Risk Assessment Policy
Version 1.0.3    Last Updated 2023-10-27    APPROVED
1. Overview
This Risk Assessment Policy outlines the guidelines and procedures for conducting information security risk assessments at AccuCode AI Inc. The purpose of this policy is to identify and mitigate potential vulnerabilities in our systems, processes, and procedures, with a special emphasis on protecting Protected Health Information (PHI).
2. Purpose
The primary purpose of this policy is to authorize and empower the InfoSec team to perform periodic risk assessments, both internally and with the assistance of third-party penetration testing (pentesting) providers. By identifying areas of vulnerability, the InfoSec team can initiate appropriate remediation measures to ensure the confidentiality, integrity, and availability of sensitive data, particularly PHI.
3. Scope
Risk assessments can be conducted on any information system within AccuCode AI Inc., including applications, servers, networks, and any process or procedure by which these systems are administered and/or maintained. Additionally, risk assessments may be performed on outside entities that have signed a Third Party Agreement with AccuCode AI Inc.
4. Policy
4.1 The InfoSec team is responsible for conducting periodic risk assessments to identify potential vulnerabilities in AccuCode AI Inc.’s information systems and processes.
4.2 The execution, development, and implementation of remediation programs are the joint responsibility of the InfoSec team and the department responsible for the system area being assessed.
4.3 Employees are expected to cooperate fully with any risk assessment being conducted on systems for which they are held accountable. They are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.
4.4 When engaging third-party pentesting providers, the InfoSec team must ensure that appropriate measures are in place to protect PHI. This includes, but is not limited to:
- Signing a Business Associate Agreement (BAA) with the third-party provider
- Ensuring that the provider has adequate security controls and procedures in place to safeguard PHI
- Limiting the scope of the pentest to minimize exposure of PHI
- Reviewing and redacting any reports or findings that may contain PHI before sharing them with the third-party provider
4.5 The InfoSec team must maintain detailed documentation of all risk assessments, including the scope, findings, and remediation plans.
5. Policy Compliance
5.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to this policy must be approved by the InfoSec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.