Remote Access Policy
Version 1.0.2, Last Updated 2024-01-16, APPROVED
1. Overview
Remote access to AccuCode AI’s corporate network is essential to maintain our team’s productivity, especially with many employees working from home. However, remote access often originates from networks with lower security postures that may already be compromised. While these remote networks are beyond AccuCode AI’s direct control, we must mitigate the risks to the best of our ability, particularly given the sensitive protected health information (PHI) we handle.
2. Purpose
The purpose of this policy is to define rules and requirements for connecting to AccuCode AI’s network from any remote host. These rules aim to minimize the potential exposure to damages which may result from unauthorized access to PHI and other sensitive data. Damages include the loss of PHI, damage to public image, fines, and other financial liabilities.
3. Scope
This policy applies to all employees and contractors with an AccuCode AI-owned or personally-owned computer used to connect to the corporate network to do work on behalf of AccuCode AI. This covers any remote access connections, including email and intranet access.
4. Policy
Employees and contractors with remote access privileges to AccuCode AI’s network must ensure their remote access connection is as secure as an on-site connection.
When accessing the network from a personal computer, authorized users are responsible for preventing access by non-authorized users, including family members. Performing illegal activities through the network is strictly prohibited.
4.1 Requirements
- 4.1.1 Secure remote access must use encryption (e.g. VPN) and strong passphrases.
- 4.1.2 Authorized users shall protect their login credentials, even from family members.
- 4.1.3 When connecting to AccuCode AI’s network, the remote host must not be connected to any other network simultaneously, with the exception of personal networks under the complete control of the authorized user.
- 4.1.4 Use of external resources requires advance approval from InfoSec.
- 4.1.5 All remote hosts must have up-to-date antivirus software.
- 4.1.6 Personal equipment must not be used for remote access.
4.2 Protecting PHI When Working Remotely
- Ensure home workspace cannot be viewed by others, including family.
- Lock computer when not in use. Never leave it unattended and accessible.
- Do not print PHI at home.
- Do not store PHI on removable media.
- Only discuss PHI in private where conversations cannot be overheard.
- Report any potential PHI breaches immediately, even if unintentional.
5. Policy Compliance
The InfoSec team will verify compliance with this policy through various methods, including audits and business tool reports. Any exceptions must be approved by InfoSec in advance. Employees found to have violated this policy may face disciplinary action, up to and including termination.