Remote Access Tools Policy

Version 1.0.1, Last Updated 2024-01-12, APPROVED

1. Overview

AccuCode AI Inc. processes sensitive healthcare documents containing protected health information (PHI). Remote access tools provide a convenient way for users and support staff to share screens and access systems remotely. However, if not properly secured and controlled, these tools can also open backdoors into the network that could lead to theft, unauthorized access or destruction of sensitive data assets.

Therefore, only approved, monitored and strictly governed remote access tools may be used on AccuCode AI’s computer systems. This policy defines the requirements for using remote access tools.

2. Scope

This policy applies to all remote access connections where either end terminates at an AccuCode AI owned or managed asset or system.

3. Policy Requirements

All remote access tools used to communicate with AccuCode AI assets and systems must adhere to the following:

3.1 Approved Tools List

Only remote access tools on the approved software list maintained by the IT department are permitted. The current approved tools are:

  • SSH (with AD auth)
  • Microsoft Remote Desktop (over VPN only)
  • Citrix GoToMyPC (over VPN only)

Procedures for secure configuration of each approved tool are provided by IT and must be followed. The list of approved tools is subject to change.

3.2 Authentication

  • All remote access tools that allow communication from external networks must require multi-factor authentication using methods such as hardware tokens, smart cards, or an additional PIN/password.
  • Authentication must use Active Directory or LDAP as the user identity source.
  • Authentication must use protocols that are resistant to replay attacks, such as OAuth 2.0.
  • Both ends of remote access sessions must be mutually authenticated.

3.3 Access Control

  • Remote access tools must be configured to use application layer proxies rather than allowing direct connections through perimeter firewalls.
  • Connections must be encrypted end-to-end using strong encryption protocols in compliance with AccuCode AI’s network encryption policy.

3.4 Security Tools

Remote access tools must not interfere with, disable or circumvent antivirus, DLP, or other security systems.

3.5 Procurement

All remote access tools must be purchased through and approved by the IT department via the standard procurement process.

4. Policy Compliance

4.1 Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to:

  • Reports from business tools
  • Internal and external audits
  • Feedback to the policy owner

4.2 Exceptions

Any exceptions to this policy must be approved in advance by the Information Security team.

4.3 Non-Compliance

Employees found to have violated this policy may face disciplinary action up to and including termination of employment.