
Information Security Policy

Aprio Holdings, LLC (together with its subsidiaries and affiliates, “Aprio” or the “Company”) is committed to protecting the confidentiality, integrity, and availability of information entrusted to us by our clients, partners, and employees. We maintain a comprehensive Information Security Management System (ISMS) designed to safeguard physical and electronic information assets, minimize business risk, ensure regulatory and contractual compliance, and support business continuity.

Governance & Leadership

Aprio’s information security program is led by the Chief Information Security Officer (CISO) and overseen by an ISMS Committee composed of cross-functional leadership. The Chief Executive Officer and Managing Partner affirms that the implementation and continual improvement of the ISMS will be supported with adequate resources to achieve the objectives set forth in this policy and satisfy all identified requirements.

Program governance is structured to ensure that security objectives align with business strategy, that control effectiveness is regularly assessed, and that accountability is clearly defined across the organization.

Scope & Applicability

This policy applies to all Aprio employees, contractors, vendors, consultants, and other third parties who access, create, process, store, transmit, or dispose of Aprio information assets in any form — physical or electronic. All personnel are required to comply with Aprio’s information security policies and are expected to understand their roles and responsibilities in protecting the Company’s information assets.

Program Framework & Objectives

Aprio’s ISMS is aligned with industry-recognized frameworks, including the NIST Cybersecurity Framework (CSF), and follows a risk-based approach to identifying, protecting, detecting, responding to, and recovering from threats to our information assets.

The objectives of the program are to:

  • Follow a risk-based, reasoned approach commensurate with fiduciary and compliance responsibilities
  • Protect the operational integrity of the business and the information entrusted to us
  • Maintain compliance with applicable statutory, regulatory, and contractual obligations
  • Address the expectations of our clients, partners, and the markets we serve
  • Adapt to the evolving business and threat landscape
  • Foster a culture of security awareness across the organization

Key Control Domains

Aprio maintains policies, standards, and controls across the following security domains:

  • Cybersecurity & Data Protection: Defense-in-depth measures to protect technology infrastructure and data against physical and cyber threats
  • Risk Management: Ongoing identification, assessment, and remediation of cybersecurity and data privacy risks
  • Access Control & Identity Management: Controls governing access to systems, data, and facilities based on the principle of least privilege
  • Data Classification & Handling: Safeguards for data throughout its lifecycle, including classification, storage, transmission, and disposal
  • Data Privacy: Administrative, technical, and physical controls to protect personal and sensitive data in accordance with applicable privacy requirements
  • Incident Response: A structured incident handling capability encompassing detection, analysis, containment, recovery, and stakeholder communication
  • Business Continuity & Disaster Recovery: Contingency planning to ensure the availability of business-critical operations during adverse conditions
  • Third-Party Risk Management: Due diligence, risk assessment, and ongoing oversight of third-party service providers
  • Vulnerability & Patch Management: Continuous attack surface management and risk-based remediation of technical vulnerabilities
  • Security Awareness & Training: Role-based training programs to foster a security-minded workforce
  • Compliance: Mechanisms to demonstrate due diligence with applicable statutory, regulatory, and contractual obligations
  • Information Assurance: Ongoing monitoring and validation of security controls to ensure continued effectiveness

Continual Improvement

Aprio is committed to the continual improvement of its information security program. The ISMS Committee regularly reviews program objectives, assesses control effectiveness, and adapts the program to address emerging threats, evolving regulatory requirements, and changes in the business environment.

 


Contact

To report a security concern or for inquiries related to Aprio’s information security program, please contact us at [email protected].