CIS Control 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
15.1: Maintain an Inventory of Authorized Wireless Access Points
- Maintain an inventory of authorized wireless access points connected to the wired network.
15.2: Detect Wireless Access Points Connected to the Wired Network
- Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
15.3: Use a Wireless Intrusion Detection System
- Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
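One way to put 15.1 through 15.3 into practice is to reconcile the authorized-AP inventory against what a WIDS hears over the air and what the switches see on the wire. The following is an added example written for this page, not CIS's own tooling; the inventory, observations, MAC addresses and port names are constructed sample values, and treating a BSSID that also appears in a switch MAC table as the AP's wired MAC is a simplifying assumption.

```python
from collections import namedtuple
# bssid: MAC the AP beacons with; ssid: what it may advertise; switch_port: expected uplink
AuthorizedAP = namedtuple("AuthorizedAP", "bssid ssid switch_port")

def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")

# Constructed sample inventory (hypothetical values, not real hardware).
INVENTORY = [
    AuthorizedAP("00:11:22:33:44:01", "CorpWiFi", "sw1/1"),
    AuthorizedAP("00:11:22:33:44:02", "CorpWiFi", "sw1/2"),
    AuthorizedAP("00:11:22:33:44:03", "Guest", "sw1/3"),
]
# Constructed WIDS observations: (bssid, ssid) heard over the air.
AIR_OBSERVATIONS = [
    ("00:11:22:33:44:01", "CorpWiFi"),
    ("00:11:22:33:44:02", "Guest"),           # authorized AP, unexpected SSID
    ("de:ad:be:ef:00:01", "CorpWiFi"),        # unknown AP advertising a managed SSID
    ("aa:bb:cc:dd:ee:ff", "CoffeeShopFree"),  # ordinary neighbour
    ("de:ad:be:ef:00:02", "HomeNet"),         # unknown AP that is also on our switch
]
# Constructed switch MAC-address table: (mac, port).
WIRED_MAC_TABLE = [
    ("00:11:22:33:44:01", "sw1/1"),
    ("00:11:22:33:44:02", "sw1/2"),
    ("00:11:22:33:44:03", "sw2/7"),           # authorized AP on the wrong port
    ("de:ad:be:ef:00:02", "sw2/9"),           # BSSID seen on the wire: rogue AP on the LAN
]

def reconcile(inventory, air, wired):  # -> [(severity, code, mac, detail)], [] means no drift
    authorized = {normalize_mac(a.bssid): a for a in inventory}
    managed_ssids = {a.ssid for a in inventory}
    wired_ports = {normalize_mac(m): p for m, p in wired}
    findings = []
    for bssid, ssid in air:
        b = normalize_mac(bssid)
        if b in authorized:
            if authorized[b].ssid != ssid:
                findings.append(("medium", "SSID_MISMATCH", b, ssid))
        elif b in wired_ports:       # heard over the air and present on our LAN (15.2)
            findings.append(("high", "ROGUE_AP_ON_LAN", b, wired_ports[b]))
        elif ssid in managed_ssids:  # impersonates one of our SSIDs (15.3)
            findings.append(("high", "UNAUTHORIZED_AP_MANAGED_SSID", b, ssid))
        else:
            findings.append(("info", "NEIGHBOR_AP", b, ssid))
    for b, ap in authorized.items():  # wired-side drift against the inventory (15.1)
        if wired_ports.get(b) != ap.switch_port:
            findings.append(("medium", "PORT_MISMATCH", b, wired_ports.get(b)))
    return findings
```

Feed it real WIDS exports and switch MAC tables in place of the constructed lists; the "high" findings are the ones 15.2 and 15.3 say should raise an alert.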
15.4: Disable Wireless Access on Devices if Not Required
- Disable wireless access on devices that do not have a business purpose for wireless access.
15.5: Limit Wireless Access on Client Devices
- Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
15.6: Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
- Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
15.7: Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
- Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
15.8: Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
- Ensure that wireless networks use authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication.
15.9: Disable Wireless Peripheral Access to Devices
- Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
15.10: Create Separate Wireless Network for Personal and Untrusted Devices
- Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Figure: System Entity Relationship Diagram
You can also learn more about the CIS controls here.
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License.