Chapter 1
Network Infrastructure
The Network Infrastructure section outlines the policies and procedures for securing AccuCode AI’s network environment. These policies are designed to protect the confidentiality, integrity, and availability of data processed and transmitted within the network.
All employees, contractors, and third parties with access to AccuCode AI’s network are required to adhere to these policies. Violations may result in disciplinary action, up to and including termination of employment or contract.
For any questions or concerns regarding the network infrastructure policies, please contact the InfoSec team at security@accucodeai.com.
Subsections of Network Infrastructure
Communications Equipment Policy
Version 1.0.2
Last Updated 2024-02-20
APPROVED
1. Overview
This document outlines the Communications Equipment Policy for AccuCode AI to
ensure secure configuration and use of all communication equipment that is part
of the company’s data network.
2. Purpose
The purpose of this policy is to establish requirements for the secure
configuration and management of communication equipment at AccuCode AI in order
to protect sensitive healthcare data processed by the company’s AI systems.
3. Scope
This policy applies to all communication equipment, including but not limited to
routers, switches, firewalls, and VPN gateways, that are part of AccuCode AI’s
data network and are used in the processing, storage, or transmission of
healthcare data.
4. Policy
4.1 Secure Configuration
- All communication equipment must be securely configured with necessary
security features enabled before being placed into service.
- Only authorized personnel with either a monitoring role (read-only privileges)
or an administrator role (configuration change privileges) shall have access
to manage the communication equipment.
- All commands issued by users and security events that may pose a threat to the
equipment must be logged and recorded.
4.2 User Authentication
- Local user accounts are not permitted on communication equipment.
- All users must authenticate through a central repository using a secure
protocol that minimizes the risk of identity theft.
4.3 Data Encryption
- All data transmitted from the communication equipment must be encrypted using
a strong encryption algorithm to protect against eavesdropping and
man-in-the-middle attacks.
4.4 Event Logging and Backup
- Security events recorded by the communication equipment must be stored on
media that is subject to regular backups.
- The backup process must ensure the integrity of the logged information and
prevent unauthorized modifications.
4.5 Administrator Password Security
- The password for the communication equipment’s administrator account must not
be known by anyone on the staff managing the equipment.
- If the highest administrative privileges are required, staff must submit a
request to the internal security division, providing justification and
completing the necessary forms.
- The administrator password must be reset by the highest administrator after
each use to maintain security.
5. Policy Compliance
5.1 Compliance Measurement
The Information Security Team will verify compliance with this policy through
various methods, including but not limited to:
- Periodic walk-throughs
- Video monitoring
- Business tool reports
- Internal and external audits
- Feedback to the policy owner
5.2 Exceptions
Any exception to this policy must be approved in advance by the Information
Security Team.
5.3 Non-Compliance
Employees found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Malware Protection Policy
Version 1.0.0
Last Updated 2024-03-18
APPROVED
1. Overview
AccuCode AI Inc. is entrusted with the responsibility to provide professional
management of clients’ sensitive healthcare data and documents as outlined in
each of the contracts with its customers. Inherent in this responsibility is an
obligation to provide appropriate protection against malware threats, such as
viruses and spyware applications. Effective implementation of this policy will
limit the exposure and effect of common malware threats to the systems they
cover.
2. Purpose
The purpose of this policy is to outline which endpoint and server systems are
required to have anti-malware applications, specifically a modern Endpoint
Detection and Response (EDR) solution.
3. Scope
This policy applies to all endpoints and servers that AccuCode AI Inc. is
responsible to manage. This explicitly includes any system for which AccuCode AI
Inc. has a contractual obligation to administer. This also includes all server
systems set up for internal use by AccuCode AI Inc., regardless of whether
AccuCode AI Inc. retains administrative obligation or not.
4. Policy
AccuCode AI Inc. IT operations staff will adhere to this policy to determine
which endpoints and servers will have an EDR installed on them and to deploy
such applications as appropriate.
4.1 Endpoint Protection
All endpoints, including laptops, desktops, and workstations, MUST have an EDR
installed and actively running to provide real-time protection against malware
threats.
4.2 Server Protection
All servers MUST have an EDR installed and actively running to provide real-time
protection against malware threats without exception.
4.3 Mail Server Protection
If the target system is a mail server, it MUST have either an external or
internal anti-malware scanning application that scans all mail destined to and
from the mail server. Local anti-malware scanning applications MAY be disabled
during backups if an external anti-malware application still scans inbound
emails while the backup is being performed.
4.4 Notable Exceptions
An exception to the above standards will generally be granted with minimal
resistance and documentation if one of the following notable conditions applies to
this system:
- The system is not a Windows, Linux or macOS platform
5. Policy Compliance
5.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods,
including but not limited to, business tool reports, internal and external
audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
Network Security Policy
Version 1.0.5
Last Updated 2024-03-28
APPROVED
1. Overview
This document outlines the Network Security Policy for AccuCode AI, including
networking, routing and VPNs.
2. Purpose
The purpose of this policy is to ensure the security, confidentiality, and
integrity of AccuCode AI’s network infrastructure and the sensitive healthcare
data processed by the company. This policy establishes guidelines for network
configuration, access control, and security measures.
3. Scope
This policy applies to all employees, contractors, and third parties who access
or manage AccuCode AI’s network infrastructure and resources.
4. Policy
4.1 Network Architecture
- All network infrastructure must be hosted in private Azure virtual networks
(VNets).
- Network segmentation must be implemented to isolate different environments
(e.g., production, development, testing) and restrict access between segments.
- All network traffic between segments must be filtered and controlled using
network security groups (NSGs) and access control lists (ACLs).
4.2 Remote Access
- Remote access to the network must be done via a WireGuard VPN with strict
role-based access control (RBAC) rules in place.
- Hardware-based multi-factor authentication (MFA) must be enforced for all
remote access.
- VPN access must be granted on a least-privilege basis and regularly reviewed.
4.3 Device Security
- No bring your own device (BYOD) equipment is allowed to connect to the
corporate network.
- All devices connecting to the network must be company-owned and centrally
managed.
- Devices must have up-to-date antivirus software, security patches, and
configurations as per the company’s security standards.
4.4 Network Monitoring and Logging
- Network traffic must be monitored and logged for security events and
anomalies.
- Logs must be retained for at least 90 days and regularly reviewed by the
security team.
- Security incidents must be promptly investigated and reported as per the
incident response plan.
4.5 Access Control
- Access to network resources must be granted based on the principle of least
privilege.
- User accounts must be unique and tied to an individual’s identity.
- Privileged access must be strictly controlled and monitored.
- Unused or dormant accounts must be disabled or removed.
4.6 Configuration Management
- Network devices must be configured according to the company’s security
standards and best practices.
- Default settings must be changed, and unnecessary services and protocols must
be disabled.
- Configuration changes must follow a formal change management process and be
properly documented.
4.7 Third-Party Access
- Third-party access to the network must be strictly controlled and monitored.
- Access must be granted only when necessary and revoked immediately after the
task is completed.
- Third parties must adhere to the company’s security policies and sign
appropriate non-disclosure agreements (NDAs).
5. Compliance and Enforcement
- All employees, contractors, and third parties must comply with this policy.
Non-compliance may result in disciplinary action, up to and including
termination of employment or contract.
- The InfoSec team is responsible for enforcing this policy and conducting
regular audits to ensure compliance.
- Exceptions to this policy must be approved by the InfoSec team and properly
documented.
6. Review and Update
This policy must be reviewed and updated annually or whenever there are
significant changes to the network infrastructure or security requirements.
Server Security Policy
Version 1.0.4
Last Updated 2024-01-01
APPROVED
1. Overview
Unsecured and vulnerable servers are a major entry point for malicious threat
actors. Consistent server installation policies, ownership, and configuration
management are critical for maintaining the security of AccuCode AI’s sensitive
healthcare data and AI systems.
2. Purpose
The purpose of this policy is to establish standards for the base configuration
of internal server equipment that is owned and/or operated by AccuCode AI Inc.
Effective implementation of this policy will minimize unauthorized access to
proprietary information, protected health information (PHI), and technology.
3. Scope
All employees, contractors, consultants, temporary and other workers at AccuCode
AI Inc. and its subsidiaries must adhere to this policy. This policy applies to
server equipment that is owned, operated, or leased by AccuCode AI or registered
under an AccuCode AI-owned internal network domain.
4. Policy
4.1 General Requirements
4.1.1 All internal servers deployed at AccuCode AI must be owned by an
operational group that is responsible for system administration. Approved server
configuration guides must be established and maintained by each operational
group, based on business needs, and approved by the InfoSec team.
The following items must be met:
- Servers must be registered within the corporate enterprise management system
with up-to-date information including server contacts, hardware/OS details,
and main functions
- Configuration changes for production servers must follow appropriate change
management procedures
4.1.2 For security, compliance, and maintenance purposes, authorized personnel
may monitor and audit equipment, systems, processes, and network traffic per the
Audit Policy.
4.2 Configuration Requirements
4.2.1 Operating System configuration should be in accordance with approved
InfoSec team guidelines.
4.2.2 Unnecessary services and applications must be disabled.
4.2.3 Access to services should be logged and/or protected through access
control methods.
4.2.4 The most recent security patches must be installed on the system as soon
as practical.
4.2.5 Trust relationships between systems should be avoided. Always use least
privilege access.
4.2.6 Privileged access must be performed over secure channels (e.g. SSH,
WireGuard) when technically feasible.
4.2.7 Servers must be physically located in an access-controlled, secured
environment. Servers are prohibited from operating in uncontrolled areas.
4.2.8 Per the Malware Protection Policy, all servers must have an endpoint
detection and response (EDR) agent installed.
4.3 Monitoring
4.3.1 All security-related events on critical or sensitive systems must be
logged and audit trails saved:
- Security logs kept online for min. 1 week
- Daily incremental backups retained for min. 1 month
- Weekly full backups retained for min. 1 month
- Monthly full backups retained for min. 180 days
4.3.2 The InfoSec team will review logs, investigate and report incidents, and
prescribe corrective measures as needed. Security events include:
- Port-scan attacks
- Evidence of unauthorized privileged access
- Anomalous occurrences unrelated to specific host applications
5. Policy Compliance
5.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods,
including business tool reports, internal and external audits, and feedback to
the policy owner.
5.2 Exceptions
Any exception to this policy must be approved by the InfoSec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.