Server Security Policy

Version1.0.4 Last Updated2024-01-01 APPROVED

1. Overview

Unsecured and vulnerable servers are a major entry point for malicious threat actors. Consistent server installation policies, ownership, and configuration management are critical for maintaining the security of AccuCode AI’s sensitive healthcare data and AI systems.

2. Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by AccuCode AI Inc. Effective implementation of this policy will minimize unauthorized access to proprietary information, protected health information (PHI), and technology.

3. Scope

All employees, contractors, consultants, temporary and other workers at AccuCode AI Inc. and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by AccuCode AI or registered under an AccuCode AI-owned internal network domain.

4. Policy

4.1 General Requirements

4.1.1 All internal servers deployed at AccuCode AI must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs, and approved by the InfoSec team.

The following items must be met:

  • Servers must be registered within the corporate enterprise management system with up-to-date information including server contacts, hardware/OS details, and main functions
  • Configuration changes for production servers must follow appropriate change management procedures

4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

4.2 Configuration Requirements

4.2.1 Operating System configuration should be in accordance with approved InfoSec team guidelines.

4.2.2 Unnecessary services and applications must be disabled.

4.2.3 Access to services should be logged and/or protected through access control methods.

4.2.4 The most recent security patches must be installed on the system as soon as practical.

4.2.5 Trust relationships between systems should be avoided. Always use least privilege access.

4.2.6 Privileged access must be performed over secure channels (e.g. SSH, WireGuard) when technically feasible.

4.2.7 Servers must be physically located in an access-controlled, secured environment. Servers are prohibited from operating in uncontrolled areas.

4.2.8 Per the Malware Protection Policy, all servers must have an endpoint detection and response (EDR) agent installed.

4.3 Monitoring

4.3.1 All security-related events on critical or sensitive systems must be logged and audit trails saved:

  • Security logs kept online for min. 1 week
  • Daily incremental backups retained for min. 1 month
  • Weekly full backups retained for min. 1 month
  • Monthly full backups retained for min. 180 days

4.3.2 The InfoSec team will review logs, investigate and report incidents, and prescribe corrective measures as needed. Security events include:

  • Port-scan attacks
  • Evidence of unauthorized privileged access
  • Anomalous occurrences unrelated to specific host applications

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.