Information Security

ACA Group Written Information Security Plan ("WISP")
 

As of March 2021

ACA Group (“ACA”) has developed and implemented a Written Information Security Program (“WISP”) to ensure that ACA has a robust information safeguarding program that addresses ACA’s information safeguarding obligations under applicable privacy and information safeguarding laws, as well as ACA’s contractual obligations.

Specifically, ACA’s WISP is designed to:

  • Maintain the security and confidentiality of certain information received by, stored at, sent out, or otherwise used by, ACA;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

All ACA employees are subject to the WISP. Certain independent contractors of ACA are also subject to the WISP while performing services for ACA, if and to the extent specified in the independent contractor’s written agreement with ACA.

ACA’s General Counsel and ACA’s Chief Information Officer serve as the “WISP Coordinators.” The WISP Coordinators are responsible for implementing and annually updating the WISP and annually training ACA employees on information security.

The WISP describes a number of information security policies and standards for the following areas:

  • Acceptable use;
  • Network and cloud security (encryption, firewalls, anti-virus protection, malware protections, etc.);
  • Computer and mobile device security;
  • Removable media security (USB flash drives, etc.);
  • Physical security (locks/keys, clean desk policy, printers, visitor access, etc.);
  • Secure software development;
  • Secure transmission of information (mail, E-mail, SFTP, etc.);
  • Secure destruction of sensitive information; and
  • Security incident reporting.

In addition to ACA’s WISP, ACA maintains a variety of other policies and procedures to support its information safeguarding program, including but not limited to the following:

  • Incident Response Plan
  • Crisis Management Plan
  • Disaster Recovery and Business Continuity Plan
  • Global Privacy Policy