15.10: Create Separate Wireless Network for Personal and Untrusted Devices

Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

Asset Type

Security Function

Implementation Groups

Network

Protect

1, 2, 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory

  • Sub-control 1.5: Maintain Asset Inventory Information

Inputs

  1. Isolated wireless network SSID(s)

  2. List of corporate wireless network SSID(s)

Operations

  1. For each corporate wireless network SSID, attempt to connect non-corporate device (M2)

  2. Determine access policy for other wireless network

Measures

  • M1 = 1 if the separate wireless network exists for personal/non-corporate devices; 0 otherwise.

  • M2 = List of corporate wireless network SSID(s) accepting non-corporate devices

  • M3 = Count of M2

  • M4 = List of corporate wireless network SSID(s)

  • M5 = Count of M4

Metrics

Logical Isolation

The overall measure fails if there is no separate network for personal/non-corporate devices (M1 = 0)

Coverage

Metric

What percentage of the total number of wireless networks exist but are misconfigured?

Calculation

M3 / M5