Part 1 1.In your browser,?navigate?to and?read?the Remote Access Policy? template at?https://www.sans

Part 1

1.In your browser, navigate to and read the “Remote Access Policy” template

at https://www.sans.org/information-security-policy/.

2. Using your favorite search engine, locate a remote access policy for a higher

education institution.

3. Using your favorite search engine, locate a remote access policy for a

healthcare provider.

Question:

Write a brief summary of the information during your research. In your summary, focus

on the key elements of the remote access policy. You should also identify any unique

elements of remote access policies for higher education and healthcare institutions.

Be sure to provide links to the remote access policies you identified in steps 2 and 3.

Part2

As you found in your research, different industries have similar but different policies. When

using a policy template, it is important to ensure that the template matches the needs of your

specific industry and business.

1. Review the following risks and threats found in the Remote Access Domain:

o The organization is a local credit union that has several branches

and locations throughout the region.

o Online banking and use of the internet are the bank’s strengths,

given its limited human resources.

o The customer service department is the organization’s most critical

business function.

o The organization wants to be in compliance with the Gramm-Leach-

Bliley Act (GLBA) and IT security best practices regarding its

employees.

o The organization wants to monitor and control use of the internet by

implementing content filtering.

o The organization wants to eliminate personal use of organization-

owned IT assets and systems.

o The organization wants to monitor and control use of the e-mail

system by implementing e-mail security controls.

o The organization wants to implement security awareness training

policy mandates for all new hires and existing employees. Policy

definitions are to include GLBA and customer privacy data

requirements, in addition to a mandate for annual security

awareness training for all employees.

Question:

Identify a security control or countermeasure to mitigate each risk and threat identified

in the Remote Access Domain. These security controls or countermeasures will

become the basis of the scope of the Remote Access Domain policy definition to help

mitigate the risks and threats commonly found within the Remote Access Domain.

Part 3

3. Review the following characteristics of the fictional Healthwise Health Care

Provider:

o Healthwise has several remote health care branches and locations

throughout the region.

o Online access to patients’ medical records through the public

Internet is required for remote nurses and hospices providing in-

home medical services.

o Online access to patients’ medical records from remote clinics is

facilitated through a virtual private network (VPN) and a secure web

application front-end over the public Internet.

o The organization wants to be in compliance with the Health

Insurance Portability and Accountability Act (HIPAA) and IT security

best practices regarding remote access through the public internet.

o The organization wants to monitor and control the use of remote

access by implementing system logging.

o The organization wants to implement a security awareness training

policy mandating that all new hires and existing employees obtain

remote access security training. Policy definition is to include

HIPAA and electronic protected health information (ePHI) security

requirements and a mandate for annual security awareness training

for all remote or mobile employees.

Questions:

Create an organization-wide remote access policy for Healthwise Health Care:

 

Healthwise Health Care

Remote Access Policy for Remote Workers and Medical Clinics

 

Policy Statement?

Define your policy verbiage.

 

Purpose/Objectives?

Define the policy’s purpose as well as its objectives and policy definitions

 

Scope?

Define whom this policy covers and its scope. What elements, IT assets, or organization-

owned assets are within this policy’s scope?

 

Standards?

Does the policy statement point to any hardware, software, or configuration standards? If

so, list them here and explain the relationship of this policy to these standards. In this case,

Remote Access Domain standards should be referenced, such as encryption standards and

VPN standards; make any necessary assumptions.

 

Procedures?

Explain how you intend to implement this policy for the entire organization.

 

Guidelines?

Explain any roadblocks or implementation issues that you must overcome in this section

and how you will surmount them per defined guidelines. Any disputes or gaps in the

definition and separation of duties responsibility may need to be addressed in this section.