Policies

This is the current policy list for PCG Systems employees and its clients.

These policies will be updated as needed; by engaging PCG Systems you agree to adhere to the policies as they stand today and to any future changes.

Should you have questions, please email info@pcgsystems.com.

General Support Scope Policy (Version 2025.1)

Purpose

The General Support Scope defines the minimum hardware, software, and security standards required for devices and systems to be fully supported by PCG Systems. Systems outside these standards may not be eligible for proactive management or guaranteed response.

Supported Assets

  • Endpoints – Corporate-owned devices with vendor-supported warranties and operating systems. Must be three years old or newer, or covered under a PCG lifecycle plan.
  • Mobile Devices – Corporate-owned, enrolled in mobile device management, with current operating systems and licensed security applications.
  • Multimedia Devices – Business-grade printers, scanners, and fax systems with active vendor maintenance agreements.
  • Servers – Vendor-supported hardware (Windows Server 2012 or newer), under warranty or lifecycle plan, no older than seven years.
  • Network Storage – Corporate-owned devices with vendor-supported warranty and offsite backup licensing.
  • Network Infrastructure – Business-grade routers, switches, and firewalls under vendor maintenance or warranty agreements.

Security Requirements

  • Multifactor authentication required on all systems.
  • No shared or generic accounts.
  • Passwords must follow PCG’s security standards.
  • All assets must be enrolled in approved monitoring, patching, and antivirus platforms.
  • Unsupported or end-of-life systems must be replaced within 180 days of onboarding.

Lifecycle Compliance

PCG may limit support or charge additional remediation fees for devices outside lifecycle standards. Clients are responsible for replacing outdated or unsupported systems as advised.

Exceptions

Any exceptions to this scope must be approved in writing by PCG Systems and documented in the client’s agreement.

Copyright © 2025 PCG Systems LLC. All rights reserved.

Artificial Intelligence Enablement Policy (Version 2025.2)

Purpose

The AI Enablement Policy establishes standards for the responsible and secure use of artificial intelligence tools within PCG Systems. It ensures that all AI-assisted work aligns with PCG’s data protection, confidentiality, and ethical standards.

Scope

Applies to all employees, contractors, and partners using AI tools for PCG or client-related work, including chatbots, code assistants, and AI-driven analytics.

Approved AI Tools

Only PCG-approved AI tools may be used for business purposes. Use of unapproved or consumer-grade AI systems for client data or PCG internal information is prohibited.

Data Protection

  • No client data, credentials, or sensitive information may be entered into public AI tools.
  • All prompts and outputs must avoid identifying clients, users, or systems.
  • AI outputs must be verified by human review before use in deliverables.
  • AI systems must not be used to make autonomous decisions affecting client systems without human validation.

Responsible Use

AI may assist with documentation, analysis, automation, and content generation, but employees remain fully accountable for accuracy and compliance.

AI-generated materials must never misrepresent authorship, violate copyright, or breach confidentiality.

Compliance and Monitoring

Use of AI tools is monitored for security and ethical compliance. Misuse may result in suspension of access, disciplinary action, or contract termination.

Policy Integration

This policy operates alongside the Information Security Policy, General Support Scope Policy, and Employee Handbook. All employees must complete AI-awareness training during onboarding and annually thereafter.


Information Security Policy (Version 2025.3)

1. Purpose

At PCG Systems, safeguarding information is central to how we operate. As a Managed IT Services Provider, we manage critical infrastructure and sensitive data for our clients across multiple industries. This Information Security Policy defines the principles, controls, and responsibilities that ensure the confidentiality, integrity, and availability of all systems and data under our care.

Our objective is to deliver secure, reliable technology services in compliance with leading frameworks such as NIST SP 800-171, CIS Controls, and ISO 27001, while preserving trust, transparency, and accountability with every client we serve.

2. Scope

This policy applies to all employees, contractors, vendors, and partners of PCG Systems. It governs all company-managed networks, systems, and data repositories, as well as all client environments, assets, and platforms under PCG management, including on-premise, cloud, and hybrid infrastructure.

3. Core Security Principles

  1. Confidentiality – Information is accessible only to authorized individuals.
  2. Integrity – Data must remain accurate, complete, and protected from unauthorized alteration.
  3. Availability – Systems must remain operational and resilient to disruptions.
  4. Accountability – Every system access or configuration change must be auditable.
  5. Continuous Improvement – Security controls are reviewed, tested, and refined regularly to align with emerging threats.

4. Governance and Oversight

The Managing Partner and Operations Manager oversee all security strategy, compliance, and risk management efforts.

The Security Team enforces policies, conducts monitoring, manages incidents, and ensures compliance with both internal and client-specific requirements.

All employees must follow security protocols, complete required cybersecurity training, and immediately report suspicious activity or suspected breaches.

Clients share responsibility for maintaining internal controls, user behavior, and adherence to PCG-issued security recommendations.

5. Data Ownership and Liability

All data created or stored by clients within systems managed by PCG Systems remains the property of the client. PCG retains administrative access solely for delivering contracted services and system management.

PCG Systems is not liable for loss, corruption, or unauthorized disclosure of data resulting from user actions, third-party application behavior, unapproved changes, or events outside PCG’s control.

6. Use of Third-Party Vendors

PCG Systems partners with trusted vendors including Microsoft, Fortinet, SentinelOne, Avanan, and NinjaOne to deliver secure managed services. While due diligence is exercised to evaluate vendor reliability and security, PCG cannot guarantee the performance or integrity of any third-party platform.

PCG Systems shall not be liable for downtime, vulnerabilities, or damages caused by third-party systems or vendor service interruptions.

7. Shared Security Responsibilities

Information security is a shared responsibility between PCG and its clients. Clients must maintain appropriate safeguards for their environments, enforce employee security awareness and multifactor authentication, and notify PCG immediately of suspected incidents.

PCG ensures that systems within its management scope remain compliant with best practices, continuously monitored, and backed by layered protection.

8. Access Control and Authentication

Access follows the principle of least privilege. All systems require multifactor authentication for administrative or remote access.

Passwords must contain at least fifteen characters, include upper- and lowercase letters, numbers, and special characters, avoid reuse, and be managed through an approved password manager.

Shared or generic accounts are prohibited. Access changes are logged, reviewed, and revoked upon termination of employment or contract.

9. Device and Endpoint Security

Only corporate-owned or lifecycle-approved devices may access PCG or client resources. Devices must be encrypted and protected by SentinelOne and NinjaOne monitoring. Systems must remain patched with vendor-supported operating systems. Lost or stolen devices must be reported immediately for remote lock or wipe.

10. Network and Infrastructure Protection

All networks are protected by business-grade firewalls with current firmware. Segmentation separates production, guest, and administrative traffic. Advanced intrusion detection and analytics tools continuously monitor for anomalies. Vulnerability assessments and penetration tests are performed regularly.

11. Cloud and Email Security

All cloud tenants use multifactor authentication, Avanan Cloud Security, and Microsoft Defender for phishing and malware prevention. Suspicious emails are quarantined automatically, and phishing simulations are conducted through CyberHoot. Data stored in Microsoft 365, SharePoint, OneDrive, or Egnyte is protected by encryption, version control, and data loss prevention.

12. Data Backup and Retention

All client and company data is backed up to redundant, encrypted locations. Backups are tested and verified regularly. Data is retained in accordance with contractual and regulatory requirements. Upon termination of services, PCG retains data for thirty days unless otherwise directed in writing, after which it is securely destroyed under NIST SP 800-88 standards.

13. Incident Response Framework

PCG maintains a formal Incident Response Framework aligned with NIST methodology.

Incident Severity Levels

  • Critical – Ransomware, widespread outage, or confirmed data breach.
  • High – Privileged account compromise or suspected data exposure.
  • Medium – Single-system compromise requiring remediation.
  • Low – Informational or false-positive alerts.

Escalation Flow

  1. Detection and Initial Report – Any employee or monitoring system detecting an anomaly must report immediately via Halo or to support@pcgsystems.com.
  2. Containment – Isolate affected devices or accounts.
  3. Escalation – High or Critical events are escalated to the Operations Manager and Managing Partner within one hour.
  4. Notification – Clients are notified of confirmed incidents within seventy-two business hours.
  5. Eradication and Recovery – Remove malicious components and restore systems from backups.
  6. Post-Incident Review – Conduct root cause analysis and implement improvements.

Cyber Insurance Coordination

PCG Systems maintains Cyber Liability Insurance to cover its own breach response and investigation obligations. Clients must maintain their own cyber liability or data breach insurance for their organization’s potential losses and recovery costs. Each party’s coverage applies only to its own liabilities.

14. Acceptable Use

Employees, contractors, and partners may use PCG resources only for legitimate business purposes. Prohibited activities include unauthorized access, transmission of malicious software, sharing confidential information through unapproved channels, or using PCG systems for illegal or unethical activities. Violations may result in disciplinary action or termination.

15. Security Awareness and Training Program

PCG’s Security Awareness and Training Program ensures every employee understands their role in protecting company and client information.

Administration – Managed through CyberHoot. Content is reviewed quarterly.

Training Schedule

  • Weekly instructional modules with short quizzes.
  • Monthly phishing walkthroughs.
  • Quarterly phishing simulations.
  • Immediate remediation training after failed simulations.

Responsibilities

Employees must complete all training on time, report suspicious messages, and apply safe practices.
Managers must enroll new hires, monitor completion rates, and review metrics quarterly.

Non-Compliance

Failure to complete training may result in warnings, temporary suspension of access, or disciplinary action.

This section replaces the previous standalone User Awareness Training Policy.

16. Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination, and potential legal action. PCG reserves the right to suspend services or access when security concerns threaten clients or the broader network.

17. Policy Integration and Hierarchy

This policy works in coordination with:

  • General Support Scope Policy (GSP)
  • AI Enablement Policy (AIEP)
  • Terms of Service and Membership Agreement
  • Privacy and Data Handling Policy

The Information Security Policy governs all matters related to cybersecurity and data protection.

18. Review and Updates

Reviewed annually or following regulatory or operational changes. Updates are published and communicated to all employees and clients.

19. Contact and Reporting

For questions or to report a security concern:
support@pcgsystems.com | 303-529-2929

20. Employee, Client and Partner Acknowledgment

By engaging PCG Systems, employees and clients acknowledge understanding of this policy and their shared responsibility in maintaining security.
