileges

The computer and communications system privileges of all users, systems, and independently operating programs such as agents, must be restricted based on the need to know. This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists.

Default user file permissions must not automatically permit anyone on the system to read, write, execute or delete a system file. Although users may reset permissions on a file-by-file basis, such permissive default file permissions are prohibited. Default file permissions granted to limited groups of people who have a genuine need to know are permitted.

Computer and communications systems must restrict access to the computers that users can reach over AAL Business and Tax, P.A. networks. These restrictions can be implemented through routers, gateways, firewalls, wireless access points, and other network components. These restrictions must by used to, for example, control the ability of a user to log on to a certain computer then move from that computer to another.

New users and changed privileges are to be established and are at the discretion of the owner, Celeste Lioce. Individuals who are not firm employees may not be granted a user ID or be given privileges to use AAL Business and Tax, P.A. computers or networks.

Third-party vendors must not be given Internet or remote privileges to AAL Business and Tax, P.A. computers or networks unless Celeste Lioce determines they have a legitimate business/academic need. These privileges must be enabled only for the time period required to accomplish the approved tasks, such as remote maintenance. If a perpetual or long-term connection is required, then the connection must be established by approved extended user authentication methods.

Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures may be unlawful and will be considered serious violations of ALL Business & Tax policy. Short-cuts bypassing systems security measures, pranks, and practical jokes involving the compromise of systems security measures are absolutely prohibited.

The privileges granted to users, based on their role within the organization, should be reevaluated by administration annually. All significant changes in employee duties or employment status must be modified immediately and user access revoked when employment has been terminated.

  1. Computer Viruses, Worms, And Trojan Horses

Users must keep approved and current virus-screening software enabled on their computers. This software must be used to scan all software coming from third parties and must take place before the new software is executed. Users must not bypass scanning processes that could stop the transmission of computer viruses.

Users are responsible for damage occurring because of viruses on computer systems under their control. As soon as a virus is detected, the involved user must immediately call our information technology service provider and disconnect the network and all computers from the internet and from each other.

AAL Business and Tax, P.A. computers and networks must not run software that comes from sources other than business/academic partners, knowledgeable and trusted user groups, well-known systems security authorities, computer or network vendors, or commercial software vendors.

Integrated Data Technologies (IDT) is the technology provider for the firm. Data and information security is insured using a Sonic Wall for firewall protection. The firm uses a secured encrypted connection to the internet. AAL Business and Tax, P.A. the same technology security system as the NSA in the Dell TZ30. Although no system is 100% secure, the firm takes information security very seriously and makes sure to have the highest security currently available.

  1. Data and Program Backup

Periodic system backups will be made. To ensure that valuable or critical data is backed up, it must be stored on network servers managed by AAL Business and Tax, P.A..

It is our policy to keep records related to engagements as noted below. However, the Firm does not keep any original client records, so we will return those to you at the completion of the services rendered under any engagement. When records are returned to you, it is your responsibility to retain and protect your records for possible future use, including potential examination by any government or regulatory agencies.

The following chart outlines and summarizes our current record retention policy:

Retention Period

Current Client

Former Client

Billing Files

7 years

7 years

Correspondence Files

7 years

7 years

Audit/Review/Compilation Statements & Reports

7 years

7 years

Tax Returns

5 years

5 years

Special Reports

7 years

5 years

Workpaper Files:

Audit/Review/Compilation Workpapers

7 years

7 years

Tax Return Workpapers

5 years

5 years

All Other Services

5 years

5 years

Permanent/Carry-Forward Files (Audit/Review/Compilation Services)


7 years

Permanent/Carry-Forward Files


5 years

  1. Portable Computers

Employees in the possession of portable, laptop, notebook, handheld, tablet and other transportable computers containing Confidential information must not leave these computers unattended at any time unless the information is stored in encrypted form.

Whenever Confidential information is written to a disk or other storage media, the storage media should be suitably marked as such. When not in use, this media should be stored in a locked safe, locked furniture, or a similarly secured location.

  1. Remote Printing

Printers must not be left unattended if Confidential information is being printed or soon will be printed. The persons attending the printer must be authorized to examine the information being printed.

Unattended printing is permitted if the area surrounding the printer is physically protected such that persons who are not authorized to see the material being printed may not enter.

No employee of the firm shall print customer information to public printers.  Further, it is the Firm’s policy to not allow printers that are controlled by wireless connection (Wi-Fi).

  1. Privacy

We collect nonpublic personal information about clients from the following sources:

  • Information we receive from clients on applications, tax preparation worksheets, other documents we use in preparing tax returns, or other forms;
  • Information about transactions with us or others; and
  • Information we receive from a consumer reporting agency.

We do not disclose any nonpublic personal information about you to anyone, except as permitted by law.

If you decide to close your account(s) or become an inactive member customer, we will adhere to the privacy policies and practices as described in this notice.

We restrict access to your personal and account information to those employees who need to know that information to provide physical, electronic, and procedural safeguards that comply with federal standards to guard your nonpublic personal information.

Your confidence in us is important and we want to know that your personal and account information is safe. If you have any questions or concerns, please contact us at 561-844-4431.

  1. Information Security

ALL Business & Tax intends to undertake efforts to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. The following are ways the firm will use best practices to maintain information security when conducting business:

  • Employee training and management. All employees of AAL Business and Tax, P.A. will be trained on and be required to follow the information security procedures as described in this policy.
  • Information Systems and Information Processing and Disposal. Information obtained, stored and disposed of will be properly done so as described in this policy by all employees.
  • Detecting, Preventing and Responding to Attacks.
  1. Physical Security of Computer And Communications Gear

All AAL Business and Tax, P.A. network equipment must be physically secured. Access to data centers, telephone wiring closets, network switching rooms, and other

  1. Violations

Users who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination and/or legal action.

  1.  Incident Response Plan

The firm has an incident response plan which is a secure document but which outlines the procedures to facilitate a rapid response to any security or data incidents.  This incident response follows the laws and the regulations of the local, State and Federal government including but not limited to the Internal Revenue Service.

Featured Articles

Subscribe to our Emailed Newsletter