Communications Equipment Policy

Version 1.0.2, Last Updated 2024-02-20, APPROVED

1. Overview

This document outlines the Communications Equipment Policy for AccuCode AI to ensure secure configuration and use of all communication equipment that is part of the company’s data network.

2. Purpose

The purpose of this policy is to establish requirements for the secure configuration and management of communication equipment at AccuCode AI in order to protect sensitive healthcare data processed by the company’s AI systems.

3. Scope

This policy applies to all communication equipment, including but not limited to routers, switches, firewalls, and VPN gateways, that is part of AccuCode AI’s data network and is used in the processing, storage, or transmission of healthcare data.

4. Policy

4.1 Secure Configuration

  • All communication equipment must be securely configured with necessary security features enabled before being placed into service.
  • Only authorized personnel with either a monitoring role (read-only privileges) or an administrator role (configuration change privileges) shall have access to manage the communication equipment.
  • All commands issued by users and security events that may pose a threat to the equipment must be logged and recorded.

4.2 User Authentication

  • Local user accounts are not permitted on communication equipment.
  • All users must authenticate through a central repository using a secure protocol that minimizes the risk of identity theft.

4.3 Data Encryption

  • All data transmitted from the communication equipment must be encrypted using a strong encryption algorithm to protect against eavesdropping and man-in-the-middle attacks.

4.4 Event Logging and Backup

  • Security events recorded by the communication equipment must be stored on media that is subject to regular backups.
  • The backup process must ensure the integrity of the logged information and prevent unauthorized modifications.

4.5 Administrator Password Security

  • The password for the communication equipment’s administrator account must not be known by anyone on the staff managing the equipment.
  • If the highest administrative privileges are required, staff must submit a request to the internal security division, providing justification and completing the necessary forms.
  • The administrator password must be reset by the highest administrator after each use to maintain security.

5. Policy Compliance

5.1 Compliance Measurement

The Information Security Team will verify compliance with this policy through various methods, including but not limited to:

  • Periodic walk-throughs
  • Video monitoring
  • Business tool reports
  • Internal and external audits
  • Feedback to the policy owner

5.2 Exceptions

Any exception to this policy must be approved in advance by the Information Security Team.

5.3 Non-Compliance

Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.