Wireless Security Policy (10.7) 1

Information  Technology  Security  Plan    Wireless  Security  Policy  (10.7)          Responsible  executive:    CIO       Approval  date:  7/01/2016  Responsible  office:    ITS       Effective  date:    7/01/2016    

Related  policies:    IT  Security  Plan,  Network  Access  Policy     1.0 Policy  Statement    Wireless  networking  is  an  extension  of  the  university's  existing  wired  network  infrastructure.  It  allows  users  with  wireless  devices  such  as  laptops  and  other  smart  devices  to  access  university  network  resources  and  the  public  Internet.    All  wireless  devices  and  access  points  connected  to  the  university  network  must  be  configured  and  approved  by  Information  Technology  Services.    2.0 Reason  for  Policy    Wireless  access  is  available  in  virtually  all  university  buildings  and  common  areas.  This  policy  provides  guidelines  for  best  practices  as  they  relate  to  providing  and  using  the  university  wireless  network.    3.0 Applicability   This  policy  applies  to  all  employees,  students,  contractors  and  other  affiliates  who  connect  a  device  to  the  SSU  wireless  network  capable  of  transmitting  a  data  packet.    This  policy  applies  to,  but  is  not  limited  to,  laptops,  desktops  and  mobile  devices  (e.g.,  cellular  phone  and  personal  digital  assistant).    4.0 Policy  4.1 Wireless  Access  Point  Guidelines    

• Information  Technology  Services  (ITS)  is  solely  responsible  for  the  deployment  and  management  of  wireless  access  points  and  associated  devices.  

• Any  unauthorized  wireless  access  point  or  associated  device  will  be  disabled  and  removed  from  the  network.  

• ITS  will  manage  the  wireless  spectrum  in  a  manner  that  ensures  the  greatest  connectivity  and  roaming  ability.  

• Windows  Active  Directory  is  used  to  determine  identity,  authentication  and  appropriate  levels  of  security  for  access  to  the  wireless  network.  

• Attempts  to  bypass  security  or  to  damage  the  wireless  service  passively  and/or  actively  are  strictly  prohibited.  

Wireless Security Policy (10.7) 2

• Wireless  networks  are  not  a  substitute  for  wired  network  connections.    Wireless  should  be  viewed  as  an  augmentation  to  the  wired  network  to  extend  the  network  for  general  access  to  common  and  transient  areas.  

• Wireless  networking  is  most  applicable  for  uses  such  as  email  and  web  browsing.    Unless  using  encrypted  protocols,  wireless  devices  should  not  be  used  for  connecting  to  the  university’s  administrative  systems  such  as  human  resources,  student,  and  financial  information  systems,  or  other  systems  that  contain  sensitive  information.  

• Wireless  access  points  provide  a  shared  bandwidth.  As  the  number  of  users  increase  the  available  bandwidth  per  user  diminishes.    Before  deploying  wireless  networking  in  common  areas,  ITS  will  perform  wireless  capacity  planning  to  calculate  the  ideal  quantity,  placement  and  configuration  of  access  points.  

• Users  of  wireless  should  consider  all  unencrypted  communications  over  the  network  as  insecure.  

• Wireless  network  users  will  employ  encrypted  protocols  for  transmitting  sensitive  and/or  confidential  information  over  a  wireless  network  connection.  These  encrypted  protocols  include,  but  are  not  limited  to,  Secure  Sockets  Layer  (SSL)  for  web  communication,  Secure  Shell  for  application  connectivity,  and  IPSEC  for  remote  access  and  802.1x  for  wireless  connectivity.  

• The  wireless  network  will  be  monitored  to  detect  exceptions  or  abnormal  network  activities.    Systems  generating  abnormal  network  activity  will  be  disabled  from  the  network.