
Secure Development & Change Management

Everything you need to know about Secure Development & Change Management in Acorn PLMS.

Change Management Process

A robust change management process is essential for maintaining system stability, security, and compliance within Acorn PLMS. This article guides you through implementing structured procedures that protect your organization's data and learning environment while ensuring all stakeholders remain informed of critical updates.

Change management in Acorn PLMS encompasses all modifications to your system configuration, data structures, integrations, and operational procedures. Your organization must establish formal processes that govern how changes are proposed, evaluated, tested, and deployed. This systematic approach minimizes disruptions, reduces security risks, and maintains data integrity throughout your learning environment.

Why Change Management Matters

Without structured change management, your organization risks introducing security vulnerabilities, causing unintended data loss, or disrupting critical learning operations. By implementing the procedures outlined in this guide, you can control risk exposure and maintain compliance with data protection regulations.

Authorization and Approval Workflows

Every change to your Acorn PLMS environment must follow your organization's authorization procedures. Your change management process should define clear approval hierarchies and decision-making criteria.

Establishing Authority Levels

You should define different authorization levels based on change scope and risk. Minor configuration adjustments may require approval from a single administrator, while major system modifications might demand review from your IT leadership, security team, and compliance officers. Document these authority levels clearly so all stakeholders understand who holds approval responsibility for each change category.

Documentation Requirements

Your authorization process must include comprehensive documentation of each change request. You should record the change description, business justification, proposed implementation date, affected systems or users, estimated duration, and rollback procedures. This documentation creates an audit trail and ensures decision-makers have sufficient information to approve or reject changes confidently.

Impact Analysis

Before implementing any change, you must conduct a thorough impact analysis to identify potential consequences across your Acorn PLMS environment.

Scope Assessment

Your impact analysis should identify which system components, user groups, data sets, and integrations the change will affect. Consider both direct impacts (immediate effects on targeted systems) and indirect impacts (ripple effects on dependent systems or processes). You should document how the change might affect user workflows, data access permissions, reporting accuracy, and third-party integrations.

Risk Evaluation

Assess the risks associated with your proposed change. You must evaluate the potential for data loss, security exposure, performance degradation, user disruption, or compliance violations. Your organization should classify changes by risk level—low, medium, or high—based on scope, criticality, and complexity. Higher-risk changes warrant more extensive testing and validation before deployment.

Testing and Validation Procedures

Comprehensive testing is non-negotiable before deploying changes to your production Acorn PLMS environment. Your testing strategy should validate functionality while ensuring no unintended consequences occur.

Test Environment Setup

You should conduct all testing in a dedicated environment that mirrors your production configuration. This staging environment must contain representative data sets without exposing live user information. Test your changes thoroughly in this isolated environment before any production deployment.

Functional Testing

Your testing procedures should verify that the change performs its intended function correctly. You should test the specific features or configurations being modified, ensuring they operate as designed. Additionally, you must test related features and workflows to confirm the change doesn't introduce unexpected behaviors.

Regression Testing

You should execute regression tests to verify that your changes don't break existing functionality. Test critical user workflows, reporting functions, data exports, user authentication, and any features dependent on the modified components. Your organization should maintain a regression test checklist specific to Acorn PLMS to ensure consistent testing coverage across all changes.

Performance and Security Testing

If your change affects system performance, database queries, or integration endpoints, you must conduct performance testing under realistic load conditions. For changes involving access controls, authentication, or data handling, you should include security testing to confirm no vulnerabilities are introduced.

Validation and Sign-Off

Once testing is complete, you must obtain formal validation that the change is ready for production deployment.

Stakeholder Review

Your validation process should include review by representatives from affected departments—training teams, administrators, compliance officers, and technical staff. You should gather feedback from stakeholders who understand how the change impacts day-to-day operations and compliance requirements.

Documentation of Results

You must document all test results, including passed tests, failed tests (and their resolutions), performance metrics, and security assessments. This documentation demonstrates that the change has been properly evaluated and approved before production release.

Emergency Changes

Your organization must establish expedited procedures for emergency changes required to address critical security vulnerabilities, data protection incidents, or urgent system failures.

Emergency Authorization

You should define emergency change procedures that allow rapid approval when standard timelines are impractical. Designate authorized personnel who can approve emergency changes and establish clear criteria defining what qualifies as an emergency. Document all emergency changes with the same rigor as standard changes, even though approval cycles are accelerated.

Rapid Testing Requirements

While emergency changes may bypass some standard testing phases, you should never skip security validation or basic functional testing. Your emergency procedures should specify minimum acceptable testing before production deployment and establish clear ownership for emergency change responsibility.

Client Notification of Major Changes

When your organization implements changes that affect end users, trainers, or administrators, you must provide timely notification with sufficient detail to prepare stakeholders.

Notification Timing

You should communicate major changes well in advance—typically at least one week before deployment. Your notification should explain what is changing, why the change is necessary, how it affects users, and what users need to do differently. Include specific information about any new features, modified workflows, or changed access procedures.

Multi-Channel Communication

Your notification strategy should use multiple communication channels: system announcements within Acorn PLMS, email notifications, documentation updates, and training materials. You should ensure notifications reach all affected users, including administrators, trainers, learners, and system integrators.

Support and Documentation

You must provide comprehensive support resources for users adapting to major changes. Update user guides, create quick-reference materials, record video tutorials if appropriate, and ensure your support team is prepared to answer questions about the new or modified functionality.

Maintaining Change Records

Your organization should maintain a complete change log documenting all modifications to your Acorn PLMS environment. You should record change dates, descriptions, approval information, test results, and deployment details. This historical record supports compliance audits, troubleshooting investigations, and capacity planning decisions.

By implementing structured change management procedures aligned with these guidelines, your organization protects system stability, maintains data security, ensures regulatory compliance, and keeps stakeholders informed throughout your Acorn PLMS journey.

Patch Management: Severity-Based SLAs for Patching, Dependency Updates, and Security Fix Timelines

Overview of Patch Management in Acorn PLMS

Patch management is a critical component of secure development and change management. Your organisation must establish clear Service Level Agreements (SLAs) that define response and remediation timelines based on patch severity. Acorn PLMS provides the framework to manage patches, dependency updates, and security fixes while maintaining compliance with your data governance obligations.

Severity-based SLAs ensure that critical security vulnerabilities receive immediate attention, while lower-severity patches follow more measured deployment schedules. This approach balances security urgency with operational stability.

Severity Classification and SLA Timelines

Understanding Severity Levels

Patch severity typically follows industry standards:

  • Critical: Actively exploited vulnerabilities affecting system availability or data security. These require immediate remediation, typically within hours of availability.
  • High: Significant vulnerabilities with substantial impact but not yet widely exploited. SLAs typically mandate remediation within days.
  • Medium: Moderate vulnerabilities with limited exploitability. Remediation windows typically span 1–2 weeks.
  • Low: Minor vulnerabilities with minimal operational impact. These can be bundled into regular maintenance cycles.

Your organisation should define specific SLA timelines aligned with your risk tolerance and operational capacity. Acorn PLMS allows you to document these timelines clearly so all stakeholders understand expected response times.

Data Retention and Patch Documentation

Record Keeping Requirements

When managing patches, your organisation must maintain comprehensive records of all patch activities for compliance and audit purposes. Acorn PLMS supports this requirement through structured data retention policies.

All data within Acorn is retained for a period of 7 years, ensuring that your patch history, dependency updates, and security fix timelines remain available for regulatory audits or forensic analysis. This retention period applies regardless of whether users or systems remain active within your environment.

This long-term retention is particularly important for organisations subject to regulatory audits or those that must demonstrate years of archived compliance data. Your patch records become part of your institutional audit trail, protecting your organisation in case of future security incidents or compliance investigations.

Archival and Backup Security

Patch management records, like all data in Acorn PLMS, benefit from robust security controls:

  • Encryption: Backups and archived patch records are secured using encryption, protecting data from unauthorised access or tampering.
  • Access Control: AWS Identity and Access Management (IAM) restricts who can read, write, or delete patch records and related backups.
  • Key Management: Encryption keys are managed by AWS Key Management Service (KMS), ensuring only authorised users and roles can perform operations on sensitive patch data.
  • Geographic Redundancy: Data is stored across different regions and availability zones, increasing redundancy and resilience in case of disaster.

These security measures ensure your patch management records remain confidential and tamper-proof throughout their 7-year retention period.

Managing Patch Timelines and Dependencies

Establishing Effective SLAs

Your organisation should establish clear SLAs that specify:

  • Time-to-acknowledge: How quickly your team acknowledges receipt of a patch notification.
  • Time-to-assess: How long your team has to evaluate patch severity and impact on your systems.
  • Time-to-deploy: Target deployment windows based on severity classification.
  • Dependency considerations: How dependent updates affect deployment timelines.

Dependency updates require special consideration. A critical security patch for a lower-level library may trigger cascading dependency updates throughout your application stack. Your SLAs should account for testing time required to validate that dependency updates do not introduce regressions or compatibility issues.

Coordinating Security Fixes Across Your Organisation

Security fixes often require coordination across multiple teams—development, quality assurance, operations, and security. Document your patch management workflow in Acorn PLMS to ensure:

  • Clear ownership for each patch severity level
  • Defined escalation paths when SLA timelines are at risk
  • Coordination requirements between teams for complex patches
  • Communication protocols for informing stakeholders of patch status
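
The SLA phases listed under "Establishing Effective SLAs" (time-to-acknowledge, time-to-assess, time-to-deploy, dependency considerations) and the escalation paths called for above can be checked mechanically. The following is an added example, not Acorn's own code: a small tracker that, given constructed patch records, computes each phase's due time from the severity, budgets regression testing for cascading dependency updates inside the deploy window, and reports which patches are on track, need escalation, or have breached. The concrete SLA hours, the 8-hour per-dependency validation budget, the 75% escalation threshold and the record field names are all assumptions chosen for the example; the page only gives ranges (critical within hours, high within days, medium 1–2 weeks, low bundled into maintenance).

```python
"""Severity-based patch SLA tracker (added example, not Acorn PLMS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed SLA windows in hours per phase and severity. The source only gives
# ranges, so these concrete numbers are an assumption for the example.
SLA_HOURS = {
    "critical": {"acknowledge": 1,  "assess": 4,   "deploy": 24},
    "high":     {"acknowledge": 8,  "assess": 24,  "deploy": 72},
    "medium":   {"acknowledge": 24, "assess": 120, "deploy": 336},
    "low":      {"acknowledge": 72, "assess": 336, "deploy": 720},
}
DEP_VALIDATION_HOURS = 8      # assumed regression-testing budget per dependent component
ESCALATION_THRESHOLD = 0.75   # assumed fraction of the deploy window before escalation


@dataclass
class PatchRecord:
    patch_id: str
    severity: str
    published_at: datetime
    acknowledged_at: Optional[datetime] = None
    assessed_at: Optional[datetime] = None
    deployed_at: Optional[datetime] = None
    # Dependent components that must be re-validated because of cascading updates.
    cascading_deps: tuple = ()


def _breached(done_at: Optional[datetime], due: datetime, now: datetime) -> bool:
    """A phase is breached if it finished late, or is still open past its due time."""
    return done_at > due if done_at is not None else now > due


def evaluate(p: PatchRecord, now: datetime) -> dict:
    """Return due times, breached phases and an overall status for one patch."""
    sla = SLA_HOURS[p.severity]
    ack_due = p.published_at + timedelta(hours=sla["acknowledge"])
    assess_due = p.published_at + timedelta(hours=sla["assess"])
    deploy_due = p.published_at + timedelta(hours=sla["deploy"])
    # Dependency validation must fit inside the deploy window, so every extra
    # dependent component moves the latest safe start of validation earlier.
    validation = timedelta(hours=DEP_VALIDATION_HOURS * len(p.cascading_deps))
    latest_start = deploy_due - validation

    breaches = [
        phase for phase, done_at, due in (
            ("acknowledge", p.acknowledged_at, ack_due),
            ("assess", p.assessed_at, assess_due),
            ("deploy", p.deployed_at, deploy_due),
        )
        if _breached(done_at, due, now)
    ]

    if p.deployed_at is not None:
        status = "breached" if breaches else "met"
    elif now > deploy_due:
        status = "breached"
    else:
        elapsed = (now - p.published_at) / (deploy_due - p.published_at)
        if now > latest_start or elapsed >= ESCALATION_THRESHOLD:
            status = "escalate"   # SLA at risk: follow the defined escalation path
        else:
            status = "on_track"
    return {"patch_id": p.patch_id, "status": status, "breaches": breaches,
            "deploy_due": deploy_due, "latest_validation_start": latest_start}


def report(records, now: datetime) -> dict:
    """Map each patch id to its status, for a stakeholder status update."""
    return {p.patch_id: evaluate(p, now)["status"] for p in records}


# Constructed sample records (not real patches) and a fixed "now" for reproducibility.
T = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
NOW = T("2024-03-04T12:00")
SAMPLE_RECORDS = [
    PatchRecord("PATCH-CRIT-1", "critical", T("2024-03-04T00:00"),
                acknowledged_at=T("2024-03-04T00:30"), assessed_at=T("2024-03-04T03:00"),
                cascading_deps=("auth-service", "reporting")),
    PatchRecord("PATCH-HIGH-1", "high", T("2024-03-01T00:00"),
                acknowledged_at=T("2024-03-01T02:00"), assessed_at=T("2024-03-02T00:00"),
                deployed_at=T("2024-03-03T12:00")),
    PatchRecord("PATCH-MED-1", "medium", T("2024-02-10T00:00"),
                acknowledged_at=T("2024-02-10T10:00"), assessed_at=T("2024-02-14T00:00")),
    PatchRecord("PATCH-LOW-1", "low", T("2024-03-03T00:00")),
]

if __name__ == "__main__":
    for p in SAMPLE_RECORDS:
        r = evaluate(p, NOW)
        print(f"{r['patch_id']:<13} {r['status']:<9} breaches={r['breaches']} "
              f"deploy_due={r['deploy_due'].isoformat()}")
```

The critical patch in the sample is still inside its 24-hour deploy window, yet it is flagged for escalation because its two cascading dependency updates need 16 hours of validation that can no longer fit before the deadline; that is the dependency consideration the text describes, made visible before the SLA is actually missed.
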

Data Governance During Patch Cycles

Compliance and Data Handling

During patch management activities, your organisation must maintain compliance with data governance policies. Acorn PLMS includes a data access and deletion policy that applies to all operations, including those performed during patch deployment.

When patches are deployed to your Acorn PLMS environment, your organisation remains responsible for ensuring that:

  • Data subject rights (right to access, right to be forgotten) are respected
  • Data removal requests are processed according to your privacy commitments
  • Archived patch records do not inadvertently expose sensitive information

If your organisation has enabled a privacy policy option for end users, ensure that patch activities do not conflict with user privacy commitments. Acorn will assist your organisation within reason for data removal requests related to patch operations.

Transition Planning and Service Changes

Data Availability During Contract Changes

Understand how patch management records behave if your organisation's circumstances change:

  • Service continuation: Patch records and all related data remain archived within Acorn for the full 7-year retention period, regardless of user or system activity status.
  • Service cancellation: Upon contract expiration, all institutional data—including comprehensive patch histories—will be securely destroyed. However, data remains available within the system for the duration of the retention period if needed for transition planning or regulatory requirements.
  • Data return: Your organisation can request that patch management records and related data be returned at contract completion, allowing you to maintain independent archives.

These policies ensure your organisation retains audit-ready patch records throughout the lifecycle of your Acorn PLMS deployment.

Best Practices for Severity-Based Patch Management

  • Document your SLAs: Make severity classifications and response timelines explicit and visible to all teams.
  • Test patches before production deployment: Allocate time within your SLAs for validation, especially for dependency updates.
  • Maintain audit trails: Leverage Acorn PLMS's 7-year retention to build a comprehensive patch history for compliance.
  • Communicate clearly: Ensure all stakeholders understand which patches are critical and require immediate action.
  • Review and refine: Regularly assess whether your SLA timelines are realistic and achievable.

Quality Assurance & Testing in Secure Development

Quality assurance and testing are fundamental components of Acorn PLMS's secure development lifecycle. Your organisation can rely on comprehensive QA practices that extend beyond traditional software testing to encompass vendor management, compliance verification, and data protection protocols.

Understanding Your QA Framework

Acorn PLMS implements a layered approach to quality assurance that protects system integrity while maintaining rigorous security standards. This framework ensures that every component of the system—including third-party integrations and infrastructure services—meets your organisation's security and performance requirements before deployment.

The QA framework encompasses multiple testing layers: internal system testing, vendor control assessment, and compliance validation. Each layer is designed to identify potential risks to system integrity and address them before they affect your operations.

Vendor and Third-Party Assessment

Your organisation's data security depends significantly on how Acorn PLMS manages third-party relationships. Acorn conducts rigorous assessments of all vendors who may pose a risk to system integrity.

Vendor Access Controls

Acorn maintains strict limitations on third-party access to customer data. Except for Amazon Web Services (AWS), which provides essential hosting infrastructure, Acorn's contractors do not have direct access to your customer data. This segregation of access minimises exposure and reduces the attack surface available to external parties.

Backup vendors, hosting services, equipment support providers, and other third parties engaged by Acorn PLMS do not receive access to Veralto's data or other customer information. This policy ensures that data handling remains contained within your organisation and Acorn's controlled environment.

Control Review Process

When third-party involvement is necessary, Acorn reviews vendor controls to assess compliance with security standards. This assessment process examines internal controls and security measures, allowing your organisation to understand the risk profile of any vendor who interacts with your systems or data.

Third-Party Integration Management

Many organisations leverage third-party training and content providers to enhance their learning programmes. Acorn PLMS supports integration with partners such as LinkedIn Learning, Go1, Percipio, and Mind Tools while maintaining strict data protection protocols.

When you opt to incorporate third-party training content, Acorn's integration process includes specific data protection measures. Details on how your organisation's data is handled during these integrations are documented in Acorn's Privacy Policy third-party data protection guidance. Review these details before enabling third-party integrations to understand exactly how your data flows and what protections apply.

Data Confidentiality Standards

Acorn abides by strict standards of client data confidentiality. Third-party service providers must adhere to Acorn's rules and procedures, which prohibit selling, trading, or unauthorised disclosure of customer information. Your organisation retains full confidence that customer data is not leveraged for commercial purposes outside your control.

Compliance Assessment and HIPAA Considerations

For organisations operating in regulated industries, Acorn PLMS provides comprehensive compliance assessment capabilities. The HIPAA assessment framework (HIPAA-01 through HIPAA-29) evaluates vendor compliance with HIPAA Privacy and Security Rules and the HITECH Act.

HIPAA Assessment Scope

These assessment questions examine critical security and operational areas:

  • Workforce training and security awareness programmes
  • Regulatory monitoring and compliance tracking
  • Designation of security officers and compliance leadership
  • Risk analysis and vulnerability management
  • Risk mitigation and remediation procedures
  • Password and authentication requirements
  • Access controls and user management
  • Logging and audit trail capabilities
  • Backup and data retention policies
  • Disaster recovery and business continuity procedures
  • Business Associate Agreement (BAA) readiness
  • Subcontractor BAA requirements and enforcement

If your organisation operates under HIPAA obligations, consult your Chief HIPAA Security Officer or refer to HIPAA documentation to determine which assessment areas apply to your deployment.

Data Processing and Geographic Considerations

Acorn PLMS processes, transfers, and accesses customer data exclusively from Canada. This geographic limitation ensures consistent legal jurisdiction and simplifies compliance with privacy regulations. Your organisation can operate with confidence that data remains within predictable regulatory boundaries.

Best Practices for Your Organisation

Before deploying production systems, verify that all vendor assessments have been completed and documented. Request copies of vendor control assessments for third parties that will interact with your systems.

When integrating third-party training content, review Acorn's Privacy Policy third-party data protection documentation to understand data flow and protection mechanisms. Confirm that your organisation's data governance policies align with the integration approach.

For regulated industries, coordinate with your compliance and legal teams to confirm that HIPAA assessments (or equivalent frameworks) have been completed and that Business Associate Agreements are in place for all vendors handling protected information.

Maintain ongoing oversight by scheduling periodic reviews of vendor assessments. As your organisation's risk profile changes or new vendors are introduced, ensure that updated assessments are conducted and documented.

Summary

Acorn PLMS's quality assurance framework protects your organisation through strict vendor management, limited third-party data access, comprehensive compliance assessment, and clear data confidentiality standards. By understanding these QA practices and maintaining active oversight of third-party integrations, your organisation can deploy learning systems with confidence in their security posture.

Release Management & Roadmap

Accurate release management and a transparent roadmap are essential to your organisation's ability to plan system upgrades, manage change across your environment, and ensure continuity of service. Acorn PLMS provides a structured approach to versioning, support lifecycles, and secure product evolution.

Understanding Our Release Strategy

Acorn PLMS follows a disciplined release cadence designed to balance innovation with stability. Our release management process ensures that updates are delivered in a predictable manner, allowing your organisation to plan deployments without disruption to critical learning operations.

Each release includes security patches, performance improvements, and new functionality aligned with your organisation's evolving requirements. We communicate release dates, feature sets, and migration guidance well in advance, enabling your IT and learning teams to coordinate effectively.

Version Support Strategy

Our version support model ensures you receive timely security updates and bug fixes for your current deployment. Acorn PLMS maintains clearly documented support windows for each version, specifying when patches will be provided and when end-of-life occurs.

This approach allows your organisation to:

  • Plan upgrade paths based on your operational schedule
  • Maintain compatibility with your existing learning infrastructure
  • Ensure uninterrupted access to critical performance data and functionality
  • Receive security and compliance patches within defined timeframes

When planning your deployment timeline, consult the version support schedule to confirm the support duration for your target release. This ensures your organisation remains on a supported version and has adequate time to plan future upgrades.

Product Roadmap and Technology Direction

Acorn PLMS's product direction is shaped by customer needs, emerging learning technologies, and market best practices. Our roadmap outlines planned enhancements to the platform, including new capabilities, integrations, and performance optimisations.

The roadmap provides visibility into:

  • Planned feature development aligned with secure development practices
  • Technology modernisations that strengthen platform performance and security
  • Integration capabilities that extend Acorn PLMS functionality
  • Infrastructure improvements that enhance reliability and scalability

Your organisation can use this roadmap to align learning initiatives with planned platform capabilities, ensuring your investment in Acorn PLMS continues to meet long-term strategic objectives.

Data Handling and Compliance Across Releases

As Acorn PLMS evolves, our commitment to secure data handling remains constant. Your organisation's performance data, learner information, and configuration data are protected throughout all release cycles and platform changes.

Data Isolation and Privacy

Acorn PLMS maintains strict data isolation between clients. Your organisation's personal data is never commingled with data from other Acorn PLMS clients in cloud services. This architectural principle is maintained across all releases and updates, ensuring your data remains segregated and secure regardless of platform changes or version updates.

This isolation is a foundational design principle that protects your organisation's:

  • Learner personal information
  • Performance and assessment data
  • Custom configurations and learning pathways
  • Organisational reporting and analytics

International Data Transfer Compliance

If your organisation transfers or processes personal data across international borders—whether within your own organisation or through Acorn PLMS sub-contractors—Acorn PLMS implements appropriate compliance measures.

Acorn PLMS agrees to all requirements necessary for the lawful transfer of personal data outside the EU, UK, and Switzerland. This includes:

  • Acceptance of your organisation's Data Protection Addendum (DPA)
  • Implementation of Standard Contractual Clauses (SCCs) for international data transfers
  • Coordination with sub-contractors to ensure equivalent data protection standards
  • Documentation of transfer mechanisms and compliance protocols

These commitments ensure that as Acorn PLMS releases updates and evolves the platform, international compliance requirements are maintained and your organisation meets its own regulatory obligations.

Planning Your Organisation's Release Updates

When evaluating Acorn PLMS releases for your organisation, consider:

  1. Support Timeline: Verify the support window for your current version and plan upgrades accordingly to remain on supported releases.

  2. Feature Alignment: Review the product roadmap to ensure planned capabilities align with your learning and performance objectives.

  3. Data Security: Confirm that new releases maintain data isolation and comply with international data protection regulations relevant to your organisation.

  4. Deployment Planning: Coordinate with your IT team to schedule updates during low-impact periods and ensure testing environments are available.

  5. Compliance Verification: If your organisation processes personal data internationally, verify that new releases maintain appropriate data transfer mechanisms and contractual protections.

Staying Informed

Your organisation receives regular communication about upcoming releases, including feature summaries, upgrade paths, and any required configuration changes. This ensures your learning and IT teams can plan effectively and maintain continuity of service.

As Acorn PLMS continues to evolve, the core principles of secure data handling, version support clarity, and transparent roadmap communication remain central to our product strategy. This enables your organisation to confidently deploy updates while maintaining security, compliance, and operational continuity.

Contact your Acorn PLMS account manager or support team for specific questions about release timing, version support windows, or how upcoming features align with your organisation's strategic objectives.

Secure SDLC & Code Review

Acorn PLMS operates a formal, risk-based Information Security Management System (ISMS) aligned to the NIST Risk Management Framework (RMF). This structured approach ensures that security and privacy considerations are embedded throughout your organisation's use of the platform and Acorn's own development practices.

Risk-Based Security Governance

Acorn's security program is governed by clear accountability structures. The Board and Audit-Risk Committee provide strategic oversight, while the Chief Information Security Officer (CISO) manages day-to-day security governance. A dedicated Data Protection and Privacy Officer works alongside control owners and system owners to ensure that security decisions are informed by risk assessments and aligned to your organisation's threat landscape.

This governance model means that security isn't treated as an afterthought—it's integrated into the platform's architecture and operational procedures from the outset.

Threat Assessment and Risk Management

Acorn conducts formal threat and risk assessments on a per-system basis. These assessments identify potential vulnerabilities and security exposures across the platform's infrastructure and applications. Once threats are identified, appropriate controls are selected, implemented, and continuously monitored. All identified risks are tracked in a formal risk register under CISO governance, with clear treatment or acceptance decisions documented.

This systematic approach ensures that your organisation can understand the security posture of Acorn PLMS and how residual risks are being managed.

Security Standards and Policies

Acorn enforces security requirements through an enterprise Information Security Policy backed by a mapped suite of technical and operational standards, including:

  • Identity and Access Management (IAM): Controls over who can access the system and what they can do
  • Data Management and Classification: Policies governing how data is handled, stored, and protected based on sensitivity
  • Cryptography: Standards for encryption and key management
  • Cloud Configuration: Security hardening and baseline configurations for cloud infrastructure
  • Application Security and Secure SDLC: Requirements for secure coding, code review, and security testing practices
  • Operational Security: Controls for incident response, change management, and ongoing monitoring

These standards provide a structured framework for embedding security across development, deployment, and operations.

Secure Development Practices

Acorn's application security program includes periodic reviews of Secure Software Development Lifecycle (SSDLC) adherence. This means that code review, static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) are performed as part of the development process.

These practices help identify and remediate security defects before code is deployed to production, reducing the risk that vulnerabilities could be exploited in the live environment.

Continuous Monitoring and Assurance

Acorn maintains continuous visibility into security across the platform through centralised logging, detection systems, and cloud-native monitoring tools including AWS CloudTrail, Config, Security Hub, and Inspector. This real-time monitoring enables rapid detection of suspicious activities or configuration drift.

Assurance is reinforced through multiple channels:

  • Internal audits: Regular reviews of policies, procedures, and control effectiveness
  • Independent assessments: External security evaluations such as IRAP (Information Security Registered Assessors Program) and production verification testing
  • Compliance oversight: Security steering and audit committees that review findings and remediation progress

All identified issues are tracked to closure, ensuring accountability and continuous improvement.

Data Privacy and Protection

Acorn takes data privacy seriously. Your organisation's data will not be used in any form of AI training. When onboarding with Acorn, your organisation must agree to Acorn's current Privacy Policy. Acorn can enable privacy policy options within your tenancy for end users to accept when joining your instance; however, the content of those policies is your organisation's responsibility to define.

Acorn's privacy and data protection compliance is managed by a dedicated group comprising the CEO, CTO, and key infrastructure staff members. This team conducts annual audits of all privacy and data protection policies and procedures to ensure ongoing compliance.

All Acorn staff are required to complete annual privacy training and are bound by confidentiality obligations in their employment contracts and code of conduct. This ensures that personal data and sensitive information are treated with appropriate care by everyone who handles it.

Learning Content and Compliance

For topics like Information Security, Privacy, HIPAA, and HR compliance, Acorn has established preferred partnerships with leading content providers such as LinkedIn Learning, Go1, Percipio, and Mind Tools. During content discovery, Acorn identifies your organisation's topic and learning module preferences to recommend pre-built content that can be natively integrated into your Acorn instance. This allows your organisation to quickly stand up compliant, secure development training without building everything from scratch.

Regulatory Standing

Acorn PLMS has not been subject to any regulatory investigation, enforcement action, or litigation relating to the privacy or security aspects of its products or services. There is no pending or threatened regulatory enforcement or litigation concerning data privacy, information security, or security policy and compliance programs.

Next Steps

For detailed information about Acorn PLMS's privacy practices and compliance program, consult the Privacy Policy or visit the Compliance section of the Acorn website. For specific questions about privacy and data protection, contact Sam Garnett at sam.garnett@acorn.works.