
Personnel & Physical Security

Everything you need to know about Personnel & Physical Security in Acorn PLMS.

Background Checks & Screening

Maintaining a secure workforce starts with comprehensive background checks and screening procedures. Acorn PLMS supports your organisation's ability to track, manage, and automate background check workflows for new hires and existing employees, ensuring compliance with regulatory requirements and organisational security policies.

Overview of Background Check Types

Your organisation can implement three primary categories of pre-hire screening through integrated systems within Acorn PLMS:

Criminal Background Checks: Criminal history verification is essential for positions with fiduciary responsibilities, access to sensitive data, or roles involving vulnerable populations. These checks typically search local, state, and national databases to identify any prior convictions or charges that may affect employment suitability.

Educational Verification: Educational credentials verification confirms that candidates possess the qualifications they claim. This includes verification of degrees, diplomas, certifications, and attendance records from educational institutions. For roles requiring specific credentials, this screening type protects your organisation from hiring unqualified personnel and ensures compliance with professional licensing requirements.

Employment Verification: Employment history checks validate a candidate's previous work experience, job titles, dates of employment, and salary history through direct contact with prior employers. This screening confirms the accuracy of information provided in applications and resumes, establishing a foundation of trust before onboarding.

Integrating Background Checks into Your Workflow

Acorn PLMS integrates across your existing systems and supports hierarchical organisational mapping to automate background check assignment based on role and compliance needs. During the implementation phase, your organisation works with a dedicated Customer Success Officer to configure how background checks are triggered in your learner journey.

Your team can define automatic assignment rules so that:

  • New hires in specific roles automatically receive background check training and verification workflows
  • Compliance-sensitive positions trigger mandatory screening before access to resources
  • Regulatory requirements are mapped to job classifications, ensuring no candidate bypasses required screening

This automation reduces administrative overhead and ensures consistent application of screening policies across your entire organisation.

Re-Screening Frequency and Compliance

Re-screening frequency depends on your industry, regulatory environment, and risk profile. While initial pre-hire screening is standard, many organisations implement periodic re-screening to maintain ongoing security and compliance.

Factors Influencing Re-Screening Decisions:

  • Regulatory Requirements: Financial services, healthcare, education, and government sectors often mandate re-screening on fixed intervals (typically every 3–5 years)
  • Role Sensitivity: High-risk positions involving access to sensitive data, financial systems, or vulnerable populations may require annual re-screening
  • Risk Assessment: Organisations can implement tiered re-screening based on job classification, with critical roles receiving more frequent verification
  • Industry Standards: Peer organisations in your sector often establish de facto re-screening standards that inform best practices

Within Acorn PLMS, you can automate re-screening workflows by setting up recurring training assignments linked to employee role and tenure. Your organisation can trigger re-screening reminders and manage verification status through the platform's comprehensive reporting capabilities.

Managing Background Check Records and Compliance Documentation

Acorn PLMS provides centralised tracking of background check status for all learners. Your administrators can:

  • View completion status and verification results for criminal, educational, and employment checks
  • Track dates of initial screening and any re-screening events
  • Generate compliance reports demonstrating that your organisation has conducted appropriate due diligence
  • Monitor expiration dates for time-limited certifications or screening validations

This centralised record-keeping ensures that your organisation maintains audit trails necessary for regulatory compliance and demonstrates due diligence should background check decisions be challenged.

Support for Background Check Administration

As you implement and manage background check workflows, Acorn provides comprehensive support throughout the process.

Implementation Support: During your eight-week implementation period, a dedicated Customer Success Officer works with your team to configure background check automation, define role-based assignment rules, and establish compliance workflows. Bi-weekly check-in meetings and a dedicated Teams chat enable real-time collaboration between your project team and Acorn's experts.

Ongoing Technical Support: Following implementation, Acorn's Support Team is available to assist with configuration questions, workflow adjustments, and integration issues. For North American clients, standard support is available Monday through Friday from 7:00 AM to 5:00 PM PST. Critical incidents receive 24/7/365 coverage with rapid response times. Support is accessible via email at support@acorn.works, phone, or the Acorn support portal, with an average response time of under 30 minutes.

Help Resources: A comprehensive Help Center at https://help.acorn.works/hc/en-us provides detailed tutorials and how-to articles for managing background checks and screening workflows within the platform.

Best Practices for Background Check Management

Document Your Policy: Establish a written background check policy defining which positions require screening, what types of checks are required, re-screening frequency, and decision criteria. Share this policy with all candidates during recruitment.

Ensure Consistent Application: Implement screening requirements uniformly across all candidates for the same role, avoiding selective or discriminatory application.

Maintain Confidentiality: Restrict access to background check results to authorised personnel only. Acorn PLMS supports role-based access controls to protect sensitive verification information.

Stay Current with Regulations: Monitor changes to local, state, and federal laws affecting background check practices. Your organisation's policies should evolve to remain compliant.

Communicate Transparently: Inform candidates that background checks will be conducted and obtain required consent before beginning any screening process.

Scaling Background Check Operations

As your organisation grows, Acorn PLMS scales with you. The platform's auto-assignment capabilities and integration across systems mean that background check workflows remain efficient whether you're screening dozens or thousands of new hires annually. Your organisation can add new screening vendors, adjust compliance rules, or expand re-screening programs without reimplementing core systems.

For ongoing strategic guidance on optimising your background check program, consider Acorn's optional Strategic Account Manager (SAM) service, which includes quarterly business reviews, usage monitoring, and recommendations for process improvements—available at $7,500 annually.

Next Steps

Work with your dedicated Customer Success Officer during implementation to configure background check workflows that align with your organisation's compliance requirements and risk profile. Visit the Help Center for detailed configuration guides, and reach out to Acorn Support at support@acorn.works with any questions about managing background checks in Acorn PLMS.

Employee Security Policies

Effective employee security policies form the foundation of a secure learning management environment. Within Acorn PLMS, you can establish and enforce comprehensive security frameworks that protect sensitive organisational information while ensuring all personnel understand their responsibilities regarding data handling, system access, and acceptable use practices.

Overview of Security Policy Management

Your organisation's security posture depends on clear, consistently enforced policies that govern how employees interact with Acorn PLMS and handle confidential information. Security policies establish the rules and expectations that protect intellectual property, personal data, and system integrity. By implementing these policies within your learning management framework, you create accountability and reduce risk exposure across your organisation.

Acorn PLMS provides the infrastructure to document, communicate, and track employee acknowledgment of security policies. This systematic approach ensures that every employee receives consistent messaging about security expectations from their first day onward.

Confidentiality Agreements

Confidentiality agreements define what information employees can access, how they may use that information, and the consequences of unauthorised disclosure. These agreements are particularly critical in environments where employees have access to proprietary learning materials, performance data, or strategic business information through your PLMS.

Within Acorn PLMS, you can:

  • Document confidentiality requirements specific to different employee roles or departments
  • Track acknowledgment of confidentiality agreements as part of your onboarding workflow
  • Maintain audit trails showing when employees reviewed and accepted these agreements
  • Update policies systematically and re-communicate changes to affected personnel

Confidentiality agreements should clearly articulate the types of information considered confidential, permitted uses, retention requirements, and the disciplinary consequences of violations. By integrating these agreements into your PLMS, you create a documented record of employee awareness and acceptance.

Acceptable Use Policies

Acceptable use policies (AUPs) establish guidelines for how employees should interact with your PLMS, what constitutes appropriate system use, and prohibited activities. Well-defined AUPs protect system security, ensure compliance with regulations, and maintain a professional learning environment.

Your acceptable use policy should address:

  • Authorised uses of system access and learning content
  • Password management and authentication practices
  • Restrictions on sharing credentials or account access
  • Prohibited activities (unauthorised access attempts, data exfiltration, harassment)
  • Mobile device and remote access expectations
  • Data handling requirements for sensitive information
  • Consequences for policy violations

Acorn PLMS enables you to communicate these policies clearly, requiring explicit employee acknowledgment before granting system access. This approach creates a clear understanding of expectations and provides legal documentation of policy communication.

New-Hire Security Training

Security training during onboarding establishes positive security habits from the beginning of employment. New hires learn not only how to use Acorn PLMS effectively, but also the security responsibilities that accompany system access.

Your new-hire security training curriculum should include:

  • Overview of confidentiality agreements and acceptable use policies
  • Explanation of data classification and handling requirements
  • Password creation and protection best practices
  • Phishing awareness and social engineering prevention
  • Procedures for reporting suspected security incidents
  • Role-specific security considerations
  • System access and authentication processes

Within Acorn PLMS, you can structure new-hire security training as mandatory courses that employees must complete before or immediately after receiving system access. By tracking completion and assessment results, you maintain documentation of training delivery and employee understanding.

Integrating security training into your onboarding workflow ensures that security awareness becomes part of your organisational culture rather than an afterthought. Employees who understand security expectations from day one are more likely to maintain secure practices throughout their tenure.

Disciplinary Processes

Disciplinary processes provide structure for addressing security policy violations fairly and consistently. Clear procedures protect both your organisation and individual employees by establishing documented, equitable responses to misconduct.

Your disciplinary process should define:

  • Investigation procedures for reported violations
  • Documentation requirements for incidents and investigations
  • Progressive discipline framework (warnings, suspension, termination)
  • Appeal or review opportunities for affected employees
  • Confidentiality protections during investigation
  • Communication protocols with legal and HR departments
  • Record retention for disciplinary actions

Acorn PLMS supports disciplinary workflows by enabling you to document incidents, track corrective actions, and maintain audit trails of all security-related personnel decisions. This documentation proves essential during employment disputes or compliance audits.

Effective disciplinary processes balance accountability with fairness. Consistent application of policies builds employee trust that violations will be addressed equitably. Conversely, inconsistent enforcement undermines policy credibility and creates legal exposure for your organisation.

Implementation Best Practices

Successfully implementing employee security policies requires strategic planning and ongoing management. Consider these practices:

Regular Policy Review – Periodically assess your security policies against evolving threats, regulatory changes, and organisational needs. Update policies proactively rather than reactively in response to incidents.

Clear Communication – Ensure all employees understand security policies through multiple communication channels. Use your PLMS to make policies accessible and track employee awareness.

Consistent Enforcement – Apply disciplinary processes uniformly across your organisation. Inconsistent enforcement creates a perception of unfairness and reduces policy effectiveness.

Training Reinforcement – Security training should not be a one-time onboarding event. Incorporate regular security awareness refreshers into your learning program.

Incident Documentation – Maintain detailed records of security incidents, investigations, and disciplinary actions. This documentation supports future decision-making and provides evidence of organisational diligence.

Leveraging Support Resources

If you require assistance implementing or refining your employee security policies, Acorn offers comprehensive support. You can access our Help Center and Acorn Academy for resources, tutorials, and guides related to policy management and PLMS administration. Support is available 24/7 via email at support@acorn.works for inquiries and technical questions.

During implementation, you have direct access to a dedicated Customer Success Officer who can advise on security policy configuration and best practices for your organisation. For real-time collaboration, you can establish a dedicated Teams chat for quick communication with the Acorn support team.

Consider the optional Technical Account Manager (TAM) service for ongoing strategic guidance on security framework optimisation, quarterly business reviews aligned to security metrics, and benchmarked insights comparing your security practices against industry standards. The TAM provides goal-setting sessions and system architecture recommendations tailored to your organisation's security requirements.

Conclusion

Robust employee security policies protect your organisation's information assets while establishing clear expectations for personnel conduct. By implementing confidentiality agreements, acceptable use policies, security training, and disciplinary processes within Acorn PLMS, you create a comprehensive framework that promotes security awareness and accountability across your entire workforce.

Physical Security Controls

Physical security controls form the foundation of your organisation's overall security posture. These controls protect your facilities, personnel, and sensitive assets by managing access, monitoring activity, and establishing secure work environments. Acorn PLMS enables you to document, train, and manage your physical security protocols effectively.

Understanding Physical Security Controls

Physical security controls encompass multiple layers of protection designed to prevent unauthorised access and mitigate security risks. Your organisation likely employs several complementary control types to create a comprehensive security framework.

Badge Access Systems control entry to facilities and restricted areas through credential-based authentication. These systems create audit trails of personnel movement and ensure only authorised individuals access sensitive zones.

Security Guards provide active monitoring and response capabilities, managing access points, patrolling facilities, and responding to security incidents in real time.

Locks and Physical Barriers create the foundation of access control, from traditional mechanical locks to advanced electronic locking systems that integrate with your broader security infrastructure.

Cameras and Video Surveillance monitor activity in key areas, providing both deterrent value and evidence collection capabilities for security investigations.

Alarm Systems detect unauthorised entry attempts, environmental hazards, or suspicious activity, alerting security personnel and emergency services when necessary.

Secure Work Areas designate spaces where sensitive activities occur, combining multiple control types to restrict access and protect confidential information.

Managing Security Documentation with Acorn PLMS

Your organisation can leverage Acorn's comprehensive document management capabilities to centralise and maintain all physical security documentation.

Acorn includes a data repository within the Acorn Catalog where you can store security policies, procedures, and related materials. All documents in the catalog benefit from version control, ensuring you always reference the current security protocols. This prevents confusion arising from outdated procedures and maintains consistency across your organisation.

You are not limited by file storage constraints. Acorn supports unlimited file storage, allowing you to maintain comprehensive security documentation including:

  • Physical security policies and procedures
  • Badge access protocols and credential management guidelines
  • Security guard duty schedules and incident reporting procedures
  • Lock maintenance and key control documentation
  • Camera placement diagrams and surveillance protocols
  • Alarm system documentation and emergency procedures
  • Secure work area access logs and restricted material handling procedures

Training Personnel on Physical Security Controls

Effective physical security depends on personnel understanding and following established procedures. Acorn PLMS provides multiple training delivery methods to ensure your team receives proper instruction.

Assessments allow you to verify that personnel understand physical security requirements before granting access to restricted areas. You can create scenario-based assessments testing knowledge of badge access procedures, alarm response protocols, or secure area entry requirements.

External Learning Functionality enables you to integrate physical security training from external providers into your learning management system. Many organisations supplement internal training with specialist security vendor courses on topics like CCTV operation, access control system administration, or emergency response procedures.

Momentum Product Integration offers additional options for delivering comprehensive security training and managing certification demonstration videos or other multimedia security content. You can attach employee records and store certification videos without file size limitations, creating a complete training and compliance record for each team member.

Your organisation can track which personnel have completed required physical security training, verify their understanding through assessments, and maintain audit trails demonstrating compliance with security training requirements.

Documenting Security Certifications and Competencies

Many physical security roles require formal certifications—such as security guard licenses, access control system administration credentials, or emergency response certifications. Acorn PLMS provides robust document management capabilities for storing these certifications alongside employee records.

You can attach multiple file types including PDF certificates, demonstration videos, training records, and renewal documentation. The system maintains complete version history, allowing you to track certification updates and renewal dates. This centralised approach eliminates the risk of lost certifications and simplifies compliance verification during audits.

Accessing Support Resources

Acorn provides comprehensive online support documentation and training resources to help you implement and maintain physical security documentation within the system. Standard support includes access to these materials, helping your administrators configure document repositories, set up training courses, and establish assessment protocols for your physical security program.

Best Practices for Physical Security Documentation

When implementing physical security controls documentation in Acorn PLMS, consider these practical approaches:

Organise by Control Type: Create separate course or document sections for badge access, guard procedures, lock systems, surveillance, alarms, and secure areas. This structure makes content easy to locate and update.

Version Control Your Procedures: Leverage Acorn's version control capabilities whenever security procedures change. Ensure all personnel receive updated training on modified protocols.

Combine Documentation and Training: Use Acorn to both document your physical security controls and provide mandatory training. Link assessments to documentation so personnel verify understanding of actual procedures.

Maintain Certification Records: Store all security-related certifications and credentials in employee records. Use Acorn's unlimited file storage to maintain complete audit trails.

Create Scenario-Based Assessments: Develop assessments reflecting real security situations your organisation faces, from badge access errors to alarm response procedures.

By centralising physical security documentation, training, and certification management within Acorn PLMS, your organisation ensures all personnel understand and follow security protocols while maintaining comprehensive compliance records.

Removable Media & Device Policies

Removable media and portable devices represent a significant security risk to your organization. Uncontrolled access to USB drives, external hard drives, and other removable storage can lead to unauthorized data exfiltration, malware introduction, and compliance violations. Acorn PLMS provides integrated capabilities to help you establish, enforce, and monitor comprehensive removable media policies across your organization.

Understanding Removable Media Risks

Removable media presents multiple attack vectors that can compromise organizational security. USB drives and external storage devices can be lost, stolen, or deliberately misused to extract sensitive information. Additionally, removable media from unknown sources can introduce malware and other threats into your network infrastructure.

Your organization's removable media policy should address these risks through a combination of technical controls, user training, and enforcement mechanisms. Acorn PLMS enables you to implement these controls systematically across your personnel and devices.

Implementing USB and Removable Media Restrictions

Acorn PLMS supports enforcement of USB and removable media restrictions through multiple methods:

Policy Definition

You can define granular policies that specify which users, roles, or departments are permitted to use removable media. Your policies should clearly indicate whether removable media is prohibited entirely, restricted to authorized devices only, or permitted with specific approval workflows.

When establishing these policies, consider your organization's operational requirements. Some departments may require removable media access for legitimate business purposes, while others can operate entirely without it. Your policy should reflect this differentiation and be regularly reviewed for continued applicability.

Device-Level Enforcement

Your organization can configure endpoint controls to enforce removable media restrictions at the device level. These controls can block access to USB ports, disable optical drives, or otherwise limit physical connections that could facilitate unauthorized data transfer.

Implementing device-level restrictions requires careful coordination with your IT operations team to ensure that legitimate business processes are not disrupted. You should maintain documentation of any exceptions and the business justification supporting them.

Mobile Device Management (MDM) Integration

Acorn PLMS integrates with your organization's Mobile Device Management (MDM) solutions to extend removable media policies to mobile devices and tablets. This integration ensures consistent security posture across all device categories.

MDM Enrollment and Policy Application

Your MDM system can enforce policies that restrict removable media access on enrolled mobile devices. You should ensure that all mobile devices used for business purposes are enrolled in your MDM solution before granting access to sensitive data.

Through MDM integration, you can:

  • Disable file-sharing capabilities that circumvent removable media restrictions
  • Control cloud storage integration that could replicate the risks of removable media
  • Monitor and log all file transfer activities on managed devices
  • Remotely enforce policy updates across your mobile device fleet

Monitoring and Compliance Verification

You can use Acorn PLMS reporting capabilities to verify MDM policy compliance across your device fleet. Regular compliance reports help you identify devices that are non-compliant with removable media policies and take corrective action.

Your organization should establish a regular audit schedule to review MDM policy compliance and address any gaps identified through reporting.

Secure Media Disposal Procedures

When removable media reaches end-of-life or must be repurposed, proper disposal is essential to prevent data recovery. Your organization should establish documented procedures for secure media disposal.

Decommissioning Process

Before any removable media leaves your organization's control, you must ensure complete data destruction. Acorn PLMS can track media lifecycle events, including when devices are marked for disposal.

Your decommissioning process should include:

  • Data Sanitization: Use certified data destruction tools that meet or exceed NIST SP 800-88 guidelines for your target media type. Verify that sanitization was successful through documented evidence.
  • Physical Destruction: For highly sensitive data or media that cannot be reliably sanitized, physical destruction is the most secure option. You should use certified destruction services and retain certificates of destruction.
  • Inventory Tracking: Maintain detailed records of all media destroyed, including serial numbers, destruction method, and date of destruction.

Documentation and Compliance

You should document all media disposal activities within Acorn PLMS or your connected systems to provide evidence of compliance with data protection regulations. This documentation supports audit requirements and demonstrates due diligence in protecting sensitive data.

Future Enhancements and Planning

Acorn PLMS is continuously evolving to address emerging security threats and new device categories. Your organization can access the Acorn product roadmap to understand planned enhancements to removable media and device policy capabilities. The quarterly product roadmaps and patch notes provide visibility into upcoming innovations, allowing you to align your security strategy with platform evolution.

By staying informed about product roadmap updates, you can proactively plan for enhanced capabilities and ensure your organization maximizes the value of your Acorn PLMS investment.

Best Practices for Removable Media Policy

Effective removable media policies require more than technical controls. You should combine enforcement with clear communication and regular training.

  • Clear Communication: Ensure all personnel understand your organization's removable media policy and the security rationale behind it.
  • Regular Training: Include removable media security in your organization's security awareness training programs.
  • Exception Management: Establish a formal process for requesting and approving removable media exceptions based on documented business need.
  • Periodic Review: Review your removable media policy at least annually and update it based on changes in organizational structure, technology, and threat landscape.
  • Incident Response: Include removable media violations in your incident response procedures and investigate policy violations promptly.

By implementing comprehensive removable media policies within Acorn PLMS, your organization significantly reduces the risk of unauthorized data access and strengthens your overall security posture.

Staff Access & Provisioning

Effective access provisioning is critical to maintaining security and compliance in your organisation. Acorn PLMS supports a structured approach to managing internal staff access and vendor personnel permissions, ensuring that users have only the permissions necessary to perform their roles.

Overview of Access Provisioning

Access provisioning in Acorn PLMS is built on core security principles designed to protect sensitive data and maintain operational integrity. Your organisation can implement controls that align with industry standards and regulatory requirements. By establishing clear provisioning workflows, you reduce the risk of unauthorised access and ensure accountability across all user accounts.

Least-Privilege Principle

The least-privilege principle is fundamental to secure access management. This approach ensures that each user—whether internal staff or vendor personnel—receives only the minimum permissions required to complete their assigned tasks.

When provisioning access in Acorn PLMS, you should:

  • Define role-based permissions specific to job functions. Rather than granting broad administrative access, assign granular permissions tied to defined roles.
  • Limit data visibility to only the information users need. Sales staff may need different data access than compliance teams or operations personnel.
  • Restrict system actions based on role requirements. For example, data entry staff may read and write records, but only administrators can modify system configurations.
  • Document permission rationales to maintain clarity on why each user has their assigned access level.

Regularly reviewing and adjusting permissions ensures they remain appropriate as roles evolve and staff responsibilities change.

Separation of Duties for Vendor Personnel

When working with external vendors or contractors, separation of duties prevents conflicts of interest and reduces fraud risk. Acorn PLMS supports structured access controls that enforce these separation principles.

Key considerations include:

  • Segregate incompatible functions between vendors. A vendor managing data entry should not also approve or verify that data. Similarly, an external auditor should not have access to systems they are auditing.
  • Limit vendor access to systems and data essential for their contracted services only. Avoid granting access to modules, records, or functions outside the scope of their engagement.
  • Establish access duration controls so vendor access automatically expires when contracts end or roles change.
  • Maintain audit trails showing all vendor actions in the system. This transparency supports compliance reviews and accountability.
  • Use distinct vendor accounts rather than sharing credentials. Each vendor representative should have an individual account linked to their organisation and role.

Internal Staff Access Provisioning

Provisioning access for internal staff requires a systematic approach that balances security with operational efficiency.

Onboarding Process

When new staff join your organisation, follow these provisioning steps:

  1. Identify the role and associated permission requirements based on the position description.
  2. Request approval from the appropriate manager or access control administrator.
  3. Create the user account in Acorn PLMS with role-based permissions aligned to their job function.
  4. Provide access credentials securely and ensure the user completes any required training.
  5. Document the provisioning decision and approval for compliance records.

Role Management

Maintain clear role definitions within Acorn PLMS. Roles should align with your organisational structure and reflect the actual permissions needed. Common roles might include:

  • Data Entry Operators: Create and update records within assigned modules.
  • Reviewers/Approvers: Access and approve workflows, reports, and submissions.
  • Administrators: Manage user accounts, system configuration, and compliance settings.
  • Auditors: Access read-only views of data and audit logs for compliance review.
  • Managers: View performance data and reports for their teams while respecting privacy boundaries.

Each role should have clearly defined permissions that you regularly audit and adjust.

Access Review Cycles

Regular access reviews are essential to maintaining a secure environment. You should conduct access reviews at defined intervals—typically annually or semi-annually—and more frequently if your organisation experiences significant changes.

Conducting an Access Review

  1. Generate an access report from Acorn PLMS showing all active user accounts, their assigned roles, and associated permissions.
  2. Distribute the report to department managers and supervisors for validation.
  3. Verify each user's access is still appropriate for their current role. Check for:
       • Staff who have changed positions and may require different access.
       • Employees who have left the organisation and whose accounts should be deactivated.
       • Vendor accounts that have expired or are no longer needed.
  4. Document findings and request corrections or updates.
  5. Remove excess permissions or deactivate accounts that are no longer justified.
  6. Obtain sign-off from managers confirming the review is complete and accurate.
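
The verification step above can be partly automated by comparing an access report with the HR roster. The following is an added example, not Acorn PLMS functionality or code from Acorn: the CSV column names, role labels, usernames and dates are constructed assumptions, not an Acorn PLMS export format. It also flags accounts that hold incompatible roles, as described under Separation of Duties for Vendor Personnel.

```python
import csv
from datetime import date

# Constructed sample data; the columns are assumptions, not an Acorn PLMS export.
ACCESS_REPORT = """\
username,account_type,roles,status,expires
asmith,staff,Data Entry Operator,active,
bjones,staff,Administrator,active,
cwu,staff,Reviewer/Approver,active,
v-lee,vendor,Data Entry Operator;Reviewer/Approver,active,2030-01-31
v-kim,vendor,Auditor,active,2024-06-30
"""
HR_ROSTER = """\
username,employment_status,expected_role
asmith,employed,Data Entry Operator
bjones,departed,
cwu,employed,Auditor
"""
# Role pairs that one account must not hold together (separation of duties).
INCOMPATIBLE = [{"Data Entry Operator", "Reviewer/Approver"}]

def review_access(access_csv, roster_csv, today):
    """Return sorted (username, finding) pairs for accounts needing correction."""
    roster = {r["username"]: r for r in csv.DictReader(roster_csv.splitlines())}
    findings = []
    for acct in csv.DictReader(access_csv.splitlines()):
        if acct["status"] != "active":
            continue
        user = acct["username"]
        roles = set(filter(None, acct["roles"].split(";")))
        if acct["account_type"] == "vendor":
            # Vendor access must carry an end date and must not outlive it.
            if not acct["expires"]:
                findings.append((user, "vendor account has no expiry"))
            elif date.fromisoformat(acct["expires"]) < today:
                findings.append((user, "vendor access expired"))
        else:
            hr = roster.get(user)
            if hr is None or hr["employment_status"] != "employed":
                findings.append((user, "no current employment record"))
            elif roles != {hr["expected_role"]}:
                findings.append((user, "roles differ from current position"))
        if any(pair <= roles for pair in INCOMPATIBLE):
            findings.append((user, "holds incompatible roles"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(ACCESS_REPORT, HR_ROSTER, date(2025, 1, 15)):
        print(f"{user}: {finding}")
```

Each finding still goes to the responsible manager for validation and sign-off; the script only narrows the list of accounts that need a decision.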

Offboarding Process

When staff depart, immediately disable their access:

  • Revoke all system credentials and permissions in Acorn PLMS.
  • Reassign or archive any active workflows or tasks they owned.
  • Review their recent actions for any outstanding compliance issues.
  • Document the offboarding date and reason for access removal.
  • Retain audit logs for the required compliance period.

Vendor Access Deprovisioning

When vendor relationships end, promptly remove access:

  • Disable all vendor user accounts immediately upon contract termination or project completion.
  • Conduct a final audit of vendor actions to ensure no unauthorised changes were made.
  • Document the deprovisioning date and verify all vendor data access is terminated.
  • Maintain records for the compliance period required by your industry.

Best Practices for Ongoing Access Management

  • Automate where possible to reduce manual errors in provisioning and deprovisioning.
  • Train managers and administrators on least-privilege principles and separation of duties.
  • Monitor access logs regularly to identify unusual activity or policy violations.
  • Maintain detailed documentation of all access decisions and reviews for audit purposes.
  • Communicate policy changes clearly to all staff and vendors affected by new access controls.

By implementing structured access provisioning with regular review cycles, your organisation strengthens security, demonstrates compliance, and maintains user accountability in Acorn PLMS.

Personnel & Physical Security: Subcategory 29.6

Understanding Compliance and Data Protection Requirements

When evaluating learning management systems for your organisation, security and compliance form the foundation of any responsible implementation. Subcategory 29.6 within Personnel & Physical Security focuses on ensuring that your platform vendor meets stringent data protection standards, maintains transparent security practices, and supports your institution's risk assessment frameworks.

Acorn PLMS is designed with these principles at its core. Your organisation can rely on Acorn's commitment to security certifications, compliant infrastructure deployment, and comprehensive vendor assessment support.

FedRAMP Compliance and Data Storage

One of your primary concerns when selecting a learning management system should be where sensitive data resides and how it is protected. Acorn PLMS addresses this through its deployment model using AWS services.

Your organisation's Sensitive Personally Identifiable Information (SSI) can be securely saved on US FedRAMP certified servers. Acorn deploys customer instances of its platform using AWS services located in your customer's local jurisdiction, ensuring full compliance with FedRAMP requirements. This means your data remains protected under rigorous federal standards while remaining accessible within your geographic region.

FedRAMP certification provides assurance that your data handling practices meet or exceed government-level security requirements. You can reference the complete scope of FedRAMP-compliant AWS services at https://aws.amazon.com/compliance/services-in-scope/FedRAMP/.

Vendor Assessment and HECVAT Framework

Your institution likely maintains a security or risk assessment program that requires careful evaluation of third-party vendors. Acorn supports this process through alignment with established vendor assessment frameworks.

The HECVAT (Higher Education Community Vendor Assessment Tool) Analyst Reference guide serves as an essential resource for your assessment team. You can use this reference guide to evaluate vendor responses in relation to your institution's specific environment. The context of HECVAT questions can vary depending on implementation specifics unique to your organisation, so the recommendations and follow-up response templates provided are designed to improve your assessment and reporting capabilities without being prescriptive.

This flexible approach recognises that security requirements differ across institutions. Your team has the flexibility to adapt these guidelines to your particular risk tolerance, compliance obligations, and operational needs. By using Acorn's support materials alongside the HECVAT framework, you strengthen your vendor selection process and create more comprehensive security documentation.

Session Recording and Data Archiving

Beyond data storage, your organisation may need to record and archive live learning sessions for compliance, accessibility, or reference purposes. Acorn PLMS supports the addition of video recordings of live sessions as video activities within a session.

This capability enables on-demand access for participants who cannot attend live sessions and provides archiving for future reference. Your organisation can maintain a complete record of training delivery, support regulatory requirements that demand documentation of personnel training, and offer flexibility to learners across different schedules and time zones.

Long-term Reliability and Partnership Stability

When evaluating any platform, your organisation should consider vendor stability and customer satisfaction as indicators of long-term viability. Acorn has maintained a 98% retention rate dating back to its inception in 2014. This metric reflects consistent customer satisfaction and platform reliability over a decade of operation.

Your investment in Acorn PLMS benefits from a vendor whose day-one clients have remained engaged partners. This retention rate demonstrates that Acorn continues to meet evolving security, compliance, and functional requirements across its customer base.

Reference Customers and Industry-Specific Experience

Your organisation may operate in specialised sectors with unique compliance and training requirements. Acorn can provide reference customers in manufacturing and food production verticals, offering peer perspectives on platform implementation in regulated industries.

These references include organisations such as the International Food Protection Training Institute (IFPTI), Virginia Cooperative Extension (focused on agriculture and natural resources), and the Federation of Virginia Food Banks alongside their partnered network of eight food banks across Virginia. Speaking with peers in your industry provides valuable insight into how Acorn PLMS performs under sector-specific pressures and compliance demands.

Implementation Considerations for Your Organisation

As you evaluate Subcategory 29.6 requirements within your Personnel & Physical Security framework, prioritise:

  • Data location and certification: Confirm that your SSI storage aligns with your jurisdiction and compliance requirements through FedRAMP certification
  • Vendor assessment processes: Leverage the HECVAT framework and Acorn's supporting materials to conduct thorough security evaluations
  • Session and training documentation: Utilise recording and archiving capabilities to maintain compliance records and support learner accessibility
  • Vendor stability: Evaluate long-term platform viability and customer satisfaction metrics
  • Industry alignment: Connect with reference customers in your sector to validate platform suitability

Next Steps

Your organisation can strengthen its Personnel & Physical Security posture by aligning platform selection with these principles. Acorn PLMS's approach to compliance, data protection, and transparent vendor assessment supports your institutional security objectives. Engage with Acorn's team to discuss your specific compliance requirements, review reference customer experiences, and confirm deployment options that meet your jurisdiction's standards.