Risk Assessment Policy
Purpose
Risk assessments are used to determine the likelihood and magnitude of harm that an information system, ACS Technologies Group, Inc. (“ACST”), and our customers may suffer in the event of a security breach. By evaluating potential risks, ACST can better determine how much risk should be mitigated and what controls should be used in mitigation. Without risk assessments, ACST may leverage inappropriate (either too strict or too lax) security controls to protect information systems.
Scope and Applicability
This policy applies to all ACST employees who are responsible for enhancing information systems and/or components that comprise those systems (e.g., products, mainframes, servers, SAN, NAS, desktops, laptops, routers, switches, firewalls). Vendors, service providers, and third parties, especially those who share data with ACST and/or ACST products, must complete our Vendor Security Assessment Questionnaire ("VSAQ").
Policy
Risk assessments will be performed on all information systems that house or access ACST sensitive information. These assessments will address unauthorized access, use, disclosure, disruption, modification and/or destruction of information or the information system itself. The assessments shall identify known potential threats, the likelihood of their occurrence and the magnitude of the impact of those threats should they occur. The risk assessment shall be reviewed and updated every two years or whenever a significant change is made to the information system, whichever comes first.
Risk assessments shall be performed prior to acquiring an information system (for systems owned/operated by ACST).
Risk assessments shall be performed prior to the initial establishment of service agreements (for systems owned/operated by a third-party on behalf of ACST).
Enforcement
Any employee found to be in violation of this policy may be subject to corrective action, up to and including termination of employment. Service Providers found to be in violation of this policy may be subject to financial penalties, up to and including termination of contract.
Variance Process
The Chief Ventures Officer is responsible for the review, documentation, and management of any and all exceptions to this policy.