Network Security Policy

Version 1.0.5 | Last Updated 2024-03-28 | Status: APPROVED

1. Overview

This document outlines the Network Security Policy for AccuCode AI, covering networking, routing, and VPNs.

2. Purpose

The purpose of this policy is to ensure the security, confidentiality, and integrity of AccuCode AI’s network infrastructure and the sensitive healthcare data processed by the company. This policy establishes guidelines for network configuration, access control, and security measures.

3. Scope

This policy applies to all employees, contractors, and third parties who access or manage AccuCode AI’s network infrastructure and resources.

4. Policy

4.1 Network Architecture

  • All network infrastructure must be hosted in private Azure virtual networks (VNets).
  • Network segmentation must be implemented to isolate different environments (e.g., production, development, testing) and restrict access between segments.
  • All network traffic between segments must be filtered and controlled using network security groups (NSGs) and access control lists (ACLs).

4.2 Remote Access

  • Remote access to the network must be established through a WireGuard VPN with strict role-based access control (RBAC) rules in place.
  • Hardware-based multi-factor authentication (MFA) must be enforced for all remote access.
  • VPN access must be granted on a least-privilege basis and regularly reviewed.

4.3 Device Security

  • No bring-your-own-device (BYOD) equipment is allowed to connect to the corporate network.
  • All devices connecting to the network must be company-owned and centrally managed.
  • Devices must have up-to-date antivirus software, security patches, and configurations as per the company’s security standards.

4.4 Network Monitoring and Logging

  • Network traffic must be monitored and logged for security events and anomalies.
  • Logs must be retained for at least 90 days and regularly reviewed by the security team.
  • Security incidents must be promptly investigated and reported as per the incident response plan.

4.5 Access Control

  • Access to network resources must be granted based on the principle of least privilege.
  • User accounts must be unique and tied to an individual’s identity.
  • Privileged access must be strictly controlled and monitored.
  • Unused or dormant accounts must be disabled or removed.

4.6 Configuration Management

  • Network devices must be configured according to the company’s security standards and best practices.
  • Default settings must be changed, and unnecessary services and protocols must be disabled.
  • Configuration changes must follow a formal change management process and be properly documented.

4.7 Third-Party Access

  • Third-party access to the network must be strictly controlled and monitored.
  • Access must be granted only when necessary and revoked immediately after the task is completed.
  • Third parties must adhere to the company’s security policies and sign appropriate non-disclosure agreements (NDAs).

5. Compliance and Enforcement

  • All employees, contractors, and third parties must comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.
  • The InfoSec team is responsible for enforcing this policy and conducting regular audits to ensure compliance.
  • Exceptions to this policy must be approved by the InfoSec team and properly documented.

6. Review and Update

This policy must be reviewed and updated annually or whenever there are significant changes to the network infrastructure or security requirements.