Skip to main content
Internet Usage Policies in ISO 27799

Internet Usage Policies in ISO 27799

$299.00
Who trusts this:
Trusted by professionals in 160+ countries
Your guarantee:
30-day money-back guarantee — no questions asked
When you get access:
Course access is prepared after purchase and delivered via email
How you learn:
Self-paced • Lifetime updates
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Adding to cart… The item has been added

This curriculum spans the equivalent depth and structure of a multi-workshop advisory engagement, covering governance, technical controls, and operational processes for internet usage policies in healthcare, comparable to an internal capability program addressing compliance with ISO 27799, HIPAA, and NIST CSF across clinical and administrative environments.

Module 1: Establishing the Governance Framework for Internet Usage

  • Define scope boundaries for internet usage policies across clinical, administrative, and third-party user groups within a healthcare organization.
  • Select governing bodies responsible for policy approval, enforcement, and periodic review, including representation from IT, legal, compliance, and clinical leadership.
  • Determine alignment between internet usage policies and existing frameworks such as ISO 27799, HIPAA, and NIST CSF.
  • Decide whether policy ownership resides with Information Security, IT Operations, or Privacy Office based on organizational structure and risk appetite.
  • Establish escalation paths for policy violations involving patient data or unauthorized access attempts.
  • Integrate internet usage governance into enterprise risk management reporting cycles for executive oversight.
  • Negotiate authority thresholds for disabling user access during policy breaches without clinical disruption.
  • Map policy enforcement responsibilities across hybrid cloud and on-premises environments.

Module 2: Risk Assessment and Threat Modeling for Internet Access

  • Conduct threat modeling exercises to identify attack vectors introduced by unrestricted web browsing in clinical workstations.
  • Assess risks associated with personal device usage on corporate networks for internet access.
  • Quantify exposure from legacy systems that cannot support modern web filtering or TLS inspection.
  • Identify high-risk categories (e.g., social media, file-sharing, streaming) based on historical incident data and malware prevalence.
  • Perform business impact analysis when restricting access to essential external services used in telehealth or research.
  • Document risk acceptance decisions for departments requiring access to non-standard web applications.
  • Integrate findings into the organization’s overall risk register with assigned risk owners.
  • Validate risk controls through red team exercises simulating phishing and drive-by download scenarios.

Module 3: Policy Development Aligned with ISO 27799 Controls

  • Translate ISO 27799 A.8.1 (Usage of Information Assets) into enforceable rules for internet access.
  • Define acceptable use thresholds for bandwidth-intensive applications in patient care areas.
  • Specify data handling requirements for cloud-based web applications accessed via internet browsers.
  • Develop role-based internet access profiles for clinicians, billing staff, and contractors.
  • Formalize exceptions processes for temporary elevated access with time-bound approvals.
  • Include logging requirements in policy language to ensure auditability of internet activity.
  • Address secure handling of PHI when using web-based translation, email, or collaboration tools.
  • Document policy versioning, review cycles, and change management procedures.

Module 4: Technical Implementation of Web Access Controls

  • Select and configure a secure web gateway (SWG) with TLS decryption capabilities for traffic inspection.
  • Implement DNS filtering to block access to known malicious domains at the network level.
  • Configure application-aware firewalls to differentiate between legitimate and unauthorized web applications.
  • Deploy endpoint-based web filtering agents on mobile and remote devices not passing through corporate gateways.
  • Integrate web filtering logs with SIEM for centralized monitoring and correlation with other security events.
  • Test control efficacy across different network segments, including ICU networks and outpatient clinics.
  • Balance inspection depth with performance impact on EHR response times and telehealth sessions.
  • Enforce secure browsing configurations (e.g., disabling outdated TLS versions) via group policy or MDM.

Module 5: User Identity and Access Management Integration

  • Integrate web filtering systems with enterprise identity providers (e.g., Active Directory, Azure AD) for user attribution.
  • Map internet access policies to IAM roles and group memberships for dynamic enforcement.
  • Implement context-aware access rules based on user location, device compliance, and time of day.
  • Manage internet access privileges for shared clinical workstations using session-based authentication.
  • Address orphaned access risks for terminated employees with automated deprovisioning workflows.
  • Enforce step-up authentication for access to high-risk web applications (e.g., cloud storage).
  • Handle internet access for external collaborators using time-limited guest accounts with restricted profiles.
  • Monitor for privilege creep in user groups with broad internet access rights.

Module 6: Monitoring, Logging, and Audit Requirements

  • Define retention periods for internet access logs in accordance with legal and regulatory requirements.
  • Configure logging to capture user identity, timestamp, destination URL, and data volume transferred.
  • Implement log integrity controls to prevent tampering with internet usage records.
  • Establish automated alerting for anomalous browsing patterns (e.g., bulk downloads, access to dark web forums).
  • Conduct periodic audits of internet logs to verify policy compliance across departments.
  • Coordinate access to logs between security, privacy, and internal audit teams under strict authorization.
  • Prepare log data formats to support regulatory inspections and forensic investigations.
  • Balance monitoring scope with privacy expectations for non-clinical staff internet use.

Module 7: Incident Response and Policy Violation Handling

  • Classify internet-related incidents by severity (e.g., malware infection, data exfiltration, policy abuse).
  • Define response workflows for containing threats originating from web-based attacks.
  • Preserve evidence from web gateway and endpoint logs during incident investigations.
  • Coordinate with HR on disciplinary actions for repeated policy violations by staff.
  • Implement automated quarantine procedures for devices exhibiting malicious browsing behavior.
  • Notify privacy officers when internet activity results in potential PHI exposure.
  • Document root cause analysis for policy gaps revealed during incident post-mortems.
  • Update controls and training based on trends in violation types and sources.

Module 8: Third-Party and Vendor Internet Access Management

  • Enforce segmented network access for vendors requiring internet connectivity for remote support.
  • Require third parties to comply with organizational internet usage policies as part of contractual agreements.
  • Monitor and log internet activity from vendor-managed devices on the corporate network.
  • Restrict outbound connections from third-party applications to only necessary endpoints.
  • Conduct security assessments of vendor cloud services accessed via internet browsers.
  • Implement time-bound access windows for external consultants performing system maintenance.
  • Address liability concerns when vendor internet usage leads to network compromise.
  • Validate that third-party remote access tools meet encryption and logging standards.

Module 9: Continuous Improvement and Policy Evolution

  • Schedule biannual reviews of internet usage policies to reflect changes in technology and threat landscape.
  • Update filtering categories based on emerging threats (e.g., cryptocurrency mining, AI-based phishing).
  • Incorporate feedback from clinical staff on access restrictions impacting patient care workflows.
  • Measure policy effectiveness using KPIs such as reduction in malware incidents and policy violation rates.
  • Adjust controls in response to audit findings or regulatory inspection outcomes.
  • Reassess exceptions and whitelists to eliminate outdated or unnecessary allowances.
  • Align policy updates with changes in EHR integrations and telehealth platform requirements.
  • Document rationale for policy changes to support governance and compliance reporting.
!