Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard.
CONTROL ID 11854
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Identify and control all network access controls., CC ID: 00529
This Control has the following implementation support Control(s):
Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards., CC ID: 00751
Remove all unauthorized Wireless Local Area Networks., CC ID: 06309
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
If wireless local area networks (WLANs) are to be deployed, AIs should develop policies and procedures for approval, installation, operation and administration of WLANs. A risk assessment process for evaluating the sensitivity of information to be accessible via a WLAN should be formulated before a … (6.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 - 24.06.03)
WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks. (Security Control: 1321; Revision: 1, Australian Government Information Security Manual, March 2021)
§ 2.3.1 (2.3.1.040) To ensure the highest security possible, OOB (out-of-band) management should use a separate VLAN from user traffic. Access points should be managed from a wired VLAN that is used only by the network administrator and not managed from a wireless interface.
§ 2.3.1 (2.3.1.060) Th… (§ 2.3.1 (2.3.1.040), § 2.3.1 (2.3.1.060), § 2.3.1 (2.3.1.070), § 2.3.2 (2.3.2.030), The Center for Internet Security Wireless Networking Benchmark, 1)
Network administration and management for virtual LANs (VLAN) should be accomplished with OOB management. (§ 1.2 (2.3.1.040), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
§ 1.2 (2.3.1.040) A specially configured VLAN should be used for network administration/management using OOB management.
§ 1.2 (2.3.1.060) The transmit power setting should be set to the lowest possible setting required to service the access point area in order to minimize service to unneeded area… (§ 1.2 (2.3.1.040), § 1.2 (2.3.1.060), § 1.2 (2.3.1.070), § 1.2 (2.3.1.080), § 1.2 (2.3.1.090), § 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
§ 1.2 (2.3.1.040) A specially configured VLAN should be used for network administration/management using OOB (out-of-band) management.
§ 1.2 (2.3.1.060) The transmit power setting should be set to the lowest possible setting required to service the access point area in order to minimize service to… (§ 1.2 (2.3.1.040), § 1.2 (2.3.1.060), § 1.2 (2.3.1.070), § 1.2 (2.3.1.080), § 1.2 (2.3.1.090), § 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
§ 3.3.1.B Do not use VLAN-based segmentation with MAC address filters for segmenting wireless networks.
§ 4.1.1.D Use a wireless monitoring system that can track and locate all wireless devices (including Portable Electronic Devices and laptops) and report if one or more devices are missing.
§ 4.… (§ 3.3.1.B, § 4.1.1.D, § 4.2.1.A, § 4.2.1.C, § 4.2.1.D, § 4.4.1.A, § 4.4.1.B, § 4.4.1.C, § 4.4.1.E, § 4.5.1.A, § 4.5.1.B, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile. (Control 15.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
- Perimeter firewalls implemented and configured to restrict unauthorized traffic
- Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
All wireless LAN (WLAN) devices, such as NICs and access points, that store, transmit, or process unclassified information should be both WiFi- and WPA2-certified. Wireless client management applications, such as Cisco wireless client, should be configured to not automatically connect to both prefer… (§ 3.1 (WIR0275), § 3.2 (WIR0168), § 3.2 (WIR0275), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
§ 2.2 (WIR3080) The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. Good Mobile Messaging Server 5.0 or later; Good Mobile Internet Server 1.9 or later; DoD enclave email malware scanner. If not available,… (§ 2.2 (WIR3080), § 3.6, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
The agency shall establish Implementation Guidance for wireless technologies. (§ 5.5.7 ¶ 1(i), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
All wireless banking activities should be encrypted. (Pg E-1, Pg E-2, FFIEC IT Examination Handbook - E-Banking, August 2003)
Wireless access to the system must be authorized, documented, and monitored. The minimum requirements for secure wireless access are contained in NIST SP 800-48 Revision 1 and NIST SP 800-97. (§ 5.6.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
§ 6.1 (WLAN client device security) The wireless security policy should contain a listing of the standard hardware and software configurations that must be implemented for each level of security.
§ 6.3.1 Par 4 The WLAN management traffic's integrity and confidentiality should be protected. One m… (§ 6.1 (WLAN client device security), § 6.3.1 Par 4, § 6.3.4 (Automatic connection), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
The organization must establish wireless access Implementation Guidance and usage restrictions. (App F § AC-18.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)