Extranet Policy
Version 1.0.3 Last Updated 2023-10-16 APPROVED
1. Purpose
This document outlines the policy for third-party organizations connecting to AccuCode AI Inc. networks for the purpose of transacting business related to the company.
2. Scope
This policy applies to all connections between third parties that require access to non-public AccuCode AI Inc. resources, regardless of the technology used for the connection (e.g., telco circuit or VPN). Connections to third parties such as Internet Service Providers (ISPs) or the Public Switched Telephone Network do not fall under this policy.
3. Policy
3.1 Security Review
All new extranet connectivity requests must undergo a security review conducted by the InfoSec team. The review ensures that access aligns with business requirements and adheres to the principle of least access.
3.2 Business Case
All production extranet connections must be accompanied by a valid written business justification, approved by a project manager in the extranet group. Lab connections must be approved by the team responsible for lab security.
3.3 Point of Contact
The Sponsoring Organization must designate a Point of Contact (POC) responsible for the portions of this policy and the Third Party Agreement that pertain to them. The relevant extranet organization must be promptly informed of any changes to the POC.
3.4 Modifying or Changing Connectivity and Access
All access changes must be accompanied by a valid business justification and are subject to security review. Changes must be implemented via the corporate change management process. The Sponsoring Organization is responsible for notifying the extranet management group and/or InfoSec of any material changes to their originally provided information.
3.5 Terminating Access
When access is no longer required, the Sponsoring Organization must notify the responsible extranet team, which will terminate the access as appropriate. The extranet and lab security teams must conduct annual audits of their respective connections to ensure that all existing connections are still needed and that the provided access meets the connection’s needs. Deprecated connections or those no longer used to conduct business will be terminated immediately. InfoSec and/or the extranet team will notify the POC or the Sponsoring Organization of any changes prior to taking action.
4. Policy Compliance
4.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
4.3 Non-Compliance
Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.