Wireless Communication Policy
|Version: 1.00||Issue Date: 11/10/2014|
A Wireless Communication Policy is necessary for computer security since there is demand for wireless equipment in every organization today. The Wireless Communication Policy may specify that no wireless equipment should be used but this would not be very good since that may cause some departments or individuals to violate the policy. It is best to set conditions and specify equipment that is approved for wireless use in order to minimize security risk associated with wireless.
This Wireless Communication Policy defines the use of wireless devices in the organization and specifies how wireless devices shall be configured when used.
This Wireless Communication Policy is designed to protect the organizational resources against intrusion by those who would use wireless media to penetrate the network. This policy prohibits access to organizational networks through unsecured or unapproved wireless communication methods.
This Wireless Communication Policy applies to all wireless devices in use by the organization or those who connect through a wireless device to any organizational network. This policy includes but is not not limited to wireless access points, wireless computers, and personal data assistants (PDAs). Wireless devices not connecting to organizational networks are not covered by this policy unless used to carry information owned or in custody of the organization. This policy is effective as of the issue date and does not expire unless superceded by another policy.
4.0 Risk Assessment
The use of wireless technology has historically been a serious security risk to organizations. This is because it can be an easy access point to gain access to an organizational network. In addition data sent across it may be readable sometimes even when it is encrypted due to some of the vulnerabilities of the encryption schemes used. Therefore this policy requires a risk assessment any time a new type of wireless device is added to the network or used to transport organizational data. Several items must be assessed including:
Is this a new technology?
Does this device use encryption and if so how well tested is the encryption protocol?
What is the cost of implementing a secure encryption protocol?
Has this type of device been used on our network before?
Can this device be configured to only allow authorized users to access it or the network through it?
How easy will it be for an attacker to fool this device into allowing unauthorized access? What methods may be used?
What secure authentication schemes are available and what cost or overhead is associated with their implementation and maintenance?
How practical is wireless use considering the cost, potential loss, and added convenience?
What are the data security needs compared with the level of security provided by the device?
The authentication mechanisms of all approved wireless devices to be used must be examined closely. The authentication mechanism should be used to prevent unauthorized entry into the network or to keep data secure. One authentication method shall be chosen. The following must be considered.
How secure is the authentication mechanism to be used?
How expensive is the authentication mechanism to be used?
The encryption mechanisms of all approved wireless devices to be used must be examined closely. The encryption mechanism will be used to protect data from being disclosed as it travels through the air. The following must be considered.
How secure is the encryption mechanism?
How sensitive is the data traveling through the wireless device?
How expensive is the encryption mechanism?
The Service Set Identifier (SSID) of the wireless device shall be configured in such manner so it does not contain or indicate any information about the organization, its departments, or its personnel including organization name, department name, employee name, employee phone number, email addresses, or product identifiers.
The wireless device should be configured so login information and data are sent in encrypted format. The wireless device should be configured to only connect to predetermined secure networks upon bootup. Connections to open networks on the internet should only be done by trained staff and it should always be manually done. Connections to open networks on the internet should only be done for business need to connect to the internet as approved by management.
Staff that will use wireless capability must be trained in the proper way to configure it and keep it secure. They will need to be able and must turn it off when connecting to any wired network.
Logging of wireless use is required to help track intruders if there is a security incident. Wireless logs must be reviewed at least daily.
4.4 Access Points
All wireless access points and wireless devices connected to the organizational network must be registered and approved by the designated IT department representative. All wireless devices are subject to IT department audits and penetration tests without notice.
The acting CIO or highest level member of IT management shall have final authority over the management and security of wireless devices and wireless networking. This person may delegate these authorities as they see fit. It is strongly recommended that this person has significant experience and training in the IT field along with a substantial understanding of computer security concepts. This person should be responsible for the operation of the network.
6.0 Network Separation
This policy requires that parts of the network containing and supporting wireless devices directly (the wireless network) be separated from the part of the network that does not support wireless connections. The part of the network supporting wireless devices or connections shall be considered less trusted than the part of the network that does not. All file servers and internal domain controlling servers shall be separated from the wireless network using a firewall. One or more intrusion detection devices shall monitor the wireless network for signs of intrusion and log events. The type of logged events will be determined by the network administrator.
7.0 Allowable Wireless Use
Only wireless devices approved by make and model shall be used.
All wireless devices must be checked for proper configuration by the IT department prior to being placed into service.
All wireless devices in use must be checked quarterly for configuration or setup problems.
Wireless devices using the original Wireless Access Protocol (WAP) are not permitted due to security issues. Only devices using WAP II or later versions, or approved VPN for encryption may be permitted.
Encryption must be a minimum of 56 bits.
A hardware address of all wireless devices must be maintained and tracked. The hardware address is not allowed to change without an exception.
All wireless devices must support and provide strong user authentication mechanisms.
All wireless devices must have some software or hardware such as a firewall which inspects traffic before it is allowed to enter the wireless device or the organizational network.
The NetBIOS protocol over TCP must be disabled on all wireless clients.
Since improper use of wireless technology and wireless communications can open the network to additional sniffing and intrusion attacks, authorized and proper use of wireless technology is critical to the security of the organization and all individuals. Employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Wireless communication around organizational facilities may be monitored to ensure no devices are operating in violation of this policy. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
9.0 Additional Requirements
A Wireless Device Approval Procedure defining the process and appropriate officials to approve wireless makes and models must exist or this policy is not effective.
Senior management must ensure that this policy is published and users agree to abide by the policy.
Publishing of offered wireless service.
Procurement should only support purchases of approved equipment.
Approved by:__________________________ Signature:_____________________ Date:_______________