My client has only recently allowed the use of wireless NICs on their corporate laptops. Their sales force hopes to use the technology to send orders, retrieve email and so on. I have been charged with writing a policy governing the acceptable types of PCMCIA cards and also how the technology is to be used.
I have concerns about users connecting to unsecured networks. Do you know of any policy document templates I could use as a starting point? Also, any advice about security would be greatly appreciated.
Balancing the needs of a mobile workforce with information security risk management is definitely a challenge. First, I recommend that a risk analysis be performed so that you will better understand how and where the introduction of wireless capabilities could increase their risk.
Most of the security concerns around wireless for your mobile users can be addressed by implementing current technology following best practice guidelines. One of the biggest challenges is dealing with public Wi-Fi hot spot usage. It may be convenient, but the security risks can be substantial. One of the biggest risks is that their wireless communications could be intercepted. This is usually something that can only be addressed by a written policy.
Your policy should help to drive good decisions by mobile users. For example, decide which open access points they will and will not connect to. The policy should stipulate that open access points are only to be used if the access point owner implicitly communicates that the access point is for general public use. The policy should also require the use of desktop firewall and intrusion protection software in addition to the usual antivirus software. But none of this will guarantee that users are completely protected. The policy also needs to require that encryption be used when any confidential information is being transferred.
I know of some companies that have gone wireless, but not with 802.11 Wi-Fi. Instead they use a wireless data service from one of the wireless carriers, along with a data card, to reduce or eliminate some of the risks, at the cost of bandwidth.