8.1.1 Access to each system is restricted to authorized individuals and the level of access is appropriate and consistent with job responsibilities.
8.1.2 A formal administration and approval process to grant access to all users is in place to ensure that access is added, modified and deleted in a timely manner.
8.1.3 Access is regularly reviewed by the Asset Owner or delegate to ensure it remains appropriate and commensurate with job responsibilities.
8.1.4 Network activity is monitored to identify and prevent unauthorized activity.
8.1.5 Application changes are appropriately tested and validated prior to being placed into production processes, and the associated controls operate as intended and support financial reporting requirements.
8.1.6 Mechanisms are implemented to ensure recoverability of all required data.
8.1.7 Anti-virus software is deployed at appropriate points in the ACE Network.
8.1.8 A periodic review of key operating systems and database security configurations is undertaken to ensure they remain consistent with ACE's security standards.
8.1.9 Information in any format (electronic, paper, etc.) is to be assigned to a designated authority (Asset Owner) who is responsible for ensuring it is classified and protected accordingly.
8.1.10 Asset Owners and/or Asset Custodians must maintain an inventory for all ACE assets which must be subsequently managed and protected.
8.1.11 All remote access via the Internet, public network, or untrusted network must be secured using an approved remote access process.
8.1.12 All external connections into the ACE Network must be through an ACE-approved firewall for access control and monitoring. No external connections are allowed to connect directly to any ACE Network, Information Asset or related systems.
8.1.13 Assessments of security-related software vulnerabilities and exploits are to be carried out regularly.
, agencies, legal entities, joint ventures and Third Parties.