Establish, implement, and maintain a Wireless Local Area Network Configuration Management program.


CONTROL ID: 01646
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Identify and control all network access controls., CC ID: 00529

This Control has the following implementation support Control(s):
  • Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks., CC ID: 01647
  • Refrain from using Wired Equivalent Privacy for Wireless Local Area Networks that use Wi-Fi Protected Access., CC ID: 01648
  • Conduct a Wireless Local Area Network site survey to determine the proper location for wireless access points., CC ID: 00605
  • Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks., CC ID: 04830
  • Remove all unauthorized wireless access points., CC ID: 11856


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • MAC address filtering is not used to restrict which devices can connect to wireless networks. (Security Control: 1320; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Have bi-directional antennas been furnished for all wireless devices? (Table Row XIII.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Generally, WLANs should be avoided unless there is an identified business need to deploy this technology. If deployed, WLANs should be significantly segregated from production networks and corporate networks. Only those WLANs that are installed following the most up-to-date security practices should… (§ 3-1, MasterCard Wireless LANs - Security Risks and Guidelines, December 2004)
  • The organization must ensure wireless networks that connect to the cardholder data environment or transmit cardholder data have implemented strong encryption methods. (§ 4.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • If wireless networks are connected to the cardholder environment or used to transmit cardholder data, a proper encryption methodology should be used, such as WiFi Protected Access (WPA or WPA2), IPSEC VPN, or SSL/TLS. (§ 6.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • A listing of all approved wireless networks should be reviewed by the IT auditor. The organization should create policies and procedures for wireless networks and provide guidelines to secure and control wireless networks, including authentication and data encryption. The configuration of known wire… (App A.1 (Recommendations for Wireless Networks) ¶ 2, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization should establish and maintain wireless device controls. (Critical Control 7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should verify that enterprise management tools can be used to manage all Wireless Access Points. (Critical Control 7.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: - Perimeter firewalls implemented and configured to restrict unauthorized traffic - Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established and mechanisms implemented to protect wireless network environments, including the following: • Perimeter firewalls implemented and configured to restrict unauthorized traffic • Security settings enabled with strong encryption for authentication and… (SA-10, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • For wireless devices, the organization must disable service set identifier broadcasting and enable encryption protection; place access points in secure areas; place a firewall between the wired and wireless network; use MAC address utilization; use personal firewalls on all wireless clients; shut do… (CSR 10.10.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Each agency must develop, document, and implement an information security program agency wide that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. (§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002, Deprecated)
  • Wireless systems must be compliant with DoD Directive 8100.2, enclave security requirements, the wireless STIG requirements, and the overall network security architecture before the system is implemented. (§ 4.1.5, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Network Access Control (NAC) appliances for WLANs can be deployed using either an in-band (inline) or out-of-band (offline) architecture. An in-band NAC appliance acts as a gateway between the VPN gateway and the rest of the network. While installing the policy server out-of-band places the NAC so t… (§ 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • The wireless e-mail system should be set up with the required system components and software installed on the handheld device. (§ 2.2 (WIR1080), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. The required components are: Microsoft Exchange Server 2003 SP2 or Microsoft Exchange Server 2007 SP1; Microsoft Internet Security and Ac… (§ 2.2 (WIR2080), § 3.3, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • The agency shall verify that the reset function on an access point is only used when needed and only executed by authorized personnel. (§ 5.5.7.1(7), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Are there Wireless Local Area Network and Wireless Wide Area Network policies and procedures and are they adequate? (IT - WLANS Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are Wireless Local Area Networks turned off after business hours? (IT - WLANS Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union use Virtual Private Networks with the Wireless Local Area Network? (IT - WLANS Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union use Internet Protocol Security with the Wireless Local Area Network? (IT - WLANS Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • If access points (APs) and/or authentication servers (ASs) support a dedicated management interface, the network management information between the APs/ASs and the network management server should be transmitted over a dedicated management VLAN. WEP and TKIP should be disabled on all access points. (Table 8-2 Item 14, Table 8-4 Item 39, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Organizational records and documents should be examined to ensure the use of wireless technologies is restricted and authorized; wireless access is monitored, tracked, and controlled; the policy and procedures are in accordance with NIST Special Publication 800-48; and specific responsibilities and … (AC-18, AC-18.6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should ensure wireless networks and devices that use Bluetooth technology are understood from an architectural standpoint, because Bluetooth devices contain various interfaces and networking technologies. This will enable the organization to identify potential risks and vulnerabilit… (Table 4-2 Item 4, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The organization must use other mechanisms or procedures as compensating controls in accordance with the tailoring guidance when the Industrial Control System cannot implement any or all of the wireless access components. (App I § AC-18, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
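The technical core of this control is in the implementation support controls listed above (distrust WEP, alert on rogue devices attached to the WLAN, remove unauthorized access points) and in the NIST SP 800-97 item (disable WEP and TKIP on all access points). The following Python is an added example, not code from the control catalogue or from any cited authority document: it audits a wireless scan against an approved access-point inventory and reports rogue BSSIDs, evil-twin SSIDs and approved APs still running weak ciphers. The scan record format, the inventory map and the sample scan data are all assumptions constructed for the example.

```python
"""Audit a WLAN scan against an approved access-point inventory.

Added example; not code from the control catalogue or any cited authority
document. Assumptions: each scan record is a dict with the keys bssid, ssid,
security and channel (as you would build from `iw dev <iface> scan` output or
a controller export), and the approved inventory maps BSSID -> expected SSID
for every access point the organization has deployed.
"""
from dataclasses import dataclass

# Security descriptors the cited guidance says must not be relied on:
# WEP and TKIP (NIST SP 800-97, PCI DSS). Matched as substrings so that
# mixed-mode descriptors such as "WPA2-PSK-CCMP+TKIP" are caught too.
WEAK_SECURITY = ("WEP", "TKIP")


@dataclass(frozen=True)
class Finding:
    kind: str    # rogue_ap | ssid_spoof | ssid_mismatch | weak_security
    bssid: str
    ssid: str
    detail: str


def normalize_bssid(bssid: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or aabb.ccdd.eeff; return lower-case colon form."""
    digits = "".join(ch for ch in bssid if ch.isalnum()).lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_wlan_scan(scan, approved):
    """Return a Finding for every scan record that violates the control.

    rogue_ap       BSSID not in the inventory (candidate for removal, CC ID 11856).
    ssid_spoof     unknown BSSID advertising one of our SSIDs (evil twin).
    ssid_mismatch  approved BSSID advertising an SSID other than the inventoried one.
    weak_security  approved AP still running WEP/TKIP or open (CC IDs 01647/01648).
    """
    inventory = {normalize_bssid(b): s for b, s in approved.items()}
    our_ssids = set(inventory.values())
    findings = []
    for rec in scan:
        bssid = normalize_bssid(rec["bssid"])
        ssid = rec.get("ssid", "")
        security = rec.get("security", "").upper()
        if bssid not in inventory:
            kind = "ssid_spoof" if ssid in our_ssids else "rogue_ap"
            findings.append(Finding(kind, bssid, ssid,
                                    f"unknown BSSID on channel {rec.get('channel')}"))
            continue  # weak crypto on a rogue AP is moot; it has to go regardless
        if inventory[bssid] != ssid:
            findings.append(Finding("ssid_mismatch", bssid, ssid,
                                    f"inventory says {inventory[bssid]!r}"))
        if not security or any(w in security for w in WEAK_SECURITY):
            findings.append(Finding("weak_security", bssid, ssid,
                                    f"security={security or 'open'}"))
    return findings


# Constructed sample data for a stand-alone run (not a real site survey).
APPROVED_APS = {
    "00:11:22:33:44:01": "CORP-SECURE",
    "00:11:22:33:44:02": "CORP-SECURE",
    "00:11:22:33:44:03": "CORP-GUEST",
}

SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP-SECURE", "security": "WPA2-PSK-CCMP", "channel": 36},
    {"bssid": "00:11:22:33:44:02", "ssid": "CORP-SECURE", "security": "WPA2-PSK-CCMP+TKIP", "channel": 6},
    {"bssid": "00:11:22:33:44:03", "ssid": "CORP-GUEST", "security": "", "channel": 11},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CORP-SECURE", "security": "WPA2-PSK-CCMP", "channel": 1},
    {"bssid": "de-ad-be-ef-00-02", "ssid": "Linksys", "security": "WEP", "channel": 3},
]

if __name__ == "__main__":
    for f in audit_wlan_scan(SAMPLE_SCAN, APPROVED_APS):
        print(f"{f.kind:14} {f.bssid}  {f.ssid!r:16} {f.detail}")
```

Run as-is and the sample scan yields four findings: the second corporate AP still has TKIP enabled in mixed mode, the guest network is open, an unknown BSSID is broadcasting the corporate SSID (an evil twin, which is why SSID alone is never the match key), and a WEP "Linksys" AP is a rogue to be located and removed. Feeding it real data means replacing SAMPLE_SCAN with records parsed from your scanner or controller and APPROVED_APS with the inventory your management tooling maintains; a scheduled run that feeds the findings to your alerting pipeline is the continuous check the IDS/IPS support control asks for.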