Chapter 1
Authentication Standards
Effective authentication is critical for protecting AccuCode AI’s systems, data, and user accounts. This section outlines the standards and requirements for implementing secure authentication mechanisms across the organization.
All employees and third parties must adhere to these authentication policies. Questions or concerns should be directed to the InfoSec team at security@accucodeai.com.
Password Construction Standards
Version 1.0.3
Last Updated 2024-03-28
APPROVED
1. Overview
Passwords are a critical component of information security. Passwords serve to
protect access to user accounts, data, and systems. However, a poorly
constructed or easily guessed password can compromise the strongest defenses.
This guideline provides best practices for creating strong passwords and using
additional security measures such as hardware-based two-factor authentication
(2FA) and password managers.
2. Purpose
The purpose of these guidelines is to provide best practices for the creation of
strong passwords and the use of additional security measures to protect user
accounts and sensitive data.
3. Scope
This guideline applies to employees, contractors, consultants, temporary and
other workers, including all personnel affiliated with third parties. This
guideline applies to all passwords including but not limited to user-level
accounts, system-level accounts, web accounts, e-mail accounts, screen saver
protection, voicemail, and local router logins.
4. Standards
4.1 Password Strength
- Passwords should be at least 16 characters long. The more characters a
password has, the stronger it is.
- Use passphrases, which are passwords made up of multiple words. Examples
include “cactus trace4 week303end” or “bl0ck-curious-suNNy-leaves”.
Passphrases are both easy to remember and type yet meet the strength
requirements.
- Passwords should include a mix of uppercase and lowercase letters, numbers,
and special characters.
- Avoid using easily guessable information such as personal information,
dictionary words, or common phrases.
4.2 Password Managers
- Use a reputable password manager to generate, store, and manage strong, unique
passwords for each account.
- Password managers should be protected with a strong master password with
hardware-based 2FA.
4.3 Two-Factor Authentication (2FA)
- Enable hardware-based 2FA, such as security keys or smart cards, for all
critical accounts, including but not limited to email, VPN, and remote access
systems.
- Where hardware-based 2FA is not available, use app-based 2FA or SMS-based 2FA
as a secondary option.
4.4 Password Auditing
- Password cracking or guessing may be performed on a periodic or random basis
by the InfoSec Team or its delegates.
- If a password is guessed or cracked during one of these scans, the user will
be required to change it.
5. Standards Compliance
5.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods,
including but not limited to password cracking exercises, business tool reports,
internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Version 1.0.3
Last Updated 2023-10-16
APPROVED
1. Purpose
This document outlines the policy for third-party organizations connecting to
AccuCode AI Inc. networks for the purpose of transacting business related to the
company.
2. Scope
This policy applies to all connections between third parties that require access
to non-public AccuCode AI Inc. resources, regardless of the technology used for
the connection (e.g., telco circuit or VPN). Connections to third parties such
as Internet Service Providers (ISPs) or the Public Switched Telephone Network do
not fall under this policy.
3. Policy
3.1 Security Review
All new extranet connectivity requests must undergo a security review conducted
by the InfoSec team. The review ensures that access aligns with business
requirements and adheres to the principle of least access.
3.2 Business Case
All production extranet connections must be accompanied by a valid written
business justification, approved by a project manager in the extranet group. Lab
connections must be approved by the team responsible for lab security.
The Sponsoring Organization must designate a Point of Contact (POC) responsible
for the portions of this policy and the Third Party Agreement that pertain to
them. The relevant extranet organization must be promptly informed of any
changes to the POC.
3.4 Modifying or Changing Connectivity and Access
All access changes must be accompanied by a valid business justification and are
subject to security review. Changes must be implemented via the corporate change
management process. The Sponsoring Organization is responsible for notifying the
extranet management group and/or InfoSec of any material changes to their
originally provided information.
3.5 Terminating Access
When access is no longer required, the Sponsoring Organization must notify the
responsible extranet team, which will terminate the access as appropriate. The
extranet and lab security teams must conduct annual audits of their respective
connections to ensure that all existing connections are still needed and that
the provided access meets the connection’s needs. Deprecated connections or
those no longer used to conduct business will be terminated immediately. InfoSec
and/or the extranet team will notify the POC or the Sponsoring Organization of
any changes prior to taking action.
4. Policy Compliance
4.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods,
including but not limited to business tool reports, internal and external
audits, and feedback to the policy owner.
4.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
4.3 Non-Compliance
Employees found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Mobile Device Encryption Policy
Version 1.0.5
Last Updated 2024-01-23
APPROVED
1. Overview
Mobile devices such as smartphones and tablets can create added risk and
potential targets for data loss, especially given the sensitive nature of the
healthcare documents processed by AccuCode AI. As such, their use must be in
alignment with appropriate standards, and encryption technology should be used
when possible to protect sensitive data.
2. Purpose
This document describes AccuCode AI’s Information Security requirements for
encrypting data at rest on mobile devices to ensure the confidentiality and
integrity of sensitive healthcare information.
3. Scope
This policy applies to any mobile device issued by or used for business which
contains stored data owned by AccuCode AI Inc.
4. Policy
All mobile devices containing stored data owned by AccuCode AI must use an
approved method of encryption to protect data at rest. Mobile devices are
defined to include laptops, smartphones, and tablets. Users are expressly
forbidden from storing data on devices that are not issued by AccuCode AI, such
as storing email or sensitive documents on a personal device.
4.1 Laptops
Laptops must employ full disk encryption with an approved software encryption
package that is FIPS 140-3 compliant. BitLocker (for Windows) and FileVault (for
macOS) are recommended encryption solutions.
4.2 Smartphones and Tablets
Any data stored on a smartphone or tablet must be saved to an encrypted file
system using AccuCode AI-approved software that is FIPS 140-3 compliant.
AccuCode AI shall also employ remote wipe technology to remotely disable and
delete any data stored on a smartphone or tablet which is reported lost or
stolen. Mobile Device Management (MDM) solutions should be used to enforce
encryption and remote wipe capabilities.
4.3 Keys
All encryption keys and passphrases must meet complexity requirements described
in AccuCode AI’s Password Protection Policy. Keys should be securely stored and
managed using a FIPS 140-3 compliant key management system.
4.4 Loss and Theft
The loss or theft of any mobile device containing AccuCode AI data must be
reported immediately to the Information Security team.
5. Policy Compliance
5.1 Compliance Measurement
The Information Security team will verify compliance with this policy through
various methods, including but not limited to business tool reports, internal
and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the Information Security team in
advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Password Protection Policy
Version 1.0.3
Last Updated 2023-12-25
APPROVED
1. Overview
Passwords are a critical aspect of computer security. A weak or compromised
password can result in unauthorized access to our most sensitive data and/or
exploitation of our resources. All staff, including contractors and vendors with
access to systems, are responsible for taking the appropriate steps, as outlined
below, to select and secure their passwords.
2. Purpose
The purpose of this policy is to establish a standard for the secure use and
protection of all work-related passwords.
3. Scope
The scope of this policy includes all personnel who have or are responsible for
an account (or any form of access that supports or requires a password) on any
system that resides at any facility, has access to the network, or stores any
non-public information.
4. Policy
4.1 Password Creation and Use
4.1.1 All user-level and system-level passwords must conform to the Password
Construction Standards.
4.1.2 Users must use a separate, unique password for each of their work-related
accounts. Users may not use any work-related passwords for their own personal
accounts.
4.1.3 Staff are required to use authorized, approved password managers to
securely store and manage all their work-related passwords.
4.1.4 User accounts that have system-level privileges granted through group
memberships or programs such as sudo must have a unique password from all other
accounts held by that user to access system-level privileges. In addition,
hardware-based multi-factor authentication is required for any privileged
accounts.
4.2 Password Change
4.2.1 Passwords should be changed only when there is reason to believe a
password has been compromised or fails to meet our Password Creation
Requirements. We do not recommend the use or setting of regular password
expiration.
4.3 Password Protection
4.3.1 Passwords must not be shared with anyone, including supervisors and
coworkers. All passwords are to be treated as sensitive, Confidential
information.
4.3.2 Passwords must not be inserted into email/chat messages or other forms of
electronic communication, nor revealed over the phone to anyone.
4.3.3 Passwords may be stored only in password managers authorized by the
organization.
4.3.4 Do not use the “Remember Password” feature of applications (for example,
web browsers).
4.3.5 Any individual suspecting that their password may have been compromised
must report the incident and change all relevant passwords.
4.4 Application Development
Application developers must ensure that their programs contain the following
security precautions:
4.4.1 Applications must support authentication of individual users, not groups.
4.4.2 Applications must not store passwords in clear text or in any easily
reversible form.
4.4.3 Applications must not transmit passwords in clear text over the network.
4.4.4 Applications must provide for some sort of role management, such that one
user can take over the functions of another without having to know the other’s
password.
4.5 Multi-Factor Authentication
4.5.1 Hardware-based multi-factor authentication is required and must be used
whenever possible, not only for work-related accounts but for personal accounts
as well.
5. Policy Compliance
5.1 Compliance Measurement
The InfoSec team will verify compliance with this policy through various methods,
including but not limited to business tool reports, internal and external
audits, and feedback to the policy owner.
5.2 Exceptions
Any exception to the policy must be approved by the InfoSec team in advance.
5.3 Non-Compliance
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Remote Access Policy
Version 1.0.2
Last Updated 2024-01-16
APPROVED
1. Overview
Remote access to AccuCode AI’s corporate network is essential to maintain our
team’s productivity, especially with many employees working from home. However,
remote access often originates from networks with lower security postures that
may already be compromised. While these remote networks are beyond AccuCode AI’s
direct control, we must mitigate the risks to the best of our ability,
particularly given the sensitive protected health information (PHI) we handle.
2. Purpose
The purpose of this policy is to define rules and requirements for connecting to
AccuCode AI’s network from any remote host. These rules aim to minimize the
potential exposure to damages which may result from unauthorized access to PHI
and other sensitive data. Damages include the loss of PHI, damage to public
image, fines, and other financial liabilities.
3. Scope
This policy applies to all employees and contractors with an AccuCode AI-owned
or personally-owned computer used to connect to the corporate network to do work
on behalf of AccuCode AI. This covers any remote access connections, including
email and intranet access.
4. Policy
Employees and contractors with remote access privileges to AccuCode AI’s network
must ensure their remote access connection is as secure as an on-site
connection.
When accessing the network from a personal computer, authorized users are
responsible for preventing access by non-authorized users, including family
members. Performing illegal activities through the network is strictly
prohibited.
4.1 Requirements
- 4.1.1 Secure remote access must use encryption (e.g. VPN) and strong
passphrases.
- 4.1.2 Authorized users shall protect their login credentials, even from family
members.
- 4.1.3 When connecting to AccuCode AI’s network, the remote host must not be
connected to any other network simultaneously, with the exception of personal
networks under the complete control of the authorized user.
- 4.1.4 Use of external resources requires advance approval from InfoSec.
- 4.1.5 All remote hosts must have up-to-date antivirus software.
- 4.1.6 Personal equipment must not be used for remote access.
4.2 Protecting PHI When Working Remotely
- Ensure home workspace cannot be viewed by others, including family.
- Lock computer when not in use. Never leave it unattended and accessible.
- Do not print PHI at home.
- Do not store PHI on removable media.
- Only discuss PHI in private where conversations cannot be overheard.
- Report any potential PHI breaches immediately, even if unintentional.
5. Policy Compliance
The InfoSec team will verify compliance with this policy through various methods,
including audits and business tool reports. Any exceptions must be approved by
InfoSec in advance. Employees found to have violated this policy may face
disciplinary action, up to and including termination.
Version 1.0.1
Last Updated 2024-01-12
APPROVED
1. Overview
AccuCode AI Inc. processes sensitive healthcare documents containing protected
health information (PHI). Remote access tools provide a convenient way for users
and support staff to share screens and access systems remotely. However, if not
properly secured and controlled, these tools can also open backdoors into the
network that could lead to theft, unauthorized access or destruction of
sensitive data assets.
Therefore, only approved, monitored and strictly governed remote access tools
may be used on AccuCode AI’s computer systems. This policy defines the
requirements for using remote access tools.
2. Scope
This policy applies to all remote access connections where either end terminates
at an AccuCode AI owned or managed asset or system.
3. Policy Requirements
All remote access tools used to communicate with AccuCode AI assets and systems
must adhere to the following:
Only remote access tools on the approved software list maintained by the IT
department are permitted. The current approved tools are:
- SSH (with AD auth)
- Microsoft Remote Desktop (over VPN only)
- Citrix GoToMyPC (over VPN only)
Procedures for secure configuration of each approved tool are provided by IT and
must be followed. The list of approved tools is subject to change.
3.2 Authentication
- All remote access tools that allow communication from external networks must
require multi-factor authentication using methods such as hardware tokens,
smart cards, or additional PIN/password.
- Authentication must use Active Directory or LDAP as the user identity source.
- Authentication protocols must be resistant to replay attacks (for example,
OAuth 2.0).
- Both ends of remote access sessions must be mutually authenticated.
3.3 Access Control
- Remote access tools must be configured to use application layer proxies rather
than allowing direct connections through perimeter firewalls.
- Connections must be encrypted end-to-end using strong encryption protocols in
compliance with AccuCode AI’s network encryption policy.
Remote access tools must not interfere with, disable or circumvent antivirus,
DLP, or other security systems.
3.5 Procurement
All remote access tools must be purchased through and approved by the IT
department via the standard procurement process.
4. Policy Compliance
4.1 Compliance Measurement
The Information Security team will verify compliance with this policy through
various methods, including but not limited to:
- Reports from business tools
- Internal and external audits
- Feedback to the policy owner
4.2 Exceptions
Any exceptions to this policy must be approved in advance by the Information
Security team.
4.3 Non-Compliance
Employees found to have violated this policy may face disciplinary action up to
and including termination of employment.