Security Control 7:
Wireless Device Control

Protect restricted information from being transmitted over unencrypted wireless or through unauthorized access points: Encrypt wireless traffic. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID   Details (with requirement level for High / Med / Low sensitivity environments)

7.1  High: REQ   Med: REQ   Low: REQ
     Ensure that all wireless access points are manageable using enterprise management tools. Do not install access points without local network engineer and security input.
     Additional details: Access points designed for home use often lack such enterprise management capabilities, and should therefore be avoided in enterprise environments.

7.2  High: REQ   Med: REQ   Low: OPT
     Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.

7.3  High: REQ   Med: REQ   Low: OPT
     Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.

7.4  High: REQ   Med: REC   Low: OPT
     For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration, with password protection to lower the possibility that the user will override such configurations.

7.5  High: REQ   Med: REC   Low: OPT
     Ensure that all wireless traffic uses at least Advanced Encryption Standard (AES) encryption with at least Wi-Fi Protected Access 2 (WPA2) protection.

7.6  High: REQ   Med: OPT   Low: OPT
     Network vulnerability scanning tools should be configured to detect wireless access points connected to the wired network.
     Additional details: Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.
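The reconciliation step of control 7.6, combined with the encryption baseline of 7.5, as an added example that is not part of this standard: the authorized inventory, the scan records and the field names are constructed for illustration, not taken from any particular scanning product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    bssid: str   # radio MAC address reported by the scanner
    ssid: str    # advertised network name
    auth: str    # authentication: "OPEN", "WPA", "WPA2", "WPA3"
    cipher: str  # pairwise cipher: "NONE", "TKIP", "AES"

# Constructed authorized inventory, keyed by lower-case BSSID (control 7.6).
AUTHORIZED = {
    "00:11:22:33:44:01": "floor5-east",
    "00:11:22:33:44:02": "floor5-west",
}

# Constructed scan output: one record per radio the scanner detected.
SCAN_RESULTS = [
    AccessPoint("00:11:22:33:44:01", "CorpWiFi", "WPA2", "AES"),
    AccessPoint("00:11:22:33:44:02", "CorpWiFi", "WPA2", "TKIP"),
    AccessPoint("AA:BB:CC:DD:EE:FF", "CorpWiFi", "OPEN", "NONE"),
    AccessPoint("DE:AD:BE:EF:00:01", "PrinterSetup", "WPA2", "AES"),
]

def meets_baseline(ap):
    """Control 7.5: at least WPA2 protection with AES encryption."""
    return ap.auth in ("WPA2", "WPA3") and ap.cipher == "AES"

def reconcile(scan, authorized):
    """Control 7.6: split detected radios into rogue (not in the inventory)
    and weak (authorized but below the 7.5 baseline). Matching is by BSSID,
    not SSID, so a rogue radio that copies the corporate name is still reported."""
    rogue, weak = [], []
    for ap in scan:
        if ap.bssid.lower() not in authorized:
            rogue.append(ap)
        elif not meets_baseline(ap):
            weak.append(ap)
    return rogue, weak

def report(scan=SCAN_RESULTS, authorized=AUTHORIZED):
    """Return a sorted list of (finding, bssid, ssid) tuples for review."""
    rogue, weak = reconcile(scan, authorized)
    findings = [("ROGUE", ap.bssid.lower(), ap.ssid) for ap in rogue]
    findings += [("WEAK_CRYPTO", ap.bssid.lower(), ap.ssid) for ap in weak]
    return sorted(findings)

if __name__ == "__main__":
    for finding, bssid, ssid in report():
        print(f"{finding:<12} {bssid}  ssid={ssid}")
```

Authorized radios that fail the baseline are reported separately from rogue ones, since the remediation differs: reconfigure the former, deactivate the latter.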

Additional Reading