Find Resources and Connect with members on topics that interest you.

Applications

Audit

Business Processes

Career Management

Cloud Computing/Virtualization

COBIT

Controls and Monitoring

Country

Databases

Fraud and Computer Crime

Governance and Management

Industry

Information Security

IT Service Management

Mobile/Wireless

Operating Systems

Privacy/Data Protection

Regulations

Risk

Standards

Access Control

Application Controls

Application Security

Audit Guidelines

Audit Standards

Audit Tools and Techniques

Basel

Big Data

Business Analytics/Intelligence

Business Continuity-Disaster Recovery Planning

Business Process Management

Career Management

Casinos and Gambling

Certification

CGEIT Exam Study Community 2013

Change Management

CISA Exam Study Community 2013

CISM Exam Study Community 2013

Cloud Computing

COBIT (4.1 and earlier) - Use it Effectively

COBIT (4.1 and earlier) Implementation

COBIT 5 - Implementation

COBIT 5 - Use It Effectively

Compliance

Computer Crime

Continuous Monitoring/Auditing

Controls Monitoring

CRISC Exam Study Community 2013

CyberSecurity

Enterprise Architecture

Enterprise Data Management

Financial Reporting Compliance

Forensics

Frameworks

Fraud

Governance of Enterprise IT

Green IT

Healthcare

HIPAA

HP Non-Stop (Tandem)

Identity Management

IFRS

Incident Management

India

Information Security Management

Information Security Policies/Procedures

Intrusion Prevention/Detection

ISAE 3402

ISO/IEC 20000

ISO/IEC 27000 Series

ISO/IEC 38500

ITIL

J-SOX

Mobile Computing

Network Security

Oracle

Oracle Database

Oracle E-Business Suite

OS/400

PCI DSS

PeopleSoft

Performance Measurement

Physical Security

Privacy/Data Protection

Project/Program/Portfolio Management (P3M)

Quality Standards

Risk Assessment

Risk Management

SAP

Sarbanes-Oxley (SOX)

Security Tools

Security Trends

Service Management

SharePoint

Solvency II

SQL Server

Strategic Planning/Alignment

Students

Unix-like

Value Delivery

Virtualization

Windows

Wireless

XBRL

Young Professionals

z/OS-OS/390

AI - Acquire and Implement

PO - Plan and Organize

DS - Deliver and Support

ME - Monitor and Evaluate

Application Controls

Process Controls

Please sign in to see your topics.

Wireless Scanning

Most of the security framework suggests to perform wireless scanning in the operational and critical areas of the organization. One of the reason is to ensure any internal wireless access points should be secured to ensure no member can misuse wireless points for unauthorized content sharing.

Present question is to understand the process or mitigation control for the external (neighboring offices) wireless access points which gets noticed in critical/operational areas of organization. How this can be dealt with and any specific mitigation control in such scenario

Can someone provide more insights on this security gap
Posted by PramodLNS on January 24, 2012 10:42AM
You must sign in to rate content.
(Unrated)

Comments

RE: Wireless Scanning


Requirement 11.1 is to test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

This requires the entity being assessed to test for unauthorized or rouge wireless access points connected to the cardholder data environment (CDE) as determined by the initial scoping.

By external Wireless APs I'm assuming you mean APs that may belong to a neighboring business or which are connected to a network which has been determined to be out of scope for PCI (i.e. not in scope). In this case there is no need to mitigate against external wireless APs which are detected as part of the quarterly wireless scanning activity because there should be no way to get from the wireless AP to the CDE (provide the other PCI controls e.g. 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment are correctly implemented).  

Unauthorized APs which are detected during a scan and are found to be connected to the CDE should be handled in accordance with the entities incident response plan (see requirement 12.9.5)  

Authorized wireless APs (i.e. APs which are part of the CDE and are used to transmit cardholder data) which are detected during the scan must be implemented in line with requirements 1.1.2, 1.2.3, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.
Matt286 at 1/27/2012 12:21:53 AM
You must sign in to rate content.
(1 ratings)

RE: Wireless Scanning


Requirement 11.1 is to test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

This requires the entity being assessed to test for unauthorized or rouge wireless access points connected to the cardholder data environment (CDE) as determined by the initial scoping.

By external Wireless APs I'm assuming you mean APs that may belong to a neighboring business or which are connected to a network which has been determined to be out of scope for PCI (i.e. not in scope). In this case there is no need to mitigate against external wireless APs which are detected as part of the quarterly wireless scanning activity because there should be no way to get from the wireless AP to the CDE (provide the other PCI controls e.g. 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment are correctly implemented).  

Unauthorized APs which are detected during a scan and are found to be connected to the CDE should be handled in accordance with the entities incident response plan (see requirement 12.9.5)  

Authorized wireless APs (i.e. APs which are part of the CDE and are used to transmit cardholder data) which are detected during the scan must be implemented in line with requirements 1.1.2, 1.2.3, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.
Matt286 at 1/27/2012 12:21:53 AM
You must sign in to rate content.
(1 ratings)

RE: Wireless Scanning


Requirement 11.1 is to test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

This requires the entity being assessed to test for unauthorized or rouge wireless access points connected to the cardholder data environment (CDE) as determined by the initial scoping.

By external Wireless APs I'm assuming you mean APs that may belong to a neighboring business or which are connected to a network which has been determined to be out of scope for PCI (i.e. not in scope). In this case there is no need to mitigate against external wireless APs which are detected as part of the quarterly wireless scanning activity because there should be no way to get from the wireless AP to the CDE (provide the other PCI controls e.g. 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment are correctly implemented).  

Unauthorized APs which are detected during a scan and are found to be connected to the CDE should be handled in accordance with the entities incident response plan (see requirement 12.9.5)  

Authorized wireless APs (i.e. APs which are part of the CDE and are used to transmit cardholder data) which are detected during the scan must be implemented in line with requirements 1.1.2, 1.2.3, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.
Matt286 at 1/27/2012 12:21:53 AM
You must sign in to rate content.
(1 ratings)

Leave a Comment

* required

You must login to leave a comment.

« Return to All Discussions « Return to Topic