WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION



Similar documents
REMOTE ACCESS POLICY OCIO TABLE OF CONTENTS

MCOLES Information and Tracking Network. Security Policy. Version 2.0

UF IT Risk Assessment Standard

APHIS INTERNET USE AND SECURITY POLICY

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

ICANWK406A Install, configure and test network security

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Office of Inspector General

Research Information Security Guideline

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Estate Agents Authority

Data Management Policies. Sage ERP Online

Cyber Self Assessment

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

US Postal Service - Effective Security Policies and Controls For Wireless Networks

University of Sunderland Business Assurance PCI Security Policy

HIPAA Security Alert

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Audit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

PCI DSS Requirements - Security Controls and Processes

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Office of Inspector General

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Critical Controls for Cyber Security.

Technical Standards for Information Security Measures for the Central Government Computer Systems

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

FedRAMP Standard Contract Language

TSA audit - How Well Does It Measure Network Security?

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Miami University. Payment Card Data Security Policy

HANDBOOK 8 NETWORK SECURITY Version 1.0

Standard: Event Monitoring

CHIS, Inc. Privacy General Guidelines

Central Agency for Information Technology

Recommended Wireless Local Area Network Architecture

Security Issues in Cloud Computing

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

United States Trustee Program s Wireless LAN Security Checklist

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Office of Inspector General

Automation Suite for. 201 CMR Compliance

SCAC Annual Conference. Cybersecurity Demystified

933 COMPUTER NETWORK/SERVER SECURITY POLICY

March

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Network Security Policy

How To Secure Your Store Data With Fortinet

Introduction. PCI DSS Overview

Wireless Local Area Network Deployment and Security Practices

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

The Protection Mission a constant endeavor

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

HIPAA Security COMPLIANCE Checklist For Employers

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Supplier Information Security Addendum for GE Restricted Data

Security in Wireless Local Area Network

THE INFORMATION TECHNOLOGY INFRASTRUCTURE

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Evaluation Report. Office of Inspector General

Course: Information Security Management in e-governance

Closing Wireless Loopholes for PCI Compliance and Security

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Guideline on Auditing and Log Management

Policy Title: HIPAA Access Control

13 Ways Through A Firewall

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

ADM:49 DPS POLICY MANUAL Page 1 of 5

Accounting and Administrative Manual Section 100: Accounting and Finance

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Hardware Inventory Management Greater Boston District

Office of Inspector General

SECURITY CONSIDERATIONS FOR LAW FIRMS

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Procedure Title: TennDent HIPAA Security Awareness and Training

Deploying Firewalls Throughout Your Organization

Best Practices for PCI DSS V3.0 Network Security Compliance

Consensus Policy Resource Community. Lab Security Policy

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

How To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack

PCI Data Security Standards (DSS)

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Network Security Administrator

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

Information Blue Valley Schools FEBRUARY 2015

Enterprise Computing Solutions

Transcription:

United States Department of Agriculture Marketing and Regulatory Programs Grain Inspection, Packers and Stockyards Administration Directive GIPSA 3140.5 11/30/06 WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION 1. PURPOSE This Directive defines the security requirements for Wireless Local Area Network (WLAN) implementation. WLAN equipment includes but is not limited to: hubs, routers, switches, workstations, and servers. 2. REPLACEMENT HIGHLIGHTS This Directive replaces GIPSA Directive 3140.5, dated 6/8/05. 3. REFERENCES a. Office of Management and Budget (OMB) Circular A-130, Security of Federal Automated Information Resources, Appendix III. b. Public Law 100-235, Computer Security Act of 1987. c. National Institute of Standards and Technology (NIST) Special Publication, 800-48, Wireless Network Security. d. The Privacy Act of 1974. e. Federal Information Processing Standard Publication 140-2, Security Requirements for Cryptographic Modules. f. OMB Memorandum M06-16 (Clay Johnson memo). g. U.S. Department of Agriculture, Office of the Chief Information Officer Memorandum, dated 7/13/2006 (Lynn Allen memo). 4. BACKGROUND Wireless devices and technology save countless hours and have changed the way in which many Federal agencies do business. These devices make staying in touch easy, offer flexibility and portability, can offer dramatic cost savings, and interact easily with other computer resources. However, as a group, they represent serious security threats to the U.S. Department of Agriculture (USDA) agencies and staff offices. Transmissions using wireless devices are unprotected; sensitive information could be compromised, malware could be spread, or Distribution: GIPSA Originating Office: GIPSA-OA

these devices could be used as a back door to the GIPSA or USDA networks. Wireless networks have all of the vulnerabilities of wired networks and introduce new technology risks. The airwave medium for these networks makes the loss of confidentiality, integrity, and denial of services attacks easier than ever before. 5. POLICY a. All GIPSA facilities will follow the Agency approach for the implementation of WLAN. Staff offices wishing to use WLAN must coordinate with the GIPSA Information Technology (IT) staff first; there are no exceptions. This strategy will consider recommendations contained in the: (1) TSAC USDA Wireless Strategy Report, dated March 2003, (2) NIST Interagency Report 6981, dated April 2003, and (3) Special Publication 800-48, Wireless Network Security. b. All GIPSA facilities will follow policy guidance from CS-034 Cyber Security Guidance Regarding Portable Electronic Devices (PED) and Wireless Technologies. c. All implementations of wireless technology require that a formal risk assessment be conducted in the environment where this technology will operate prior to deployment of the WLAN. d. Staff offices will plan and execute measures to safeguard their systems and lower security risks to a manageable level using the Procedures in this Directive, and Checklists provided by the USDA Cyber Security Office. e. Strong encryption and authentication techniques will be used in the transmission and storage of sensitive information. All GIPSA WLAN implementation will use the assumption that sensitive but unclassified (SBU) data is being transmitted. f. The GIPSA IT Staff will be responsible for the development of a formal Wireless Plan that documents use of this technology and planned implementations. Elements of this plan will also be documented and submitted to the Agency Information Systems Security Program Manager (ISSPM) for the Overall Agency Security Plan, including funding levels and countermeasures employed. 6. PROCEDURES All GIPSA facilities will follow the procedures below for use of wireless connectivity. a. Internal GIPSA Wireless Connectivity (WLAN). Page 2

(1) GIPSA internal wireless networks will only be accessed by GIPSA purchased and approved equipment no personal/non-gipsa equipment will be used in any wireless connectivity including both networked and non-networked GIPSA equipment, and any GIPSA supplied access point. To ensure a secure internal environment these devices will be locked down at the Media Access Control (MAC) address level. (2) Additions/modifications to MAC addresses will be accomplished via the GIPSA Network Account Management procedures and must include a Network User Modification Form. (3) WLAN devices will be configured to a specific use. In addition, WLAN connectivity devices will only be configured for access by a GIPSA IT Network Administrator. Any unauthorized connectivity to any GIPSA wireless device is strictly prohibited. (4) GIPSA IT will grant WLAN connectivity only for specific machines, specific purposes, and/or at specific times, through single points of access only (i.e., no roaming configurations). (5) USDA, Office of Cyber Security, requires all agencies and staff offices to conduct wireless technology risk assessments and complete the appropriate checklists found in CS-034, Cyber Security Guidance Regarding Portable Electronic Devices (PED) and Wireless Technology to assess the security posture and countermeasures necessary to ensure all security requirements are satisfied. The risk assessment and checklists must be completed by the wireless requester prior to any wireless implementation. b. External wireless connectivity to the GIPSA WAN. GIPSA allows wireless laptop connectivity to the GIPSA network, using non-gipsa wireless connections (such as hotels, or home wireless networks), with the following stipulations: (1) GIPSA users will use the connection for GIPSA business ONLY. (2) A secure, encrypted connection must be used to reduce the risk of unauthorized monitoring of data (GIPSA currently uses VPN encryption for all of its remote connections to the GIPSA WAN). GIPSA laptop users are strictly forbidden to connect a GIPSA laptop to a non-gipsa connection without the use of VPN. Page 3

(3) Full connection to the GIPSA LAN (including log in and network drives) is required for all wireless connectivity using GIPSA computers. On a very limited basis, users may connect a GIPSA laptop to a wireless connection without fully connecting (logging in) to the GIPSA network. However, all GIPSA laptops must be connected fully to the network on a regular basis to ensure that automatic patching, updates, and anti-virus requirements are fulfilled. 7. RESPONSIBILITIES a. Agency Management and the Chief Information Officer will: (1) Implement applications of WLAN in accordance with policy and procedures; (2) Ensure that Agency guidelines are developed, implemented, and followed to include requirements for technology plans, risk assessments, and strict physical accountability; (3) Require that the appropriate Wireless Technology Checklist be completed prior to installations, strict security controls be employed, and standardized configurations be established and monitored; (4) Ensure that encryption, authentication, and VPN Technology are employed, where appropriate; b. The Agency Information Systems Security Program Manager (ISSPM) will: (1) Coordinate and manage the security control required for WLAN; (2) Assist Agency managers in completing the appropriate checklists, as required; (3) Routinely monitor Agency implementation of these devices and technology to ensure that policy and procedures are followed; advise Agency managers in cases of lax security controls or improper use; (4) Ensure the completion of the development of technology implementation plans; and (5) Update the Overall Agency Security Plan to reflect the funding and planned implementation of WLAN. Page 4

c. The Agency Systems or Network Administrators will: 8. EXCEPTIONS (1) Provide appropriate administrative access and permissions for WLAN based job requirements; (2) Install encryption, VPN Technology, and require strong authentication for these devices. All GIPSA WLAN implementations will be considered to be handling SBU data and all instances will be configured as SBU; (3) Install standardized configurations, strict security features, profiles, and disable modems; (4) Verify appropriate security controls are in place using the appropriate checklists. There are no exceptions to this policy. 9. COMPLIANCE AND SANCTIONS All Federal personnel who work with GIPSA Information System resources are individually and personally responsible for applying the appropriate security measures and for complying with Federal, USDA, and GIPSA policies and procedures on the subject. Willful failure to comply may result in punishment, including dismissal, under the Computer Fraud and Abuse Act and other appropriate Federal statutes. 10. INQUIRIES /s/ James E. Link Administrator a. Direct inquiries or requests for changes to this policy to the GIPSA ISSPM at (202) 690-0044. b. This Directive is available on the Internet at http://www.aphis.usda.gov/library/gipsa/gipsa.html Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information