Title

The organization must define a time period for monitoring of unauthorized wireless connections to information systems, including scans for unauthorized wireless access points. (Cat II impact)

Discussion

Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), Wi-Fi, and Bluetooth. Wireless networks present similar security risks to those of a wired network, and since the open airwaves are the communications medium for wireless technology, an entirely new set of risks are introduced. Implementing wireless computing and networking capabilities in accordance with the organization defined wireless policy, within organization-controlled boundaries, allowing only authorized and qualified personnel to configure wireless services, and conducting periodic scans for unauthorized wireless access points greatly reduces vulnerabilities.

Check Content

Review the organization's access control and security policy, procedures addressing wireless implementation and usage (including restrictions), wireless scanning reports, and any other relevant documentation. The objective is to verify the organization has: (i) established a requirement for monitoring the wireless connection environment for unauthorized access, (ii) established a requirement of periodic scans to be conducted for unauthorized wireless access points, and (iii) established a time period at which these activities are to be conducted. If the organization has not defined the time period for monitoring or scanning, this is a finding.

Fix Text

Define the time period for monitoring of unauthorized wireless connections to information systems to include the time period for performing scans to identify unauthorized wireless access points.

Additional Identifiers

Rule ID:

Vulnerability ID: V-35920

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.