Wireless Scanning

Most security frameworks suggest performing wireless scanning in the operational and critical areas of the organization. One of the reasons is to ensure that any internal wireless access points are secured, so that no member can misuse wireless points for unauthorized content sharing.

The present question is to understand the process or mitigation control for the external (neighboring offices) wireless access points which get noticed in critical/operational areas of the organization. How can this be dealt with, and is there any specific mitigation control in such a scenario?

Can someone provide more insights on this security gap?

Comments

RE: Wireless Scanning


Requirement 11.1 is to test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

This requires the entity being assessed to test for unauthorized or rogue wireless access points connected to the cardholder data environment (CDE) as determined by the initial scoping.

By external wireless APs I'm assuming you mean APs that may belong to a neighboring business or which are connected to a network which has been determined to be out of scope for PCI (i.e. not in scope). In this case there is no need to mitigate against external wireless APs which are detected as part of the quarterly wireless scanning activity because there should be no way to get from the wireless AP to the CDE (provided the other PCI controls, e.g. 1.2 "Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment", are correctly implemented).

Unauthorized APs which are detected during a scan and are found to be connected to the CDE should be handled in accordance with the entity's incident response plan (see requirement 12.9.5).

Authorized wireless APs (i.e. APs which are part of the CDE and are used to transmit cardholder data) which are detected during the scan must be implemented in line with requirements 1.1.2, 1.2.3, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.
Matt286 at 1/27/2012 12:21:53 AM
(1 ratings)
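
The triage described in the reply above, as an added example (not part of the original post and not taken from any PCI tooling): each AP found by the scan is checked against an inventory of authorized APs, then against MAC addresses learned on CDE switch ports. The function names, the sample data and the near-MAC correlation heuristic are assumptions.

```python
# Added example: triage of quarterly wireless scan results. All data is constructed.

def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff into an int."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def on_cde_wire(bssid, cde_macs, window=8):
    """Assumed heuristic: an AP's wired MAC shares the vendor prefix (OUI) of
    its BSSID and lies within a few addresses of it."""
    b = mac_to_int(bssid)
    return any(b >> 24 == m >> 24 and abs(b - m) <= window
               for m in map(mac_to_int, cde_macs))

def triage(scan, authorized_bssids, cde_macs):
    """Label each detected AP with the handling the reply describes."""
    authorized = {mac_to_int(m) for m in authorized_bssids}
    report = []
    for ap in scan:
        if mac_to_int(ap["bssid"]) in authorized:
            status = "authorized"
            action = "check against 1.1.2, 1.2.3, 2.1.1, 4.1.1, 9.1.3, 10.5.4"
        elif on_cde_wire(ap["bssid"], cde_macs):
            status = "unauthorized-on-cde"
            action = "handle under the incident response plan (12.9.5)"
        else:
            status = "external"
            action = "record only; confirm 1.2 segmentation is in place"
        report.append({**ap, "status": status, "action": action})
    return report

# Constructed scan output, AP inventory and CDE switch MAC table.
SCAN = [
    {"ssid": "corp-pos", "bssid": "00:11:22:33:44:50"},
    {"ssid": "linksys", "bssid": "00:AA:BB:CC:DD:02"},
    {"ssid": "neighbor-guest", "bssid": "02:00:5E:10:00:01"},
]
AUTHORIZED = {"00-11-22-33-44-50"}
CDE_SWITCH_MACS = ["00aa.bbcc.dd00", "00:de:ad:be:ef:01"]

if __name__ == "__main__":
    for row in triage(SCAN, AUTHORIZED, CDE_SWITCH_MACS):
        print(f'{row["bssid"]}  {row["ssid"]:<15} {row["status"]:<20} {row["action"]}')
```

An AP labelled external here only means no wired-side match was found in the supplied MAC table; the table has to cover every switch in the CDE for that result to mean anything.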
