Wireless Communication Policy
With1.0 thePurpose
Wireless explosionnetworking of(Wi-Fi) Smartis Phonesprevalent and Tablets,essential pervasivefor connectivity using devices like laptops, smartphones, and tablets. However, insecure wireless connectivityconfigurations iscreate almostsignificant avulnerabilities giventhat atmalicious any organization. Insecure wireless configurationactors can provideexploit. an easy open door for malicious threat actors.
The purpose of this policy is to secureestablish the minimum security requirements for deploying, configuring, and protectconnecting wireless infrastructure devices (access points, routers) and client devices to the informationorganization's assetsnetwork. ownedThis bypolicy <Company Name>. <Company Name> provides computer devices, networks, and other electronic information systemsaims to meet missions, goals, and initiatives. <Company Name> grants access to these resources as a privilege and must manage them responsibly to maintainprotect the confidentiality, integrity, and availability of allthe organization's information assets.assets by managing the risks associated with wireless technologies.
2.0 Scope
This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to <Company Name> network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the Information Security Department are approved for connectivity to a <Company Name> network.
All employees, contractors, consultants, temporary and other workers at <Company Name>, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of <Company Name> must adhere to this policy. This policy applies to all employees, contractors, consultants, temporary staff, vendors, and other personnel ("Users") at the organization, including affiliates and third parties who manage or use wireless infrastructure or connect devices wirelessly to the organization's network. It covers all wireless infrastructure devices thatoperating connecton organizational sites or connecting to athe <Companynetwork, Name>and network or reside on a <Company Name> site that provide wireless connectivity to endpointall devices including, but not limited to, (laptops, desktops, cellularmobile phones, andtablets, tablets.IoT devices, etc.) using wireless communications to access organizational resources. This includes any form of wireless communication device capable of transmitting packet data.
3.0 Policy Statements
Access to the organization's network via wireless technology is a privilege conditioned on adherence to the following security requirements:
3.1 General Requirements for Corporate Wireless Networks
All wireless infrastructure devices deployed within organizational facilities that reside at a <Company Name> site and connect to athe <Companyprimary Name>corporate network, or provide access to information classified as <Company Name> Confidential,Confidential or abovehigher must:(per the Data Classification Policy), must adhere to the following minimum security standards:
* **Authentication:** Must utilize strong, enterprise-grade authentication protocols (e.g., WPA2-Enterprise or WPA3-Enterprise using EAP-TLS, PEAP, or other approved EAP types) integrated with the organization's central authentication system (e.g., RADIUS, Active Directory). Pre-shared keys (PSK) are prohibited for primary corporate network access.
* **Encryption:** Must use strong encryption algorithms (e.g., AES/CCMP). Deprecated protocols like WEP or WPA/TKIP are prohibited.
* **SSID Management:** Service Set Identifiers (SSIDs) for corporate access must not be broadcast where feasible or required by specific security directives. Guest network SSIDs may be broadcast but must be segregated. Default SSIDs must be changed.
* **Device Management:** Access points must be centrally managed using organization-approved systems. Default administrative credentials must be changed immediately upon deployment using strong, unique passwords compliant with the Password Policy. Firmware must be kept up-to-date with security patches.
* **Network Segmentation:** Corporate wireless networks must be appropriately segmented from guest or other less trusted networks using VLANs and firewall rules.
* **Rogue AP Detection:** Mechanisms must be in place to detect and mitigate unauthorized (rogue) wireless access points connected to the corporate network.
* **(Placeholder: Add any other specific requirements, e.g., specific configuration settings, physical security of APs).**
Lab3.2 andRequirements for Laboratory or Isolated Wireless Device RequirementsNetworks
AllWireless labnetworks wirelessdeployed infrastructurein deviceslaboratory or other isolated environments that **do** provide access to <Company Name> Confidential or above,higher organizational data must adhere to the requirements in section 4.13.1.
Wireless Labnetworks andwithin labs or isolated wireless devicesenvironments that **do notnot** provide general network connectivity to the <Companycorporate Name>production network must:must still meet the following minimum requirements:
* **Authentication & Encryption:** Must utilize, at minimum, WPA2/WPA3 Personal (PSK) with strong, complex passphrases compliant with the Password Policy. Open (unencrypted/unauthenticated) wireless networks are strictly prohibited if handling any organizational data or connected to any equipment processing such data.
* **Network Isolation:** Must be demonstrably segregated from the corporate production network (e.g., via air gap or dedicated firewalls configured according to organizational standards). Any connection between lab/isolated networks and the corporate network requires explicit approval and security review by the designated IT authority (e.g., Precision Computer team, Lab Security Group).
* **Device Management:** Default administrative credentials must be changed. Firmware should be kept updated.
* **(Placeholder: Add any other specific lab/isolated requirements).** Adherence to specific Lab Security Policies is also required.
Home3.3 Requirements for Home/Remote Wireless Device RequirementsAccess
Connecting to the organization's network from a home or remote location via wireless must be done securely:
* **Direct Network Access:** Wireless infrastructure devices that(home providerouters) directproviding *direct* authenticated access to the <Company Name>organization's corporate network,network (e.g., via a hardware VPN tunnel directly terminating on the home router) must conformthemselves be secured according to standards defined by the designated IT authority. This typically includes using WPA2/WPA3 Personal (PSK) with a strong passphrase, changing default admin credentials, disabling insecure features (like WPS PIN), and keeping firmware updated. *(Refer to a detailed "Home Wireless Standard" or similar document if available, or detail specific requirements here).*
* **Standard Remote Access:** If a home wireless network does not meet the standards for direct corporate access, connections to the Homeorganizational Wirelessnetwork Devicemust Requirementsonly asoccur detailedvia the standard, organization-approved remote access solution (e.g., software VPN client running on the endpoint device). The security of the home Wi-Fi (using at least WPA2-PSK with a strong password) remains the user's responsibility but does not directly impact the corporate network in thethis Wirelessscenario Communication Standard.
Wireless infrastructure devices that fail to conformdue to the HomeVPN Wirelesstunnel Deviceoriginating Requirementsfrom mustthe beendpoint.
4.0 Compliance
4.1 Compliance Measurement
The designated IT authority (e.g., Precision Computer teamteam) will verify compliance towith this policy through various methods, including but not limited to, periodicwireless walk-thrus,network videoscanning, monitoring,rogue businessAP tooldetection reports,systems, internalconfiguration audits of managed devices, security assessments, review of network logs, and externalinvestigation audits,of andreported feedback to the policy owner. incidents.
4.2 Exceptions
Any exception to the standards specified in this policy mustrequires beformal, approveddocumented byjustification, risk assessment, and advance approval from the designated IT authority (e.g., Precision Computer team inor advance.Information Security).
An4.3 employeeEnforcement
Non-compliant towireless havedevices violatedmay be disconnected from the network without notice. Violations of this policy by personnel may beresult subject toin disciplinary action, up to and including termination of employment.employment or contract, consistent with organizational procedures.
5.0 Definitions
* **MAC Address (Media Access Control Address):** A unique identifier assigned to network interface controllers for communications at the data link layer. (While relevant to some wireless controls like MAC filtering, it's not a primary security mechanism required by this policy template).
* **SSID (Service Set Identifier):** A name that identifies a specific wireless network.
* **WPA2/WPA3 (Wi-Fi Protected Access versions 2 & 3):** Security protocols used to secure wireless networks. Enterprise modes use individual credentials via RADIUS; Personal modes use a Pre-Shared Key (PSK).
* **EAP (Extensible Authentication Protocol):** An authentication framework used in WPA/WPA2/WPA3 Enterprise networks (e.g., EAP-TLS, PEAP).
* **AES (Advanced Encryption Standard):** A strong encryption algorithm used within WPA2/WPA3.
* **Rogue Access Point:** An unauthorized wireless access point connected to a network.
* Acceptable Use Policy (AUP)
* Password Policy
* Remote Access Policy
* Data Classification Policy
* Lab Security Policy
Wireless(if Communicationapplicable)
* Information Security Policy (Overall)
* Baseline Workstation Configuration Standard (for client-side settings)
The following definition and terms can be found in the SANS Glossary located at:
https://www.sans.org/security-resources/glossary-of-terms/
MAC Address