Data Security & Encryption
Everything you need to know about Data Security & Encryption in Acorn PLMS.
Audit Logging & Monitoring
Acorn PLMS implements a comprehensive audit logging and monitoring strategy to protect your institutional data, maintain system integrity, and ensure compliance with security standards. This article explains how Acorn tracks system changes, conducts security assessments, and maintains visibility into your platform's security posture.
Regular Penetration Testing and Vulnerability Assessment
Your organisation benefits from Acorn's commitment to proactive security evaluation. Acorn conducts annual external penetration tests and performs additional testing on major system changes. These evaluations are conducted by third-party security specialists who validate the overall security posture of the platform.
Beyond penetration testing, Acorn PLMS systems and applications are regularly scanned externally for vulnerabilities. Third-party security assessments help identify and remediate potential risks before they can impact your data. Acorn has also undergone SOC 2 evaluation by external auditors. You can review Acorn's SOC 2 report, included in the Acorn Security Documentation package, to verify compliance with security, availability, processing integrity, confidentiality, and privacy criteria.
Test results and remediation reports from Acorn's most recent annual penetration test are available upon request. The development team at Acorn has completed all remediation items identified during these assessments, ensuring continuous improvement of the platform's security controls.
Your Right to Independent Testing
Your organisation has the right to perform its own vulnerability assessments and penetration testing against Acorn's infrastructure at no additional cost. This capability is particularly valuable if your institution maintains internal security teams capable of conducting these evaluations. You can schedule independent testing at mutually agreed times to verify Acorn's security posture aligns with your own risk management requirements.
Vulnerability Scanning Before Release
Acorn employs authenticated vulnerability scanning as part of its development process prior to deploying new releases. This practice focuses on regression testing and ensures that previously non-existent security risks are not introduced into the known, secured environment. By scanning before release, Acorn verifies that new features and functionality do not inadvertently create vulnerabilities or weaken existing security controls.
Monitoring for Common Web Vulnerabilities
Acorn's security programme includes monitoring and protection against common web application vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (XSRF), and other threats identified in industry frameworks like OWASP. This adherence to secure coding best practices protects the confidentiality, integrity, and availability (CIA triad) of your data. Acorn's development teams are trained to design security into applications rather than treating it as an afterthought.
Vulnerability Scan Results and Transparency
When vulnerability scans are conducted, the results are documented and tracked against mitigation actions. Your organisation can request summaries of vulnerability scan findings or, in many cases, review full reports to understand the security posture of systems processing your data. This transparency supports your own compliance obligations and risk management processes.
Patch and Vulnerability Management
Acorn follows a severity-based Service Level Agreement (SLA) approach to vulnerability and patch management. Critical and high-severity vulnerabilities are addressed with expedited timelines, ensuring rapid remediation of significant risks. Dependency updates are tracked in a formal backlog, with expedited processing paths established for critical issues.
Importantly, software updates and patches are deployed only upon your organisation's approval. This approach ensures that Acorn PLMS patches do not create operational disruptions during critical periods of your events or activities. You maintain control over the timing and sequencing of updates, allowing you to balance security improvements with operational continuity.
Infrastructure and Security Alignment
Acorn PLMS is hosted in a Tier 1 data centre managed by Amazon Web Services (AWS), a leading cloud service provider. Acorn examines AWS's ISO 27001 certification scope and SOC 2 reports annually to ensure that cloud infrastructure security procedures align with Acorn's internal security protocols. This layered approach to security—combining Acorn's application-level controls with AWS's infrastructure-level protections—provides defence in depth for your data.
System Integrity and Change Management
Acorn's documented patch management process ensures that system changes are executed only according to established policy. This focus on change control protects system integrity by preventing unauthorised or unvetted modifications. Your organisation can rely on Acorn's formal processes to validate that all changes, from security patches to feature updates, have undergone appropriate testing and review before deployment.
Building Trust Through Evidence
Acorn's commitment to regular external vulnerability scanning, penetration testing, and transparent reporting of results provides your organisation with externally verified evidence of security controls. When vendors can attest to security practices and provide third-party documentation, it builds justified trust in the platform protecting your institutional data.
Next Steps
To review Acorn's penetration test results, SOC 2 report, or to schedule your own independent security assessment, contact Acorn's security team. Your organisation's security and compliance requirements are paramount, and Acorn is committed to providing the documentation and access needed to validate that Acorn PLMS meets your institutional standards.
Data Classification & Handling
Acorn PLMS enforces rigorous data classification and handling procedures to ensure your organisation's sensitive information—including Protected Health Information (PHI)—remains secure throughout its lifecycle. This article outlines the policies, technical controls, and best practices governing data management within the Acorn PLMS environment.
Understanding Your Data Security Framework
Your organisation's data is protected through multiple layers of security controls designed to classify, label, and handle sensitive information appropriately. Acorn PLMS operates as a cloud-based solution hosted on AWS, which fundamentally shapes how data is managed and transported. Because data resides in our secure cloud infrastructure, the need for removable media is eliminated in standard operations. This design significantly reduces data exposure risks associated with physical transportation and offline storage.
When you access Acorn PLMS or manage sensitive data, you are operating within a comprehensive security model that combines technical controls, device management, and threat prevention.
Device Access and Encryption Requirements
Acorn PLMS requires that all access to sensitive information—including PHI—occurs exclusively through company-issued devices. These devices must meet specific security standards:
Company-Imaged Laptops: You can only access Veralto information and sensitive data using a company-imaged laptop equipped with an encrypted hard drive. This requirement applies whether you are accessing the system from your office or working remotely. The encrypted hard drive ensures that even if a device is lost or stolen, your organisation's data remains protected.
Device Management Controls: Your company-issued laptops are managed through Microsoft Intune Mobile Device Management (MDM). This centralized management system enforces security policies, controls device configurations, and maintains compliance with your organisation's data handling standards.
Removable Media Policies and Controls
Acorn PLMS has adopted formal policies and practices to control the use of removable media on company devices. By default, the use of removable media—including USB devices, external drives, and other portable storage—is blocked on all Acorn-issued employee laptops through Microsoft Intune MDM controls.
In the rare circumstance when removable media is necessary for legitimate business purposes, select employees may receive exemptions from this block based on their role requirements. When removable media must be used in exceptional cases to establish or provide the service, Acorn PLMS ensures that all data is encrypted and password protected before transport. Under standard operations, customer data should never be placed on removable media; however, when unavoidable exceptions occur, encryption safeguards are mandatory.
For detailed information about physical security policies governing removable media, refer to the Acorn_PhysicalSecurityPolicy.pdf documentation.
Endpoint and Server Threat Prevention
All workstations and servers within the Acorn PLMS environment are equipped with advanced threat prevention software:
Internal Employee Computers: Your organisation's internal employee workstations run Microsoft Defender antivirus software with regularly updated signatures. This solution provides real-time protection against viruses, malware, and emerging threats.
Source Threat Prevention: Acorn PLMS deploys CrowdStrike source threat prevention software on workstations to provide additional layers of threat detection and prevention.
Server-Level Protection: All servers hosting Acorn PLMS infrastructure have antivirus software deployed and configured to automatically update and scan for the latest viruses and malware. These scans run continuously to ensure threats are detected and eliminated promptly. For details on automatic update schedules and patch management procedures, refer to Section 5.2.1 in Acorn_PatchManagement.pdf.
Cloud-Based Architecture and Endpoint Requirements
Because Acorn PLMS is a cloud-based solution hosted on AWS, endpoint devices do not require antivirus software to be installed locally. The application architecture eliminates the need for traditional endpoint antivirus requirements; instead, threat prevention is managed at the infrastructure and access layer through the controls outlined above.
Your organisation benefits from this cloud-based design because:
- Reduced Client-Side Burden: Endpoint devices do not require antivirus software installation, reducing configuration complexity and support overhead.
- Centralized Protection: Threat prevention is managed at the Acorn PLMS infrastructure level, ensuring consistent protection across all users and access points.
- Automatic Updates: Infrastructure-level antivirus software updates automatically without requiring individual endpoint management.
Sensitivity Labeling and PHI Protection
When handling sensitive data and PHI within Acorn PLMS, you should classify information according to your organisation's data classification policies. Sensitivity labeling helps ensure that:
- Data is handled appropriately based on its classification level
- Access is restricted to authorised personnel only
- Encryption and additional protections are applied to high-sensitivity information
- Audit trails track access to sensitive records
All access to classified information must occur through secure, company-issued devices with encryption enabled. Combined with the access controls, device management, and threat prevention measures outlined above, these procedures ensure PHI and other sensitive information remains protected throughout its lifecycle.
Best Practices for Data Handling
When working with data in Acorn PLMS, follow these practices:
- Use Approved Devices Only: Always access sensitive data using your company-imaged laptop with an encrypted hard drive.
- Avoid Removable Media: Do not transfer sensitive data to removable media unless you have received explicit authorisation and exemption from your security administrator.
- Maintain Device Security: Keep your laptop updated, lock your device when unattended, and report any lost or stolen devices immediately.
- Verify Encryption: Before any data transport occurs, confirm that encryption and password protection have been applied.
- Report Security Concerns: If you suspect a security incident or policy violation, report it to your organisation's security team immediately.
Support and Policy Documentation
For comprehensive information about physical security policies, patch management procedures, and additional data handling guidelines, consult the following documentation:
- Acorn_PhysicalSecurityPolicy.pdf
- Acorn_PatchManagement.pdf (Section 5.2.1)
These resources provide detailed policies governing your organisation's data classification, handling, and protection requirements.
Encryption (In Transit & At Rest)
Encryption Overview
Acorn PLMS implements a multi-layered encryption strategy to protect your organization's data across all states—whether in transit across networks or at rest within our infrastructure. This comprehensive approach ensures that sensitive information remains secure and compliant with industry standards and organizational requirements.
Data in Transit Protection
HTTPS and TLS Encryption
All data traveling between your web browser and Acorn PLMS is protected by HTTPS, which leverages Transport Layer Security (TLS) encryption. Your organization can be confident that every page and interaction within the system is encrypted as it moves across the internet or your organization's intranet.
Acorn PLMS uses TLS 1.3 or newer standards for all data transmissions. This means that regardless of whether you're accessing the platform from an external network or internal infrastructure, your data is protected with current cryptographic standards. This protection extends to all types of sensitive data you may transmit through the system, including personally identifiable information (PII), financial data, health information, biometric data, and Social Security numbers.
Password Transmission Security
Passwords are never transmitted in clear text. When you or your users submit passwords through any transmission method within Acorn PLMS, they are always encrypted using TLS 1.3 or newer standards before being sent across any network. This means attackers cannot intercept and read passwords during transmission, even if they gain access to network traffic.
Single Sign-On (SSO) Considerations
If your organization uses Single Sign-On (SSO) to pass user information to Acorn PLMS, you benefit from streamlined user provisioning while maintaining security. SSO integration with Acorn PLMS eliminates the need for bulk data transfers via SFTP or SFTP with PGP encryption for user authentication purposes, simplifying your security infrastructure while maintaining robust protection.
Data at Rest Protection
AWS Key Management Service (KMS) Architecture
Acorn PLMS uses Amazon Web Services (AWS) Key Management Service as its preferred encryption and key management solution for protecting data at rest. AWS KMS provides a managed, secure infrastructure for creating, storing, and controlling cryptographic keys used to encrypt your organization's data.
Your organization's data at rest is encrypted using a Customer Master Key (CMK) managed through AWS KMS. This approach ensures that only authorized personnel and systems can decrypt your data. Even if someone gains physical or digital access to storage devices, the encrypted data remains unreadable without the proper CMK credentials.
Key Management and Rotation
Acorn PLMS enforces strict key access policies through AWS KMS, ensuring that encryption keys are used only by authorized components of the system. Regular key rotation is implemented as part of AWS KMS best practices, meaning encryption keys are periodically replaced to further reduce the risk of unauthorized decryption, even in hypothetical scenarios where a key might be compromised.
These key management capabilities provide your organization with audit trails and control over who can access encryption keys and when those keys are used.
Data Segregation and Security
When your organization's data is encrypted with a Customer Master Key through AWS KMS, that encryption provides a layer of logical segregation. Each organization's data remains protected by its encryption context, ensuring that even if multiple organizations' data were stored on the same physical infrastructure, the encryption keys and access policies prevent unauthorized cross-organization access.
Backup and Archive Encryption
Comprehensive Backup Protection
Your organization's data remains encrypted throughout its lifecycle, including when stored on backup devices such as disk, tape, or other storage media. Acorn PLMS applies the same AWS KMS encryption standards to backup data as it does to active data at rest.
This means that backups of your organization's data—whether retained for disaster recovery, compliance, or archival purposes—are protected by the same encryption keys and access policies that protect your active data. Your organization can confidently maintain long-term backups without concerns about data security, as encrypted backups are useless to unauthorized parties without access to the encryption keys.
Email and Spoofing Protection
Beyond encryption, Acorn PLMS implements additional security measures to protect your organization's communications. The system is configured to comply with strict requirements preventing email spoofing, ensuring that email communications from Acorn PLMS cannot be forged or impersonated. This protects your organization and your users from phishing attacks and fraudulent communications that might appear to come from the system.
Best Practices and Standards Compliance
Acorn PLMS encryption implementation follows AWS security best practices for protecting data on EC2 instances and storage. Your organization benefits from encryption standards that align with industry recommendations and compliance frameworks, including those required by organizations handling sensitive personal, financial, health, or biometric data.
Summary
Your organization's data in Acorn PLMS is protected by:
- TLS 1.3 or newer for all data in transit
- AWS Key Management Service with Customer Master Keys for all data at rest
- Strict key access policies and regular key rotation for ongoing security
- Encryption applied to backups and archived data
- Protection against email spoofing for secure communications
This multi-layered approach ensures that your organization's sensitive data remains confidential and secure throughout its lifecycle within Acorn PLMS.
Key Management
Encryption key management is fundamental to protecting your institutional data within Acorn PLMS. Your organisation's data security depends on properly managed encryption keys, controlled access to those keys, and adherence to key rotation practices. Acorn implements key management through AWS Key Management Service (KMS) and adopts industry best practices to ensure your encryption keys remain secure throughout their lifecycle.
Overview of Encryption Key Management
Acorn PLMS leverages AWS KMS to manage encryption keys for data at rest and in transit. Rather than managing cryptographic keys yourself, your organisation benefits from AWS's managed key infrastructure, which handles the operational complexity of key storage, rotation, and access control. This approach reduces the burden on your IT team while maintaining the security standards required for institutional data protection.
Encryption keys are the foundation of data confidentiality. When keys are compromised or improperly managed, the security of encrypted data is undermined. Acorn's key management strategy ensures that only authorised systems and users can access encryption keys, and that keys are rotated regularly to minimise the window of exposure if a key is ever compromised.
AWS KMS Integration
Acorn PLMS operates within AWS's cloud environment and uses AWS KMS as the central service for encryption key lifecycle management. AWS KMS provides:
- Centralised key storage: Your encryption keys are stored securely in AWS-managed hardware security modules (HSMs), isolated from your applications and databases.
- Audit trails: All key access and usage is logged, allowing your organisation to track who accessed which keys and when.
- Automated key management: AWS handles the operational aspects of key security, including key backup and disaster recovery.
- Integration with AWS services: KMS integrates seamlessly with other AWS services used by Acorn PLMS, such as S3, RDS, and EBS, enabling transparent encryption without application code changes.
By using AWS KMS, your organisation does not need to manage the underlying key infrastructure yourself. Instead, you define access policies, and AWS enforces them consistently across all key operations.
Cloud Provider Access Restrictions
Access to encryption keys is restricted using AWS Identity and Access Management (IAM) policies and KMS-specific key policies. These controls ensure that only authorised principals—whether users, applications, or services—can perform specific operations on encryption keys.
Acorn PLMS implements the principle of least privilege, meaning each user and service is granted only the minimum permissions necessary to perform their function. For example:
- Application servers can decrypt data but cannot create or delete keys.
- Administrative users can manage key policies but are separate from operational users who only use encryption.
- Cross-organisation access to keys is explicitly denied unless there is a documented business requirement.
These restrictions are enforced at multiple layers:
- IAM policies define which AWS principals can assume roles or perform actions.
- KMS key policies specify which principals can use specific keys and what operations they can perform.
- VPCs and security groups restrict network-level access to services that handle encryption keys.
Your organisation benefits from these controls because they prevent unauthorised key access, even in the event of a compromised credential or misconfigured system. If an attacker gains access to an application server, they cannot simply extract encryption keys because the application's IAM role does not grant key deletion or export permissions.
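The role separation described above can be checked mechanically against a KMS key policy document. The following is an added example, not Acorn's own tooling: the account IDs, role names and sample policy are constructed placeholders, and it assumes each organisation maps to its own AWS account.

```python
import json
from fnmatch import fnmatchcase

# Real KMS action names, split the way the list above splits duties.
# kms:CreateKey only takes effect in IAM policies; it is listed so that a
# kms:* grant is reported in full.
MANAGEMENT = ["kms:CreateKey", "kms:ScheduleKeyDeletion", "kms:DisableKey",
              "kms:PutKeyPolicy", "kms:DisableKeyRotation", "kms:CreateGrant"]
USAGE = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
         "kms:ReEncryptFrom", "kms:ReEncryptTo"]

# Hypothetical role ARNs (placeholders, not from the page).
APP_ROLE = "arn:aws:iam::111122223333:role/ExampleAppServer"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/ExampleKeyAdmin"

# Constructed key policy containing three deliberate problems.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "KeyAdmins", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleKeyAdmin"},
   "Action": ["kms:PutKeyPolicy", "kms:EnableKeyRotation", "kms:DescribeKey"],
   "Resource": "*"},
  {"Sid": "AppUse", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAppServer"},
   "Action": ["kms:Decrypt", "kms:GenerateDataKey*", "kms:ScheduleKeyDeletion"],
   "Resource": "*"},
  {"Sid": "Legacy", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "kms:Decrypt", "Resource": "*"},
  {"Sid": "Partner", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
   "Action": "kms:Decrypt", "Resource": "*"}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))

def _granted(patterns, actions):
    """Actions matched by any granted pattern (IAM wildcards, case-insensitive)."""
    return sorted({a for a in actions for p in patterns
                   if fnmatchcase(a.lower(), p.lower())})

def audit_key_policy(policy, owner_account, app_roles, admin_roles):
    """Return (Sid, issue) pairs where an Allow statement breaks role separation."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        patterns = _as_list(stmt.get("Action", []))
        for arn in _principals(stmt):
            if arn == "*":
                if "Condition" not in stmt:
                    findings.append((sid, "wildcard principal without Condition"))
                continue
            # Principal may be a full ARN or a bare account ID.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != owner_account:
                findings.append((sid, f"cross-account principal {arn}"))
            if arn in app_roles:
                for action in _granted(patterns, MANAGEMENT):
                    findings.append((sid, f"application role granted {action}"))
            if arn in admin_roles:
                for action in _granted(patterns, USAGE):
                    findings.append((sid, f"admin role granted {action}"))
    return findings

if __name__ == "__main__":
    for sid, issue in audit_key_policy(SAMPLE_POLICY, "111122223333",
                                       {APP_ROLE}, {ADMIN_ROLE}):
        print(f"{sid}: {issue}")
```

A cross-account finding is a prompt to look for the documented business requirement, not proof of a misconfiguration.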
Key Rotation Strategy
Key rotation is the process of retiring an old encryption key and replacing it with a new one. Regular key rotation limits the amount of data encrypted under a single key, reducing the potential impact if a key is ever compromised.
Acorn PLMS follows AWS best practices for key rotation:
- Automatic key rotation: AWS KMS can be configured to automatically rotate customer master keys (CMKs) on an annual basis. This rotation is transparent to applications—old key material is retained for decrypting previously encrypted data, while new encryption operations use the new key material.
- Manual key rotation: For scenarios requiring more frequent rotation or compliance with specific regulatory requirements, your organisation can initiate manual key rotation through AWS KMS.
- Rotation tracking: All key rotations are logged in AWS CloudTrail, providing an audit trail of when rotations occurred and who initiated them.
Key rotation is particularly important for compliance with standards such as HIPAA, FERPA, and PCI-DSS, which often mandate regular key rotation as a control requirement. By implementing automatic rotation, Acorn PLMS helps your organisation meet these requirements without requiring manual intervention for each key rotation event.
Security Considerations
Acorn PLMS's key management approach is reinforced by other security controls:
- Modern cryptography: Encryption uses current, industry-standard algorithms (AES-256 for symmetric encryption, RSA for key wrapping) rather than deprecated or weak ciphers.
- TLS/HSTS enforcement: Data in transit is protected using modern Transport Layer Security (TLS) protocols, ensuring that encryption keys are never transmitted in cleartext.
- Security headers: Acorn implements security headers (such as Content Security Policy) to prevent attacks that might otherwise expose key information through browser vulnerabilities.
- Web Application Firewall (WAF): AWS WAF filters malicious requests before they reach your application, reducing the attack surface through which key information might be exposed.
- Intrusion detection and prevention: Network-based and host-based monitoring systems detect suspicious activity that might indicate an attempt to compromise key material.
Monitoring and Compliance
Your organisation can monitor encryption key usage through:
- AWS CloudTrail: Logs all API calls related to KMS, including key creation, rotation, and decryption operations.
- AWS CloudWatch: Alerts can be configured to notify your security team if unusual key access patterns are detected.
- KMS key policies and IAM audit: Regular reviews of who has access to encryption keys ensure that permissions remain aligned with your organisation's security posture.
These monitoring capabilities support compliance audits and help your organisation demonstrate to regulators that encryption keys are properly managed and protected.
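As an added illustration of what "unusual key access patterns" can mean in practice, the sketch below scans CloudTrail records for KMS activity that departs from the expected roles. It is not Acorn's detection logic: the records are constructed, the role names are placeholders, and the burst threshold is an arbitrary assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real KMS event names as they appear in CloudTrail's eventName field.
SENSITIVE = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}
USE = {"Decrypt", "GenerateDataKey"}

def _rec(time, source, name, arn):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}

APP = "arn:aws:sts::111122223333:assumed-role/ExampleAppServer/i-0abc"  # placeholder
# Constructed CloudTrail records, trimmed to the fields the detector reads.
SAMPLE_EVENTS = [
    _rec("2024-01-01T10:00:00Z", "kms.amazonaws.com", "Decrypt", APP),
    _rec("2024-01-01T10:00:10Z", "kms.amazonaws.com", "Decrypt", APP),
    _rec("2024-01-01T10:00:20Z", "kms.amazonaws.com", "Decrypt", APP),
    _rec("2024-01-01T10:00:30Z", "kms.amazonaws.com", "Decrypt", APP),
    _rec("2024-01-01T10:05:00Z", "kms.amazonaws.com", "ScheduleKeyDeletion", APP),
    _rec("2024-01-01T10:06:00Z", "kms.amazonaws.com", "Decrypt",
         "arn:aws:iam::111122223333:user/example-analyst"),
    _rec("2024-01-01T10:07:00Z", "kms.amazonaws.com", "PutKeyPolicy",
         "arn:aws:sts::111122223333:assumed-role/ExampleKeyAdmin/alice"),
    _rec("2024-01-01T10:08:00Z", "s3.amazonaws.com", "GetObject", APP),
]

def principal(event):
    """Role name for assumed-role sessions, otherwise the last ARN segment."""
    arn = event.get("userIdentity", {}).get("arn", "unknown")
    if ":assumed-role/" in arn:
        return arn.split("/")[1]
    return arn.rsplit("/", 1)[-1]

def detect(events, admins, users, burst=3, window=timedelta(minutes=1)):
    """Return (eventTime, principal, reason) alerts for KMS events."""
    alerts = []
    decrypts = defaultdict(list)  # principal -> recent Decrypt timestamps
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        who, name, when = principal(ev), ev["eventName"], ev["eventTime"]
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ")
        if name in SENSITIVE and who not in admins:
            alerts.append((when, who, f"{name} by non-admin"))
        elif name in USE and who not in users:
            alerts.append((when, who, f"{name} by unexpected principal"))
        elif name == "Decrypt":
            recent = [t for t in decrypts[who] if ts - t <= window] + [ts]
            decrypts[who] = recent
            # Alert once, at the moment the count first exceeds the threshold.
            if len(recent) == burst + 1:
                secs = int(window.total_seconds())
                alerts.append((when, who,
                               f"Decrypt burst: {len(recent)} calls within {secs}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"ExampleKeyAdmin"}, {"ExampleAppServer"}):
        print(*alert, sep="  ")
```

Real CloudTrail records carry many more fields, and a production threshold would be tuned to the application's normal decrypt rate.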
Best Practices for Your Organisation
To maximise the security benefits of Acorn PLMS's key management:
- Review IAM policies regularly to ensure that key access is limited to authorised principals.
- Enable automatic key rotation if your compliance requirements do not mandate more frequent rotation.
- Monitor CloudTrail logs for unusual key access patterns.
- Document the business purpose of any cross-team or cross-organisation key access requests.
- Work with your Acorn support team to understand key rotation schedules and any implications for your specific deployment.
By leveraging Acorn PLMS's AWS KMS integration and access controls, your organisation can maintain strong encryption key security without bearing the operational burden of managing the underlying key infrastructure.