Wireless Policies

Jim Dillon jim.dillon at cusys.edu
Mon Aug 13 17:01:23 GMT 2001


Now that WEP is a proven 15-minute bust, and MAC addresses are proven 
spoofable (according to traffic on this list), do any of you address 
content exposure through policies or guidelines at your .EDU's?  If you 
have anything remotely like any of the rudimentary examples below, I'd like 
to know what they are and that you have them.

Examples:
- For Wireless Subnets, only non-sensitive applications should be hosted.
- No E-Commerce applications or any form of financial transaction is 
allowed to be hosted from OurSchools.EDU wireless subnet.
- No machines on Wireless subnets should store or transmit data of a 
sensitive nature such as credit card numbers, private student information, 
legal or attorney privileged data, or any FERPA/HIPAA controlled privacy 
element.
- Potential users of Wireless subnet A should use the sensitive and 
critical data evaluation checklist to determine if their data might be 
sensitive to public exposure.
- All users of Wireless subnet A must acknowledge these policies and agree 
to abide by them before access is granted to Wireless subnet A.
- No interfaces should be developed or trusts should be granted from within 
wireless subnet A to any of the school's Systems of Record. (Such as ....)
- Any exceptions to the above must be approved by Tech Authority A, 
Chancellor B, and Security Officer C, etc.
- Wireless technology may be used/shouldn't be used for the following 
purposes or applications: ... (whatever the list may be, servers, mail 
servers, computer hosted testing, personnel records, grade books, etc.)

Granted, such policies would be difficult to enforce, except through stiff 
big-brother tactics and clear authority, and violations would be 
exceedingly difficult to locate through monitoring, but perhaps such 
policies could enlighten a few of the user community to their 
exposures?  Of course this assumes a tighter/better wired option is 
available for such things, and this is a questionable assumption at best.

Second question: Apart from the difficulty in identifying an undesired 
participant through a plug/port, and performance issues, anyone want to 
propose a list of wireless problems/exposures that are greater than the 
exposures in a wired network?  Apart from mobility and the cost advantage 
of trying to back-fit cables and closets into an unfit building, any truly 
key/revolutionary advantages?

Thanks for your help.  Personal contact info is in the signature block below.

Jim Dillon



======================================
Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737
======================================



More information about the unisog mailing list