Security compliance is complex and covers a broad range of activities, including information (financial, healthcare, client, personnel, and so forth), physical (facilities, work areas, and so forth), systems (networks, servers, mobile devices, and so forth), and regulatory governance (FISMA, HIPAA, PCI DSS, Nevada NRS 603a, Massachusetts 201 CMR 17.00, and so forth). Non-compliance with any of these security compliance requirements has several ramifications that affect a number of stakeholders: ACSI, our clients and their consumers, and regulatory bodies. ACSI has therefore taken several steps to ensure broad, comprehensive security compliance.
- Security Policies - ACSI has documented our security policies, including, but not limited to, acceptable use policies for our staff, which cover adherence to password complexity and rotation schemes, use of email and the Internet, and handling of protected data. These policies are provided to all employees, who review them and acknowledge their understanding. ACSI’s Chief Information Security Officer is responsible for instituting all ACSI security policies and ensuring their enforcement.
- Internal Security Compliance Measures - ACSI utilizes a layered approach to enforce our policies: Active Directory user-, group-, and domain-level policies; firewall intrusion detection with Internet content filtering; restricted use of the Internet and email; and multiple levels of anti-virus and malware protection along with routine software patch management. We use several logging and 24x7x365 monitoring tools that notify us of suspicious activities, track user activity, and help us maintain tight control over change management so we can ensure the highest levels of data integrity, security, and accountability.
- Third-Party Security Compliance Assessments - ACSI’s compliance is verified via an annual TECH LOCK® Certified Program audit, the industry gold standard for ensuring federal and state security compliance. The TECH LOCK® Certified Program is a data security audit, performed by information security professionals, that combines multiple regulatory and industry standard control objectives into a single comprehensive audit. Most collection agencies perform a single data security standards audit, such as SOC 2, ISO 27002, or PCI DSS, to meet minimal client due diligence requirements.
- Security Training & Updates - All ACSI employees must complete security awareness training covering regulatory security compliance requirements, ACSI’s security policies and requirements, and client-specific security requirements. This training is conducted internally under the supervision of our CISO and Director of Corporate Compliance on a regular basis. Employees who have completed security awareness training are required to demonstrate their understanding of ACSI’s security policies and requirements via comprehension testing.