|Finding ID||Version||Rule ID||IA Controls||Severity|
|Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site.|
|Wireless Remote Access Policy Security Implementation Guide||2013-03-12|
|Check Text ( C-31259r4_chk )|
| Detailed Policy Requirements: |
A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager. It is recommended that the policy include required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet):
- Device unlock password requirements.
- Client software patches kept up to date.
- Internet browsing through enterprise Internet gateway.
- Device security policy managed by centrally-managed policy manager.
- Procedures after client is lost, stolen, or other security incident occurs.
- Configuration requirements of wireless client.
- Home WLAN authentication requirements.
- Home WLAN SSID requirements.
- Separate WLAN access point required for home WLAN.
- 8+-character authentication password required for home WLAN.
- Use of third-party Internet portals (kiosks) (approved or not approved).
- Use of personally-owned or contractor-owned client devices (approved or not approved).
- Implementation of health check of client device before connection is allowed.
- Places where remote access is approved (home, hotels, airport, etc.).
- Roles and responsibilities:
--Which users or groups of users are and are not authorized to use the organization's WLANs.
--Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment.
- WLAN infrastructure security:
--Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs.
--Types of information that may and may not be sent over WLANs, including acceptable use guidelines.
- WLAN client device security:
--The conditions under which WLAN client devices are and are not allowed to be used and operated.
--Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security.
--Limitations on how and when a WLAN client device may be used, such as specific locations.
--Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol.
- Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents.
- Guidelines for the protection of WLAN client devices to reduce theft.
Interview the IAO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate managers. Mark as a finding if a wireless remote access policy does not exist or is not signed.
|Fix Text (F-27725r3_fix)|
|Publish Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority.|