Access Control and Monitoring Policy
Purpose
ACS Technologies Group, Inc. ("ACST") seeks to protect data classified as internal use only or confidential, and to minimize the damage that could result from unauthorized access to it. Such damage may include the loss of confidential data, damage to our corporate image, and damage to critical internal systems.
Scope and Applicability
This policy applies to all ACST employees and third-party Service Providers with access to confidential data, including but not limited to databases, data storage systems, networking equipment, servers, workstations, and business applications.
Policy
ACST uses tools, techniques, and processes to control access to, manage, monitor, and audit ACST infrastructure and systems.
Any device connected to ACST networks, and any traffic it may send or receive, is subject to monitoring and recording. At a minimum, the following events must be recorded:
- Failure (permission denied) to create or delete a user or role.
- Failure (permission denied) to alter permissions for a user or role.
- Successful creation, deletion, or permissions alteration of a user or role.
- Failed (permission denied) or successful password change.
- Failure (permission denied) to write to log files.
- Access denied to sensitive information.
- Success or failure of any account or role attempting to assume the permissions of any other account or role.
- For system configuration and operating system files, the following must be recorded:
  - Failed write attempts to configuration or executable files.
  - Failed read attempts to configuration files.
- At a minimum, the following information must be recorded in log files:
  - Time and date stamp
  - Username or network identifier of the source of the attempt
  - Description of the event
  - Location of the event
  - Status (success or failure)
- Log files must never contain the following information:
  - Confidential information
  - Passwords
  - Cryptographic keys
- System time must be accurately maintained on all systems, to within 5 minutes.
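The logging requirements above can be enforced mechanically at the point where events are ingested. The following is an added example, not ACST's own tooling: it checks that each audit event carries the five required fields with a parseable timestamp and a success/failure status, rejects records that carry a password or key material under any field name, and checks that the event's timestamp agrees with the collector's clock to within the 5-minute tolerance. The field names (`timestamp`, `actor`, `description`, `location`, `status`) and the sample events are constructed for illustration and are assumptions, not a format the policy prescribes.

```python
import re
from datetime import datetime

# Field names are an assumption for this example; map them to the policy's
# "time and date stamp", "username or network identifier", "description",
# "location" and "status (success or failure)".
REQUIRED_FIELDS = ("timestamp", "actor", "description", "location", "status")
VALID_STATUS = {"success", "failure"}

# Field names that must never appear in a log record (policy: no passwords,
# no cryptographic keys, no confidential information).
FORBIDDEN_KEY = re.compile(r"(password|passwd|secret|private_key|api_key|token)", re.I)

# Values that look like secrets even when stored under an innocuous field name,
# e.g. a command line or error message that echoed a credential.
SECRET_VALUE_PATTERNS = (
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
)


def _parse_ts(value: str) -> datetime:
    # Accept ISO 8601 with a trailing "Z" as UTC (fromisoformat needs "+00:00").
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_event(event: dict) -> list:
    """Return a list of policy violations for one event; an empty list means compliant."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not event.get(field):
            problems.append(f"missing required field: {field}")
    if event.get("timestamp"):
        try:
            _parse_ts(event["timestamp"])
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    if event.get("status") not in VALID_STATUS:
        problems.append("status must be 'success' or 'failure'")
    for key, value in event.items():
        if FORBIDDEN_KEY.search(key):
            problems.append(f"forbidden field present: {key}")
        if isinstance(value, str) and any(p.search(value) for p in SECRET_VALUE_PATTERNS):
            problems.append(f"field {key!r} appears to contain a credential or key")
    return problems


def clock_skew_ok(event_ts: str, received_ts: str, max_skew_seconds: int = 300) -> bool:
    """True if the event's own timestamp is within the policy's 5-minute tolerance
    of the time the collector received it (a proxy for the source's clock accuracy)."""
    delta = _parse_ts(event_ts) - _parse_ts(received_ts)
    return abs(delta.total_seconds()) <= max_skew_seconds


# Constructed sample events: one compliant, one leaking a password field,
# one missing fields with an unparseable timestamp.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T12:00:05Z", "actor": "jdoe@10.0.4.17",
     "description": "sudo: attempt to assume role root", "location": "srv-db01",
     "status": "failure"},
    {"timestamp": "2024-03-01T12:00:09Z", "actor": "svc-backup",
     "description": "password change", "location": "srv-app02",
     "status": "success", "new_password": "hunter2"},
    {"timestamp": "not a time", "actor": "",
     "description": "write to /var/log/auth.log denied", "status": "failure"},
]


def check_all(events: list) -> dict:
    """Map each event's index to its list of violations (only non-compliant events)."""
    return {i: p for i, e in enumerate(events) if (p := validate_event(e))}


if __name__ == "__main__":
    for idx, probs in check_all(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(probs)}")
```

A record that fails `validate_event` should be quarantined rather than dropped silently, since the policy also requires that failures to write log data be recorded; the forbidden-field check is deliberately applied to every key, not just the required ones, because credentials most often leak through extra context fields.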
- Recorded security logs must be retained for a period of one year.
- Security logs must be writable only by the system logging process, and logs must be transferred to a location inaccessible by ACST as they are created.
- Security logs must be readable only by system administrators, staff responsible for auditing the logs, and third parties meeting ACST contractual standards.
- Security logs must be reviewed in full quarterly.
- User accounts that have been inactive for 180 days or more must be removed or disabled.
- Remote access to ACST systems must use Multi-Factor Authentication (MFA).
- ACST protects its internal networks and systems by enforcing the following device configuration policy via the MFA application:
  - Operating systems: access is blocked from operating systems that are past the manufacturer's end of life for support.
  - Web browsers: only major browsers are supported, and the browser must be updated to the current version within 30 days of its release.
  - Mobile devices: access is blocked if the mobile OS is three or more versions behind. Such devices are considered obsolete and are not supported. This ensures that only secure, up-to-date devices access ACST internal networks. The effect is twofold:
    - Duo push notifications will no longer be sent to the obsolete mobile device. Text and phone confirmations from Duo can still be received.
    - Externally addressable company resources (e.g. Intranet, Corp Wiki, Jira) can no longer be accessed from the obsolete mobile device.
- ACST uses a Virtual Private Network (VPN) to allow specified employees access to the internal ACST network to perform their duties.
  - Only staff with a validated need are allowed to use the VPN. Justification for VPN access must be submitted at the time of the request. Other technologies may be usable in lieu of the VPN.
  - Staff must use an ACST-owned device to connect to the VPN.
  - Refer to the Exported - Remotely Available ACST Systems wiki for additional information.
Enforcement
Depending upon the severity and extent of the violation, employees and third-party service providers may be subject to termination of employment or contract, financial penalties, and/or legal action.
Variance Process
The Chief Ventures Officer is responsible for the review, documentation, and management of any and all exceptions to this policy.