Not every security problem is per se caused by a hacker. Sometime, unintentionally, your own employees are causing the issue—humans are still the weakest link. As I said it is unintentional because when you don’t have a policy written down the users are not aware of what is allowed and what is not allowed. Rogue access points are something what you don’t want, but if there is not a policy defining rogue access points, your employees don’t know that they are doing something wrong.
General Policy
Even if you don’t have wireless, you should at least write down that you don’t have it. As stated in the previous paragraph you want to define the term “rogue access point.”
Statement of authority
Defines who put the WLAN policy in place and the executive management that backs the policy.
Applicable audience
Defines to whom the policy applies to.
Risk Assessment and Threat Analysis
Defines the potential wireless security risks and threat and what the impact is on the company.
Security Auditing
Defines the auditing procedures.
Violation Reporting Procedures
Defines how the WLAN security policy will be enforced.
It is hard to write a policy. The policy needs to be accepted by all departments, management, and employees. If it is too restrictive it is possible that everybody will ignore the policy. The committee that makes the policy should include all the people that are involved.
After the scope, you need to think what the risks are of a wireless attack. What do you want to protect? Healthcare records or credit card information? Once you have all the risks written down you should hire an auditing team that looks for vulnerabilities inside your wireless network. You need to obtain support from your management as well.
A policy needs to be readable by all the people in your company, so not too technical. When all the people have read it and accept it, you should tell them where they can find the policy documentation, so they can reach it to reread it or after changes.
Functional Policy
When the general policy is written, you need to make functional policies. This is more detailed on the technical aspect of the wireless network: how to use the network, what baselines are there, or how is your network designed, implemented, and how are you monitoring it afterwards.
Password policy
In this policy is written what is the minimal length, complexity, and how long the password is valid. Do the users need to change their password on the first login; are they using certificates, smart cards, or fingerprints? It is more secure to have a 2-way authentication. For example, what you know (password), what you have (smartcard), or who you are (fingerprint).
RBAC policy
Role-Based Access Control policy defines which user groups are there and where the groups have access to and what their rights are. For example, you have group for administrators that have read-write access and a group for local support with read-only access. When a user switches position within the company or leaves the company, it is easy to remove the user from the group instead of all the applications.
Change control policy
This defines when you should upgrade your wireless systems to the newest firmware.
Authentication and Encryption policy
This policy defines what kind of authentication and encryption you use within your wireless network.
Monitor policy
How do you monitor your network, but also how do you act on things you see in your network? For example, if you see a rogue access point, what are the steps that you take to remove the access point from your network. This should be defined in the monitor policy.
Physical security
How do you protect your access point from stealing? You have National Electrical Manufactures Association (NEMA) enclosures. Those enclosures protect your access points for weather, but can also protect the access point from theft. Putting the access points above the ceiling is not advised to prevent theft. Yes, hackers cannot see your access point, but the signal strength will be worse.
Government and Industry Regulation
The last part of this blog is about government and regulation. Regulations can be different per country, but there are also some that are common.
Sarbanes-Oxley act (SOX) is for corporate accounting and auditing.
Graham-Leach-Bliley Act (GLBA) is for the financial world, such as banks and other financial companies.
Health Insurance Portability and Accountability Act (HIPAA) is for protecting the patient’s information like medical records in the healthcare industry.
Payment Card Industry (PCI) is for protecting credit cards and debit card payments in stores, to be sure that customers can pay secure with their cards.
