Sample – Corporate Minimal Wireless Security Requirements

February 27, 2013

By default, all wireless network segments are prohibited from connecting to the corporate production network unless authorized by the employee’s first line manager and the Director of IT Security Services.

  • The Security Service Manager must be informed when wireless segments are connected to the corporate network.
  • The Security Service Manager must approve any deviations from the security standards established herein.
  • For guest wireless access connected through a standalone broadband connection, notice and approval are not required, but compliance with the following configuration standard is still required.

Minimum Wireless Security Design Requirements

When authorized, wireless segments will comply with the following design requirements:

  • Position the location of Wireless Access Points (WAPs) to restrict the wireless signal to inside the building as much as possible.
  • Locate WAPs in secured areas to prevent unauthorized physical access and user manipulation where practical.
  • Change any “easily identifiable” SSID that would identify the WAP as a corporate asset, with the exception of the wireless Guest Network.
  • Disable the ability to configure or manage the WAPs via wireless.
  • Maintain an up-to-date inventory of all WAPs and a diagram that identifies the physical and logical location.
  • Change default passwords and encryption keys on all WAPs.
  • Change default SNMP community strings on all WAPs.
  • Disable promiscuous broadcasting of MAC addresses.
  • Transmission encryption will be implemented with WPA2 or better.
  • Disable all vendor supplied user accounts and default passwords.

Wireless Access Point Network Configuration

  • Place a firewall between the wireless network and corporate production network as determined by a risk assessment.
  • Test and deploy software patches and updates in accordance with patch management standards.

Wireless Access Points Connected to Corporate Networks

  • Configure each WAP to log all system activity and send logs to a central log server.
  • Deploy Intrusion Detection Systems (IDS) / Intrusion Protection Systems (IPS) on the wireless network to report suspicious activity (wireless event logs).

Wireless Requirements For Clinical Systems

  • All clinical systems with wireless capabilities must be tested for compliance with the requirements listed above prior to release to the production environment.

Monitoring

  • Review wireless event log files.
  • Continuously monitor to detect rogue and friendly WAPs.
  • Perform vulnerability scanning of wireless access points.

Report rogue WAPs to the Manager, Security Service Management.
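The inventory requirement above and the rogue/friendly WAP monitoring in this section can be tied together in a simple audit: each BSSID seen in a wireless survey is compared against the WAP inventory, authorized WAPs are checked against the SSID and encryption requirements, and anything unknown is classified for reporting. The following is an added illustration, not part of the sample standard; the inventory, neighbour list, SSID markers and survey data are constructed, hypothetical values.

```python
"""Rogue/friendly WAP detection against the WAP inventory (constructed sample data)."""
from dataclasses import dataclass

# Constructed inventory of authorized WAPs, keyed by BSSID (hypothetical values).
AUTHORIZED_WAPS = {
    "00:11:22:33:44:01": "Bldg 3, Floor 2, IDF-2",
    "00:11:22:33:44:02": "Bldg 3, Floor 2, IDF-3",
    "00:11:22:33:44:10": "Lobby, standalone guest broadband",
}
# Neighbouring APs previously confirmed not to be on the corporate network ("friendly").
KNOWN_FRIENDLY = {"aa:bb:cc:00:00:01"}
# Substrings that would identify an SSID as a corporate asset (hypothetical).
CORPORATE_MARKERS = ("acme", "corp", "clinic")
STRONG_ENCRYPTION = {"WPA2", "WPA3"}

# Constructed survey output: (bssid, ssid, encryption).
SCAN = [
    ("00:11:22:33:44:01", "bld3-fl2-a", "WPA2"),      # compliant
    ("00:11:22:33:44:02", "ACME-Corp", "WPA2"),       # authorized, but identifiable SSID
    ("00:11:22:33:44:10", "Guest", "OPEN"),           # authorized guest, below WPA2
    ("aa:bb:cc:00:00:01", "cafe-next-door", "WPA2"),  # known friendly neighbour
    ("de:ad:be:ef:00:01", "linksys", "WEP"),          # unknown: investigate
    ("de:ad:be:ef:00:02", "acme-wifi", "WPA2"),       # unknown and corporate-looking SSID
]

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: str   # "rogue", "violation", or "investigate"
    issue: str

def identifies_corporate(ssid: str) -> bool:
    return any(m in ssid.lower() for m in CORPORATE_MARKERS)

def audit(scan, inventory=AUTHORIZED_WAPS, friendly=KNOWN_FRIENDLY):
    """Classify each observed AP; only unknown and non-compliant APs produce findings."""
    findings = []
    for bssid, ssid, enc in scan:
        bssid = bssid.lower()
        if bssid in inventory:
            if identifies_corporate(ssid):
                findings.append(Finding(bssid, ssid, "violation", "SSID identifies WAP as corporate asset"))
            if enc not in STRONG_ENCRYPTION:
                findings.append(Finding(bssid, ssid, "violation", f"encryption {enc} is below WPA2"))
        elif bssid in friendly:
            continue  # friendly WAP: already reviewed, not connected to the corporate network
        elif identifies_corporate(ssid):
            findings.append(Finding(bssid, ssid, "rogue", "unknown WAP broadcasting a corporate-looking SSID"))
        else:
            findings.append(Finding(bssid, ssid, "investigate", "WAP not in inventory; verify it is not on the corporate network"))
    return findings

def rogue_report(findings):
    """BSSIDs to report to the Manager, Security Service Management."""
    return sorted(f.bssid for f in findings if f.severity == "rogue")
```

Running `audit(SCAN)` on the constructed survey yields two violations on authorized WAPs, one unknown AP to investigate, and one rogue AP for the report.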