My client has only recently allowed the use of wireless NICs on their corporate laptops. Their sales force hopes to use the technology to send orders, retrieve email and so on. I have been charged with writing a policy governing the acceptable types of PCMCIA cards and also how the technology is to be used.
I have concerns about users connecting to unsecured networks. Do you know of any policy document templates I could use as a starting point? Also, any advice about security would be greatly appreciated.
Balancing the needs of a mobile workforce with information security risk management is definitely a challenge. First, I recommend that a risk analysis be performed so that you will better understand how and where the introduction of wireless capabilities could increase their risk.
Most of the security concerns around wireless for your mobile users can be addressed by implementing current technology following best practice guidelines. One of the biggest challenges is dealing with public Wi-Fi hot spot usage. It may be convenient, but the security risks can be substantial. One of the biggest risks is that their wireless communications could be intercepted. This is usually something that can only be addressed by a written policy.
Your policy should help to drive good decisions by mobile users. For example, decide which open access points they will and will not connect to. The policy should stipulate that open access points are only to be used if the access point owner implicitly communicates that the access point is for general public use. The policy should also require the use of desktop firewall and intrusion protection software in addition to the usual antivirus software. But none of this will guarantee that users are completely protected. The policy also needs to require that encryption be used when any confidential information is being transferred.
I know of some companies that have gone wireless, but not with 802.11 Wi-Fi. Instead they use a wireless data service from one of the wireless carriers, along with a data card, to reduce or eliminate some of the risks, at the cost of bandwidth.
For some wireless security configuration and policy guidelines, I suggest the SANS Reading Room.
Read more about wireless security on SearchSecurityChannel.com.
This was first published in July 2007