jim.dillon at cusys.edu
Mon Aug 13 17:01:23 GMT 2001

Now that WEP is a proven 15-minute bust, and MAC addresses are proven
spoofable (according to traffic on this list), do any of you address
content exposure through policies or guidelines at your .EDU's? If you
have anything remotely like any of the rudimentary examples below, I'd like
to know what they are and that you have them.

- For Wireless Subnets, only non-sensitive applications should be hosted.
- No E-Commerce applications or any form of financial transaction is
allowed to be hosted from OurSchools.EDU wireless subnet.
- No machines on Wireless subnets should store or transmit data of a
sensitive nature such as credit card numbers, private student information,
legal or attorney privileged data, or any FERPA/HIPAA controlled privacy
- Potential users of Wireless subnet A should use the sensitive and
critical data evaluation checklist to determine if their data might be
sensitive to public exposure.
- All users of Wireless subnet A must acknowledge these policies and agree
to abide by them before access is granted to Wireless subnet A.
- No interfaces should be developed or trusts should be granted from within
wireless subnet A to any of the school's Systems of Record. (Such as ....)
- Any exceptions to the above must be approved by Tech Authority A,
Chancellor B, and Security Officer C, etc.
- Wireless technology may be used/shouldn't be used for the following
purposes or applications: ... (whatever the list may be, servers, mail
servers, computer hosted testing, personnel records, grade books, etc.)

Granted, such policies would be difficult to enforce, except through stiff
big-brother tactics and clear authority, and violations would be
exceedingly difficult to locate through monitoring, but perhaps such
policies could enlighten a few of the user community to their
exposures? Of course this assumes a tighter/better wired option is
available for such things, and this is a questionable assumption at best.

Second question: Apart from the difficulty in identifying an undesired
participant through a plug/port, and performance issues, anyone want to
propose a list of wireless problems/exposures that are greater than the
exposures in a wired network? Apart from mobility and the cost advantage
of trying to back-fit cables and closets into an unfit building, any truly

Thanks for your help. Personal contact info is in the signature block below.

Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Dept. Phone: 303-492-9730