These are the requirements that Justice Agencies accessing CJI must adhere to as stated in the Criminal Justice Information Services (CJIS) Security Policy.

1. Perform validation testing to ensure rogue APs (Access Points) do not exist in the 802.11 Wireless Local Area Network (WLAN) and to fully understand the wireless network security posture.
2. Maintain a complete inventory of all Access Points (APs) and 802.11 wireless devices.
3. Place APs in secured areas to prevent unauthorized physical access and user manipulation.
4. Test AP range boundaries to determine the precise extent of the wireless coverage and design the AP wireless coverage to limit the coverage area to only what is needed for operational purposes.
5. Enable user authentication and encryption mechanisms for the management interface of the AP.
6. Ensure that all APs have strong administrative passwords and ensure that all passwords are changed in accordance with Section 5.6.2.1.
7. Ensure the reset function on APs is used only when needed and is only invoked by authorized personnel. Restore the APs to the latest security settings, when the reset functions are used, to ensure the factory default settings are not utilized.
8. Change the default service set identifier (SSID) in the APs. Disable the broadcast SSID feature so that the client SSID must match that of the AP. Validate that the SSID character string does not contain any agency identifiable information (division, department, street, etc.) or services.
9. Enable all security features of the wireless product, including the cryptographic authentication, firewall, and other privacy features.
10. Ensure that encryption key sizes are at least 128 bits and the default shared keys are replaced by unique keys.
11. Ensure that the ad hoc mode has been disabled unless the environment is such that the risk has been assessed and is tolerable. Note: some products do not allow disabling this feature; use with caution or use different vendor.
12. Disable all nonessential management protocols on the APs and disable hypertext transfer protocol (HTTP) when not needed or protect HTTP access with authentication and encryption.
13. Enable logging (if supported) and review the logs on a recurring basis per local policy. At a minimum, logs shall be reviewed monthly.
14. Segregate, virtually (e.g. virtual local area network (VLAN) and ACLs) or physically (e.g. firewalls), the wireless network from the operational wired infrastructure. Limit access between wireless networks and the wired network to only operational needs.
15. When disposing of access points that will no longer be used by the agency, clear access point configuration to prevent disclosure of network configuration, keys, passwords, etc.

I hope this helps. Please let me know if you have any follow-up questions.

Greg Verharst
CJIS Information Security Officer, Oregon State Police
Greg.Verharst@xxxxxxxxxxx
Desk: (503) 934-2335 - THIS IS A NEW NUMBER - PLEASE NOTE!!!
Fax: (503) 378-2121 - THIS IS A NEW NUMBER - PLEASE NOTE!!!
OSP Helpdesk: (503) 934-0199

From: oagitm-bounce@xxxxxxxxxxxxx [mailto:oagitm-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Gardner
Sent: Tuesday, June 24, 2014 9:32 AM
To: 'oagitm@xxxxxxxxxxxxx'
Subject: [oagitm] WIFI

All,

I have a general question about WIFI. Do you provide it at your facilities, and to what extent do you secure it? We currently provide public WIFI that is segregated from our wired network, but it is only a partially managed solution that blocks sites by categories. We are getting pressure to provide WIFI to all employees and the public, with the employees being able to access all network files and work-related resources. That would be a significant cost to secure and provide that type of service, so I just wanted to see how and what everyone else was doing with WIFI at this point?

Jim Gardner
Information Systems Manager
800 Exchange, Suite 300
Astoria, OR 97103
Phone: 503-325-8662

This message has been prepared on resources owned by Clatsop County, Oregon. It is subject to the Internet and Online Services Use Policy and Procedures of Clatsop County.
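
The inventory and configuration checks in requirements 1, 2, 8, 10, 11 and 12 of the list above can be run as a script against an AP inventory and a site survey. This is an added example, not part of the original messages or of the CJIS Security Policy; the field names, the word list and the sample data are assumptions constructed for illustration.

```python
# Added example: field names, terms and sample data are constructed for
# illustration; they are not defined by the CJIS Security Policy.
AGENCY_TERMS = ("police", "sheriff", "county", "dispatch")  # assumed word list

def audit(inventory, observed, agency_terms=AGENCY_TERMS):
    """Return sorted (bssid, requirement_number, finding) tuples."""
    known = {bssid.lower(): cfg for bssid, cfg in inventory.items()}
    findings = []
    # Requirements 1 and 2: a BSSID heard on the air but absent from the
    # inventory is a rogue-AP candidate that needs follow-up.
    for seen in observed:
        bssid = seen["bssid"].lower()
        if bssid not in known:
            findings.append((bssid, 1, f"not in inventory, SSID {seen['ssid']!r}"))
    for bssid, cfg in known.items():
        # Requirement 8: no SSID broadcast, no agency-identifiable SSID.
        if cfg["broadcast_ssid"]:
            findings.append((bssid, 8, "SSID broadcast enabled"))
        hits = [t for t in agency_terms if t in cfg["ssid"].lower()]
        if hits:
            findings.append((bssid, 8, "SSID contains " + ", ".join(hits)))
        # Requirement 10: encryption key size of at least 128 bits.
        if cfg["key_bits"] < 128:
            findings.append((bssid, 10, f"key size {cfg['key_bits']} bits"))
        # Requirement 11: ad hoc mode disabled.
        if cfg["adhoc_enabled"]:
            findings.append((bssid, 11, "ad hoc mode enabled"))
        # Requirement 12: HTTP management off, or authenticated and encrypted.
        if cfg["http_mgmt"] == "plain":
            findings.append((bssid, 12, "unprotected HTTP management"))
    return sorted(findings)

# Constructed inventory: http_mgmt is "off", "plain" or "protected".
INVENTORY = {
    "00:11:22:AA:BB:01": {"ssid": "net-7f3a", "broadcast_ssid": False,
                          "key_bits": 256, "adhoc_enabled": False, "http_mgmt": "off"},
    "00:11:22:AA:BB:02": {"ssid": "CountyDispatch", "broadcast_ssid": True,
                          "key_bits": 64, "adhoc_enabled": False, "http_mgmt": "plain"},
}
# Constructed scan results, e.g. exported from a wireless survey tool.
OBSERVED = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": ""},
    {"bssid": "00:11:22:AA:BB:02", "ssid": "CountyDispatch"},
    {"bssid": "de:ad:be:ef:00:99", "ssid": "net-7f3a"},
]

if __name__ == "__main__":
    for bssid, req, finding in audit(INVENTORY, OBSERVED):
        print(f"{bssid}  req {req:>2}  {finding}")
```

An unknown BSSID is only a candidate: it may be a neighbouring network, so each hit still needs to be located and checked against the wired infrastructure.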