3.1.17 has a weight of -5 points

(Access Control Family) 17/22

Protect wireless access using authentication and encryption

Example of System Security Plan (SSP):

    1. System Security Plan (SSP) for wireless access:

      1. Introduction: This System Security Plan (SSP) outlines the security measures implemented to protect the wireless network in our organization. The plan uses cryptography that meets the government-mandated FIPS 140-2 standard (the federal standard for validated cryptographic modules) and focuses on protecting Controlled Unclassified Information (CUI) through encryption and access controls.

      2. System Description:

      • Name of System: Secure Wireless Network
      • System Functionality: Provides wireless connectivity to authorized users and devices within the organization.
      • Location: All company facilities

      3. Security Measures:

      • Authentication and Encryption:
        • Uses WPA2 with AES-CCMP so that all wireless traffic is encrypted; open, WEP, and WPA/TKIP configurations are disabled.
        • The cryptographic modules on the access points and controllers are FIPS 140-2 validated, as the government mandates for protecting CUI.
        • Authenticates both users and devices (for example, 802.1X/EAP with per-user credentials and device certificates) so that only authorized users and company-owned devices can join the network.
      • Access Controls:
        • Only authorized users and company-owned devices are granted access to the wireless network.
        • Policies are in place to control and monitor access, including regular updates to passwords and access lists.

      4. Management Controls:

      • Regular Monitoring and Audits:
        • Continuous monitoring of the wireless network for unauthorized access or suspicious activities.
        • Periodic security audits to ensure compliance with the SSP.
      • Incident Response Plan:
        • Procedures for responding to security incidents are well-defined and adhered to.
        • Reporting mechanisms are in place to ensure timely notification and action if a breach occurs.
      • Policy Enforcement:
        • Users are educated about the policies governing wireless access.
        • Non-compliance with policies is dealt with promptly through predefined disciplinary actions.

    Example of Plan of Action and Milestones (POA&M):

    Plan of Actions and Milestones (POA&M) – Secure Wireless Network

    1. Introduction: This POA&M outlines the actions and milestones necessary to address identified deficiencies and improve the overall security posture of our wireless network.

    2. Deficiency Identification and Prioritization: The following table details the identified deficiencies, planned remediation activities, responsibilities, resources, and target completion dates:

    Item | Deficiency                    | Remediation Action                          | Responsible Party | Resources Required     | Target Completion Date
    1    | Weak Authentication Methods   | Implement Multi-Factor Authentication       | IT Department     | MFA Software           | MM/DD/YYYY
    2    | Outdated WPA2 Encryption      | Upgrade to WPA3                             | IT Department     | WPA3 Compatible Devices | MM/DD/YYYY
    3    | Unmonitored Access            | Implement Continuous Monitoring             | Security Team     | Monitoring Tools       | MM/DD/YYYY
    4    | Lack of Incident Response Plan | Develop and Document Incident Response Plan | Security Team     | N/A                    | MM/DD/YYYY

    3. Monitoring and Reporting:

    • Monitoring: The responsible parties will provide monthly updates on the status of each remediation activity.
    • Reporting: A quarterly review will be conducted to evaluate progress and make necessary adjustments to the plan.

    4. Risks and Mitigations:

    • Risks: The identified deficiencies may expose the wireless network to unauthorized access or potential data breaches.
    • Mitigations: The remediation activities outlined in this POA&M are aimed at reducing these risks by strengthening authentication, updating encryption standards, monitoring access, and implementing an incident response plan.


    Sample Policy:

    Wi-Fi Access Policy for [Company Name]

    1. Purpose: This policy defines the requirements and conditions under which access to [Company Name]’s Wi-Fi network is granted. The aim is to safeguard the network by restricting access to only company-owned devices and authorized employees.

    2. Scope: This policy applies to all employees, contractors, vendors, and other individuals who seek to access the company’s Wi-Fi network.

    3. Policy:

    • 3.1 Authorized Users: Only employees of [Company Name] or individuals expressly authorized by the IT department are allowed to access the Wi-Fi network.

    • 3.2 Authorized Devices: Access to the Wi-Fi network is restricted to company-owned devices that comply with the organization’s security standards. Personal devices are strictly prohibited from connecting to the Wi-Fi network.

    • 3.3 Authentication and Encryption: Connections to the Wi-Fi network must be authenticated using credentials issued by the IT department to the individual user and device. WPA2 (AES-CCMP) or WPA3 encryption must be used to secure the connection; open, WEP, and WPA/TKIP networks are not permitted.

    • 3.4 Compliance with FIPS 140-2: Wireless encryption must be provided by cryptographic modules validated under the government-mandated FIPS 140-2 standard.

    • 3.5 Usage Monitoring and Auditing: Wi-Fi network usage will be monitored, and access logs will be audited regularly to ensure compliance with this policy.

    4. Responsibilities:

    • 4.1 Employees: Employees must comply with this policy and report any suspicious activities or violations to the IT department.

    • 4.2 IT Department: The IT department is responsible for implementing, maintaining, and monitoring security measures in line with this policy.

    5. Policy Violation: Violations of this policy may result in disciplinary action, up to and including termination of employment.

    6. Review and Updates: This policy will be reviewed and updated regularly to ensure its relevance and effectiveness.

    7. Acknowledgment: All employees must acknowledge that they have read, understood, and agree to comply with this Wi-Fi Access Policy.

    Signature:________________________ Date: _______________
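    The authentication and encryption settings described in SSP section 3 and in policy section 3.3 can be checked mechanically rather than by reading screenshots. The script below is an added example, not part of this page or of any vendor's tooling. It parses hostapd-style key=value configuration fragments (two constructed ones are embedded: a weak SSID and the corrected one) and reports anything that would fail 3.1.17: an open or WPA1-capable SSID, pre-shared-key authentication (a shared passphrase encrypts but does not authenticate individual users or devices), TKIP ciphers, and 802.1X selected without the authenticator or a RADIUS server. The directive names and acceptable values are the ones hostapd documents; the RADIUS address and shared secret are placeholders.

```python
"""Audit hostapd-style access point settings against the authentication and
encryption requirements behind 3.1.17 (added example, not from the page)."""

# Constructed hostapd.conf fragments. WEAK_CONF is what an assessor would
# write up; HARDENED_CONF is the corrected setting. The RADIUS address and
# shared secret are placeholders.
WEAK_CONF = """
interface=wlan0
ssid=Corp-WiFi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=Welcome123
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
"""

HARDENED_CONF = """
interface=wlan0
ssid=Secure-Wireless
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=change-me
"""

# Key-management and pairwise-cipher values treated as acceptable here.
# EAP (802.1X) and SAE identify each user or device; CCMP/GCMP are the AES
# modes that a FIPS-validated module on the AP would be providing.
OK_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192", "SAE"}
OK_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}


def parse_hostapd(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_3_1_17(conf):
    """Return a list of findings; an empty list means the SSID passes."""
    findings = []

    # Encryption: wpa is a bitmask (1 = WPA1, 2 = WPA2/RSN). Only 2 is acceptable.
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("open network: no WPA/RSN configured")
    elif wpa & 1:
        findings.append(f"wpa={wpa} enables legacy WPA1; require wpa=2 (RSN only)")

    # Authentication: a shared passphrase does not authenticate individual
    # users or devices, so WPA-PSK fails the control even though it encrypts.
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if wpa and not key_mgmt:
        findings.append("no wpa_key_mgmt configured")
    for km in sorted(key_mgmt - OK_KEY_MGMT):
        findings.append(f"key management {km} is not per-user/device authentication")

    # Pairwise ciphers actually in use: wpa_pairwise applies to WPA1, and
    # rsn_pairwise (falling back to wpa_pairwise) applies to WPA2/RSN.
    ciphers = set()
    if wpa & 1:
        ciphers |= set(conf.get("wpa_pairwise", "").split())
    if wpa & 2:
        ciphers |= set((conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")).split())
    for cipher in sorted(ciphers - OK_CIPHERS):
        findings.append(f"pairwise cipher {cipher} is not an AES mode; allow only CCMP/GCMP")

    # 802.1X/EAP needs the authenticator enabled and a RADIUS server (or the
    # built-in EAP server) to actually check credentials.
    if any(km.startswith("WPA-EAP") for km in key_mgmt):
        if conf.get("ieee8021x") != "1":
            findings.append("WPA-EAP selected but ieee8021x=1 is not set")
        if "auth_server_addr" not in conf and conf.get("eap_server") != "1":
            findings.append("WPA-EAP selected but no auth_server_addr or eap_server=1")

    return findings


def audit(text):
    """Parse a config fragment and return (ssid, findings)."""
    conf = parse_hostapd(text)
    return conf.get("ssid", "?"), check_3_1_17(conf)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        ssid, findings = audit(text)
        print(f"{name} ({ssid}): {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

    Run against the weak fragment the script reports WPA1 enabled, WPA-PSK, and TKIP; the hardened fragment passes. Note that the script cannot tell whether the AP's cryptographic module is actually FIPS 140-2 validated; that comes from the module's certificate and the vendor's FIPS-mode setting, which the SSP should cite alongside this check.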


    RELEVANT INFORMATION:

    Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. See [NIST CRYPTO].

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
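    The monitoring described in SSP section 4, policy section 3.5, and the review schedule above comes down to comparing what the access points saw against the asset inventory sheet. The script below is an added example, not part of this page or of any product. It loads a constructed inventory in the shape of the spreadsheet (MAC address, asset tag, authorized user), reads constructed log lines modeled on hostapd syslog output (not captured from a real access point), and reports two things: devices that connected but are not company-owned according to the inventory, and stations that repeatedly failed 802.1X authentication. The MAC-against-inventory match is a detective control only, since a MAC address can be cloned; the 802.1X authentication required by the policy is what actually keeps unauthorized devices off the network.

```python
"""Audit wireless access logs against the asset inventory sheet (added
example, not part of the page)."""
import csv
import io
import re
from collections import Counter

# Constructed inventory in the shape of the asset/access-control spreadsheet:
# one row per company-owned wireless device.
INVENTORY_CSV = """mac,asset_tag,authorized_user
00:11:22:33:44:55,LT-0042,j.doe
66:77:88:99:aa:bb,LT-0043,a.smith
"""

# Constructed log lines modeled on hostapd syslog output; not from a real AP.
LOG_LINES = """\
Jan 12 09:14:03 ap1 hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Jan 12 09:14:03 ap1 hostapd: wlan0: AP-STA-CONNECTED 00:11:22:33:44:55
Jan 12 09:20:41 ap1 hostapd: wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:ff
Jan 12 09:25:10 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed
Jan 12 09:25:14 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed
Jan 12 09:25:19 ap1 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.1X: authentication failed
Jan 12 09:30:00 ap1 hostapd: wlan0: AP-STA-DISCONNECTED 00:11:22:33:44:55
"""

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
CONNECTED_RE = re.compile(r"AP-STA-CONNECTED " + MAC, re.I)
AUTH_FAIL_RE = re.compile(r"STA " + MAC + r" IEEE 802\.1X: authentication failed", re.I)


def load_inventory(csv_text):
    """Return {mac: (asset_tag, authorized_user)} from the inventory sheet."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): (row["asset_tag"], row["authorized_user"]) for row in reader}


def audit_wireless_log(log_text, inventory, fail_threshold=3):
    """Return (unknown_devices, repeated_failures).

    unknown_devices: MACs that connected but are not in the inventory, in
    order of first appearance.
    repeated_failures: {mac: count} for MACs with at least fail_threshold
    802.1X authentication failures.
    """
    unknown = []
    failures = Counter()
    for line in log_text.splitlines():
        m = CONNECTED_RE.search(line)
        if m:
            mac = m.group(1).lower()
            if mac not in inventory and mac not in unknown:
                unknown.append(mac)
            continue
        m = AUTH_FAIL_RE.search(line)
        if m:
            failures[m.group(1).lower()] += 1
    repeated = {mac: n for mac, n in failures.items() if n >= fail_threshold}
    return unknown, repeated


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    unknown, repeated = audit_wireless_log(LOG_LINES, inv)
    for mac in unknown:
        print(f"ALERT: {mac} connected but is not a company-owned device in the inventory")
    for mac, n in repeated.items():
        print(f"ALERT: {mac} failed 802.1X authentication {n} times")
```

    On the constructed input the script flags aa:bb:cc:dd:ee:ff as a device outside the inventory and de:ad:be:ef:00:01 for three failed authentications; both are the kind of event the incident response procedures in SSP section 4 should receive.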

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.