Information Security

ACA COMPLIANCE GROUP
WRITTEN INFORMATION SECURITY PLAN (“WISP”)
As amended August 28, 2017


Summary

ACA Compliance Group (“ACA”) has developed and implemented a written information security plan (“WISP”) to establish effective safeguards to protect personal and confidential information received from ACA’s clients, employees, and other persons. This is a summary of ACA’s WISP.

ACA’s WISP is intended to ensure that ACA has a robust information safeguarding program. In addition, it addresses ACA’s information safeguarding obligations under applicable privacy and information safeguarding laws, as well as ACA’s contractual confidentiality obligations to its clients. Specifically, ACA’s WISP is designed to:

  • ensure the security and confidentiality of information received by, stored at, sent out, or otherwise used by ACA; 
  • protect against anticipated threats or hazards to the security or integrity of such information; and 
  • protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

The policies and procedures in ACA’s WISP broadly apply to all information, in paper or electronic form, and generally apply without regard to whether a particular document or record contains “Personal Information.” However, in certain instances, specific procedures are required when a record or communication involves Personal Information.

All ACA employees are subject to the WISP. Certain independent contractors of ACA are subject to the WISP while performing services for ACA, if and to the extent specified in the independent contractor’s written agreement with ACA.

ACA’s General Counsel and ACA’s Chief Information Officer serve as the “WISP Coordinators.” In developing and implementing the WISP, the WISP Coordinators:

  • identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of electronic, paper or other records collected, maintained, sent, or used by ACA that contain personal or other sensitive information;
  • assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of that information;
  • evaluated the sufficiency of existing policies, procedures, information systems, and other safeguards in place to control risks; and
  • designed and implemented the WISP in order to memorialize existing safeguards and establish new safeguards to minimize those risks.

On an ongoing basis, the WISP Coordinators are responsible for:

  • implementing the WISP; 
  • training ACA staff on the WISP requirements;
  • testing the WISP’s safeguards;
  • evaluating third party service providers to confirm that such service providers have established appropriate Personal Information protective security measures;
  • reviewing the WISP at least annually, or whenever there is a material change in ACA’s business practices that may implicate the security or integrity of records containing Personal Information or other sensitive information, or whenever there is an actual or threatened security breach event; and
  • reporting any material findings from any WISP review, and any material recommendations for improving the WISP arising out of such a review, to ACA’s Management Committee.

The WISP describes a number of technology-based information security measures, safeguards, and procedures, covering the following areas:

  • Network security (including firewalls, anti-virus protection, and malware protections);
  • Computer security;
  • Mobile device security; 
  • E-mail security;
  • Removable media security (USB flashdrives, etc.); and  
  • Password security.

The WISP addresses physical office security (locks/keys, desk policy, printers, faxes, visitor access, etc.). It contains special procedures for working outside of the office (i.e., in client offices, home offices, or in other public settings). It also sets forth procedures for training new ACA staff, processing departing employees, and disciplining ACA staff for WISP violations.

The WISP contains guidelines for secure transmission of information between ACA and its clients and vendors, and addresses due diligence of ACA vendors. It also contains requirements for the reporting of suspected or actual security breaches.

All ACA staff are required to certify that they have received a copy of the WISP, have read it, and intend to comply with its terms.

The Table of Contents for the current version of ACA’s WISP is copied below.

Additional questions about ACA’s WISP should be directed to ACA’s General Counsel, Cathie Saadeh, at (301) 495-7850.


Table of Contents

GENERAL INFORMATION 
Who is subject to this WISP
Scope
Confidentiality
Questions
Exceptions
SECURITY BREACHES
What is a security breach?
Reporting of possible security breach
PERSONAL INFORMATION
Special procedures for Personal Information
USE OF PERSONAL EQUIPMENT PROHIBITED
Use of ACA equipment required
Exceptions allowing use of personal equipment
USE OF THIRD PARTY HOSTING SITES PROHIBITED
INSTANT MESSAGING AND CHAT
COMPUTER SECURITY (INCLUDING DESKTOPS, LAPTOPS, TABLETS, ETC.)
MOBILE DEVICE SECURITY
EMAIL SECURITY
Sending information to clients or other third parties via email
Sending information within ACA via email
REMOVABLE MEDIA SECURITY (USB FLASHDRIVES, ETC.)
Information to clients must not be provided via removable media
Storage of information on removable media
PASSWORD SECURITY
NETWORK SECURITY
Firewalls
Patches
Anti-virus and anti-malware
Wireless networks
RECEIPT OF INFORMATION FROM CLIENTS
In brief
Guide to transmission methods
Via unencrypted email
Via encrypted email
Via ACA’s secure file transfer portal
Via the client’s secure file transfer website
In paper sent via recognized national overnight carrier (FedEx, etc.)
In paper sent via regular postal mail
Via encrypted removable media
Via non-encrypted removable media provided onsite to ACA personnel
Via non-encrypted removable media provided by mail, courier, or overnight delivery to ACA personnel
PHYSICAL SECURITY
Office suites
Visitor access
Individual employee offices
Keys/passcodes/keycards
Desk policy
Laptops and tablets
Printers
Fax machines
Storage of ACA records
WORKING OUTSIDE OF ACA OFFICES
VPN use required to access Internet on public wireless networks
Laptops and tablets
Mobile device security
Conversations
Paper documents
WORKING FROM HOME
DOCUMENT DESTRUCTION
OFFBOARDING AND ACCESS CHANGE PROCEDURES FOR ACA PERSONNEL
ACA VENDOR DILIGENCE
ADDITIONAL INFORMATION
Purpose and Review
Oversight
Training
Violations
Access