1 – Introduction

This statement gives a brief overview of the measures we have taken to maximize the continuity of services to your organization, to minimize the duration of any disruptions and to protect our assets as well as all assets entrusted to us by our clients.

It should be noted that Acumen is a dynamic organization, as is the environment in which it operates. Consequently, Acumen reserves the right to update its security and continuity environments without consulting or pre-informing its clients. Acumen guarantees that any changes made to this environment will at least conform to industry expected practices. Clients may retrieve the latest version of this Statement from the Acumen website to match their own requirements against those implemented by Acumen.

2 – Health and Safety

As corporate responsibility is a key value of the Acumen, the organization is highly concerned for the welfare, health and safety of its employees, clients and visitors within its offices. Managing health and safety is also considered an integral part of the total risks management of Acumen. For these reasons, Health and Safety are key priorities for the organization. This is further translated into the organization’s first aid program, pandemic program and evacuation procedures.

3 – Security

3.1 – Physical Security
The offices are equipped with climate control systems, early warning and detection systems and appropriate extinguishing equipment. Physical guards are on duty during off-hours to prevent/detect unauthorized access to the premises.

3.2 – Information Security
3.2.1 – Storage
Client information is stored only on the company networks, not on workstations.
3.2.2 – Anti-virus protection
The servers and workstations are protected through anti-virus software which is updated no more than a few hours after the anti-virus solution provider releases new anti-virus signature files.
3.2.3 – Data Protection
3.2.3.1 – At rest
Data at rest is protected through restrictions on the access rights as described in section 3.2.4.
3.2.3.2 – In transit
Data in transit is encrypted wherever possible. Various technologies are described in this document.. For client access, see section 3.2.6. Remote access is done through an SSL-VPN as described in section 4.3 or through Microsoft’s Direct Access.
3.2.3.3 – In use
Data is stored by default on the networks. As a consequence, data in use is protected in much the same way as data at rest. In exceptional cases laptops may contain client information, however all Acumen laptops are encrypted using Microsoft Bitlocker to protect the data in the event of theft.
3.2.3.4 – Encryption
Acumen will use AES-256 level encryption or higher where encryption is applied. Exceptions are noted where systems required to provide the services cannot support this encryption level. It should be noted that not all data at rest is encrypted. Local restrictions and application support consequences are two key reasons it may not be possible to encrypt data at rest.
3.2.4 – Information access
Access to any information is granted using the Principle of Least Privilege. Approvals for access are given by management only and always in writing.
Acumen does not use any client-confidential data that is accessed, stored or passed through their systems, other than in delivery of the service to its clients. Data processed at the request of the client remains the property and responsibility of the client.
3.2.5 – Authentication
3.2.5.1 – Internal
Authentication is based on a User-ID/Password combination. The password requires changing every 60 days. Passwords are a minimum of 8 characters for user accounts and complexity requirements are enforced. Passwords may not be written down.

There is a history of the last 10 passwords per user/administrator that may not be re-used.

4 – Auditing

4.1 – System Vulnerability scanning
Acumen performs quarterly external vulnerability scans. The results of the scans are aggregated into an internal report and actions and justifications of the potential vulnerabilities are recorded.

4.2 – Human Resource Management
4.2.1 – Employee Recruitment
Employee recruitment checks are done in accordance with local requirements and restrictions. Depending on the seniority and responsibility of the role, Acumen extends the background checks. At the very minimum, the checks include identity verification, reference verifications and certificate verifications. Additional checks may be done where permitted in local legislations.
HR communicates the recruitment of new employees and informs the IT department of the access rights that have to be given.
4.2.2 – Career changes
Career changes within the organization may lead to further background checks, depending on the change of responsibilities.
4.2.3 – Employee Termination
When employees leave the organization, all previously granted access rights are promptly and properly revoked, ensuring access to the business information is safeguarded.