
Lab #6 - Assessment Worksheet

Elements of a Remote Access Domain Policy

Course Name: IAA202


Student Name: Dương Chí Hùng
Instructor Name: Hồ Hải
Lab Due Date: 27/6/2021

Overview

Remote Access Domain Risks & Threats, with the Risk Mitigation Tactic / Solution for each:

Risk: Brute force user ID and password attacks
Mitigation:
- Increase the password complexity requirement
- Cap the number of login attempts (lock out or throttle after repeated failures)

Risk: Multiple login retries and access control attacks
Mitigation:
- Restrict the number of attempts allowed at login

Risk: Unauthorized remote access to IT systems, applications, and data
Mitigation:
- Set up an IAM system for the company
- Set up permission levels for each system
- Monitor access logging at all times

Risk: Privacy data or confidential data is compromised remotely
Mitigation:
- Apply encryption to the data
- Protect the database by tightening the firewall rules in front of it

Risk: Data leakage in violation of existing Data Classification Standards
Mitigation:
- Hire a third-party professional on Data Classification Standards to audit and implement better security

Risk: Mobile worker laptop is stolen
Mitigation:
- Remove the laptop's UUID from the system (deregister the device)
- Trigger a remote data wipe on the laptop if available
- Install stronger full-disk encryption on the drive

Risk: Mobile worker token or other authentication device is lost or stolen
Mitigation:
- Revoke the token's access in the database
- Provide the worker with a new one
- Migrate the worker's personal data to the new one

Risk: Remote worker requires remote access to the medical patient online system through the public Internet
Mitigation:
- Use a proxy server to direct the connection to the data center
- Use data encryption to make sure there is no data leakage

Risk: Users and employees are unaware of the risks and threats caused by the public Internet
Mitigation:
- Host seminars on Internet security
- Publish a guideline on safety on the Internet
- Have employee safety training on using the Internet

ABC Healthcare Provider


Remote Access Policy for Remote Workers & Medical Clinics

Policy Statement
ABC Healthcare Provider is committed to managing the confidentiality, integrity,
and availability of their information technology (IT) networks, systems, and
applications (IT Systems). This includes establishing guidelines for Remote Access
to the Organization's critical information assets maintained within the IT Systems.
Remote User responsibilities are described below:
- Remote Users must ensure that the Remote Hosts they use to access IT Resources
meet all security expectations specified in the End User Security Guidelines prior
to accessing any IT Resource.
- It is the responsibility of Remote Users to take reasonable precautions to ensure
that their remote access connections are secured from interception, eavesdropping,
or misuse.
- All Remote Users are responsible for following applicable policy, including all
Handling Requirements, when handling any data remotely accessed in the
course of the Remote User's job function. Policies to follow and actions to
perform include, but are not limited to:
- All Remote Users are expected to remotely access data only in accordance with
IT policies.
- Do not save or store sensitive or restricted data on the Remote Host used for
access.
Purpose/Objectives
The remote access policy is designed to prevent damage to the organizational
network or computer systems and to prevent compromise or loss of data.
Scope
This policy applies to all ABC Healthcare Provider employees, contractors, vendors
and agents with an ABC Healthcare Provider owned or personally-owned
computer or workstation used to connect to the ABC Healthcare Provider
network. This policy applies to remote access connections used to do work on
behalf of ABC Healthcare Provider, including reading or sending email and viewing
intranet web resources. Remote access implementations that are covered by this
policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL,
VPN, SSH, and cable modems.
All Remote Users must follow the security requirements set forth in this standard
for any Remote Host accessing IT Resources prior to such access, as well as any
guidelines, procedures, or other requirements issued by their departmental IT
units and/or the owners of the IT Resource which are to be remotely accessed.
Procedures
This policy applies to every employee, contractor, consultant, temporary worker, and
other worker of ABC Healthcare Provider, including all personnel affiliated with
third parties. Remote Access to ABC Healthcare Provider IT Systems is a privilege
granted through the user provisioning process to authorized workforce members.
Users of Remote Access must have a submitted Remote Access Request form on
file with IT, and users of Remote Access who access Meditech must have a signed
Confidentiality Agreement. All remote access into ABC Healthcare Provider
networks across the Internet must use approved VPN technology, and the remote
access must be approved in advance by the Department Authorizer. Devices that
will be used for remote access that are not ABC Healthcare Provider owned
equipment must be configured to comply with the provisions of this policy.
+ Compliance Measurement:

The Infosec Team will verify compliance with this policy through various methods,
including but not limited to periodic walk-throughs, video monitoring, business tool
reports, internal and external audits, and inspection, and will provide feedback
to the policy owner and appropriate business unit manager.
+ Exceptions:
Any exception to the policy must be approved by Remote Access Services and
the Infosec Team in advance.
+ Non-Compliance:
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Guidelines
Any employee, contractor, or other third party found to have violated this policy
may be subject to disciplinary action, up to and including termination of
employment. Criminal charges could be brought if it is determined that a
violation of this policy also violates any local, state or federal law. Remote access
may be granted to physicians with active privileges, business associates, vendors,
and/or other individuals (Users) as approved by ABC Healthcare Provider Leadership.
Remote Access privileges granted to Users will be restricted to the minimum
necessary information required to carry out job responsibilities, terms of business
agreements, or as further defined by ABC Healthcare Provider leadership.

Lab Assessment Questions & Answers


1. What are the biggest risks when using the public Internet as a WAN or
transport for remote access to your organization’s IT infrastructure?
The biggest risk when using the public Internet as a WAN is loss of confidentiality:
eavesdropping is common on unsecured Wi-Fi networks, where attackers can easily
capture data and passwords in transit.

2. Why does this mock healthcare organization need to define a Remote Access
Policy to properly implement remote access through the public Internet?
The mock ABC Healthcare Provider needs to define a remote access policy so that,
when remote access crosses the public Internet to reach the healthcare network,
only authorized personnel are able to access the network and the required controls
are set out in advance.

3. What is the relationship between an Acceptable Use Policy (AUP) and a
Security Awareness & Training Policy?
The acceptable use policy is a component of the security awareness and training
policy. The AUP specifies what users can and cannot do on company
resources, while the security awareness and training policy addresses security as a
whole throughout the organization.

4. One of the major prerequisites for this scenario was the requirement to
support nurses and healthcare professionals that are mobile and who visit
patients in their homes. Another requirement was for remote clinics to access a
shared patient medical records system via a web browser. Which type of secure
remote VPN solution is recommended for these two types of remote access?
They would use a remote access (client-to-site) VPN to support the mobile nurses
who visit patients in their homes, and a site-to-site VPN for the remote clinics
accessing the shared medical records system.

5. When trying to combat unauthorized access and login attempts to IT systems
and applications, what is needed within the LAN-to-WAN Domain to monitor
and alarm on unauthorized login attempts to the organization's IT
infrastructure?
Specifically, an IDS/IPS at the LAN-to-WAN boundary is needed to log and alarm
on unauthorized access attempts, with its alerts correlated against the
authentication logs of the System/Application Domain and the log monitor on each
workstation in the Workstation Domain.

6. Why is it important to educate mobile workers and users about the risks, threats,
and vulnerabilities when conducting remote access through the public Internet?
Data breaches and packet sniffing are real threats on the public Internet, so users
should be advised to apply best practices when remotely accessing the
infrastructure online.

7. Why should social engineering be included in security awareness training?

Nowadays scammers are common: they send phishing mail, give false information,
and may even spoof the company's own email to scam everyone. It would therefore
be advisable to have social engineering as a category in security awareness
training.

8. Which domain (not the Remote Access Domain) throughout the seven
domains of a typical IT infrastructure supports remote access connectivity for
users and mobile workers needing to connect to the organization’s IT
infrastructure?

The WAN Domain.


9. Where are the implementation instructions defined in a Remote Access Policy
definition? Does this section describe how to support the two different remote
access users and requirements as described in this scenario?

The implementation instructions are defined in the Procedures section of the
Remote Access Policy. As written, that section states the general requirements (a
Remote Access Request form on file, approved VPN technology, Department
Authorizer approval, and compliant devices) but does not separately describe how
the mobile nurses and the remote clinics are to be supported.

10. A remote clinic has a requirement to upload ePHI data from the clinic to the
organization’s IT infrastructure on a daily basis in a batch-processing format.
How should this remote access requirement be handled within or outside of this
Remote Access Policy definition?

This requirement should be handled within the Remote Access Policy definition:
the daily batch upload is performed only by an authorized member of the
company, and VPN access for that user is granted and controlled through Active
Directory.

11. Why is a remote access policy definition a best practice for handling remote
employees and authorized users that require remote access from home or on
business trips?

A remote access policy is best practice for handling remote employees and
authorized users because it gives the user a secure and flexible way to access the
network from anywhere.

12. Why is it a best practice of a remote access policy definition to require
employees and users to fill in a separate VPN remote access authorization form?

It is best practice because the form provides non-repudiation of the user's access
request, so that only authorized persons can access the important documents.
13. Why is it important to align standards, procedures, and guidelines for a
remote access policy definition?

It is important to align standards, procedures, and guidelines for a remote access
policy so that the data remains confidential as required by law.

14. What security controls, monitoring, and logging should be enabled for
remote VPN access and users?

The security controls, monitoring and logging that should be enabled for remote VPN
access and users are multifactor authentication of users, an account and computer
audit policy for monitoring, and event logging with administrators receiving access
requests or notifications.
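As an added example (not part of the original worksheet), the following script shows the monitoring asked for in Questions 5 and 14, and the login attempt capping listed in the Overview, as detection logic run over VPN gateway authentication logs. The log format, the host name vpn-gw, the user names and the IP addresses are all constructed for this example and do not come from any specific VPN product; the thresholds are assumptions a real deployment would tune.

```python
"""Added example: alarming on unauthorized VPN login attempts.

Sliding-window detection over VPN gateway authentication logs, the kind of
check an IDS or log monitor at the LAN-to-WAN boundary performs. The log
format, host name, user names and addresses are constructed for this
example and do not come from any specific product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a brute-force run against jsmith (with one stale
# failure from 50 minutes earlier), a legitimate login, a password spray
# from one source against five accounts, and one malformed line.
SAMPLE_LOG = """\
2021-06-27T07:10:00 vpn-gw auth FAIL user=jsmith src=203.0.113.5
2021-06-27T08:00:01 vpn-gw auth FAIL user=jsmith src=203.0.113.5
2021-06-27T08:00:03 vpn-gw auth FAIL user=jsmith src=203.0.113.5
2021-06-27T08:00:04 vpn-gw auth FAIL user=jsmith src=203.0.113.5
2021-06-27T08:00:06 vpn-gw auth FAIL user=jsmith src=203.0.113.5
2021-06-27T08:00:09 vpn-gw auth OK user=nurse01 src=198.51.100.7
2021-06-27T08:00:10 vpn-gw auth FAIL user=jsmith src=203.0.113.5
2021-06-27T08:00:12 vpn-gw auth OK user=jsmith src=203.0.113.5
2021-06-27T08:01:00 vpn-gw auth FAIL user=alice src=192.0.2.9
2021-06-27T08:01:01 vpn-gw auth FAIL user=bob src=192.0.2.9
2021-06-27T08:01:02 vpn-gw auth FAIL user=carol src=192.0.2.9
2021-06-27T08:01:03 vpn-gw auth FAIL user=dave src=192.0.2.9
2021-06-27T08:01:04 vpn-gw auth FAIL user=erin src=192.0.2.9
this line is garbage and must be skipped, not crash the monitor
"""

# Hypothetical line layout: timestamp, gateway, result, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) vpn-gw auth "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def _evict(events, now, window):
    """Drop events that fell out of the sliding window (events are (ts, tag))."""
    while events and now - events[0][0] > window:
        events.popleft()


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Scan log lines in time order and return a list of alerts.

    brute_force:            threshold failures for one (user, src) in the window
    password_spray:         one src fails against threshold distinct users
    success_after_failures: a login succeeds for a user who had >= threshold
                            recent failures (possible compromised credential)
    """
    fails_by_pair = defaultdict(deque)  # (user, src) -> deque of (ts, None)
    fails_by_user = defaultdict(deque)  # user -> deque of (ts, src)
    fails_by_src = defaultdict(deque)   # src -> deque of (ts, user)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed input is skipped, never fatal
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["result"] == "FAIL":
            pair = fails_by_pair[(user, src)]
            pair.append((ts, None))
            _evict(pair, ts, window)
            if len(pair) == threshold:  # fire once, on the crossing
                alerts.append(("brute_force", user, src))

            per_user = fails_by_user[user]
            per_user.append((ts, src))
            _evict(per_user, ts, window)

            per_src = fails_by_src[src]
            per_src.append((ts, user))
            _evict(per_src, ts, window)
            if len({u for _, u in per_src}) == threshold:
                alerts.append(("password_spray", src, threshold))
        else:
            per_user = fails_by_user[user]
            _evict(per_user, ts, window)
            if len(per_user) >= threshold:
                alerts.append(("success_after_failures", user, src))
            per_user.clear()  # a success resets the failure history
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The stale 07:10 failure is evicted before the window is counted, so raising the threshold to 6 on the same sample produces no alerts; the success-after-failures rule is the one worth routing to an analyst, since it is the signature of a brute force that worked.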

15. Should an organization mention that they will be monitoring and logging
remote access use in the Remote Access Policy Definition?

Yes, an organization should state in its remote access policy that it will be
monitoring and logging remote access use, so that it is transparent and employees
know the policy.
