|Finding ID||Version||Rule ID||IA Controls||Severity|
|Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.|
|Wireless Remote Access Policy Security Implementation Guide||2011-10-10|
|Check Text ( C-31259r3_chk )|
| Detailed Policy Requirements: |
A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager. Recommend the policy includes required security controls for the DoD-owned/operated wireless client (laptop or PDA):
- Device unlock password requirements
- Anti-virus application
- Personal firewall
- Client software patches kept up to date - Internet browsing though enterprise Internet gateway
- Device security policy managed by centrally-managed policy manager
- Anti-spyware app (recommended)
- Procedures after client is lost, stolen, or other security incident occurs
- Host-based Wireless Intrusion Detection and Prevention System (WIDPS)/monitor WIDPS
- Configuration requirements of wireless client - Home WLAN authentication requirements.
- Home WLAN SSID requirements.
- Separate WLAN access point required for home WLAN
- 8+-character authentication password required for home WLAN.
- Use of third-party Internet portals (kiosks) (approved or not approved)
- Use of personally-owned or contractor-owned client devices (approved or not approved)
- Implementation of health check of client device before connection is allowed
- Places where remote access is approved (home, hotels, airport, etc.)
- Roles and responsibilities:
--Which users or groups of users are and are not authorized to use organization's WLANs
--Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment
- WLAN infrastructure security:
--Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs
--Types of information that may and may not be sent over WLANs, including acceptable use guidelines
- WLAN client device security:
--The conditions under which WLAN client devices are and are not allowed to be used and operated.
--Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security.
--Limitations on how and when WLAN client’s device may be used, such as specific locations.
- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents
- Guidelines for the protection of WLAN client devices to reduce theft
Interview the IAO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate managers. Mark as a finding if a wireless remote access policy does not exist or is not signed.
|Fix Text (F-27725r1_fix)|
|Publish required policy.|