Server Audit Policy
Version 1.0.3 | Last Updated 2023-12-20 | APPROVED
1. Overview
This Server Audit Policy outlines the requirements and guidelines for conducting audits on servers owned or operated by AccuCode AI Inc. The purpose of this policy is to ensure that all servers are configured according to the company’s security policies and applicable regulatory compliance standards.
2. Purpose
The purpose of this policy is to:
- Ensure the integrity, confidentiality, and availability of information and resources processed by AccuCode AI’s servers
- Verify conformance to the company’s security policies
- Meet applicable regulatory compliance requirements, such as HIPAA, for protecting PHI (Protected Health Information) and PII (Personally Identifiable Information)
3. Scope
This policy applies to all servers owned or operated by AccuCode AI Inc., as well as any server present on the company’s premises, regardless of ownership or operation.
4. Policy
AccuCode AI Inc. hereby provides its consent to allow authorized personnel to access its servers to the extent necessary to perform scheduled and ad hoc audits of all servers.
4.1 Specific Concerns
Servers used by AccuCode AI support critical business functions and store sensitive company information, including PHI and PII. Improper configuration of servers could lead to the loss of confidentiality, availability, or integrity of these systems.
4.2 Guidelines
- Approved and standard configuration templates shall be used when deploying server systems
- All system logs shall be sent to a central log review system
- All sudo/administrator actions must be logged
- Use a central patch deployment system
- Host security agents, such as antivirus software, shall be installed and kept up-to-date
- Network scans shall be conducted to verify that only required network ports and shares are in use
- Verify administrative group membership
- Conduct baselines when systems are deployed and upon significant system changes
- Changes to configuration templates shall be coordinated with approval from the change control board
4.3 Responsibility
The InfoSec team shall conduct audits of all servers owned or operated by AccuCode AI Inc. Server and application owners are encouraged to perform this work as needed.
4.4 Relevant Findings
All relevant findings discovered during the audit shall be listed in the tracking system to ensure prompt resolution or appropriate mitigating controls.
4.5 Ownership of Audit Report
All results and findings generated by the InfoSec team must be provided to appropriate management within one week of project completion. This report will become the property of AccuCode AI Inc. and be considered company confidential.
5. Policy Compliance
5.1 Compliance Measurement
The InfoSec team shall never use the access required to perform server audits for any other purpose. The team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6. Logging Requirements
6.1 General Requirements
All systems that handle PHI or PII, accept network connections, or make access control decisions shall record and retain audit logging information sufficient to answer the following questions:
- What activity was performed?
- Who or what performed the activity, including where or on what system the activity was performed from (subject)?
- What was the activity performed on (object)?
- When was the activity performed?
- What tool(s) were used to perform the activity?
- What was the status (such as success vs. failure), outcome, or result of the activity?
6.2 PHI and PII Logging Requirements
In addition to the general logging requirements, systems handling PHI and PII must adhere to the following:
- PHI and PII must never be logged in clear text.
- If PHI or PII must be logged, it should be redacted, masked, or hashed.
- Access to systems containing PHI and PII must be logged.
- Failed access attempts to systems or data containing PHI and PII must be logged.
6.3 Activities to be Logged
Logs shall be created whenever the system is requested to perform any of the following activities:
1. Create, read, update, or delete PHI or PII
2. Create, update, or delete information not covered in #1
3. Initiate or accept a network connection
4. User authentication and authorization for activities covered in #1 or #2
5. Grant, modify, or revoke access rights
6. System, network, or services configuration changes
7. Application process startup, shutdown, or restart
8. Application process abort, failure, or abnormal end
9. Detection of suspicious/malicious activity
6.4 Elements of the Log
Logs shall identify or contain at least the following elements, directly or indirectly:
- Type of action
- Subsystem performing the action
- Identifiers for the subject requesting the action
- Identifiers for the object the action was performed on
- Before and after values when action involves updating data
- Date and time the action was performed, including time-zone
- Whether the action was allowed or denied by access-control mechanisms
- Description and/or reason-codes of why the action was denied
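As an added example (not part of this policy or AccuCode AI's own tooling), the following Python assembles an audit record that carries every element required by section 6.4 and pseudonymises PHI/PII fields per section 6.2 with a keyed hash, so values correlate across records without appearing in clear text. The key, field names, subsystem and subject identifiers are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed pseudonymisation key; a real deployment loads it from a secrets store.
PSEUDONYM_KEY = b"example-key-not-for-production"
# Constructed field names treated as PHI/PII; they never appear in clear text (6.2).
PII_FIELDS = {"ssn", "patient_name", "date_of_birth"}
REQUIRED_ELEMENTS = ("action", "subsystem", "subject", "object", "timestamp", "decision")

def pseudonymise(value):
    """HMAC-SHA256 of the value: equal inputs correlate across records, but the
    clear-text value cannot be recovered from the log without the key."""
    digest = hmac.new(PSEUDONYM_KEY, str(value).encode(), hashlib.sha256).hexdigest()
    return "hmac:" + digest

def redact(values):
    """Copy a before/after dict with PII fields replaced by their pseudonyms."""
    if values is None:
        return None
    return {k: pseudonymise(v) if k in PII_FIELDS else v for k, v in values.items()}

def validate(record):
    """Reject a record missing a required element or a reason for a denial."""
    missing = [e for e in REQUIRED_ELEMENTS if not record.get(e)]
    if record.get("decision") == "denied" and not record.get("reason"):
        missing.append("reason")
    if missing:
        raise ValueError("incomplete audit record: " + ", ".join(missing))
    return True

def audit_record(action, subsystem, subject, obj, allowed,
                 before=None, after=None, reason=None, when=None):
    """Build one record; 'when' must be a timezone-aware datetime (6.4)."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must include a time zone (6.4)")
    record = {
        "action": action,                # type of action, e.g. "update"
        "subsystem": subsystem,          # component performing the action
        "subject": subject,              # who requested it and from where
        "object": obj,                   # identifier of the data acted on
        "before": redact(before),        # prior values, PII pseudonymised
        "after": redact(after),          # new values, PII pseudonymised
        "timestamp": when.isoformat(),   # ISO 8601 with UTC offset
        "decision": "allowed" if allowed else "denied",
        "reason": None if allowed else reason,  # why it was denied
    }
    validate(record)
    return record
```

A record built this way can be serialised as JSON and shipped to the central log review system required in 4.2; a denied action without a reason-code is rejected before it is emitted.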