Sample On Premise Wireless Access Technology Guideline

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 16:01, 2 August 2009 by Mdpeters.

Document History


Version           | Date            | Revised By      | Description
<Version number>  | <Current date>  | <Owner's name>  | This version replaces any prior version.


Document Certification


Description                                         | Date           | Parameters
Designated document recertification cycle in days:  |                | 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date:                 | <Future date>  |


Sample On Premise Wireless Access Technology Guideline


The Company On Premise Wireless Access Technology Guideline defines objectives for establishing specific standards for the assessment and ongoing management of wireless technologies used to extend the network infrastructure.

The On Premise Wireless Access Technology Guideline builds on the objectives established in the Sample Asset Protection Standard and provides specific instructions and requirements for assessing and prioritizing technology requirements.

Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to and use of Company Information Assets, are covered by this standard and must comply with associated guidelines and procedures.

Information assets are defined in the Sample Asset Identification and Classification Standard.

Risk refers to the likelihood of loss, damage, or injury to information assets. Risk is present if a threat can exploit an actual vulnerability to adversely impact a sensitive information asset.

Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.

Vulnerabilities refer to the weaknesses in information systems and procedures, including technical, organizational, procedural, administrative, or physical weaknesses.

Requirements


The following keystone components are required when implementing wireless access technology. While more stringent configurations are encouraged, these elements are required at a minimum to provide an acceptable level of security to the enterprise.

Access Point Authentication

Employee Access

  1. Authentication uses a digital certificate with EAP-TLS over 802.1X, combined with Active Directory group membership.
  2. Credentials are passed from the wireless client to the associated access point. The access point is configured to send a RADIUS request to an established RADIUS server. The RADIUS server validates every user access request against a predefined account residing on the corporate Microsoft Active Directory server.
  3. During the authentication process, access is granted only if the certificate CN and SN values are valid, a binary comparison of the certificate succeeds, and the user's account is in the correct Active Directory group.
    • Access will be denied if any of the above three required components are invalid.
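The three-way decision described above (valid CN/SN, binary match of the certificate, correct Active Directory group, all required), as an added example that is not part of the original guideline; the class names, the `Wireless-Users` group and the directory lookup are assumptions standing in for a real RADIUS and Active Directory integration:

```python
import hmac
from dataclasses import dataclass, field

# Constructed model of the three checks an EAP-TLS/RADIUS authentication must
# pass under this guideline: valid certificate CN and serial number (SN), a
# byte-for-byte match against the certificate enrolled for the account, and
# membership in the required Active Directory group. The class and group
# names are assumptions, not a real RADIUS or Active Directory API.

@dataclass
class PresentedCert:
    cn: str       # subject common name sent by the wireless client
    serial: int   # certificate serial number
    der: bytes    # raw DER bytes of the presented certificate

@dataclass
class DirectoryUser:
    sam: str
    enrolled_der: bytes     # certificate bound to the account in the directory
    enrolled_serial: int
    groups: set = field(default_factory=set)

REQUIRED_GROUP = "Wireless-Users"   # assumed AD group name

def radius_decision(cert, directory, required_group=REQUIRED_GROUP):
    """Return ("Access-Accept", "") or ("Access-Reject", reason); every check
    must pass, and the first failing check is named for the RADIUS/AP log."""
    user = directory.get(cert.cn)
    if user is None or cert.serial != user.enrolled_serial:
        return ("Access-Reject", "certificate CN/SN not valid for any account")
    # Binary comparison of the presented certificate against the enrolled one;
    # compare_digest avoids timing differences from an early mismatch exit.
    if not hmac.compare_digest(cert.der, user.enrolled_der):
        return ("Access-Reject", "presented certificate does not match enrolled certificate")
    if required_group not in user.groups:
        return ("Access-Reject", f"account is not a member of {required_group}")
    return ("Access-Accept", "")

# Constructed directory keyed by certificate CN; GOOD_DER is placeholder bytes,
# not a real certificate.
GOOD_DER = b"\x30\x82\x01\x0a" + bytes(range(12))
DIRECTORY = {
    "jdoe": DirectoryUser("jdoe", GOOD_DER, 0x1A2B, {"Domain Users", "Wireless-Users"}),
    "guest1": DirectoryUser("guest1", GOOD_DER, 0x0C0D, {"Domain Users"}),
}

if __name__ == "__main__":
    print(radius_decision(PresentedCert("jdoe", 0x1A2B, GOOD_DER), DIRECTORY))
```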

Third Party Access

  1. Third party access is provisioned by Information Security using a rotating WPA-PSK passphrase.

Firewall Restrictions

Employee Access

  1. Company employees are provisioned normal network access.

Third Party Access

  1. Third party network access is restricted to the HTTP (TCP port 80) and HTTPS (TCP port 443) protocols and only to destinations outside of the company.
  2. Access to the internal network or DMZ networks is prohibited.
  3. Internal access that may be required is passed through the Company SSL VPN solution and restricted to only the systems that are needed.
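The third-party firewall rules above, expressed as a flow evaluator that can be run over exported flows to audit the third-party segment. This is an added example, not part of the original guideline; the internal (RFC 1918) and DMZ address ranges are assumptions:

```python
import ipaddress

# Constructed evaluator for the third-party wireless firewall rules in this
# guideline: only HTTP (TCP/80) and HTTPS (TCP/443), only to destinations
# outside the company, with internal and DMZ networks denied outright.
# The address ranges below are assumptions (RFC 1918 space for the internal
# network and a documentation prefix standing in for the DMZ).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("198.51.100.0/24")]
THIRD_PARTY_TCP_PORTS = {80, 443}

def is_company_destination(dst_ip):
    """True if the destination lies in the internal or DMZ address space."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in INTERNAL_NETS + DMZ_NETS)

def third_party_flow_decision(proto, dst_ip, dst_port):
    """Return ("permit", "") or ("deny", reason) for a flow from the third-party SSID."""
    if proto.lower() != "tcp":
        return ("deny", f"{proto} is not permitted for third-party access")
    if dst_port not in THIRD_PARTY_TCP_PORTS:
        return ("deny", f"TCP port {dst_port} is not HTTP or HTTPS")
    if is_company_destination(dst_ip):
        return ("deny", f"{dst_ip} is an internal or DMZ address; route via the SSL VPN")
    return ("permit", "")

def audit_flows(flows):
    """Apply the rules to (proto, dst_ip, dst_port) tuples, e.g. from a flow export."""
    return [(flow, third_party_flow_decision(*flow)) for flow in flows]

SAMPLE_FLOWS = [   # constructed sample flows
    ("tcp", "203.0.113.10", 443),   # external HTTPS: permit
    ("tcp", "203.0.113.10", 80),    # external HTTP: permit
    ("tcp", "10.20.30.40", 443),    # internal host: deny
    ("tcp", "198.51.100.5", 443),   # DMZ host: deny
    ("tcp", "203.0.113.10", 22),    # SSH to the Internet: deny
]

if __name__ == "__main__":
    for flow, decision in audit_flows(SAMPLE_FLOWS):
        print(flow, decision)
```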

Access Point Management

  1. Wireless access points are manageable by Information Security.
    • All successful and failed access attempts are logged (successful/denied client association and authentication, accepted sessions, denied sessions, IPS filtering of sessions, etc.).
    • Association attempts (both successful and failed) are monitored by Information Security and suspicious activity is subsequently reported.
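One way Information Security could monitor the logged association and authentication attempts described above: a parser for access-point authentication records and a sliding-window check that flags clients with repeated denials. This is an added example, not part of the original guideline; the log line format is a constructed key=value layout, not any vendor's syslog format:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-point authentication log lines in an assumed
# key=value format (not any vendor's real syslog format).
SAMPLE_LOG = """\
2009-08-02T15:58:01 ap01 auth client=00:11:22:33:44:55 ssid=Corp result=denied reason=cert-mismatch
2009-08-02T15:58:09 ap01 auth client=00:11:22:33:44:55 ssid=Corp result=denied reason=cert-mismatch
2009-08-02T15:58:20 ap01 auth client=00:11:22:33:44:55 ssid=Corp result=denied reason=cert-mismatch
2009-08-02T15:58:31 ap01 auth client=00:11:22:33:44:55 ssid=Corp result=denied reason=cert-mismatch
2009-08-02T15:59:02 ap02 auth client=66:77:88:99:aa:bb ssid=Corp result=accepted
2009-08-02T15:59:40 ap02 auth client=66:77:88:99:aa:bb ssid=Corp result=denied reason=wrong-group
2009-08-02T16:10:00 ap01 auth client=66:77:88:99:aa:bb ssid=Corp result=accepted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) auth client=(?P<mac>[0-9a-f:]{17}) "
    r"ssid=(?P<ssid>\S+) result=(?P<result>\w+)(?: reason=(?P<reason>\S+))?$")

def parse_auth_log(text):
    """Parse matching lines into dicts with a datetime 'ts'; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def flag_repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Return {mac: max denials seen inside one window} for clients at or over threshold."""
    denials = defaultdict(list)
    for e in events:
        if e["result"] == "denied":
            denials[e["mac"]].append(e["ts"])
    flagged = {}
    for mac, times in denials.items():
        times.sort()
        for i in range(len(times)):
            # Count denials from times[i] forward that fall inside the window.
            n = sum(1 for t in times[i:] if t - times[i] <= window)
            if n >= threshold:
                flagged[mac] = max(flagged.get(mac, 0), n)
    return flagged

def report(text, **kw):
    return flag_repeated_denials(parse_auth_log(text), **kw)
```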

Encryption

  1. All wireless access points will use WPA2 with AES for session security and encryption. All earlier wireless encryption technologies have been shown to be insecure, and their use in production environments is prohibited.


Responsibilities


The Chief Information Security Officer (CISO) approves the On Premise Wireless Access Technology Guideline. The CISO is also responsible for ensuring the development, implementation, and maintenance of the On Premise Wireless Access Technology Guideline.

Company management is responsible for ensuring that the On Premise Wireless Access Technology Guideline is properly communicated and understood within its respective organizational units. Company management is also responsible for planning vulnerability assessment activities.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the On Premise Wireless Access Technology Guideline and associated guidelines; ensuring vulnerability assessments are performed; and participating in the planning and closing phases of vulnerability assessments.

Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; participating in vulnerability assessments; assisting with prioritizing assessed vulnerabilities; and notifying appropriate Company personnel of identified and assessed vulnerabilities on information systems for which they are responsible.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for reporting suspected or actual vulnerabilities to Information Security in a timely manner.

Enforcement and Exception Handling


Failure to comply with the Sample Asset Management Policy and associated standards, guidelines, and procedures can result in disciplinary action up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal action may also be taken for violations of applicable regulations and laws.

Requests for exceptions to the On Premise Wireless Access Technology Guidelines should be submitted to the CISO in accordance with the Sample Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the On Premise Wireless Access Technology Guideline.

Review and Revision


The On Premise Wireless Access Technology Guideline will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer