Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-25035 | WIR-WRA-002 | SV-30837r4_rule | ECWN-1 | Low |
Description |
---|
Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. |
STIG | Date |
---|---|
Commercial Mobile Device (CMD) Policy Security Technical Implementation Guide (STIG) | 2013-01-17 |
Check Text ( C-31259r4_chk ) |
---|
Detailed Policy Requirements: A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager. Recommend the policy includes required security controls for the DoD-owned/operated wireless client (PDA, smartphone, or tablet): - Device unlock password requirements. - Client software patches kept up to date - Internet browsing though enterprise Internet gateway. - Device security policy managed by centrally-managed policy manager. - Procedures after client is lost, stolen, or other security incident occurs. - Configuration requirements of wireless client - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for home WLAN. - 8+-character authentication password required for home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of health check of client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use organization's WLANs. --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment. - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. --Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client’s device may be used, such as specific locations. --Avoid connecting to WLAN access points with WEP security due to the security issues with this protocol. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft. Check Procedures: Interview the IAO and/or the site wireless device administrator and determine if the site has a wireless remote access policy (or a wireless section in a general remote access policy). Verify the policy has been signed by the site DAA, Commander, Director, or other appropriate managers. Mark as a finding if a wireless remote access policy does not exist or is not signed. |
Fix Text (F-27725r3_fix) |
---|
Publish Wireless Remote Access Policy signed by the site DAA, Commander, Director, or other appropriate authority. |