Download this free Wireless Communication Policy template and use it for your organization.
This policy prohibits access to Organization networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by I.T. Security are approved for connectivity to Organization’s networks or within the Organization environment.
This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) within Organization’s environment. This includes any form of wireless communication device capable of transmitting packet data.
2.1 Register Access Points and Cards
2.1.1 All wireless Access Points / Base Stations within the Organization environment must be registered and approved by I.T. Security. These Access Points / Base Stations are subject to periodic penetration tests and audits. All wireless Network Interface Cards (i.e., PC cards) used in corporate laptop or desktop computers must be registered with the party maintaining the wireless system. I.T. Security reserves the right to view this register whenever required.
2.1.2 A request for a wireless connection must be duly authorised by the requestor’s Unit Manager and the IT Security Department. The following information should be stated in the request:
a) Purpose of the request
b) Information to be transmitted
c) Duration or period of the request
3 Wireless Planning Stage
The following are the planning considerations from a security point of view:
a) Access point architecture (i.e. centralized/decentralized access points)
b) Fat/thin client
c) Area of coverage
d) Implementation of wireless IDS
e) Requirement for account
4 Access Point Configuration
a) Turn off service set identifier (SSID) broadcast on all internal, non-public, non-guest access points.
b) Change SSIDs on all internal, non-public, non-guest access points to unique names, and consider not using names that reveal locations or owner.
c) Limit coverage of access points to areas that need them the most, and minimize coverage in unwanted areas via careful placement of access points and by limiting transmission strength (by antenna setting and transmitter output setting).
d) Whenever technology permits, migrate to the latest WLAN network interface cards (NICs), wireless drivers, supplicants, and access points on all new purchases.
e) Avoid the use of pre-shared keys (PSKs) in WPA or WPA2. WPA and WPA2 in Enterprise mode are recommended for a better authentication mechanism.
f) If public or guest access is to be allowed, use virtual LAN (VLAN) tunnels to route users to a point outside the firewall.
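One way to check an access point against items a), b) and e) above, as an added example that is not part of the policy template. It assumes the access point is configured through a hostapd-style key=value file; the two sample configurations, the `REVEALING_TERMS` list and the function names are constructed for illustration.

```python
# Added example: audit a hostapd-style config against section 4 items a), b), e).
# Assumption: the AP uses hostapd's key=value format; both sample configs are constructed.
REVEALING_TERMS = ("hq", "floor", "finance", "organization")  # hypothetical site/owner words

def parse_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of policy findings; an empty list means compliant."""
    conf, findings = parse_conf(text), []
    # 4 a) hostapd broadcasts the SSID unless ignore_broadcast_ssid is 1 or 2.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("4a: SSID broadcast is enabled")
    # 4 b) SSID should not reveal location or owner.
    ssid = conf.get("ssid", "").lower()
    if any(term in ssid for term in REVEALING_TERMS):
        findings.append("4b: SSID reveals location or owner")
    # 4 e) no pre-shared keys; Enterprise mode (802.1X with EAP) expected.
    key_mgmt = conf.get("wpa_key_mgmt", "WPA-PSK").split()  # hostapd default is WPA-PSK
    if conf.get("wpa", "0") == "0":
        findings.append("4e: WPA/WPA2 is not enabled")
    elif any("PSK" in m for m in key_mgmt) or "wpa_passphrase" in conf or "wpa_psk" in conf:
        findings.append("4e: pre-shared key authentication in use")
    elif not (any("EAP" in m for m in key_mgmt) and conf.get("ieee8021x") == "1"):
        findings.append("4e: Enterprise mode (WPA-EAP with ieee8021x=1) not configured")
    return findings

WEAK_CONF = """
ssid=Organization-HQ-Floor3
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=constructed-example-only
"""
HARDENED_CONF = """
ssid=wl-7f3a
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
"""
if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "compliant with 4a, 4b, 4e")
```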
5 Client System Configuration
a) Every laptop with a wireless NIC must have a personal firewall installed. At minimum, use the operating system's default firewall (i.e. Windows XP Firewall).
b) Keep WLAN card drivers and system patches up to date.
c) Turn off peer-to-peer/ad hoc networking.
d) Only one WLAN connection manager is allowed to be active on a client system.
e) Wireless and wired NICs should not be allowed to be active at the same time on a client system. An isolated approach is recommended.
f) Shut down split tunnels on VPNs or adjust personal firewalls to prevent exposure of client ports.
6 Approved Technology
All wireless LAN access must use corporate-approved vendor products and security configurations endorsed by I.T. Security.
7 Encryption And Authentication
All connections for the wireless network must comply with at least 2 of the following requirements:
a) Wireless implementations must maintain point to point encryption of strong cipher strength. Encryption standards must comply with Organization’s Acceptable Encryption Guideline.
b) All implementations must be able to filter unauthorised MAC addresses.
c) Anticipate the need to support more than one type of authentication and airlink security combination.
8.1 All staff are required to comply with this security policy and its appendices. Disciplinary actions including termination may be taken against any Organization staff who fail to comply with the Organization’s security policies, or circumvent/violate any security systems and/or protection mechanisms.
8.2 Staff having knowledge of personal misuse or malpractice of IT Systems must report immediately to management and IT Security.
8.3 Organization’s staff must ensure that Organization’s contractors and other parties authorized by the Organization to use its internal computer systems comply with this policy.
8.4 Where the role of the service provider is outsourced to a vendor, the outsourced vendor should ensure compliance with this policy.