The organization must define a time period for monitoring of unauthorized wireless connections to information systems, including scans for unauthorized wireless access points.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35920	SRG-MPOL-006	SV-47236r1_rule		Medium

Description
Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization-controlled boundaries, allowing only authorized and qualified personnel to configure wireless services, and conducting periodic scans for unauthorized wireless access points greatly reduces vulnerabilities.

Description

Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization-controlled boundaries, allowing only authorized and qualified personnel to configure wireless services, and conducting periodic scans for unauthorized wireless access points greatly reduces vulnerabilities.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44159r1_chk )
Review the organization's access control and security policy, procedures addressing wireless implementation and usage (including restrictions), wireless scanning reports, and any other relevant documentation. The objective is to verify the organization has: (i) established a requirement for monitoring the wireless connection environment for unauthorized access, (ii) established a requirement of periodic scans to be conducted for unauthorized wireless access points, and (iii) established a time period at which these activities are to be conducted. If the organization has not defined the time period for monitoring or scanning, this is a finding.

Check Text ( C-44159r1_chk )

Review the organization's access control and security policy, procedures addressing wireless implementation and usage (including restrictions), wireless scanning reports, and any other relevant documentation. The objective is to verify the organization has: (i) established a requirement for monitoring the wireless connection environment for unauthorized access, (ii) established a requirement of periodic scans to be conducted for unauthorized wireless access points, and (iii) established a time period at which these activities are to be conducted. If the organization has not defined the time period for monitoring or scanning, this is a finding.

Fix Text (F-40446r1_fix)
Define the time period for monitoring of unauthorized wireless connections to information systems to include the time period for performing scans to identify unauthorized wireless access points.