This support is available to all ACLED team members. We encourage you to familiarize yourself with the new support resources available to you and don't hesitate to utilize them whenever needed. Marcum’s support is available 24x7 excluding the following US Federal Holidays:
New Year’s Day
Memorial Day
Independence Day
Labor Day
Veterans Day
Thanksgiving Day
Day after Thanksgiving
Christmas Day
Please see below for details on how to contact Marcum’s IT support team. Remember when sending an email to the IT HelpDesk (help@marcumtechnology.com), to please copy operations@acleddata.com.
The purpose of this set of IT policies is to outline the acceptable use of information technology assets and systems owned and provided by ACLED and prevent unauthorized access to ACLED information technology and systems.
Scope
Applies to all employees and personnel (staff members and vendors) in the organization with access to ACLED information systems.
Review Schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon a change to one of the following:
ACLED Information Security Policy
ACLED Information Security Standards
Other Policy, Standard, or Guideline related to this document
Definitions
Asset - Includes, but is not limited to:
Fixed computer equipment, e.g. servers, desktop computers;
Portable computer equipment, e.g. laptops, mobile phones, tablets, PDAs;
Storage Media, e.g. hard drives, USB storage devices, network attached storage;
Software, e.g. desktop business applications, operating system, administration software, utilities and tools;
Databases and other data stores;
Asset Management
Systematic process to guide the planning, acquisition, operation and maintenance, renewal and disposal of assets;
Asset Owner
ACLED employee, department or third party (or delegated IT function) that purchases IT Assets with ACLED funds and is responsible for ensuring the protection of, and the maintenance of a register of IT assets.
Asset Custodian
ACLED employee responsible for implementing appropriate protection and maintenance of IT Assets. This role is delegated by the Asset Owner to the Asset Custodian.
Asset User
An ACLED employee who is assigned an IT Asset to perform their job or role (this excludes users of shared IT assets).
Additional References
NIST SP 800-53A Rev. 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
Health Insurance Portability and Accountability Act: https://www.govinfo.gov/content/pkg/PLAW-104publ191/html/PLAW-104publ191.htm
Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
Introduction
The purpose of this policy is to prevent unauthorized access to ACLED information technology and systems. The policy describes the registration and de-registration process for all information technology and systems. It also describes the account naming conventions approved for use within these systems.
Scope
Applies to all employees and personnel in the organization with access to ACLED information systems.
Initial Security Orientation
Privileges of all associates and systems must be restricted based on the business need. This means that privileges will not be extended unless a legitimate business-oriented need for such privileges exists and that users will be granted the least privileges required. Access shall be granted based upon a unique user ID and password or other authentication item such as a token.
Requests for new User IDs and changed privileges must be approved by the responsible Head of Department and Chief or a designated alternate before the IT Helpdesk completes these requests. This will ensure the validity of the request and provide an audit trail of all changes to access.
Users must have their manager's approval for access to systems or applications. All access requests, and their authorizations (granted, denied, or modified), must be documented and retained until one year after the employee has left ACLED.
The Executive Director, Head of Operations, and a designated alternate are authorized to inform the IT Helpdesk to disable or re-enable security for an employee. The Executive Director, Head of Department, or a designated alternate will be responsible for reviewing and distributing a terminated employee’s system files.
A Head of Department, a designated alternate, or the Human Resource Manager shall promptly report all significant changes to employee(s) duties or employment status to the Operations Team. The Operations Team must promptly revoke all privileges no longer needed by the associate(s).
The system or application Information Owner is the approval authority for all access requests to their system or application. Access must not be granted to a system or application unless the Information Owner has approved access. The information owner will also be responsible for continued monitoring of data access and will be responsible for ensuring access is based upon a need to know.
User Account Maintenance
A Department Head / Chief, a designated alternate, or the Human Resource Manager shall promptly report all significant changes in a person’s duties or employment status to the Operations Team.
At least annually, each Information and System Owner will review the access that users have to their data and systems. User lists are to be checked for the proper entries, and all inappropriate accounts must be immediately deleted. Valid accounts will also be checked for the appropriate level of access.
Account Control Mechanisms
Automated access control mechanisms, where available, must be implemented to allow users access to only the data and functions required to perform their duties.
User Identification
A unique User ID will be assigned to each employee and used as an identifier on each system. Additional specifications of this requirement include:
Generic User IDs will be limited, and the purpose of their issuance will be documented. Privileges of these generic User IDs will be severely restricted. This means that extra measures will be taken to limit privileges, such as restrictions on the time of day the ID can be used, restriction of the User ID to a specific workstation, and a login expiration date.
Any shared accounts logging in to an ACLED system or network must be reviewed at least once annually to verify who has access to the shared account. Users of shared accounts will initially log in using a User ID that clearly indicates their identity. Whatever the operating system, logs must record all such changes of the current User ID. Exceptions may be made for servers retaining only public information.
Associates who are granted administrative equivalent privileges to client server systems will be required to access ACLED’s system with their own unique ID.
On UNIX servers the sudo utility will be installed and used to grant or limit the type of root privileges assigned to an associate while logging all commands and arguments. If the sudo utility is not compatible with the system, then the preferred alternate method for granting root access will be to assign both a non-administrative and an administrative equivalent User ID. The administrative equivalent account will be assigned a UID equal to 0. The associate will initially log in as the non-administrative account, then use the /bin/su command to gain root access.
On Windows servers, associates will be assigned a User ID with security equivalence of the Admin or Administrator User ID.
Accounts used by temporary vendors for remote maintenance will remain active only during the time period needed and will be set to expire in no more than 30 days.
Accounts used by long term vendors will be considered necessary for the management of the ACLED environment and will be tracked in an exception log and reviewed annually to confirm access granted.
Password Characteristics
E.1 Minimum Password Length
Minimum password length is fifteen (15) characters. This means that passwords on production systems and platforms will not be shorter than fifteen (15) characters in length. System administrators should likewise use passwords of at least fifteen (15) characters.
E.2 Password Complexity
Passwords must contain both lower- and upper-case characters.
Passwords must contain both numeric and alphabetic characters.
Passwords must contain a special character or symbol such as: !@#$%^&*()
Employees/contractors are encouraged to choose passwords that are difficult to guess and must observe the restrictions below:
Passwords must contain at least four unique characters (e.g. aaaaa1 is not acceptable).
Passwords must not contain a user’s personal information or that of his or her friends, family members, or pets. Personal information includes logon ID, name, birthday, address, phone number, social security number, or any permutations thereof.
Passwords must not be words that can be found in a standard dictionary (English or foreign) or are publicly known slang or jargon. Such words or names followed by a single digit are also not allowed, nor are words/names spelled backward.
Passwords must not be based on ACLED’s name or any geographic location associated with ACLED.
Suggestions to facilitate password creation in accordance with the policy above include:
Use a string of several words together as a phrase or sentence
Combine punctuation or numbers with a regular word
Deliberately misspell words (but avoid common misspellings)
Include a mix of upper and lower case letters
Remember to include a special character
E.3 Password Expiration
For all systems and applications, user and system passwords will have a maximum expiration period of 90 days.
Passwords that do not include automatic expirations must be manually changed every 90 days.
E.4 Password History
A different unique password will be required when the existing password has been newly issued, reissued, or expires. The password may not be the same as any of the last 18 passwords used.
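The E.1/E.2 characteristics and the E.4 history rule above are concrete enough to be checked mechanically. The following is an added illustration, not code from ACLED, Marcum or any tool named on this page: `check_password` returns the list of rules a candidate breaks, and `reused_from_history` compares a candidate against salted hashes of the last 18 passwords so that old passwords are never kept in clear. The `personal_info`, `org_terms` and `dictionary` parameters and the word list are assumptions used to express the policy text; the substring match for personal data is a deliberate simplification of "any permutations thereof", and the PBKDF2 iteration count is kept low for the demonstration.

```python
"""Password-policy checks modelled on rules E.1, E.2 and E.4 (constructed example)."""
import hashlib
import os
import string

MIN_LENGTH = 15          # E.1: fifteen (15) characters minimum
MIN_UNIQUE_CHARS = 4     # E.2: at least four unique characters
HISTORY_DEPTH = 18       # E.4: may not match any of the last 18 passwords
PBKDF2_ITERATIONS = 10_000   # assumption: kept low for the demo; production would use far more


def check_password(candidate, personal_info=(), org_terms=("ACLED",), dictionary=()):
    """Return the list of E.1/E.2 rules the candidate breaks; an empty list means it passes.

    personal_info: strings such as logon ID, name or phone number (any substring match fails).
    org_terms: organisation name and associated locations that must not appear in the password.
    dictionary: lower-case word list used for the dictionary-word rule (assumed input).
    """
    problems = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"E.1: shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("E.2: needs both lower- and upper-case letters")
    if not (any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate)):
        problems.append("E.2: needs both numeric and alphabetic characters")
    if not any(c in string.punctuation for c in candidate):
        problems.append("E.2: needs a special character or symbol")
    if len(set(candidate)) < MIN_UNIQUE_CHARS:
        problems.append(f"E.2: fewer than {MIN_UNIQUE_CHARS} unique characters")

    # Personal information and organisation terms: a case-insensitive substring match is a
    # simplification of the policy's "any permutations thereof".
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("E.2: contains personal information")
    if any(term and term.lower() in lowered for term in org_terms):
        problems.append("E.2: based on the organisation's name or location")

    # Dictionary rule: the whole password is a dictionary word, a word followed by a single
    # digit, or a word spelled backwards.
    words = set(dictionary)
    stem = lowered[:-1] if lowered[-1:].isdigit() else lowered
    if lowered in words or stem in words or lowered[::-1] in words:
        problems.append("E.2: is a dictionary word (possibly reversed or with one digit appended)")

    return problems


def hash_for_history(password, salt=None):
    """Return a (salt, digest) entry for the password-history list (E.4).

    A fresh random salt per entry means identical old passwords do not share a digest,
    and PBKDF2 keeps offline guessing against a leaked history list expensive.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused_from_history(candidate, history):
    """True if candidate equals any of the last HISTORY_DEPTH entries of history
    (a list of (salt, digest) tuples, oldest first)."""
    recent = history[-HISTORY_DEPTH:]
    return any(hash_for_history(candidate, salt)[1] == digest for salt, digest in recent)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    print(check_password("correct-Horse9battery", personal_info=("jsmith",)))   # []
    print(check_password("aaaaa1"))                                              # several rules
    print(check_password("ACLED-Password-2024!"))                                # organisation name
```

Because E.1 and the complexity rules are evaluated independently, a short dictionary word such as `Password1` is reported against every rule it breaks rather than only the first, which is what a help-desk reset tool should show the user.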
E.5 Lockout
The number of consecutive attempts to enter an incorrect password will be limited to six (6). After six (6) unsuccessful attempts to enter a password, the User ID will be suspended or locked for a minimum duration of 30 minutes or until reset by the Helpdesk.
E.6 Protecting Passwords
Password protection requirements are below:
Passwords must not be shared or revealed.
Passwords stored within an application or existing within a file must be encrypted. Encrypted and non-encrypted passwords must not be stored in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, or in other locations where unauthorized persons might discover them.
Passwords must not be displayed on the screen as they are keyed in.
Passwords must not be written down and left in a place where unauthorized persons might discover them.
The Operations Team/3rd party MSP may attempt to crack or guess users’ passwords as part of its ongoing security vulnerability auditing process. If a password is cracked or guessed during one of these audits, the user will be required to change his or her password immediately.
E.7 Password Compromise Response
All passwords must be immediately changed if they are suspected of being disclosed, or known to have been disclosed to anyone besides the authorized associate.
Password Administration
Controlled setup, changing, and disabling of passwords are critical to ensuring the security of ACLED’s systems. Passwords are the weakest form of authentication and access control, so any deficiencies in the assignment, changing, or prompt disabling of passwords can magnify their inherent weaknesses.
F.1 Initial Password Assignments
Newly issued or reissued passwords will be set to a unique value and will only be valid for the associate’s first session. After the first use, the associate will be forced to choose another password.
F.2 Password Resets
If password resets are to be done via phone or through an automated request, the end user’s identity must be verified before the password is reset.
F.3 Information Security Awareness Programs
All associates, contractors, and consultants will receive Information Security awareness briefings upon employment and annually thereafter. The level of detail of these briefings or reviews should be aligned with exposure based on the job role and will be designed to update the personnel on current policy, new threats to business systems, and reinforce basic IT security principles.
Security awareness is reinforced through the use of staff education, visual aids, fliers, placards, emails and other reminders used throughout the workplace. In addition, contact information for questions or concerns will be prominently displayed.
Additionally, once a year ACLED hires a third party to perform user awareness reviews by performing social engineering assessments including but not limited to phishing emails, physical security at remote locations, and phone calls.
System administrators will be part of the security awareness training program that happens yearly and will be given the option of selecting a training relevant to their role or function that has information security components.
Review of User Access Rights
User accounts and authorizations must be reviewed at least once annually for accuracy, including verification of employment status.
Administrative accounts and authorizations must be reviewed at least every quarter for accuracy, including verification of employment status.
Access privileges for users must be allocated on a need-to-know basis such that a user receives only the minimal access required for the user’s role or job function.
User accounts that are inactive for more than 45 days must be disabled and/or deleted. In the event of an ongoing investigation or extended transition that is longer than 45 days, an exception must be approved by the Operations Team.
Immediately upon termination of a user’s employment or business relationship, all access to ACLED systems and data must be revoked.
Variances to the revocation of user access must be approved by the Operations Team.
External User Access
External users requiring internal network access (ACLED Domain Accounts) must complete an approved access agreement or have contract language that includes provisions for nondisclosure, confidentiality, business purpose, access duration, and business sponsor.
Requests must be approved, in writing, in advance by the business sponsor and approved by the Head of Operations.
External user accounts must, by default, expire after 45 days or less.
Accounts may be renewed indefinitely by the business sponsor at the end of each 45-day period.
Emergency Access
Holders of emergency accounts requiring internal network access (ACLED Domain Accounts) must complete an approved access agreement or have contract language that includes provisions for nondisclosure, confidentiality, business purpose, access duration, and business sponsor.
Emergency accounts must, by default, expire after 30 days or less.
Accounts may be renewed indefinitely by the business sponsor at the end of each 30-day period.
Compliance
Compliance with the policy is mandatory. Any system or technology that is not capable of complying should have an approved Risk Acceptance Document (RAD) on file with the Operations Team in compliance with the RAD procedure. Any and all data, systems, infrastructure, or technologies within PSI are subject to an audit to ensure compliance.
A. Exceptions
Any breach of this Policy could have severe consequences to ACLED and its ability to provide services, or maintain the integrity, confidentiality, or availability of its services. Violations of this Policy may result in disciplinary action up to and including employment or contract termination as well as legal action in accordance with applicable law.
References
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. To request a security exception, contact the Operations Team.
A. Review Schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon a change to one of the following:
ACLED Information Security Policy
ACLED Information Security Standards
Other Policy, Standard, or Guideline related to this document
Introduction
The purpose of this policy is to outline the acceptable use of information technology assets owned and provided by ACLED — including desktop and laptop computer systems for its employees, data storage devices (including disks, flash drives, and other external storage devices), physical internet access providers, and mobile devices (such as iPads and other tablets and iPhones etc), as well as guidelines related to the use of voicemail, email, electronic bulletin boards and blogs, and the intranet. Each employee has a responsibility to use ACLED’s technology resources in a manner that increases productivity and is respectful of other employees.
Scope
This policy applies to all ACLED employees, contractors, consultants, temporary employees, and anyone else who is granted any access to ACLED systems. Failure to follow this policy may lead to disciplinary action, up to and including termination of employment, as well as potential civil or criminal charges where appropriate.
This policy also applies to all technology resources that are owned or leased by ACLED or used in or accessed from ACLED’s digital environment. This policy also applies to all activities using any ACLED-paid accounts, subscriptions, or other technical services, whether or not the activities are conducted during working hours, and whether or not the conduct uses ACLED-owned hardware.
Policy Statements
Acceptable uses
Employees are responsible for exercising good judgment regarding the reasonableness of personal use. The ACLED Operations Team is responsible for creating guidelines concerning personal use of internet/intranet/extranet systems. In the absence of such policies, employees should seek guidance from the Operations Team.
ACLED proprietary information stored on electronic and computing devices, whether they are owned or leased by ACLED, the employee or a third party, remains the sole property of ACLED. You must ensure through legal or technical means that proprietary information is protected in accordance with the ACLED Information Security Policy.
You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of ACLED proprietary information.
You may access, use, or share ACLED proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.
ACLED reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy where necessary for viable reasons.
Employees must report any weaknesses in ACLED computer security, or any incidents of possible misuse or violation of this agreement, to the Operations Team.
All employees must notify the Operations Team of their travel plans abroad via the RiskPal platform or an equivalent, if they wish to take an ACLED device with them or if they wish to access any platforms (Google Drive, Slack, Asana, etc.), so that Operations can provide them with a suitable travel protocol.
All employees are required to properly shut down the device when travelling (within and outside of their regular country of residence).
If travelling by air, all employees must ensure the device goes into their carry-on bag instead of a checked-in bag.
ACLED does not support any form of the BYOD policy and requires all employees to have a device procured by ACLED, operated via its MSP.
Employees must immediately notify Operations of any work devices that were lost, damaged, or stolen. Staff members should also advise Operations of any personal devices that were stolen or lost if they believe they may have stored any ACLED sensitive data on them, even in violation of current policies.
Upon termination of employment, all users are expected to return company-owned devices within 5 working days following the day of termination.
Unacceptable use
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g. systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of ACLED authorized to engage in any activity that is illegal under local, state, federal, or international law while using ACLED-owned resources. Employees must not use VPN technology to circumvent banned websites or resources in countries where doing so is prohibited.
The lists below are by no means exhaustive but attempt to provide a framework for activities that fall into the category of unacceptable use.
Employees must not attempt to access any data or programs contained on ACLED systems for which they do not have authorization or explicit consent.
Employees must not share their ACLED account(s), passwords, Personal Identification Numbers (PIN), Security Tokens (i.e. Smartcard), or similar information or devices used for identification and authorization purposes.
Employees must not make unauthorized copies of copyrighted software.
Employees must not use non-standard shareware or freeware software without approval from the ACLED Operations Team.
Employees must not purposely engage in activity that may: harass, threaten or abuse others; degrade the performance of Information Resources; deprive an authorized ACLED user of access to an ACLED resource; obtain extra resources beyond those allocated; circumvent ACLED computer security measures.
Employees must not download, install or run security programs or utilities that reveal or exploit weaknesses in the security of a system. For example, ACLED employees must not run password cracking programs, packet sniffers, or port scanners or any other non-approved programs on ACLED information resources.
ACLED information resources must not be used for personal benefit.
Employees must not intentionally access, create, store or transmit material which ACLED may deem to be offensive, indecent or obscene (other than in the course of academic research where this aspect of the research has the explicit approval of the ACLED official processes for dealing with academic ethical issues).
Access to the Internet from an ACLED-owned, homebased computer must adhere to all the same policies that apply to use from the ACLED network. Employees must not allow family members or other non-employees to access ACLED computer systems.
Employees must not otherwise engage in acts against the aims and purposes of ACLED as specified in its governing documents or in rules, regulations, and procedures.
Employees must not connect USB drives that were obtained from unknown sources, such as conference giveaways, to ACLED resources.
The following activities are strictly prohibited, with no exceptions:
Violating the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by ACLED.
Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources; copyrighted music; and the installation of any copyrighted software for which ACLED or the end user does not have an active license.
Exporting software, technical information, encryption software or technology in violation of international or regional export control laws. Employees should consult their appropriate manager before exporting any material (software, etc.).
Introducing malicious programs into the network or server (e.g. viruses, worms, Trojan horses, or email bombs).
Revealing your account password to others or allowing use of your account by others, including members of your household.
Using an ACLED computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction and/or in violation of ACLED’s policies.
Using an ACLED account to make fraudulent offers of products, items, or services.
Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these activities are within the scope of the employee’s regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Executing any form of network monitoring that will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
Circumventing user authentication or security of any host, network or account.
Introducing honeypots, honeynets, or similar technology on the ACLED network.
Launching denial-of-service attacks on the ACLED network.
Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the internet/intranet/extranet.
Providing information about, or lists of, ACLED employees to parties outside ACLED, without the express permission of the Head of Operations.
Email usage
Email is a tool to be used for business purposes only. The sending and receiving of email can be a serious security risk, and a risk to company and personal confidential information. Associates should be aware that email is not private, and unencrypted internet email is as public as a postcard that could be read by the postal carrier. Based on these facts, the following rules need to be followed:
Avoid sending personal information via email. Personal information can include, but is not limited to, social security numbers, driver’s license numbers, and credit card information. ACLED will quarantine email that does not meet company standards. Quarantined messages that are business-justified can be released by the IT Helpdesk.
Use of inappropriate language is prohibited, including insults, threats, and any language that may be considered sexual harassment.
The automatic forwarding of internal email to external email addresses is prohibited.
Associates will be added to the email administration groups after joint approval and implementation by the department head/group owner as well as the Operations Team. Periodic auditing of these groups will be done to ensure inadvertent mistakes are corrected in a timely manner.
Email stored on smartphones and other mobile devices falls under the same policy as all ACLED email.
Sensitive data such as unencrypted credit card primary account numbers (PAN) must never be sent via email.
Compliance
Compliance with the policy is mandatory. Any system or technology that is not capable of complying must have an approved risk acceptance document (RAD) on file with the Operations Team, in compliance with the RAD procedure. Any and all data, systems, infrastructure, or technologies within PSI (process safety information) are subject to an audit to ensure compliance.
A. Exceptions
Any breach of this policy could have severe consequences to ACLED and its ability to provide services, or maintain the integrity, confidentiality, or availability of its services. Violations of this policy may result in disciplinary action up to and including employment or contract termination as well as legal action in accordance with applicable law.
References
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. To request a security exception, contact the Operations Team.
A. Review schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon change of one of the following:
ACLED Information Security Policy
ACLED Information Security Standards
Other policy, standard, or guideline related to this document
Introduction
The purpose of the ACLED Change Management policy is to establish the rules for creating, evaluating, implementing, and tracking changes made to ACLED Information Resources. Managing these changes is a critical part of providing a stable infrastructure.
Scope
This policy applies to all ACLED staff involved in any application, system or network changes, updates, or patches. The ACLED Change Management policy applies to any individual, entity, or process that creates, evaluates, and/or implements changes to ACLED Information Resources.
Policy Statements
This policy establishes the framework for operations related to change management.
General
All system, network and application changes for the Operations Team (e.g. operating system, computing hardware, networks, applications, data centres) are subject to this policy and shall follow the outlined change management procedures.
The following requirements shall be followed as a guideline in the change management process:
Changes to the production of the information resources must be documented and classified according to their:
Importance,
Urgency,
Impact, and
Complexity
Change documentation must include, at a minimum:
Date of submission and date of change,
Owner and custodian contact information,
Nature of the change,
Change requestor,
Change classification(s),
Roll-back plan,
Change approver,
Change implementer, and
An indication of success or failure.
Changes with a significant potential impact on ACLED Information Resources must be scheduled.
ACLED Information Resource owners must be notified of changes that affect the systems they are responsible for.
Authorized change windows must be established for changes with a high potential impact.
Changes with a significant potential impact and/or significant complexity must include usability, security, impact on testing and backout plans in the change documentation.
Change control documentation must be maintained in accordance with the ACLED Information Retention Schedule.
Changes made to ACLED customer environments and/or applications must be communicated to customers, in accordance with governing agreements and/or contracts.
All changes must be approved by the Operations Team.
Emergency changes that require an immediate implementation (i.e. break/fix, incident response, etc.) may be implemented without following the formal change control process, but may not circumvent documentation requirements, even if documented after the change.
Change Management Committee
The Operations Team shall convene to discuss system changes, interactions, and any perceived issues. The committee shall meet as needed but shall minimally meet monthly to discuss plans for future updates and patching.
Change Management Denials
The Operations Team or their designee may deny a scheduled or unscheduled change for reasons including, but not limited to:
Inadequate change planning or unit testing
Lack of Executive Director/SMT leadership acceptance (where applicable)
System integration or interoperability concerns
Missing or deficient roll-back plans
Security implications and risks
Timing of the change with a negative impact on key business processes
Timeframes do not align with resource scheduling (e.g. late-night, weekends, holidays, or during special events)
Administration
A Change Management Log Form shall be maintained for all changes. At a minimum, this log must contain:
Date of submission and date of change
Owner and custodian contact information
Nature of the change
Indications of success or failure
Notes and follow-ons
Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this operational policy as part of the ACLED Change Management policy. Satisfactory examples of evidence and compliance include:
Historical logs of change events
Archival change control notes
Anecdotal documentation and communications showing regular compliance with the policy
Compliance
Compliance with the policy is mandatory. Any system or technology that is not capable of complying must have an approved Risk Acceptance Document on file with the Operations Team, in compliance with the Risk Acceptance Document (RAD) procedure. Any and all data, systems, infrastructure or technologies within ACLED are subject to an audit to ensure compliance.
Breach of Policy
Any breach of this policy could have severe consequences to ACLED and its ability to provide services or maintain the integrity, confidentiality, or availability of its services. Violations of this policy may result in disciplinary action up to and including employment or contract termination as well as legal action in accordance with applicable law.
Exceptions
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. To request a security exception, contact the Operations Team.
Review Schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon change of one of the following:
ACLED Information Security policy
ACLED Information Security Standards
Other policies, standards, or guidelines related to this document
Introduction
Information Security breaches may have a significant impact upon ACLED’s legal liability and ability to compete in the market. Security policies can only be effective if compliance with them is universal and exceptions are carefully managed. ACLED has an obligation to comply with laws, regulations, policies, and standards to preserve the confidentiality, integrity, and availability of information assets owned by or entrusted to ACLED.
Scope
This policy applies to all ACLED employees, contractors, consultants, temporary employees, and anyone else who is granted any access to the ACLED systems. Failure to follow this policy may lead to disciplinary action, up to and including termination of employment, as well as potential civil or criminal charges, where appropriate.
This policy also applies to all Technology Resources that are owned or leased by ACLED or used on or accessed from ACLED premises. This policy also applies to all activities using any ACLED-paid accounts, subscriptions, or other technical services, regardless of whether the activities are conducted during working hours, and regardless of whether the conduct uses ACLED-owned hardware.
Policy
Statement
Compliance with all local, state, and federal laws, industry and regulatory requirements, ACLED policies, standards, and procedures is mandatory. Any system or technology that is not capable of complying should have an approved risk acceptance document on file or through the Risk Management Platform with the Information Security department. Any system or technology within ACLED is subject to an audit to ensure compliance.
Training
All ACLED employees are to be trained to understand and comply with all relevant and applicable ACLED policies. This training will occur when an employee is hired and is to be refreshed at least annually according to the employee’s role. Records will be maintained demonstrating the employee’s training record in accordance with the ACLED Data Retention and Destruction Standard.
Monitoring
ACLED must ensure that procedures are established, implemented, and maintained to periodically evaluate the organization's compliance with legal, regulatory, and other requirements, including industry best practices. A record must be retained of all periodic evaluations in accordance with the ACLED Data Retention and Destruction Standard.
Exceptions
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. Security exceptions are reviewed and, if acceptable to ACLED, subsequently granted by the ACLED Security Officer at their discretion. To request a security exception, contact the Operations Team.
Breach of Policies
Any breach of any ACLED policy could have severe consequences to ACLED and its ability to provide services, or maintain the integrity, confidentiality, or availability of its services. Suspected major violations of ACLED Policies will be reviewed by Human Resources/General Counsel. Confirmed violations may result in legal action in accordance with applicable law as well as disciplinary action up to and including employment or contract termination.
Review Schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon change of one of the following:
ACLED Information Security Policy
ACLED Information Security Standards
Other policy, standard, or guideline related to this document
Introduction
ACLED has adopted this policy to ensure quick, effective, and orderly response to suspected and/or detected security incidents.
Scope
This policy applies to any established and defined business unit or entity within ACLED.
Definitions
Crisis Intervention Response Team (CIRT) - Personnel responsible for coordinating the response to computer security incidents in an organization.
Security Incident - In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system. It includes unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent.
Vendor - Someone who exchanges goods or services for money and supports company operations in some way.
Event - An Alert or notification created by an IT Service, Configuration Item or Monitoring tool. Events typically require IT Operations personnel to take action and often lead to Incidents being logged.
Incident - An incident is any event which is not part of the standard operation of a service, and which causes, or may cause, an interruption to, or a reduction in the quality of that service.
Incident Initiator - The source of Incident logging. The Initiator could be a client, an ACLED associate, or the system, which can log an incident via monitoring tools.
Knowledge Base - A record of problems, known errors, resolutions and workarounds.
Problem - A condition identified by multiple incidents exhibiting common symptoms, or from one significant incident, indicative of a single error, for which the cause is unknown.
Incident Management policies
ACLED defines the following policy guidelines on performing Incident Response Management.
ACLED will proactively monitor information system security incidents and establish procedures for prevention of such incidents and protection of the systems, networks, equipment and facilities that affect the electronic assets of ACLED. Information Security has established processes to identify and contain incidents, resolve incidents and recover from them with follow-up reviews and analysis. In addition, ACLED will do the following:
Maintain an Incident Response Plan for the reporting, investigation, and remedial actions in the event of a suspected security problem or violation.
Maintain an active Incident Response Team consisting of staff from Operations, IT and the third-party MSP.
Require all workforce members to report any observation of a suspected security problem or violation.
Require all workforce members not to dissuade another associate from reporting a suspected security problem or violation.
Require all workforce members to keep the reporting and investigation of a suspected security problem or violation confidential. Such information is to be treated as Confidential unless otherwise noted by management.
In order to do so, IT/Operations will use different alerting sources to identify and contain incidents across the organization.
Alerting Sources
Help Desk Reports
ACLED staff member(s)
Logging System Alerts
Intrusion Detection Systems
Firewalls
Crisis Intervention Response Team (CIRT: Operations/IT/third-party MSP) daily threat assessments and investigations
Notification / Intelligence from Outside Vendors (Managed Security Service Provider; etc.)
Notification / Intelligence from U.S. Government Investigative Agencies
Compliance
Compliance with the policy is mandatory. Any system or technology that is not capable of complying must have an approved Risk Acceptance Document on file with the Operations Team, in compliance with the Risk Acceptance Document (RAD) procedure. Any and all data, systems, infrastructure or technologies within ACLED are subject to an audit to ensure compliance.
Breach of Policy
Any breach of this policy could have severe consequences to ACLED and its ability to provide services or maintain the integrity, confidentiality, or availability of its services. Violations of this policy may result in disciplinary action up to and including employment or contract termination as well as legal action in accordance with applicable law.
Exceptions
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. To request a security exception, contact the Operations Team.
Review Schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon change of one of the following:
ACLED Information Security policy
ACLED Information Security standards
Other policies, standards, or guidelines related to this document
Introduction
ACLED considers information security a high priority and an integral function of its business. Significant effort is continuously put forth to maintain the confidentiality, integrity, and availability of customer data. Accordingly, the following policy has been developed to prevent loss or misuse of information and to reduce information security risks.
Scope
This policy applies to ACLED facilities and information technology, ACLED information in any format, and to all employees, contractors, consultants, and employees or agents representing other corporations or organizations that are granted access to ACLED information and information systems. Information Security policies and Standards (Standards) are developed pursuant to this policy and define how the policy will be implemented.
All staff members of ACLED have a responsibility to adhere to the information security policies, and processes. The policy statements, processes, and procedures are deemed necessary to support the minimum desired level of protection of ACLED proprietary information.
Roles and Responsibilities
The following role definitions are used throughout the various levels of policy:
Executive Director
Executive sponsor of the Information Security policy throughout the organization.
Head of Operations
Demonstrates commitment to the information security program throughout the organization.
Participates in Operations/third-party MSP policy review processes.
Allocates sufficient resources for operational security process development and policy compliance.
Provides constructive feedback and communication with the IT & Security Projects Expert and security teams.
IT and Security Expert
Directs organizational information security strategy with the support and guidance of the Executive Leadership Team.
Leads enterprise information security policy and standards development, implementation, and maintenance.
Manages information technology risk for ACLED enterprise-wide.
Oversees enterprise information security strategy.
Enforces review of the security programs of third-party vendors hosting or processing ACLED data.
Operations Team
The Operations Team is responsible for monitoring performance, providing problem determination and management of Information Security Technologies and reporting on the status of Information Security throughout the company.
Information Security responsibilities include but are not limited to, ensuring:
Security Information Event Management System Operations
Prevention and detection of attacks and other threats successfully compromising the availability, confidentiality or integrity of critical systems in the organization
Management and operation of information security tools and controls company-wide.
Measurement and reporting on compliance with ACLED Information Security policies, standards, guidelines
Measurement and reporting on compliance with industry standards and government mandates for Information Security
The Operations/third-party MSP team is responsible for ensuring information security is integrated throughout ACLED. This committee will be made up of the Head of Operations, the IT and Security Projects Coordinator (or equivalent) and relevant Directors in both the Information Technology and Information Security groups. Responsibilities include developing and maintaining enterprise security policies, establishing a Security Awareness and Training program, ensuring ACLED has an effective Incident Response Team, and providing security engineering support to the Business Groups. The committee is also responsible for ensuring that information security policies are in line with ACLED business objectives and are appropriately distributed to ACLED personnel.
The Risk Management Committee (RMC) is responsible for ensuring that the business risk and objectives are communicated to leaders in the company and mitigated by the different groups’ strategies and policies throughout ACLED. This committee will be composed of the IT and Security Projects Coordinator, Nominated Risk Management Champions, and relevant Heads of Department. Responsibilities include identifying and communicating risks that the company faces and creating mitigating strategies. The committee is also responsible for ensuring that all groups are in line with the mitigation of risks, including IT security risks.
Information Security Policy
The operations and strategy of Information Security are composed of the Information Security Policy, Information Security Standards, and departmental-level information security processes and procedures. The following sections describe at a high level what each specific policy supporting the Information Security strategy details.
Information Protection
Information obtained, created and/or maintained by the ACLED or external service providers will be protected to ensure the confidentiality, integrity and availability of the ACLED information assets.
1) Confidential Information Security
Confidential information includes raw data and confidential, proprietary, or sensitive information as further defined in the Data Classification policy. Confidential information will be kept secure using appropriate safeguards to protect such information and to protect against unauthorized access to or use of such information. Users who have access to confidential information will use it only for legitimate ACLED business purposes.
2) User Access
Access to ACLED information and information systems, confidential or otherwise, will be granted only to individuals who require that access for valid ACLED business purposes. Requests for access will be submitted with documented authorization and supported business needs. Each user is responsible and accountable for all assigned access credentials and will not share them with others. Remote access to ACLED's information will be centrally controlled and monitored.
3) Segregation of Duties
Access to ACLED information, applications, and information systems will be assigned with limited scope and capabilities to meet segregation-of-duties and regulatory compliance requirements.
Information Systems Management
ACLED information systems will be established, managed and monitored to provide appropriate levels of security controls to protect ACLED information.
1) Information Systems Access
The ACLED information systems and network information will be restricted to authorized users.
2) Information Systems Availability
Information processing systems, networks, and facilities will have sufficient capacity, redundancy and availability to protect ACLED information assets and ACLED information systems to minimize the risk of unexpected interruptions to business processes.
3) Business Continuity Planning and Recovery
Business continuity and recovery plans will be developed and maintained to achieve the service-level objectives articulated by the business in the event of business or operational disruption.
4) Information Systems Change Management
Information system and network changes will be requested by authorized ACLED requestors using a formal change management process and tool so that the stability, security and reliability of information systems are not degraded or compromised.
5) Information Systems Physical Security
All ACLED computers, networks, network connections, mobile devices, and their related components will be physically protected.
Information Asset Acceptable Use
ACLED management is responsible for clarifying the boundaries of acceptable business and non-business use of ACLED information assets such as computers, phones, faxes, and software.
1) Personal Use of ACLED Information Assets
ACLED information assets are provided exclusively for business use. Incidental personal use of ACLED information assets such as applications, Internet access, and phones will be kept to a minimum. Only software approved and installed by ACLED may be present on ACLED's information assets. All ACLED software is proprietary and may not be copied for personal use.
2) Information Assets Usage Monitoring and Audit
Use of ACLED information and information systems is subject to logging, monitoring, and review by ACLED management and audit at any time.
3) Information Ownership and Protection
All information and data created or stored on ACLED information assets or premises is considered the property of ACLED and will be protected from unauthorized use or disclosure. This includes applications, databases, systems, networks, printed documents, voice mail, fax, e-mail, instant messaging, video conferencing, and connections to external services.
4) Information on ACLED Information Assets
All information and data contained in ACLED's information assets such as computer systems (local, remote or mobile), voice mail system, fax, email, instant messaging, and conferencing systems should be treated as confidential and is subject to the "Confidential Information" section of the Data Classification policy. ACLED information users will use only authorized ACLED information assets when dealing with ACLED information.
Information Security Compliance
All ACLED information users are required to become familiar with and formally acknowledge compliance with the policy and standards.
1) Information Security Compliance
All ACLED information users will comply with the policy and standards. Information users will attend annual security training and formally acknowledge they will comply with the Information Security program.
Violations of Information Security policy will be reported to departmental and Information Security management, as well as Human Resources and Internal Audit.
2) Information Security Violations
Information security violations may lead to disciplinary action up to and including termination.
Related Information Security policies
Other security policies mandating the way information and systems should be managed and controlled are:
Acceptable use
Data Categorization and Handling
User Awareness
Vulnerability Management
Network Security
Cryptography and Key Management
Logging and Monitoring
Incident Response Plan
Compliance and enforcement
These policies can be found on ACLED Net
Information Security policies exception requests
Any action that is not consistent with Information Security policies and standards must be formally requested and approved through the Information Security policy exception and Risk Acceptance process prior to implementation, installation or use.
All Information Security policy exception requests must be made by an employee of ACLED. They should be submitted as a ticket to the Corporate Help Desk and assigned to the Information Security Team.
Consultants, contractors, temporary or other contingent workers must receive the sponsorship of an ACLED employee for the purpose of requesting an exception to an Information Security policy.
Exception requests must be approved by the requesting person's direct manager and by line-of-business IT management, and then submitted to the CISO.
Compliance
Compliance with the policy is mandatory. Any system or technology that is not capable of complying must have an approved Risk Acceptance Document on file with the Operations Team, in compliance with the Risk Acceptance Document (RAD) procedure. Any and all data, systems, infrastructure or technologies within ACLED are subject to an audit to ensure compliance.
Breach of Policy
Any breach of this policy could have severe consequences to ACLED and its ability to provide services or maintain the integrity, confidentiality, or availability of its services. Violations of this policy may result in disciplinary action up to and including employment or contract termination as well as legal action in accordance with applicable law.
Exceptions
Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate business needs. To request a security exception, contact the Operations Team.
Review Schedule
This policy will be reviewed at least annually or as needed and updated to reflect changes in policy requirements or upon change of one of the following:
ACLED Information Security policy
ACLED Information Security Standards
Other policy, standard, or guideline related to this document
Version: 1.0
Effective: February 2026
1. Purpose and Scope
This policy outlines how staff, contractors, and affiliates of ACLED may use Artificial Intelligence (AI) tools in their work. Its purpose is to balance innovation and efficiency with ACLED’s responsibility to protect data integrity, intellectual property, and privacy. This policy applies to all staff using AI tools, whether free, paid, or built into other platforms (such as Microsoft Copilot or Google Workspace features). Researchers must not use AI tools as part of their routine coding assignments.
2. Core Principles
ACLED supports responsible use of AI to enhance productivity while protecting:
Confidentiality of internal and partner data
Integrity and accuracy of analytical outputs
Fairness and transparency in decision-making
Copyright and ownership of ACLED’s original data, methodology, and analysis
AI should never be used in ways that could compromise ACLED’s neutrality, data credibility, or research transparency and methodology.
3. Approved AI Tools
Only tools explicitly approved by ACLED Operations or the Risk Committee may be used with ACLED data or systems.
Staff may use approved tools for standard tasks (outlined below) without requesting additional approval.
If a new tool or platform is needed, staff should follow the Approval Process in Section 7.
Any paid AI tools or subscriptions intended for work purposes must be submitted through ACLED’s standard procurement process. Where demand for a particular tool becomes widespread, ACLED may evaluate organisation or team-level licences to ensure cost efficiency, security oversight, and consistency of use.
Where an existing ACLED-approved tool provides similar functionality, IT may recommend its use in place of introducing a new platform, in order to ensure cost efficiency, security oversight, and tool consolidation.
4. Acceptable Use Examples
These examples are intended as practical guidance. Where a use case is not clearly covered, staff should apply the guiding principles in Section 2 or contact Operations.
The following use cases are considered acceptable for approved AI tools (illustrative examples, not exhaustive):
Category Examples
Drafting & communication: Drafting internal and external communications such as vendor or partner emails and Slack messages, provided no confidential or proprietary ACLED information is included and the user adheres to the prohibited use guidelines below.
Administrative tasks: Formatting documents, summarizing meeting notes, generating outlines for reports.
Reviewing: Using AI tools to summarise or review ACLED internal policies, as long as all sensitive, confidential, or identifying information is fully removed prior to upload.
Coding assistance: Debugging or troubleshooting R, Python, or similar languages using de-identified or simulated data.
Learning support: Exploring syntax, improving technical writing, or understanding new concepts.
Brainstorming: Generating ideas for workflows, research methods, or automation projects, without uploading proprietary data.
AI features embedded within third-party tools (e.g. vendor chatbots, support bots, or AI assistants) should be treated the same as any external AI system unless the vendor provides a formal data-processing guarantee confirming that data is:
not retained
not used for model training
processed within GDPR-compliant jurisdictions
This includes AI-enabled features used within approved operational systems (e.g. HR, Operations, Finance tools such as recruitment platforms, payroll systems, expense management or vendor support portals), provided these tools have been vetted and appropriate data protection and contractual safeguards are in place.
5. Prohibited Use and Risk Areas
The following uses are strictly prohibited (illustrative examples, not exhaustive):
Uploading or pasting any confidential or proprietary information to AI tools except for clearly defined use cases (e.g. CV screening), and only where the tool and use case have been reviewed, vetted, and approved through internal governance processes. This includes but is not limited to:
o Donor, client, or partner data
o Employee or contractor records (e.g. HR files, payroll information, addresses, contracts, performance reviews, CVs or internal communications about individual staff)
o Unpublished or internal research data, events, or source reports
o ACLED's internal methodologies (unless already publicly available), classifications, or algorithms
Staff should also avoid uploading large numbers of events, even if the data is published. Uploading data in bulk increases the risk that the model may learn or reproduce ACLED content.
Using AI to generate or modify ACLED’s published datasets, analysis, or graphics without validation
Using AI to generate analytical content, findings, assessments, or final sentences intended for publication or external dissemination. This helps preserve the credibility of ACLED analysis and avoid AI-detectable language.
Using AI outputs as factual data without verification
Using AI for data sourcing and coding
Sharing ACLED login credentials or files with AI platforms
Generating content that may misrepresent ACLED’s positions or data
As stated in ACLED's Anti-Plagiarism policy, using AI-generated content without disclosure or passing it off as original work
Using AI to generate images or videos for any public-facing, promotional, or conflict-related content. AI tools can still be used for non-creative tasks such as video editing, formatting, subtitling, or quality enhancement but not for creating new images, videos, or avatars.
Using AI transcription or note-capturing tools for internal or external meetings, unless all participants explicitly agree.
6. Data Protection Rules
To ensure compliance with ACLED’s data protection framework:
Never enter full names, email addresses (including @acleddata.com and acledcoding.com), the name of the organisation, location details of staff, partners, or sources into AI tools.
Images, video recordings, or audio of identifiable individuals (including ACLED staff, contractors, or external partners) must not be uploaded to or processed by any AI tool without the individual’s explicit written consent, even where the tool is used for editing, enhancement or summarisation.
When discussing data patterns or structures, use anonymised or simulated examples.
Do not connect AI plugins or browser extensions to ACLED systems unless approved by IT.
Only use ACLED-approved AI tools (e.g., Microsoft Copilot) for any task involving internal data.
Violations may be treated as data breaches and referred to ACLED’s Risk Committee and in certain escalated cases to ACLED’s Ethics Committee.
7. Approval Process for New Tools or Use Cases
A simple 2-step process ensures flexibility while maintaining oversight:
1. Submit request to Operations:
o Submit requests via the Asana form.
o Include purpose, data sensitivity, and justification for adopting the new AI tool or use case.
2. Assessment and Approval:
o Operations will conduct an initial review. If no significant issues are identified, the request can be approved quickly by the Operations Team.
o If potential red flags are discovered (e.g. prior data leaks, copyright concerns, or sensitive data risk), the request will be escalated to the Risk Committee for further review.
o Assessment decisions will be logged in the ACLED Risk Register for auditing purposes.
o Decisions will be communicated within 10 working days.
Routine, low-risk uses of already-approved tools (e.g. generating templates, brainstorming ideas) do not require additional approval. However, if in any doubt about what could be considered acceptable, please contact operations@acleddata.com.
8. Accountability and Monitoring
All staff: Use AI responsibly and comply with this policy.
Line Managers: Flag AI-generated content that appears non-compliant (e.g. inappropriate use cases, sensitive data risks). Address any issues directly with the staff member and escalate to IT or the Risk Committee when needed.
Operations/IT: Maintain the list of approved tools and technical restrictions. Conduct periodic reviews.
Risk Committee: Handles escalations and incident reviews.
ACLED may periodically monitor AI tool usage to ensure compliance and identify opportunities for improvement. Monitoring may include policy reviews, audits of approved tools, user reporting, and targeted technical controls where appropriate. Monitoring frequency and specific approaches may evolve over time based on risk, scale of use, and available safeguards.
9. Review Cycle and Version Control
This policy, as well as the approved AI Tools register, will be reviewed annually or when significant new AI tools or regulations emerge.
The latest version will always be accessible on ACLED.net.
10. Contact
For questions or to request approval for a new AI tool or use case, please contact: operations@acleddata.com
11. Glossary and Definitions
11.1 “AI tools”:
Any software, platform, or feature that uses machine learning, large language models, or generative AI to produce text, images, audio, video, code or recommendations.
11.2 “AI features embedded within third-party tools”:
AI functionality built into another product (e.g. chat boxes, note takers, assistants) that processes user-provided information.
11.3 “Confidential or Proprietary ACLED Information”:
Information that is not intended for unrestricted public use and that ACLED has a responsibility to protect. This includes, but is not limited to:
Unpublished research data, analysis, drafts, or internal reports
Internal methodologies, classifications, workflows, or processes
Donor, client, partner, or vendor information
Employee or contractor records (e.g. contracts, payroll data, addresses, CVs, performance information)
Internal communications, decision-making records, or strategy documents
Note: Publicly available ACLED publications and high-level descriptions of ACLED’s mission or openly published methodologies may be referenced at a high level, but should not be uploaded verbatim or in bulk into AI tools.
11.4 “Drafting” (AI-assisted):
The use of AI tools to support the structure, clarity, grammar, tone, or formatting of text without generating new analytical content, conclusions, or original sentences intended for publication or external dissemination.
Drafting does not include rewriting, shortening, or generating analytical findings, assessments, or final sentences used in reports, analysis, or publications.
If you have any further questions, please reach out to your supervisor or ACLED’s Operations team (operations@acleddata.com).
