Security Risk Assessments Policy

Purpose

ACS Technologies Group, Inc. (“ACST”) must understand the inherent risk, compensating controls, and the residual risk to maintain an effective information safeguarding program. Properly managing these risks will help ACST comply with state law, federal law, its policies, and customer expectations.

Scope and Applicability

This policy applies to all ACST facilities and to all other copies of ACST data, including those held by service providers.

Policy

  • Annual Information Security Risk Assessments - the Risk Manager must conduct (or manage an independent party who conducts) an annual organization-wide risk assessment including critical information systems and critical production applications. All major enhancements, upgrades, conversions, and related changes associated with these systems or applications must be preceded by a risk assessment. The report resulting from these assessments must include a detailed description of the information security risks currently facing the organization, as well as specific recommendations for preventing or mitigating these risks.

  • Periodic Independent Review Of Information System Controls - an independent and externally provided review of information system controls must be obtained periodically. These reviews must include efforts to determine both the adequacy of, and the compliance with, established information security policies, standards, and procedures. Persons responsible for implementing and maintaining controls must not perform the reviews.

Enforcement

Any employee found to be in violation of this policy may be subject to corrective action, up to and including termination of employment. Service Providers found to be in violation of this policy may be subject to financial penalties, up to and including termination of contract.

Variance Process

The Chief Ventures Officer is responsible for the review, documentation, and management of any and all exceptions to this policy.