Network & Application Security
Everything you need to know about Network & Application Security in Acorn PLMS.
DoS Protection Overview
How AWS Shield Protects Your Platform
AWS Shield is a managed DDoS protection service that defends your Acorn PLMS infrastructure automatically. This service operates at the AWS network edge, detecting and mitigating volumetric, protocol, and application-layer attacks before they reach your systems.
Shield protection is enabled by default on all AWS resources supporting your Acorn deployment. The service provides:
- Automatic attack detection and mitigation for common DDoS vectors
- Real-time threat intelligence from AWS's global infrastructure
- Seamless integration with your existing Acorn PLMS deployment without requiring manual configuration
Tier Coverage
Acorn PLMS deployments benefit from Shield Standard, which protects against most common layer 3 and 4 attacks at no additional cost. For organisations requiring advanced attack visibility and additional layer 7 (application) protection, AWS Shield Advanced is available and can be enabled through your infrastructure team.
CloudFront Content Delivery and Security
Leveraging CloudFront for DDoS Resilience
Amazon CloudFront serves as your content distribution network (CDN) and acts as a critical security layer for Acorn PLMS. By routing traffic through CloudFront's globally distributed edge locations, your platform benefits from:
- Geographic distribution that absorbs attack traffic across AWS's global infrastructure
- IP reputation filtering that blocks known malicious sources at the edge
- Reduced attack surface by masking your origin infrastructure behind CloudFront
- Capacity scaling that automatically handles traffic spikes, whether legitimate or malicious
Application-Layer Protection
CloudFront integrates with AWS WAF (Web Application Firewall), enabling you to define custom rules that protect against application-layer attacks. Your security team can configure rules to block suspicious request patterns, SQL injection attempts, and cross-site scripting (XSS) attacks targeting your Acorn PLMS interface.
Multi-Region Deployment Architecture
High Availability Through Geographic Redundancy
Acorn PLMS is designed for high availability with multi-AZ (availability zone) deployments by default across your primary region. This architecture ensures that:
- Production services maintain continuous availability even if individual data centers experience issues
- Tested Recovery Point Objective (RPO) and Recovery Time Objective (RTO) metrics guarantee predictable recovery during incidents
- Cross-region backups and replication protect your data against region-wide failures
For organisations requiring additional resilience, Acorn's Infrastructure-as-Code (Terraform) supports multi-region active/standby deployments when contractually required. This capability is particularly valuable for Tier-1 services and ensures business continuity across geographic boundaries.
GDPR and Data Residency Compliance
Your DDoS protection strategy must align with data residency requirements. Acorn PLMS accommodates deployments requiring GDPR and Swiss FADP compliance through:
- EU and US hosting options fulfilling regional data-location requirements
- Organization and multi-region logging enabling audit trails within compliant boundaries
- Regional record storage in countries where personnel records must remain within national borders
- Dedicated runbooks supporting elevation of multi-AZ deployments to multi-region configurations for compliance
When configuring DDoS protection across regions, ensure your CloudFront distribution and Shield configuration respect these data residency boundaries.
DDoS Mitigation Strategies
Defense-in-Depth Approach
Effective DDoS mitigation requires layered defences:
- Network layer (Layer 3/4): AWS Shield automatically mitigates volumetric and protocol attacks at the AWS network edge
- Application layer (Layer 7): CloudFront and AWS WAF filter malicious application requests before reaching your Acorn PLMS origin servers
- Infrastructure layer: Multi-AZ deployment ensures that attack traffic targeting individual data centers does not affect overall platform availability
Capacity Planning
Acorn's multi-region architecture and CloudFront integration enable auto-scaling capabilities that help absorb attack traffic. Monitor your traffic patterns and ensure your infrastructure can scale to handle traffic spikes without degradation.
Incident Response
While AWS Shield provides automatic mitigation, your organisation should:
- Monitor CloudWatch metrics for unusual traffic patterns indicating potential attacks
- Review CloudFront access logs to identify attack sources and patterns
- Coordinate with your infrastructure team if Shield Advanced features or custom WAF rules are needed
- Test failover procedures in multi-region deployments to ensure DDoS resilience is maintained during incidents
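The log review step above can be automated. The following script is an added example written for this page, not Acorn's or AWS's code: it parses the tab-separated W3C-style format that CloudFront standard logging writes (column names taken from the `#Fields` header line, so it tolerates field-order differences), buckets requests per client IP into the same fixed 5-minute window that a WAF rate-based rule uses, and reports clients whose request volume or 4xx ratio looks like a flood or a scan. The log lines, IP addresses, thresholds and paths are constructed for the example; tune `RATE_LIMIT` to your own baseline traffic before using the logic on real logs.

```python
"""Find high-rate or high-error clients in CloudFront standard access logs.

Added example (not Acorn's code). All sample data is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300      # 5-minute window, mirroring a WAF rate-based rule
RATE_LIMIT = 20           # requests per window per IP (constructed threshold)
ERROR_RATIO_LIMIT = 0.8   # share of 4xx responses that marks a scan or brute force


def build_sample_log():
    """Constructed log: one normal user, one /login flood, one path scanner."""
    header = ("#Version: 1.0\n"
              "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
              "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query x-edge-result-type\n")

    def line(sec, ip, method, path, status):
        return (f"2024-05-01\t10:00:{sec:02d}\tSYD1-C1\t512\t{ip}\t{method}\t"
                f"dexample.cloudfront.net\t{path}\t{status}\t-\tMozilla/5.0\t-\tHit")

    rows = [line(1, "10.0.0.7", "GET", "/course/12", 200),
            line(30, "10.0.0.7", "GET", "/course/12/lesson/3", 200)]
    rows += [line(s, "203.0.113.9", "POST", "/login", 403) for s in range(0, 50, 2)]   # 25 hits
    rows += [line(s, "198.51.100.4", "GET", f"/admin/{s}", 404) for s in range(0, 12, 2)]  # 6 hits
    return header + "\n".join(rows) + "\n"


def parse_cloudfront_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
            continue
        if raw.startswith("#"):
            continue                      # #Version or another directive
        if fields is None:
            raise ValueError("record found before the #Fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            continue                      # malformed line: skip rather than crash
        yield dict(zip(fields, values))


def window_of(record):
    """Start of the fixed 5-minute window (UTC epoch seconds) a record falls in."""
    ts = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
    return epoch - (epoch % WINDOW_SECONDS)


def find_suspicious_clients(text, rate_limit=RATE_LIMIT, error_ratio_limit=ERROR_RATIO_LIMIT):
    """Return findings sorted by request count, highest first."""
    counts = Counter()               # (ip, window) -> requests
    errors = Counter()               # (ip, window) -> 4xx responses
    paths = defaultdict(Counter)     # ip -> path -> hits
    for rec in parse_cloudfront_log(text):
        key = (rec["c-ip"], window_of(rec))
        counts[key] += 1
        if rec["sc-status"].startswith("4"):
            errors[key] += 1
        paths[rec["c-ip"]][rec["cs-uri-stem"]] += 1

    findings = []
    for (ip, window), n in counts.items():
        ratio = errors[(ip, window)] / n
        reasons = []
        if n > rate_limit:
            reasons.append(f"{n} requests in 5 min (limit {rate_limit})")
        if n >= 5 and ratio >= error_ratio_limit:     # ignore tiny samples
            reasons.append(f"{ratio:.0%} of responses were 4xx")
        if reasons:
            top_path, _ = paths[ip].most_common(1)[0]
            findings.append({"ip": ip, "window_start": window, "requests": n,
                             "error_ratio": round(ratio, 2), "top_path": top_path,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -f["requests"])


if __name__ == "__main__":
    for finding in find_suspicious_clients(build_sample_log()):
        print(finding["ip"], finding["requests"], finding["top_path"], "; ".join(finding["reasons"]))
```

Findings from this script are a starting point for triage, not a block list: confirm that a flagged address is not a shared NAT or a legitimate integration before adding it to a WAF IP set, and keep the log retention itself within the data residency boundaries discussed above.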
Acorn PLMS maintains continuous compliance with international privacy legislation, including GDPR and Swiss FADP. Your DDoS protection configuration must align with these compliance requirements:
- Ensure Shield and CloudFront are configured consistently across all regions hosting your data
- Verify that logging and monitoring data generated by DDoS protections comply with data residency requirements
- Review your infrastructure runbooks to confirm multi-region DDoS protection scenarios are documented
To optimise DDoS protection for your Acorn PLMS deployment:
- Verify that AWS Shield is enabled on all infrastructure supporting your platform
- Confirm CloudFront distribution settings align with your content delivery and security requirements
- Review multi-region deployment options if your organisation requires enhanced geographical resilience
- Consult your compliance officer regarding data residency implications of DDoS protection configurations
- Test failover procedures to ensure continuity during attack scenarios
For additional information on Acorn's compliance posture and hosting options, review the resources listed below.
Endpoint & Anti-Malware Protection
Acorn PLMS implements a multi-layered approach to endpoint and anti-malware protection, ensuring your organisation's data and systems remain secure from emerging threats. This article outlines the security measures Acorn deploys to protect your endpoints, prevent malware infections, and maintain data integrity across your learning management environment.
Overview of Acorn's Security Approach
Your organisation's security posture depends on robust endpoint protection that extends beyond basic antivirus solutions. Acorn PLMS integrates advanced threat prevention technologies, including endpoint detection and response (EDR) capabilities powered by industry-standard platforms such as CrowdStrike and Microsoft Defender. These tools work in conjunction with your organisation's existing security infrastructure to identify, prevent, and respond to threats in real time.
Acorn's commitment to security is underpinned by its compliance with the regulatory and industry requirements necessary to deliver services securely. The platform maintains comprehensive security and compliance certifications, with an ongoing SOC 2 Type 1 audit conducted by PwC, demonstrating Acorn's commitment to auditable security controls.
Anti-Virus and Threat Prevention
Endpoint threat prevention is critical to protecting your learning environment from malware and sophisticated attacks. Acorn PLMS supports integration with leading endpoint protection platforms that provide continuous monitoring and threat detection across your organisation's devices.
These threat prevention systems operate by:
- Real-time monitoring: Continuously scanning endpoint activities to identify suspicious behaviour and known malware signatures
- Behavioural analysis: Detecting advanced threats that may evade traditional signature-based detection
- Incident response integration: Automatically isolating compromised endpoints to prevent lateral movement within your network
Your security team can manage endpoint protection policies centrally, ensuring consistent protection standards across all devices accessing Acorn PLMS.
Mobile Device Management (MDM)
Mobile device management enables your organisation to maintain security and compliance when employees and users access Acorn PLMS from smartphones, tablets, and other portable devices. MDM solutions provide your IT team with the ability to:
- Enforce security policies on mobile devices, including password requirements and encryption standards
- Deploy and manage applications remotely
- Monitor device compliance and respond to policy violations
- Remotely wipe data from lost or compromised devices
By implementing MDM in conjunction with Acorn PLMS, your organisation ensures that access to sensitive learning data remains protected regardless of the device or location from which users connect.
Encrypted Hard Drives and Data Protection
Data at rest must be protected through encryption to ensure that even if physical devices are lost or stolen, your organisation's information remains secure. Acorn PLMS leverages encrypted storage across all systems, with particular attention to the protection of personal information and learning records.
Encryption protects your organisation by:
- Full-disk encryption: Securing all data stored on local drives and endpoints
- Database encryption: Protecting sensitive information within Acorn's infrastructure
- Transit encryption: Ensuring data moving between devices and Acorn's cloud infrastructure remains encrypted and inaccessible to unauthorised parties
Your organisation maintains ownership of all data within Acorn PLMS, including learning content, user information, and learning records. This ownership structure ensures you retain control over encryption policies and data security practices aligned with your regulatory obligations.
Data Integrity and Backup Security
Protecting your data extends beyond preventing malware and theft—your organisation must ensure data integrity throughout backup and restore processes. Acorn PLMS relies on AWS's robust backup and snapshot systems, redundancy mechanisms, and version-controlled repositories to maintain data integrity during these critical operations.
Data integrity is ensured through:
- Periodic audits: Regular validation of backup data to confirm consistency and completeness
- Backup exploration: Systematic testing of backup systems to verify restoration capabilities
- Restoration validation: Confirming that restored data matches original records with no corruption or loss
Historical records of all system activity are maintained within Acorn, providing your organisation with comprehensive audit trails for compliance verification and forensic investigation purposes.
Access Control and Role-Based Security
Endpoint protection includes controlling who can access your systems and data. Acorn PLMS implements role-based access control (RBAC) that your organisation manages directly. This structure allows you to:
- Define user roles with specific permissions aligned to your organisational structure
- Restrict access to sensitive data based on job function and security clearance
- Audit access patterns to detect and respond to unauthorised activity
- Revoke access immediately when users change roles or leave your organisation
Role-based controls work in concert with endpoint protection to ensure that even if a device is compromised, an attacker's ability to access sensitive information is limited by the legitimate user's access level.
Regulatory Compliance and Standards
Acorn PLMS operates within a framework of regulatory compliance applicable to software-as-a-service (SaaS) providers. In Australia, Acorn complies with the Privacy Act 1988 (Cth), which establishes the Australian Privacy Principles (APPs) governing collection, use, disclosure, and storage of personal information. The Notifiable Data Breaches (NDB) scheme requires Acorn to notify your organisation and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to result in serious harm.
For FERPA-compliant implementations in educational settings, Acorn provides tools and capabilities including role-based access control, report generation for end-user transparency, and optional privacy policy features to ensure your organisation meets federal education privacy requirements.
Getting Started with Endpoint Protection
To assess your organisation's endpoint protection requirements within Acorn PLMS, consult the comprehensive security and compliance information available through Acorn's Trust Center. Your organisation's IT and security teams can review current certifications, audit reports, and compliance documentation to ensure Acorn aligns with your security standards.
Implementing endpoint and anti-malware protection requires coordination between your security team and Acorn's platform capabilities. Work with your Acorn administrator to configure access controls, verify encryption standards, and establish monitoring practices that meet your organisation's security objectives.
Intrusion Detection & Prevention (IDS/IPS) in Acorn PLMS
Intrusion Detection and Prevention (IDS/IPS) systems form a critical layer of your organisation's network security infrastructure. Acorn PLMS operates within a security-hardened cloud environment that implements comprehensive intrusion monitoring and prevention capabilities to safeguard your sensitive data and learning management operations.
Understanding IDS/IPS in Your Acorn Environment
Acorn PLMS operates as a cloud-based Software as a Service (SaaS) platform deployed on Amazon Web Services (AWS) infrastructure. This deployment model enables your organisation to benefit from advanced intrusion detection and prevention mechanisms without requiring on-premise infrastructure management. The cloud-based architecture ensures continuous monitoring, rapid threat response, and consistent security updates across your entire learning management ecosystem.
Both network-based and host-based intrusion monitoring are implemented within the AWS infrastructure supporting Acorn PLMS. Network-based systems monitor traffic flows and communication patterns across your learning environment, while host-based protections operate at the system level to detect suspicious activities, unauthorised access attempts, and advanced persistent threats.
Security Assessments and Compliance Framework
Your confidence in Acorn PLMS's intrusion detection and prevention capabilities is supported by rigorous third-party assessments. Both Acorn and the underlying AWS infrastructure have undergone thorough IRAP (Information Security Registered Assessors Program) assessments. These independent evaluations validate the effectiveness of security measures and ensure adherence to industry best practices and stringent requirements for protecting sensitive data.
Acorn PLMS has been independently IRAP assessed for PROTECTED-level data handling, demonstrating alignment with the Information Security Manual (ISM) and meeting the advanced security control requirements essential for government agencies and compliance-driven enterprises. This assessment framework specifically evaluates intrusion detection capabilities, threat response procedures, and data protection mechanisms relevant to your organisation's security posture.
ISO 27001 Compliance and Continuous Validation
Your organisation's data security is underpinned by ISO 27001 compliant infrastructure. Acorn PLMS is hosted on AWS infrastructure certified for ISO 27001, providing you with assurance that information security management systems meet internationally recognised standards. Acorn maintains oversight of this compliance by examining AWS's ISO 27001 scope and SOC 2 reports annually, ensuring that security procedures remain aligned with internal protocols and the evolving threat landscape.
This continuous validation approach means your organisation's intrusion detection and prevention capabilities are not static. Regular annual reviews ensure that security controls adapt to emerging threats, new attack vectors, and industry developments while maintaining compliance with ISM requirements and Privacy Act 1988 obligations.
Advanced Threat Monitoring Capabilities
Acorn PLMS operates within an environment specifically designed to detect and prevent advanced persistent threats (APTs). The combination of network-based monitoring, host-based intrusion detection, and continuous security assessments provides your organisation with multi-layered threat visibility.
Your learning management operations benefit from:
- Continuous Network Monitoring: Real-time observation of traffic patterns, unauthorised connection attempts, and anomalous data flows across your Acorn PLMS environment
- Host-Based Detection: System-level monitoring that identifies suspicious processes, unauthorised access attempts, and potential compromise indicators on systems supporting your learning platform
- Threat Intelligence Integration: Security controls informed by current threat intelligence and security research, enabling proactive identification of known attack signatures and emerging threat patterns
- Incident Response Readiness: Structured procedures for detecting, investigating, and responding to security incidents with minimal disruption to your training delivery operations
Multi-Tiered Security Controls for Government and Enterprise
If your organisation works with Australian Federal Government agencies or operates in high-security compliance sectors, Acorn PLMS delivers tailored security controls specifically addressing advanced requirements. The platform has been deployed successfully with custom reporting, multi-tiered user access controls, and capacity to integrate external compliance data for various government entities.
These controls work in conjunction with intrusion detection and prevention systems to ensure that your organisation maintains visibility over user activities, access patterns, and potential security anomalies. The combination of IDS/IPS capabilities with customised access controls enables you to meet stringent compliance obligations while maintaining efficient learning operations.
Scalability and High Availability
Cloud deployment through AWS ensures that your intrusion detection and prevention infrastructure scales seamlessly with your organisation's growth. High availability architecture means that security monitoring continues uninterrupted, even during periods of peak usage or when infrastructure components require maintenance.
Your organisation avoids the complexity of managing on-premise intrusion detection systems while maintaining the robust security posture required for sensitive training delivery and performance management.
Integration with Your Security Framework
Acorn PLMS's IDS/IPS capabilities integrate seamlessly into your organisation's broader security framework. The platform aligns with ISM requirements and supports compliance with the Privacy Act 1988, making it suitable for organisations handling sensitive government or enterprise data.
When implementing Acorn PLMS, you can rely on intrusion detection and prevention controls that have been independently validated through IRAP assessments and continuously verified against ISO 27001 standards. This ensures that your learning management platform operates within a security envelope that actively detects, prevents, and responds to intrusion attempts and advanced threats.
For detailed information about Acorn PLMS's compliance certifications and security assessments, visit our compliance documentation to review independent assessment results and security controls relevant to your organisation's requirements.
Network Architecture & Firewalls
Your organisation's security posture depends on multiple layers of network protection. Acorn PLMS is designed with enterprise-grade network architecture that includes Virtual Private Clouds (VPCs), security groups, network access control lists (NACLs), Web Application Firewalls (WAF), and demilitarised zones (DMZ) to create a comprehensive defensive perimeter.
Understanding Your Network Security Layers
Acorn PLMS operates within a multi-layered network architecture designed to isolate and protect your data. Your organisation benefits from VPC isolation, which ensures that your learning and performance data resides in a segregated network environment separate from other tenants and external threats. Security groups act as stateful firewalls at the instance level, controlling inbound and outbound traffic based on rules you define; because they are stateful, the reply to a permitted connection is allowed automatically. Network ACLs provide an additional stateless filtering layer at the subnet boundary, evaluated in rule-number order with the first matching rule deciding, which lets you explicitly deny as well as allow traffic but also means return traffic must be permitted by its own rule.
These components work in concert: inbound traffic first encounters NACLs at the subnet perimeter, then security groups at the instance level, and finally application-layer defences. This defence-in-depth approach ensures that unauthorised traffic is stopped before reaching your critical systems.
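To make the ordering and the stateful/stateless difference concrete, here is a small model of a request and its reply passing through a NACL and a security group. It is an added example written for this page, not Acorn's configuration or AWS code; the CIDRs, rule numbers and ports are constructed. It shows three things a practitioner checks when a connection is refused: a NACL deny with a lower number wins over a later allow, a security group with no outbound rule still lets the reply out, and a NACL that forgets the ephemeral port range drops that same reply at the subnet edge.

```python
"""Trace an HTTPS request and its reply through a NACL and a security group.

Added example (not Acorn's code). Models the AWS semantics described in the
text: NACLs are stateless, evaluated by rule number, first match wins, implicit
deny at the end; security groups are stateful allow-lists. All values constructed.
"""
from dataclasses import dataclass
import ipaddress

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs have allow and deny; security groups only allow
    number: int = 0         # NACL evaluation order; ignored by security groups

    def matches(self, ip, port):
        return (ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def nacl_allows(rules, remote_ip, port):
    """Stateless: lowest-numbered matching rule decides; no match is the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, port):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: a reply to a flow that was already permitted needs no rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # connection tracking: (remote_ip, remote_port, local_port)

    def allows(self, direction, remote_ip, remote_port, local_port):
        flow = (remote_ip, remote_port, local_port)
        if flow in self._flows:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port
        if any(r.matches(remote_ip, port) for r in rules):
            self._flows.add(flow)
            return True
        return False


def trace_https(nacl_in, nacl_out, sg, client_ip="203.0.113.5", client_port=51234, server_port=443):
    """Request: NACL then security group. Reply: security group then NACL."""
    steps = {}
    steps["request_nacl"] = nacl_allows(nacl_in, client_ip, server_port)
    steps["request_sg"] = steps["request_nacl"] and sg.allows("in", client_ip, client_port, server_port)
    steps["reply_sg"] = steps["request_sg"] and sg.allows("out", client_ip, client_port, server_port)
    # the reply's destination port is the client's ephemeral port, not 443
    steps["reply_nacl"] = steps["reply_sg"] and nacl_allows(nacl_out, client_ip, client_port)
    steps["delivered"] = steps["reply_nacl"]
    return steps


# Constructed rule sets. Rule 50 blocks one range before rule 100 admits everyone.
NACL_INBOUND = [Rule("192.0.2.0/24", 0, 65535, action="deny", number=50),
                Rule(ANY, 443, 443, number=100)]
NACL_OUT_MISSING_EPHEMERAL = [Rule(ANY, 443, 443, number=100)]
NACL_OUT_CORRECT = NACL_OUT_MISSING_EPHEMERAL + [Rule(ANY, 1024, 65535, number=110)]


def https_only_sg():
    # No outbound rule at all: statefulness alone must carry the reply out.
    return SecurityGroup(inbound=[Rule(ANY, 443, 443)], outbound=[])


def incomplete_nacl_trace():
    return trace_https(NACL_INBOUND, NACL_OUT_MISSING_EPHEMERAL, https_only_sg())


def corrected_nacl_trace():
    return trace_https(NACL_INBOUND, NACL_OUT_CORRECT, https_only_sg())


def blocked_range_trace():
    return trace_https(NACL_INBOUND, NACL_OUT_CORRECT, https_only_sg(), client_ip="192.0.2.77")


if __name__ == "__main__":
    for name, trace in [("missing ephemeral rule", incomplete_nacl_trace()),
                        ("corrected NACL", corrected_nacl_trace()),
                        ("denied source range", blocked_range_trace())]:
        print(f"{name}: {trace}")
```

The first trace is the classic NACL misconfiguration: the request is accepted at every layer, the security group passes the reply because the flow is tracked, and the NACL then drops it because nothing allows the client's ephemeral port outbound. The fix is a separate allow rule for 1024-65535, not a change to the security group.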
Web Application Firewall (WAF) and DDoS Protection
Your Acorn PLMS deployment includes Web Application Firewall capabilities that protect against common web-based attacks. The WAF inspects HTTP and HTTPS traffic for malicious payloads, SQL injection attempts, cross-site scripting (XSS), and other application-layer threats. This layer sits between your users and your application servers, filtering requests in real time.
The WAF works alongside your organisation's broader security strategy to prevent attacks from reaching your application. You can configure rules specific to your use cases, such as blocking suspicious geographic locations, rate-limiting excessive requests, or requiring additional authentication for sensitive endpoints.
DMZ and Network Segmentation
Acorn PLMS architecture includes demilitarised zone (DMZ) principles in its design. Public-facing components are isolated from your internal systems, reducing the blast radius if a perimeter defence is compromised. Your organisation's sensitive data—performance metrics, learning records, and user information—resides in protected subnets behind multiple security layers, not directly accessible from the internet.
This segmentation means that even if an external attacker compromises a public-facing component, they cannot directly access your organisation's core data. Additional authentication, encryption, and access controls protect your sensitive information.
Firewall Change Management
Security is not static. Your organisation's firewall rules and network policies require careful management as your needs evolve. Acorn PLMS operates within a change management framework that ensures network modifications are planned, tested, and documented before deployment.
When your organisation needs to modify firewall rules—such as allowing new integrations, opening ports for third-party tools, or adjusting security group policies—these changes follow a structured process:
- Request and Approval: Changes are formally requested and reviewed against your organisation's security requirements.
- Testing: Modifications are tested in non-production environments to ensure they achieve your goals without introducing vulnerabilities.
- Audit Trail: All firewall changes are logged and auditable, providing visibility into who made changes, when, and why.
- Documentation: Your organisation maintains clear documentation of active firewall rules and their business justification.
This disciplined approach prevents misconfiguration errors that could accidentally expose systems or block legitimate traffic.
Compliance and Security Certifications
Your organisation can have confidence in Acorn PLMS's network security because the platform maintains rigorous compliance certifications. Acorn is SOC 2 compliant, verified through independent audit by PwC, with SOC 2 Type II certification underway. These certifications confirm that Acorn's security controls—including network architecture, firewall management, and access controls—meet stringent industry standards.
Additionally, Acorn holds security certifications including ISO 27001, and conforms to standards such as CSA STAR and OWASP guidelines. These certifications demonstrate that network security is evaluated annually by independent assessors, not merely self-assessed. Your organisation benefits from objective, third-party verification that security controls are designed, implemented, and operating effectively.
Data Security and Integration Considerations
When your organisation integrates Acorn PLMS with other systems—such as compensation tools or HR platforms—network security remains paramount. Acorn provides REST APIs that allow secure data exchange between systems while maintaining strict access controls. Your organisation can push and pull data through authenticated, encrypted connections.
However, when integrating systems that handle highly sensitive data (such as compensation information), your organisation should engage in careful scoping to ensure that data handling meets your security and compliance requirements. Acorn's SOC 2 compliance framework provides assurance that such integrations are conducted securely, with proper encryption, access logging, and audit trails.
Your Hosting Environment
Acorn's commitment to network security extends to its hosting infrastructure. If your organisation requires visibility into the data centre hosting your systems, Acorn's hosting provider maintains SOC 2 Type II certification. Understanding your hosting provider's security posture is essential for evaluating availability, resilience, and disaster recovery capabilities. This information is available upon request and helps your organisation evaluate whether the hosting environment meets your compliance and operational requirements.
Audit Logs and Administrative Visibility
Your organisation's administrators have access to comprehensive audit logs that document network activities, firewall changes, access attempts, and system events. These logs are essential for security investigations, compliance audits, and operational troubleshooting. Multi-factor authentication (MFA) protects administrator accounts, ensuring that only authorised personnel can access these sensitive logs and modify network policies.
Next Steps
If your organisation has specific network security requirements, questions about firewall configurations, or needs to evaluate Acorn PLMS against your security compliance framework, contact Acorn support. For detailed compliance information, visit the Acorn compliance documentation.
PCI DSS Compliance and Payment Processing in Acorn PLMS
Understanding PCI DSS Compliance in Acorn
When your organisation processes payments through Acorn PLMS, you must understand how cardholder data is protected and where compliance responsibilities lie. Acorn has completed a PCI DSS Service Provider Assessment Questionnaire (SAQ), demonstrating our commitment to payment security standards. However, the way payment information is handled means your organisation shares responsibility for maintaining compliance.
How Acorn Handles Payment Information
Acorn PLMS facilitates transactions through integrated payment gateways, but your cardholder data is not stored or processed on Acorn's servers. Instead, payment information from transactions is captured and processed directly by the payment gateway itself. This architecture is significant because it reduces the scope of data that Acorn systems must secure, while placing specific compliance obligations on the payment processor and your organisation.
This approach means that when users enter payment information during a transaction, that sensitive data flows directly to the payment gateway rather than being transmitted through or stored within Acorn PLMS infrastructure. This design protects your transaction data and simplifies your compliance obligations.
PCI DSS Assessment Questions
Your organisation may encounter a series of PCI DSS assessment questions designed to evaluate your payment processing environment. These questions, typically identified as PCID-01 through PCID-12, cover several critical areas:
Scope and Data Handling
The initial questions assess whether your organisation stores, processes, or transmits cardholder data. Understanding your data handling practices is essential because PCI DSS compliance requirements scale based on the volume and scope of cardholder data your systems touch. If you use Acorn's payment integration correctly—allowing the payment gateway to handle all sensitive card data—your compliance scope may be reduced.
Compliance Status and Classification
Assessment questions address your organisation's current PCI DSS compliance status and your classification as either a service provider or merchant. Your classification determines which specific PCI DSS requirements apply to your organisation. Additionally, these questions verify whether you hold a valid Attestation of Compliance (AOC) and whether your payment processors are PA-DSS (Payment Application Data Security Standard) compliant.
Payment Processing Architecture
You will be asked to document your credit card transaction architecture—essentially mapping how payment data flows through your systems. You should clearly document which payment processors your organisation supports and confirm that your payment processing setup aligns with PCI DSS requirements. This documentation helps auditors and assessors understand your compliance posture.
Third-Party Payment Handling
If your organisation uses third-party payment processors or service providers, assessment questions address how those providers handle payment data. Acorn's role as a facilitator—not a processor—means you retain responsibility for selecting compliant payment processors and ensuring they meet PCI DSS standards.
Specific Compliance Question: PCID-02
One key assessment question you will encounter is PCID-02, which directly asks whether your vendor (and your organisation's payment processing environment) is compliant with the Payment Card Industry Data Security Standard. This question requires a definitive answer about your compliance status.
When answering PCID-02 and related compliance questions, you should reference:
- Your current Attestation of Compliance (AOC)
- Your PCI DSS assessment reports
- Documentation from your payment processors confirming their compliance
- Your own internal security policies and audit results
Your Compliance Responsibilities
While Acorn PLMS has completed its own PCI DSS SAQ and maintains secure payment integration, your organisation remains responsible for:
Payment Processor Selection: Ensure any payment processors you integrate with Acorn are PCI DSS compliant and PA-DSS certified where applicable.
Data Minimisation: Avoid storing or processing cardholder data within systems beyond what is necessary. By using Acorn's payment gateway integration, you can minimise your compliance scope.
Access Controls: Restrict access to payment processing functions and audit logs to authorised personnel only.
Security Monitoring: Maintain intrusion detection and monitoring systems to identify suspicious payment-related activity.
Annual Assessment: Conduct annual PCI DSS assessments to verify your compliance status and address any gaps.
Documentation: Maintain comprehensive records of your payment architecture, compliance assessments, and security policies. This documentation supports your ability to accurately answer assessment questions like PCID-02.
Getting Help with Compliance Questions
If you need detailed guidance on specific PCI DSS assessment questions or terminology, consult:
- The official PCI DSS documentation maintained by the Payment Card Industry Security Standards Council
- Your organisation's treasurer's office or finance department, which often oversees payment security compliance
- Acorn support resources for questions specific to how payment integration functions within PLMS
Conclusion
Maintaining PCI DSS compliance in Acorn PLMS requires understanding both Acorn's role as a payment facilitator and your organisation's responsibilities as the data owner and transaction processor. By correctly implementing payment integration, selecting compliant processors, and maintaining accurate documentation, you can confidently answer PCI DSS assessment questions and protect your organisation and customers from payment security risks.
Vulnerability Scanning & Penetration Testing
Acorn PLMS maintains a robust security posture through regular vulnerability scanning and penetration testing. These proactive security measures help identify and remediate potential threats before they can impact your organisation's learning environment.
Overview of Security Testing Approach
Your organisation benefits from a multi-layered security testing strategy that combines automated vulnerability scanning, periodic penetration testing, and application-level security assessments. This comprehensive approach ensures that Acorn PLMS remains protected against both known vulnerabilities and emerging threats across all system components.
The security testing framework is designed to align with industry best practices and compliance standards, providing your organisation with confidence that the platform meets recognised security benchmarks.
Regular Vulnerability Scanning
Acorn PLMS undergoes regular vulnerability scans to identify potential security weaknesses within the system infrastructure and application layers. These automated scans are conducted on a scheduled basis and examine the platform for known vulnerabilities, misconfigurations, and security gaps.
Regular scanning ensures that:
- New vulnerabilities are detected promptly upon discovery
- Patch management priorities are informed by current threat intelligence
- Your organisation maintains visibility into the security status of the platform
- Remediation efforts can be prioritised based on risk severity
The results of vulnerability scans inform Acorn's security roadmap and guide resource allocation toward addressing identified issues.
Annual Penetration Testing
Beyond automated scanning, Acorn PLMS undergoes comprehensive annual penetration testing conducted by qualified security professionals. These tests simulate real-world attack scenarios to evaluate the platform's ability to withstand intentional security challenges.
Annual penetration testing provides:
- Realistic assessment of security controls under active exploitation attempts
- Validation that defensive measures function as intended
- Identification of complex vulnerabilities that automated tools may miss
- Detailed reporting on findings and recommended remediation strategies
Penetration testing encompasses both external and internal attack vectors, ensuring that your organisation's data is protected regardless of threat origin.
Web Application Scanning
Acorn PLMS is subject to rigorous web application security scanning to identify and address common application-level vulnerabilities. Your organisation's learning environment is protected through continuous assessment for critical web application threats.
SQL Injection (SQLi) Testing
SQL injection vulnerabilities could allow attackers to manipulate database queries and access sensitive data. Acorn PLMS is regularly scanned and tested to ensure that all database interactions are properly sanitised and parameterised. Your organisation can be confident that:
- Input validation prevents malicious SQL code injection
- Database queries use prepared statements and parameterised queries
- User-supplied data is never directly concatenated into SQL statements
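The three bullets above describe the control; the following added example (not Acorn's code, and not a description of how Acorn PLMS is implemented) shows the difference they make. It uses an in-memory SQLite table with constructed sample learners, places a deliberately concatenated query beside its parameterised form, and adds an allow-list validator for the username field. The table name, column names and username format are assumptions chosen for the illustration.

```python
import re
import sqlite3

# Allow-list for a username field: letters, digits, dot, underscore, hyphen, 1-64 chars.
# This is the "input validation" layer; it is an assumed policy, not Acorn's.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE learners (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO learners (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def is_valid_username(username):
    """Reject anything outside the allow-list before it reaches the database."""
    return bool(USERNAME_RE.match(username))


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: user input is concatenated into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT username, email FROM learners WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL, so the same input is matched literally and returns nothing."""
    sql = "SELECT username, email FROM learners WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_defended(conn, username):
    """Both layers together: validate first, then use a bound parameter."""
    if not is_valid_username(username):
        return []
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # classic quote-breaking input used only to show the contrast
    print("vulnerable   :", lookup_vulnerable(db, tautology))    # returns every row
    print("parameterised:", lookup_parameterised(db, tautology))  # returns []
    print("defended     :", lookup_defended(db, "alice"))        # returns alice only
```

The parameterised query is the control that matters; the allow-list is defence in depth and also keeps the scanner from flagging the field on a later run, since malformed input never reaches the query at all.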
Cross-Site Scripting (XSS) Testing
Cross-site scripting attacks attempt to inject malicious scripts into web pages viewed by other users. Acorn PLMS implements comprehensive XSS protection through:
- Output encoding and escaping of user-generated content
- Content Security Policy (CSP) headers to restrict script execution
- Input validation to reject potentially malicious content
- Regular testing to identify reflected and stored XSS vulnerabilities
Your organisation's users can interact with the platform knowing that their sessions and data are protected from XSS-based attacks.
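As an added example of the first two protections listed above (output encoding and a Content Security Policy header), not code taken from Acorn PLMS: a tiny comment renderer that passes every user-controlled value through an HTML encoder, and a header builder that emits a nonce-based CSP so that only scripts the server itself marked with the nonce may execute. The template markup, header set and policy directives are assumptions for the illustration.

```python
import html
import secrets


def encode_for_html(user_text):
    """Output encoding for an HTML text or attribute context: escapes the
    characters that would otherwise open a tag or end an attribute value."""
    return html.escape(str(user_text), quote=True)


def render_comment(author, body):
    """Every user-controlled value enters the markup only via the encoder,
    so stored content such as '<script>...</script>' is shown, not run."""
    return '<div class="comment"><b>{}</b>: {}</div>'.format(
        encode_for_html(author), encode_for_html(body)
    )


def build_csp(nonce):
    """Policy that blocks inline scripts unless they carry this response's nonce.
    Directive set is an assumed baseline, not Acorn's production policy."""
    return "; ".join(
        [
            "default-src 'self'",
            "script-src 'self' 'nonce-{}'".format(nonce),
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'",
        ]
    )


def security_headers():
    """Per-response headers plus the fresh nonce the template must reuse
    on any legitimate <script> tag it emits."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Security-Policy": build_csp(nonce),
        "X-Content-Type-Options": "nosniff",
    }
    return headers, nonce


def render_page(author, body):
    """Assemble headers and body for one response."""
    headers, nonce = security_headers()
    page = (
        '<!doctype html><html><body>{}'
        '<script nonce="{}">/* legitimate page script */</script>'
        '</body></html>'
    ).format(render_comment(author, body), nonce)
    return headers, page


if __name__ == "__main__":
    hdrs, page = render_page("mallory", "<script>alert(1)</script>")
    print(hdrs["Content-Security-Policy"])
    print(page)
```

The two layers are complementary: encoding stops the injected markup from becoming a script element, and the CSP means that even a script element that slipped through elsewhere would not run without the per-response nonce.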
Cross-Site Request Forgery (XSRF/CSRF) Testing
Cross-site request forgery attacks trick a user's browser into performing unintended actions on that user's behalf. Acorn PLMS protects against XSRF threats by:
- Implementing CSRF tokens on all state-changing operations
- Validating token presence and authenticity on form submissions
- Using SameSite cookie attributes to prevent cross-origin requests
- Regular testing to ensure CSRF protections remain effective
Your organisation's administrative and user actions are protected against unauthorised cross-origin requests.
Client-Initiated Testing
Your organisation may initiate security testing efforts to validate Acorn PLMS security controls within your specific deployment environment. Client-initiated penetration testing and vulnerability assessments can be coordinated with Acorn's security team to ensure testing activities do not disrupt the learning environment.
When planning client-initiated testing:
- Coordinate with Acorn support to schedule testing during appropriate maintenance windows
- Provide clear scope definitions to ensure testing focuses on relevant systems
- Document findings and share results with Acorn's security team for context
- Allow adequate time for remediation of any identified issues
Client-initiated testing complements Acorn's ongoing security testing programme and provides your organisation with third-party validation of platform security.
Security Testing Cadence
Acorn maintains a regular schedule of security testing activities:
- Continuous automated scanning monitors the platform for known vulnerabilities
- Quarterly vulnerability assessments provide regular security status updates
- Annual penetration testing validates overall security posture
- Ad-hoc security testing is conducted following significant platform updates or in response to emerging threats
This regular cadence ensures that your organisation benefits from current threat intelligence and that security measures remain effective against evolving attack vectors.
Accessing Security Testing Information
Your organisation can request detailed information about Acorn PLMS security testing activities, including vulnerability scan results, penetration test reports, and remediation status. Security documentation is available through your Acorn account representative and helps your organisation maintain visibility into the platform's security posture.
For comprehensive information about Acorn's compliance and security testing programme, refer to the compliance documentation available through the Acorn support portal.