Automatically Forwarded Email Policy

Version1.0.4 Last Updated2024-02-22 APPROVED

1. Overview

This policy outlines the guidelines and restrictions regarding automatically forwarding emails from AccuCode AI Inc. email accounts to external email addresses. The purpose is to prevent unauthorized or inadvertent disclosure of sensitive company information.

2. Purpose

The purpose of this policy is to ensure the protection of sensitive information processed by AccuCode AI Inc., including protected health information (PHI) from hospitals and clinics, and to prevent unauthorized disclosure of such information through automatically forwarded emails.

3. Scope

This policy applies to all employees, contractors, vendors, and agents operating on behalf of AccuCode AI Inc. It covers the automatic forwarding of emails from company email accounts to external email addresses.

4. Policy

1. Employees are prohibited from setting up automatic email forwarding from their AccuCode AI Inc. email accounts to any external email address without prior approval from their manager and the Information Security (InfoSec) team.

2. Sensitive information, as defined in the AccuCode AI Inc. Data Classification and Protection Policy, must not be forwarded via email to any external party unless it is critical to business operations and the email is encrypted in accordance with the AccuCode AI Inc. Acceptable Encryption Policy.

3. Employees must exercise extreme caution when sending any email from an AccuCode AI Inc. email account to an external recipient, ensuring that no sensitive information is inadvertently disclosed.

4. The InfoSec team reserves the right to monitor and audit email forwarding settings and to revoke any unauthorized email forwarding configurations.

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to:

• Periodic reviews of email forwarding configurations
• Monitoring of email traffic
• Internal and external audits
• Feedback to the policy owner

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Definitions and Terms

• Email: Electronic mail, a method of exchanging messages between people using electronic devices.
• SMTP: Simple Mail Transfer Protocol, a communication protocol for electronic mail transmission.
• Forwarded Email: An email message that is automatically sent from one email account to another.
• Sensitive Information: Information that is protected against unwarranted disclosure and includes PHI, financial information, and proprietary data.
• Unauthorized Disclosure: The intentional or unintentional revelation of sensitive information to individuals who are not authorized to receive such information.

Email Policy

Version1.0.2 Last Updated2023-12-18 APPROVED

1. Overview

Electronic email is often the primary communication and awareness method in an organization. At the same time, misuse of email can pose many legal, privacy, and security risks, thus it’s important for users to understand the appropriate use of electronic communications. This is especially critical for AccuCode AI Inc., as we process sensitive healthcare documents and patient information.

2. Purpose

The purpose of this email policy is to ensure the proper use of AccuCode AI Inc.’s email system and make users aware of what is deemed as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within AccuCode AI Inc.’s network, with a strong emphasis on protecting sensitive healthcare data.

3. Scope

This policy covers appropriate use of any email sent from an AccuCode AI Inc. email address and applies to all employees, vendors, and agents operating on behalf of AccuCode AI Inc.

4. Policy

4.1 All use of email must be consistent with AccuCode AI Inc.’s policies and procedures of ethical conduct, safety, compliance with applicable laws (including HIPAA and other healthcare regulations), and proper business practices.

4.2 AccuCode AI Inc. email accounts should be used primarily for business-related purposes; personal communication is permitted on a limited basis, but non-AccuCode AI Inc. related commercial uses are prohibited.

4.3 All data contained within an email message or an attachment must be secured according to the Data Protection Standard. Special attention must be given to Protected Health Information (PHI) and healthcare records.

4.4 Any email containing PHI and/or healthcare records must be encrypted using public key cryptography. The ciphers used for encryption must be compliant with FIPS-140-3 standards.

4.5 Email should be retained only if it qualifies as a business record. Email is a business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.

4.6 Email that is identified as a business record shall be retained according to AccuCode AI Inc.’s Record Retention Schedule.

4.7 Users are prohibited from automatically forwarding email to a third party email system (noted in 4.9 below). Individual messages which are forwarded by the user must not contain confidential or above information, especially PHI.

4.8 Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct business, to create or memorialize any binding transactions, or to store or retain email on behalf of AccuCode AI Inc. Such communications and transactions should be conducted through proper channels using AccuCode AI Inc.-approved documentation.

4.9 Using a reasonable amount of AccuCode AI Inc. resources for personal emails is acceptable, but non work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from an AccuCode AI Inc. email account is prohibited.

4.10 AccuCode AI Inc. employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.

4.11 AccuCode AI Inc. may monitor messages without prior notice. AccuCode AI Inc. is not obliged to monitor email messages.

5. Policy Compliance

5.1 Compliance Measurement The InfoSec team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions Any exception to the policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Communications Equipment Policy

Version1.0.2 Last Updated2024-02-20 APPROVED

1. Overview

This document outlines the Communications Equipment Policy for AccuCode AI to ensure secure configuration and use of all communication equipment that is part of the company’s data network.

2. Purpose

The purpose of this policy is to establish requirements for the secure configuration and management of communication equipment at AccuCode AI in order to protect sensitive healthcare data processed by the company’s AI systems.

3. Scope

This policy applies to all communication equipment, including but not limited to routers, switches, firewalls, and VPN gateways, that are part of AccuCode AI’s data network and are used in the processing, storage, or transmission of healthcare data.

4. Policy

4.1 Secure Configuration

• All communication equipment must be securely configured with necessary security features enabled before being placed into service.
• Only authorized personnel with either a monitoring role (read-only privileges) or an administrator role (configuration change privileges) shall have access to manage the communication equipment.
• All commands issued by users and security events that may pose a threat to the equipment must be logged and recorded.

4.2 User Authentication

• Local user accounts are not permitted on communication equipment.
• All users must authenticate through a central repository using a secure protocol that minimizes the risk of identity theft.

4.3 Data Encryption

• All data transmitted from the communication equipment must be encrypted using a strong encryption algorithm to protect against eavesdropping and man-in-the-middle attacks.

4.4 Event Logging and Backup

• Security events recorded by the communication equipment must be stored on media that is subject to regular backups.
• The backup process must ensure the integrity of the logged information and prevent unauthorized modifications.

4.5 Administrator Password Security

• The password for the communication equipment’s administrator account must not be known by anyone on the staff managing the equipment.
• If the highest administrative privileges are required, staff must submit a request to the internal security division, providing justification and completing the necessary forms.
• The administrator password must be reset by the highest administrator after each use to maintain security.

5. Policy Compliance

5.1 Compliance Measurement

The Information Security Team will verify compliance with this policy through various methods, including but not limited to:

• Periodic walk-throughs
• Video monitoring
• Business tool reports
• Internal and external audits
• Feedback to the policy owner

5.2 Exceptions

Any exception to this policy must be approved in advance by the Information Security Team.

5.3 Non-Compliance

Employees found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Malware Protection Policy

Version1.0.0 Last Updated2024-03-18 APPROVED

1. Overview

AccuCode AI Inc. is entrusted with the responsibility to provide professional management of clients’ sensitive healthcare data and documents as outlined in each of the contracts with its customers. Inherent in this responsibility is an obligation to provide appropriate protection against malware threats, such as viruses and spyware applications. Effective implementation of this policy will limit the exposure and effect of common malware threats to the systems they cover.

2. Purpose

The purpose of this policy is to outline which endpoint and server systems are required to have anti-malware applications, specifically a modern Endpoint Detection and Response (EDR) solution.

3. Scope

This policy applies to all endpoints and servers that AccuCode AI Inc. is responsible to manage. This explicitly includes any system for which AccuCode AI Inc. has a contractual obligation to administer. This also includes all server systems setup for internal use by AccuCode AI Inc., regardless of whether AccuCode AI Inc. retains administrative obligation or not.

4. Policy

AccuCode AI Inc. IT operations staff will adhere to this policy to determine which endpoints and servers will have an EDR installed on them and to deploy such applications as appropriate.

4.1 Endpoint Protection

All endpoints, including laptops, desktops, and workstations, MUST have an EDR installed and actively running to provide real-time protection against malware threats.

4.2 Server Protection

All servers MUST have an EDR installed and actively running to provide real-time protection against malware threats without exception.

4.3 Mail Server Protection

If the target system is a mail server, it MUST have either an external or internal anti-malware scanning application that scans all mail destined to and from the mail server. Local anti-malware scanning applications MAY be disabled during backups if an external anti-malware application still scans inbound emails while the backup is being performed.

4.4 Notable Exceptions

An exception to the above standards will generally be granted with minimal resistance and documentation if one of the following notable conditions apply to this system:

• The system is not a Windows, Linux or macOS platform

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the InfoSec team in advance.

Network Security Policy

Version1.0.5 Last Updated2024-03-28 APPROVED

1. Overview

This document outlines the Network Security Policy for AccuCode AI, including networking, routing and VPNs.

2. Purpose

The purpose of this policy is to ensure the security, confidentiality, and integrity of AccuCode AI’s network infrastructure and the sensitive healthcare data processed by the company. This policy establishes guidelines for network configuration, access control, and security measures.

3. Scope

This policy applies to all employees, contractors, and third parties who access or manage AccuCode AI’s network infrastructure and resources.

4. Policy

4.1 Network Architecture

• All network infrastructure must be hosted in private Azure virtual networks (VNets).
• Network segmentation must be implemented to isolate different environments (e.g., production, development, testing) and restrict access between segments.
• All network traffic between segments must be filtered and controlled using network security groups (NSGs) and access control lists (ACLs).

4.2 Remote Access

• Remote access to the network must be done via a WireGuard VPN with strict role-based access control (RBAC) rules in place.
• Hardware-based multi-factor authentication (MFA) must be enforced for all remote access.
• VPN access must be granted on a least-privilege basis and regularly reviewed.

4.3 Device Security

• No bring your own device (BYOD) equipment is allowed to connect to the corporate network.
• All devices connecting to the network must be company-owned and centrally managed.
• Devices must have up-to-date antivirus software, security patches, and configurations as per the company’s security standards.

4.4 Network Monitoring and Logging

• Network traffic must be monitored and logged for security events and anomalies.
• Logs must be retained for at least 90 days and regularly reviewed by the security team.
• Security incidents must be promptly investigated and reported as per the incident response plan.

4.5 Access Control

• Access to network resources must be granted based on the principle of least privilege.
• User accounts must be unique and tied to an individual’s identity.
• Privileged access must be strictly controlled and monitored.
• Unused or dormant accounts must be disabled or removed.

4.6 Configuration Management

• Network devices must be configured according to the company’s security standards and best practices.
• Default settings must be changed, and unnecessary services and protocols must be disabled.
• Configuration changes must follow a formal change management process and be properly documented.

4.7 Third-Party Access

• Third-party access to the network must be strictly controlled and monitored.
• Access must be granted only when necessary and revoked immediately after the task is completed.
• Third parties must adhere to the company’s security policies and sign appropriate non-disclosure agreements (NDAs).

5. Compliance and Enforcement

• All employees, contractors, and third parties must comply with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.
• The InfoSec team is responsible for enforcing this policy and conducting regular audits to ensure compliance.
• Exceptions to this policy must be approved by the InfoSec team and properly documented.

6. Review and Update

This policy must be reviewed and updated annually or whenever there are significant changes to the network infrastructure or security requirements.

Server Security Policy

Version1.0.4 Last Updated2024-01-01 APPROVED

1. Overview

Unsecured and vulnerable servers are a major entry point for malicious threat actors. Consistent server installation policies, ownership, and configuration management are critical for maintaining the security of AccuCode AI’s sensitive healthcare data and AI systems.

2. Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by AccuCode AI Inc. Effective implementation of this policy will minimize unauthorized access to proprietary information, protected health information (PHI), and technology.

3. Scope

All employees, contractors, consultants, temporary and other workers at AccuCode AI Inc. and its subsidiaries must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by AccuCode AI or registered under an AccuCode AI-owned internal network domain.

4. Policy

4.1 General Requirements

4.1.1 All internal servers deployed at AccuCode AI must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs, and approved by the InfoSec team.

The following items must be met:

• Servers must be registered within the corporate enterprise management system with up-to-date information including server contacts, hardware/OS details, and main functions
• Configuration changes for production servers must follow appropriate change management procedures

4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

4.2 Configuration Requirements

4.2.1 Operating System configuration should be in accordance with approved InfoSec team guidelines.

4.2.2 Unnecessary services and applications must be disabled.

4.2.3 Access to services should be logged and/or protected through access control methods.

4.2.4 The most recent security patches must be installed on the system as soon as practical.

4.2.5 Trust relationships between systems should be avoided. Always use least privilege access.

4.2.6 Privileged access must be performed over secure channels (e.g. SSH, WireGuard) when technically feasible.

4.2.7 Servers must be physically located in an access-controlled, secured environment. Servers are prohibited from operating in uncontrolled areas.

4.2.8 Per the Malware Protection Policy, all servers must have an endpoint detection and response (EDR) agent installed.

4.3 Monitoring

4.3.1 All security-related events on critical or sensitive systems must be logged and audit trails saved:

• Security logs kept online for min. 1 week
• Daily incremental backups retained for min. 1 month
• Weekly full backups retained for min. 1 month
• Monthly full backups retained for min. 180 days

4.3.2 The InfoSec team will review logs, investigate and report incidents, and prescribe corrective measures as needed. Security events include:

• Port-scan attacks
• Evidence of unauthorized privileged access
• Anomalous occurrences unrelated to specific host applications

5. Policy Compliance

5.1 Compliance Measurement

The InfoSec team will verify compliance to this policy through various methods, including business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to this policy must be approved by the InfoSec team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.