II.C.9(a) Wireless Network Considerations
A wireless LAN (WLAN) is a network connectivity medium, based on radio wave transmissions, that provides more convenient network access to employees or devices that need the flexibility to connect from multiple locations within the institution's facilities. Because the user is not physically connected to the network and the wireless signal is broadcast and available to others, wireless networks are inherently less secure than wired networks and require additional scrutiny, controls, and oversight. Wireless access points are the devices that broadcast the radio wave signals; they should be physically secured to prevent compromise and securely configured to provide the same level of control as a wired connection. Wireless gateways can allow management to implement more complex access controls, including advanced identity management capabilities and services to detect and remediate malicious software.
Policies should prohibit installation of wireless access points and gateways without approval and formal inclusion in the hardware inventory. Network monitoring systems should be configured to detect the addition of new devices. Alternatively, network access control (NAC) systems could prevent the recognition of any unauthorized device. A NAC system typically provides an IP address only after validating that the newly connected device is authorized, by means of some identification (such as a computer's physical (MAC) address or a certificate) or pre-installed client software. Management should consider limiting the WLAN signal to authorized areas, within the boundaries of the institution, if feasible. Management should use an industry-accepted level of encryption, with strength commensurate with the institution's risk profile, on the institution's wireless networks.
Malicious insiders and attackers may also set up rogue or unauthorized wireless access points and trick employees into connecting. Such access points allow attackers to monitor employee activities. The institution should scan the network regularly to detect rogue access points and consider implementing NAC systems to prevent the successful connection of unauthorized devices.
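Added example (not from the handbook): a small Python check that applies the inventory-and-scan approach above, comparing a wireless scan against the approved access-point inventory to flag devices that are not in it. The inventory, the scan lines, and the signal threshold are constructed values.

```python
from dataclasses import dataclass
# Constructed authorized access-point inventory: BSSID -> SSID it may broadcast.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "CORP-WLAN",
    "aa:bb:cc:00:00:02": "CORP-WLAN",
    "aa:bb:cc:00:00:10": "CORP-GUEST",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
# Signal (dBm) at or above which an unknown AP is treated as inside the facility; constructed, tune on site.
INSIDE_FACILITY_DBM = -60

# Constructed scan output, one AP per line: "BSSID SSID CHANNEL SIGNAL_DBM".
SAMPLE_SCAN = """
aa:bb:cc:00:00:01 CORP-WLAN 6 -45
aa:bb:cc:00:00:02 CORP-WLAN 11 -52
de:ad:be:ef:00:01 CORP-WLAN 6 -40
de:ad:be:ef:00:02 FreeWiFi 1 -48
de:ad:be:ef:00:03 NeighborNet 3 -85
"""

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str

def parse_scan(text):
    """Parse scan text into (bssid, ssid, channel, signal_dbm) tuples."""
    observed = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than mis-classify them
        bssid, ssid, channel, signal = parts
        observed.append((bssid.lower(), ssid, int(channel), int(signal)))
    return observed

def rogue_access_points(text):
    """Compare observed APs against the inventory and return the findings."""
    findings = []
    for bssid, ssid, _channel, signal in parse_scan(text):
        if bssid in AUTHORIZED_APS:
            if ssid != AUTHORIZED_APS[bssid]:
                findings.append(Finding(bssid, ssid, "inventoried AP broadcasting an unapproved SSID"))
            continue  # a BSSID can be spoofed: an inventory match is evidence, not proof
        if ssid in CORPORATE_SSIDS:
            findings.append(Finding(bssid, ssid, "corporate SSID from a device not in the inventory"))
        elif signal >= INSIDE_FACILITY_DBM:
            findings.append(Finding(bssid, ssid, "unknown AP with a strong signal inside the facility"))
    return findings
```

Findings should be reconciled against the hardware inventory and physically located; a weak-signal unknown AP is usually a neighbour, which is why the threshold matters.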
The institution may provide guests with access to a wired or wireless network. The guest network generally is used to provide access to the Internet and should be configured to prevent access to any portion of the production network.
Institutions often provide remote network connectivity for employees or third-party service providers who are not located within or around the institution's facilities. (In some cases, the institution provides remote access via VPN to a third-party service provider. Controls over third-party access should be commensurate with the sensitivity and criticality of the system and information accessed.) This connectivity presents operational advantages, but steps should be taken to ensure that the connection is encrypted and secured. VPN connections should be used for both broadband networks and wireless air card connections to isolate and encrypt remote traffic to institution networks. IP geolocation information may not always be available when using broadband networks, which can limit the effectiveness of monitoring. Therefore, management should consider implementing compensating controls, such as restricting access to network resources.