
Establish, implement, and maintain a Wireless Local Area Network Configuration Management standard.


CONTROL ID
11854
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Identify and control all network access controls., CC ID: 00529

This Control has the following implementation support Control(s):
  • Configure third party Wireless Local Area Network services in accordance with organizational Information Assurance standards., CC ID: 00751
  • Remove all unauthorized Wireless Local Area Networks., CC ID: 06309


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If wireless local area networks (WLANs) are to be deployed, AIs should develop policies and procedures for approval, installation, operation and administration of WLANs. A risk assessment process for evaluating the sensitivity of information to be accessible via a WLAN should be formulated before a … (6.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • WPA2-Enterprise with EAP-TLS is used to perform mutual authentication for wireless networks. (Security Control: 1321; Revision: 1, Australian Government Information Security Manual, March 2021)
  • § 2.3.1 (2.3.1.040) To ensure the highest security possible, OOB (out-of-band) management should use a separate VLAN from user traffic. Access points should be managed from a wired VLAN that is used only by the network administrator and not managed from a wireless interface. § 2.3.1 (2.3.1.060) Th… (§ 2.3.1 (2.3.1.040), § 2.3.1 (2.3.1.060), § 2.3.1 (2.3.1.070), § 2.3.2 (2.3.2.030), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Network administration and management for virtual LANs (VLAN) should be accomplished with OOB management. (§ 1.2 (2.3.1.040), The Center for Internet Security Wireless Networking Benchmark, Apple Addendum, 1)
  • § 1.2 (2.3.1.040) A specially configured VLAN should be used for network administration/management using OOB management. § 1.2 (2.3.1.060) The transmit power setting should be set to the lowest possible setting required to service the access point area in order to minimize service to unneeded area… (§ 1.2 (2.3.1.040), § 1.2 (2.3.1.060), § 1.2 (2.3.1.070), § 1.2 (2.3.1.080), § 1.2 (2.3.1.090), § 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, Cisco Addendum, 1)
  • § 1.2 (2.3.1.040) A specially configured VLAN should be used for network administration/management using OOB (out-of-band) management. § 1.2 (2.3.1.060) The transmit power setting should be set to the lowest possible setting required to service the access point area in order to minimize service to… (§ 1.2 (2.3.1.040), § 1.2 (2.3.1.060), § 1.2 (2.3.1.070), § 1.2 (2.3.1.080), § 1.2 (2.3.1.090), § 1.2 (2.3.1.100), The Center for Internet Security Wireless Networking Benchmark, DLINK Addendum, 1)
  • § 3.3.1.B Do not use VLAN based segmentation with MAC address filters for segmenting wireless networks. § 4.1.1.D Use a wireless monitoring system that can track and locate all wireless devices (including Portable Electronic Devices and laptops) and report if one or more devices are missing. § 4.… (§ 3.3.1.B, § 4.1.1.D, § 4.2.1.A, § 4.2.1.C, § 4.2.1.D, § 4.4.1.A, § 4.4.1.B, § 4.4.1.C, § 4.4.1.E, § 4.5.1.A, § 4.5.1.B, § 4.6.1.A, § 4.6.1.B, § 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile. (Control 15.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: - Perimeter firewalls implemented and configured to restrict unauthorized traffic - Security settings enabled with … (IVS-12, Cloud Controls Matrix, v3.0)
  • All wireless LAN (WLAN) devices, such as NICs and access points, that store, transmit, or process unclassified information should be both WiFi- and WPA2-certified. Wireless client management applications, such as Cisco wireless client, should be configured to not automatically connect to both prefer… (§ 3.1 (WIR0275), § 3.2 (WIR0168), § 3.2 (WIR0275), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2)
  • § 2.2 (WIR3080) The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. Good Mobile Messaging Server 5.0 or later; Good Mobile Internet Server 1.9 or later; DoD enclave email malware scanner. If not available,… (§ 2.2 (WIR3080), § 3.6, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • The agency shall establish Implementation Guidance for wireless technologies. (§ 5.5.7 ¶ 1(i), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • All wireless banking activities should be encrypted. (Pg E-1, Pg E-2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Wireless access to the system must be authorized, documented, and monitored. The minimum requirements for secure wireless access are contained in NIST SP 800-48 Revision 1 and NIST SP 800-97. (§ 5.6.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • § 6.1 (WLAN client device security) The wireless security policy should contain a listing of the standard hardware and software configurations that must be implemented for each level of security. § 6.3.1 Par 4 The WLAN management traffic's integrity and confidentiality should be protected. One m… (§ 6.1 (WLAN client device security), § 6.3.1 Par 4, § 6.3.4 (Automatic connection), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • The organization must establish wireless access Implementation Guidance and usage restrictions. (App F § AC-18.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
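
A configuration management standard is only useful if it can be checked against what is actually running on the access points. The block below is an added example, not code from any of the authority documents cited above: it parses a hostapd-style access point configuration, checks it against a baseline that maps the quoted requirements onto hostapd settings (WPA2-Enterprise with 802.1X/EAP rather than a pre-shared key, CCMP rather than TKIP, no WEP or shared-key authentication, and no reliance on MAC-address filtering as the access control), and reports drift from an authorised profile in the sense of CIS Control 15.1. The mapping of requirements onto hostapd keys, the `AUTHORISED_PROFILE` dictionary and the two configuration texts are all assumptions constructed for the example; the RADIUS address and SSIDs are placeholders. Because hostapd hands EAP to an external RADIUS server, the EAP method itself (EAP-TLS) has to be verified on that server, not in this file.

```python
"""Added example: check a hostapd-style access point configuration against a
WLAN configuration baseline and report drift from an authorised profile.

Illustrative only: the mapping of the cited requirements onto hostapd keys is an
assumption, and both configuration texts below are constructed samples."""
from typing import Dict, List, Optional


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines as found in hostapd.conf.

    Simplification: '#' starts a comment anywhere on the line; hostapd itself
    only honours full-line comments, so a '#' inside a value would be lost.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_wlan_baseline(conf: Dict[str, str]) -> List[str]:
    """Return baseline findings; an empty list means the configuration passes."""
    findings: List[str] = []
    # wpa=2 selects RSN (WPA2) only; wpa=1 or wpa=3 permits WPA1/TKIP fallback.
    if conf.get("wpa") != "2":
        findings.append("wpa must be 2 (RSN/WPA2 only, no WPA1 fallback)")
    # Enterprise mode: 802.1X with EAP key management, not a pre-shared key.
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if conf.get("ieee8021x") != "1" or "WPA-EAP" not in key_mgmt:
        findings.append("802.1X/EAP required (ieee8021x=1, wpa_key_mgmt=WPA-EAP)")
    if "WPA-PSK" in key_mgmt or "wpa_passphrase" in conf or "wpa_psk" in conf:
        findings.append("pre-shared key material present; enterprise mode only")
    # CCMP pairwise cipher only. With wpa=2 hostapd uses rsn_pairwise and falls
    # back to wpa_pairwise when it is unset, so both keys are checked.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP; use CCMP")
    # auth_algs bit 1 enables WEP shared-key authentication; hostapd defaults to 3.
    if conf.get("auth_algs", "3") != "1":
        findings.append("auth_algs must be 1 (Open System only, no WEP shared key)")
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys configured")
    # A MAC allow-list (macaddr_acl=1) is not authentication or segmentation.
    if conf.get("macaddr_acl") == "1" and "WPA-EAP" not in key_mgmt:
        findings.append("MAC address allow-list is the only access control")
    return findings


def config_drift(conf: Dict[str, str], profile: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Keys whose value differs from the authorised profile (missing counts as drift)."""
    return {k: conf.get(k) for k, v in profile.items() if conf.get(k) != v}


# Assumed authorised profile for a corporate WLAN (constructed for this example).
AUTHORISED_PROFILE: Dict[str, str] = {
    "wpa": "2",
    "ieee8021x": "1",
    "wpa_key_mgmt": "WPA-EAP",
    "rsn_pairwise": "CCMP",
    "auth_algs": "1",
}

# Constructed sample: an access point that matches the profile.
COMPLIANT_AP = """
interface=wlan0
ssid=corp-secure
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_algs=1
auth_server_addr=10.0.0.5
auth_server_port=1812
"""

# Constructed sample: an unmanaged access point that has drifted from the profile.
DRIFTED_AP = """
interface=wlan0
ssid=corp-printers
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=changeme123
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
auth_algs=3
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_AP), ("drifted", DRIFTED_AP)):
        conf = parse_hostapd(text)
        print(name, "findings:", check_wlan_baseline(conf))
        print(name, "drift:", config_drift(conf, AUTHORISED_PROFILE))
```

Run against a fleet by feeding each exported configuration to `check_wlan_baseline` and `config_drift`; any device with findings or drift is the one the CIS control says should be denied access until it is brought back to the authorised profile.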