AC-18-727 Wireless Access

AC-18-727
Wireless Access
Access Control
Protect
Security Systems Management
LOW, MOD, HIGH
P1
Yes
August 17, 2016

The information security office and networking group shall oversee all wireless implementation at Agency-owned and leased locations; any other wireless access connected to Agency networks is unauthorized. The information security office shall publish a list of approved wireless SSIDs and configuration criteria. All wireless SSIDs connected to a trusted Agency network shall utilize 802.1X computer authentication and WPA2-Enterprise encryption. Wireless SSIDs connected to an untrusted (guest) Agency network do not require encryption; however, users shall be informed of and acknowledge the absence of encryption prior to initiating a session.

Unauthorized parties gain access to resources by exploiting vulnerabilities in unsecured wireless networks.
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.
Wireless access (guest or local) is locked with a password mechanism.
State organizations shall establish the requirements and security restrictions for installing or providing access to the state organization information resources systems. The wireless policy shall address the following topic areas:
1. Wireless Local Area Networks. Ensure that Service Set Identifier (SSID) values are changed from the manufacturer default setting. Some networks should not include organizational or location information in the SSID. Additional equipment configuration recommendations are included in the Wireless Security Guidelines.
2. Types of information that may be transmitted via wireless networks and devices with or without encryption, including mission critical information or sensitive personal information. State organizations shall not transmit confidential information via a wireless connection to or from a portable computing device unless encryption methods, such as a Virtual Private Network (VPN), Wi-Fi Protected Access, or other secure encryption protocols that meet appropriate protection or certification standards, are used to protect the information.
3. Prohibit and periodically monitor any unauthorized installation or use of Wireless Personal Area Networks on state organizational IT systems by individuals without the approval of the state organization information resources manager.
Obtain access control policy; procedures addressing wireless implementation and usage (including restrictions); NIST Special Publications 800-48 and 800-97; activities related to wireless authorization, monitoring, and control; information system audit records; other relevant documents or records and ascertain if (i) the organization establishes usage restrictions and implementation guidance for wireless technologies; (ii) the organization authorizes, monitors, and controls wireless access to the information system; (iii) the wireless access restrictions are consistent with NIST Special Publications 800-48 and 800-97; and (iv) the organization uses authentication and encryption to protect wireless access to the information system.