Malware Protection Policy

Version 1.0.0 | Last Updated 2024-03-18 | APPROVED

1. Overview

AccuCode AI Inc. is entrusted with the responsibility to provide professional management of clients’ sensitive healthcare data and documents as outlined in each of the contracts with its customers. Inherent in this responsibility is an obligation to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems it covers.

2. Purpose

The purpose of this policy is to outline which endpoint and server systems are required to have anti-malware applications, specifically a modern Endpoint Detection and Response (EDR) solution.

3. Scope

This policy applies to all endpoints and servers that AccuCode AI Inc. is responsible for managing. This explicitly includes any system that AccuCode AI Inc. has a contractual obligation to administer. This also includes all server systems set up for internal use by AccuCode AI Inc., regardless of whether AccuCode AI Inc. retains administrative obligation or not.

4. Policy

AccuCode AI Inc. IT operations staff will adhere to this policy to determine which endpoints and servers will have an EDR installed on them and to deploy such applications as appropriate.

4.1 Endpoint Protection

All endpoints, including laptops, desktops, and workstations, MUST have an EDR installed and actively running to provide real-time protection against malware threats.

4.2 Server Protection

All servers MUST have an EDR installed and actively running to provide real-time protection against malware threats without exception.

4.3 Mail Server Protection

If the target system is a mail server, it MUST have either an external or internal anti-malware scanning application that scans all mail destined to and from the mail server. Local anti-malware scanning applications MAY be disabled during backups if an external anti-malware application still scans inbound emails while the backup is being performed.

4.4 Notable Exceptions

An exception to the above standards will generally be granted with minimal resistance and documentation if one of the following notable conditions applies to the system:

  • The system is not a Windows, Linux or macOS platform

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance with this policy through various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.