Wireless Use Policy
This is an example wireless use policy. A wireless use policy is necessary to computer security since there is demand for wireless equipment in every organization today. The wireless use policy may specify that no wireless equipment should be used but this would not be very good since that may cause some to violate the policy. It is best to set conditions and specify equipment that is approved for wireless use in order to minimize security risk associated with wireless.
This wireless use policy defines the use of wireless devices in the organization and specifies how wireless devices shall be configured when used.
This policy is designed to protect the organizational resources against intrusion by those who would use wireless media to penetrate the network.
This policy applies to all wireless devices in use by the organization or those who connect through a wireless device to any organizational network.
4.0 Risk Assessment
The use of wireless technology has historically been a serious security risk to organizations. This is because it can be an easy access point to gain access to an organizational network. In addition data sent across it may be readable sometimes even when it is encrypted due to some of the vulnerabilities of the encryption schemes used. Therefore this policy requires a risk assessment any time a new type of wireless device is added to the network. Several items must be assessed including:
- Is this a new technology?
- Does this device use encryption and if so how well tested is the encryption protocol?
- What is the cost of implementing a secure encryption protocol?
- Has this type of device been used on our network before?
- Can this device be configured to only allow authorized users to access it or the network through it?
- How easy will it be for an attacker to fool this device into allowing unauthorized access? What methods may be used?
- What secure authentication schemes are available and what cost or overhead is associated with their implementation and maintenance?
- How practical is wireless use considering the cost, potential loss, and added convenience?
The authentication mechanisms of all approved wireless devices to be used must be examined closely. The authentication mechanism should be used to prevent unauthroized entry into the network. One authentication method shall be chosen. The following must be considered.
- How secure is the authentication mechanism to be used?
- How expensive is the authentication mechanism to be used?
The encryption mechanisms of all approved wireless devices to be used must be examined closely. The encryption mechanism will be used to protect data from being disclosed as it travels through the air. The following must be considered.
- How secure is the encryption mechanism?
- How sensitive is the data traveling through the wireless device?
- How expensive is the encryption mechanism?
The SSID of the wireless device shall be configured in sucy manner so it does not contain or indicate any information about the organization, its departments, or its personnel including organization name, department name, employee name, employee phone number, email addresses, or product identifiers.
4.4 Access Points
All wireless access points and wireless devices connected to the organizational network must be registered and approved by the designated IT department representative. All wireless devices are subject to IT department audits and penetration tests without notice.
The acting CIO or highest level member of IT management shall have final authority over the management and security of wireless devices and wireless networking. This person may delegate these authorities as they see fit. It is strongly recommended that this person has significant experience and training in the IT field along with a substantial understanding of computer security concepts. This person should be responsible for the operation of the network.
6.0 Network Separation
This policy requires that parts of the network containing and supporting wireless devices directly (the wireless network) be separated from the part of the network that does not support wireless connections. The part of the network supporting wireless devices or connections shall be considered less trusted than the part of the network that does not. All file servers and internal domain controlling servers shall be separated from the wireless network using a firewall. One or more intrusion detection devices shall monitor the wireless network for signs of intrusion and log events. The type of logged events will be determined by the network administrator.
7.0 Allowable Wireless Use
- Only wireless devices approved by make and model shall be used.
- All wireless devices must be checked for proper configuration by the IT department prior to being placed into service.
- All wireless devices in use must be checked monthly for configuration or setup problems.
Since improper use of wireless technology and wireless communications can open the network to additional sniffing and intrusion attacks, authorized and proper use of wireless technology is critical to the security of the organization and all individuals. Employees that do not adhere to this policy may be subject to disciplinary action up to and including dismissal.