
Name : Đào Quốc Trung

StudentID : SE151141
Course name : IAP301

Lab #6 – Assessment Worksheet


Elements of a Remote Access Domain Policy

| Remote Access Domain Risks & Threats | Risk Mitigation Tactic/Solution |
|---|---|
| Brute force user ID and password attacks | Complex passwords, multi-factor authentication, and account lockout after failed login attempts |
| Multiple login retries and access control attacks | Account lockout after failed login attempts, and limit the number of login retries. Also, monitor and log all login attempts for suspicious activities. |
| Unauthorized remote access to IT systems, applications, and data | Use a VPN or other secure remote access solutions that authenticate and encrypt all remote connections. Also, implement proper access controls and permissions to restrict unauthorized access. |
| Privacy data or confidential data is compromised remotely | Use encryption to protect sensitive data during transmission and storage. Also, implement proper access controls and permissions to restrict unauthorized access. |
| Data leakage in violation of existing Data Classification Standards | Use data loss prevention (DLP) tools to detect and prevent data leakage. Also, educate employees on data handling policies and procedures. |
| Mobile worker laptop is stolen | Use full disk encryption to protect data on laptops and other mobile devices. Also, implement device tracking and remote wipe capabilities. |
| Mobile worker token or other lost or stolen authentication device | Implement multi-factor authentication to reduce the risk of unauthorized access. Also, have a policy in place for reporting lost or stolen authentication devices and revoking access. |
| Remote worker requires remote access to medical patient online system through the public Internet | Use secure remote access solutions that authenticate and encrypt all remote connections. Also, restrict access to the patient system to only authorized personnel with a legitimate need-to-know. |
| Users and employees are unaware of the risks and threats caused by the public Internet | Provide regular security awareness training and education to employees to increase their understanding of the risks and threats associated with remote access. Also, establish clear policies and guidelines for remote access to ensure compliance and security. |

Define a Remote Access Policy to Support Remote Healthcare Clinics

ABC Healthcare Provider


Remote Access Policy for Remote Workers & Medical Clinics

Policy Statement
This policy aims to establish guidelines and procedures for remote access to ABC Healthcare
Provider's information technology (IT) systems, applications, and data. It also aims to ensure
compliance with HIPAA and IT security best practices while accessing the organization's
resources through the public Internet.

Purpose/Objectives
The purpose of this policy is to:
• Provide remote access to employees and medical staff for their work-related tasks
• Safeguard confidential patient data and comply with HIPAA regulations
• Ensure the security of remote access to ABC Healthcare Provider's resources
• Protect ABC Healthcare Provider's IT assets from unauthorized access or misuse
• Minimize the risks associated with remote access through proper security measures
and control
Scope
This policy applies to all remote and mobile employees, medical staff, and authorized
contractors who access ABC Healthcare Provider's IT resources through the public Internet.
It impacts the Remote Access Domain of the organization's IT infrastructure. The following
IT assets fall within the scope of this policy:
• Laptops, tablets, and smartphones owned by ABC Healthcare Provider
• Access to patient medical records through the public Internet using SSL VPN secure
web application front-end
• Remote access to IT systems, applications, and data through secure VPN connections
• Any other IT assets used for remote access to ABC Healthcare Provider's resources
Standards
This policy complies with the following IT security standards:
• HIPAA regulations regarding electronic personal healthcare information (ePHI)
• SSL VPN standards for remote access to patient medical records
• Encryption standards for securing remote access to IT resources
Procedures

• All employees and medical staff must complete remote access security training
annually.
• Remote access to ABC Healthcare Provider's resources must be authorized by the
appropriate manager or supervisor.
• Remote workers must use secure VPN connections for remote access to IT systems,
applications, and data.
• All laptops, tablets, and smartphones owned by ABC Healthcare Provider must have
updated anti-virus software installed and enabled before being used for remote access.
• Remote workers must use strong passwords and enable two-factor authentication for
remote access.
• The organization's IT department must monitor and control remote access by
implementing system logging and VPN connections.
• All remote and mobile employees must follow the organization's Data Classification
Standard and ensure the confidentiality, integrity, and availability of data accessed
remotely.
Guidelines
ABC Healthcare Provider will conduct regular audits and reviews of the remote access policy
to ensure compliance with HIPAA regulations and IT security best practices. Any violations
of this policy will be subject to disciplinary action and may result in termination of
employment or contract. All employees and medical staff are responsible for complying with
this policy and reporting any suspicious or unauthorized access to IT resources.

Lab Assessment Questions & Answers
1. What are the biggest risks when using the public Internet as a WAN or transport
for remote access to your organization’s IT infrastructure?
- The biggest risks when using the public Internet as a WAN or transport for remote access
to an organization's IT infrastructure include unauthorized access, data interception, data
theft, malware infections, and denial of service attacks.
2. Why does this mock healthcare organization need to define a Remote Access
Policy to properly implement remote access through the public Internet?
- This mock healthcare organization needs to define a Remote Access Policy to properly
implement remote access through the public Internet because of the security and
compliance risks associated with remote access to patient medical records systems. The
policy helps to ensure that remote access is only granted to authorized users and devices
and that security controls are implemented to protect sensitive data.
3. What is the relationship between an Acceptable Use Policy (AUP) and a Security
Awareness & Training Policy?
- An Acceptable Use Policy (AUP) defines what is allowed and not allowed when using an
organization's IT resources, while a Security Awareness & Training Policy outlines the
security training requirements for employees and users to help prevent security incidents
caused by human error. Both policies are complementary and important for overall IT
security.
4. One of the major prerequisites for this scenario was the requirement to support
nurses and healthcare professionals that are mobile and who visit patients in
their homes. Another requirement was for remote clinics to access a shared
patient medical records system via a web browser. Which type of secure remote
VPN solution is recommended for these two types of remote access?
- An SSL VPN solution is recommended for both types of remote access as it provides
secure access to web applications and resources through a web browser.
5. When trying to combat unauthorized access and login attempts to IT systems
and applications, what is needed within the LAN-to-WAN Domain to monitor
and alarm on unauthorized login attempts to the organization’s IT
infrastructure?
- To monitor and alarm on unauthorized login attempts to an organization's IT
infrastructure, intrusion detection and prevention systems (IDPS) can be implemented
within the LAN-to-WAN Domain.
6. Why is it important to educate mobile workers and users about the risks, threats, and
vulnerabilities when conducting remote access through the public Internet?
- It is important to educate mobile workers and users about the risks, threats, and
vulnerabilities when conducting remote access through the public Internet so they can be
aware of potential security incidents and take appropriate precautions to protect sensitive
data.
7. Why should social engineering be included in security awareness training?
- Social engineering should be included in security awareness training because it is a
common tactic used by attackers to trick users into divulging sensitive information or
taking actions that compromise security.
8. Which domain (not the Remote Access Domain) throughout the seven domains
of a typical IT infrastructure supports remote access connectivity for users and
mobile workers needing to connect to the organization’s IT infrastructure?
- The WAN Domain supports remote access connectivity for users and mobile workers
needing to connect to an organization's IT infrastructure.
9. Where are the implementation instructions defined in a Remote Access Policy
definition? Does this section describe how to support the two different remote
access users and requirements as described in this scenario?
- Implementation instructions are typically defined in the Procedures section of a Remote
Access Policy definition. This section should describe how to support the two different
remote access users and requirements as described in the scenario.
10. A remote clinic has a requirement to upload ePHI data from the clinic to the
organization’s IT infrastructure on a daily basis in a batch-processing format.
How should this remote access requirement be handled within or outside of this
Remote Access Policy definition?
- The remote access requirement to upload ePHI data from the remote clinic to the
organization's IT infrastructure on a daily basis should be handled within the Remote
Access Policy definition, specifying the appropriate security controls and protocols to
protect the data during transmission.
11. Why is a remote access policy definition a best practice for handling remote
employees and authorized users that require remote access from home or on
business trips?
- A remote access policy definition is a best practice for handling remote employees and
authorized users that require remote access because it helps to ensure that remote access
is granted only to authorized users and devices and that security controls are implemented
to protect sensitive data.
12. Why is it a best practice of a remote access policy definition to require employees
and users to fill in a separate VPN remote access authorization form?
- Requiring employees and users to fill in a separate VPN remote access authorization form
is a best practice because it helps to ensure that remote access is granted only to
authorized users and devices and that security controls are implemented to protect
sensitive data.
13. Why is it important to align standards, procedures, and guidelines for a remote
access policy definition?
- Aligning standards, procedures, and guidelines for a remote access policy definition helps
to ensure that security controls are consistently implemented and that all employees and
users understand and follow the same security protocols when accessing sensitive data
remotely.
14. What security controls, monitoring, and logging should be enabled for remote
VPN access and users?
- Security controls, monitoring, and logging that should be enabled for remote VPN access
and users include authentication and access controls, data encryption, intrusion detection
and prevention, and logging and audit trails for remote access activity.
15. Should an organization mention that they will be monitoring and logging remote
access use in their Remote Access Policy Definition?
- Yes, an organization should mention that they will be monitoring and logging remote
access use in their Remote Access Policy Definition to inform users of the security
measures in place and to deter unauthorized access attempts.
