Document Handling and Control Policy
THIS IS A DRAFT POLICY THAT HAS NOT BEEN APPROVED.
Purpose
The purpose of this policy is to outline requirements to ensure that the Information Security Policies of ACS Technologies Group, Inc. (“ACST”) are current and reflect the best information security practices.
Scope and Applicability
The scope of this document covers procedural requirements to review and update ACST information security documentation.
Policy
It is ACST's policy to protect its information assets and those of its stakeholders, regardless of whether such assets are printed, written, stored electronically, transmitted by mail, transmitted through electronic means or the spoken word. To help ensure continued suitability, adequacy, and effectiveness, each policy shall be reviewed annually at a minimum, and any time significant changes to the ACST environment occur or following a critical security incident.
Such annual reviews shall consider:
- Feedback from affected parties
- Results of independent reviews
- Status of preventative and corrective actions
- Results of previous policy reviews
- Performance of the process as well as information policy compliance/adherence
- Changes that could affect ACST's approach to managing information security, including changes to the organizational environment, business circumstances, resource availability, contractual, regulatory, and legal conditions, or to the technical environment
- Trends related to threats and vulnerabilities
- Reported information security incidents
- Recommendations provided by relevant authorities and experts
At the conclusion of the policy review, the output of such review shall include decisions and actions related to:
- Improvement of the ACST approach to managing information security and its processes
- Improvement of control objectives and controls
- Improvement in the allocation of resources and/or responsibilities
Formal documentation that the policy review occurred shall be maintained. Such documentation shall include, at minimum, date, attendees, policies reviewed, and outcomes.
At the conclusion of the policy review, management approval must be obtained before editing any policies. Changed policies shall be maintained and distributed per applicable policies.
Policies must be reviewed and approved by the Executive Leadership Team ("ELT") before they become an official part of the ACST policy framework.
Documentation that is part of the ACST policy framework shall include, at minimum, the following fields:
- Title
- Effective Date
- Revision Number
- Enforcement (policies, procedures and standards)
- Revision History
- Scope/Applicability
- Definitions
- References (If applicable)
- External References (Such as NIST, CIP, and Rules of Procedures)
- Author Name
- Approver Name
Only controlled copies of the policy framework shall be considered official. Controlled copies shall be those on the ACST Intranet. Printed documents shall be considered controlled only if the documentation is clearly marked with control information, and the dates match those of the latest documentation on the Intranet.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Service Providers found to have violated this policy may be subject to financial penalties, up to and including termination of contract.
Variance Process
The Chief Ventures Officer is responsible for the review, documentation, and management of any and all exceptions to this policy.