1.0 TITLE: Wireless Local Area Network Policy
1.1 EFFECTIVE DATE: April 27, 2006
1.2 TYPE OF ACTION: New
2.0 PURPOSE: To establish a common, uniform use policy for all state agencies regarding the acquisition, installation, management and use of Wireless Local Area Networks (WLAN) for use by State employees, legislators, contractors, vendors, and guest users.
3.0 ORGANIZATIONS AFFECTED: All Branches, Boards, Commissions, Departments, Divisions, and agencies of state government, hereafter referred to as entities.
4.1 K.S.A 75-4709 provides that the Secretary of Administration shall make provision for and coordinate all telecommunications services for all divisions, departments and agencies of the state pursuant to policies established by the Information Technology Executive Council
4.2 K.S.A. 2005 Supp. 75-7203 authorizes the ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state agencies.
4.3 K.S.A. 75-7221 - 75-7227 authorizes the Kansas Board of Regents for the creation, operation and maintenance of the Kan-ed network.
4.4 Additional References:
5.0 DEFINITIONS: The following definitions are applied throughout this policy:
5.1 Wireless Local Area Network (WLAN) is a local area network (LAN) that users access through a wireless connection. 802.11 standards specify WLAN technologies. WLANs may connect directly to various enterprise networks in the State of Kansas, including the KANWIN neetwork, or may connect indirectly via the Internet and Virtual Private Networks (VPN). The State of Kansas defines WLANs in the following categories:
5.1.1 Business Class Network: Business Class Networks are WLANs that are owned and operated by the State of Kansas and are used by State empolyees and other authorized persons to access internal information technology resources.
5.1.2 Guest Network: a WLAN owned and operated by the State of Kansas to provide access to the Internet and State websites, and applications that are publicly accessible via the Internet. The use of Guest Networks is limited to those persons visiting State-owned facilities that have a business need to communicate over the Internet. Guest Networks are not intedned to be used as Public hotspots and do not provide free, open access. All Guest Networks installed by State agencies shall be logically separated and fire-walled from Business Class Networks and internal State Networks.
5.1.3 Public Hot Spot: a wireless LAN node that provides Internet connection and virtual private network (VPN) access from a given location. Public places, such as airports, hotels and coffee shops, may provide wireless access for customers. Public Hotspots may or may not protect WLAN network traffic through the use of encryption. When using a hotspot, the user shall always assume that the network is open and not secure in any way.
5.1.4 Home Network: A home network is privately owned by the State employee. Home networks typically deploy inexpensive, off-the-shelf, wireless access points, routers, and network interface cards, that may or may not conform to State security requirements for encryption, authentication protocols, VPN support, or other security mechanisms.
5.2 KITA: Kansas Information Technology Architecture, also referred to as the State of Kansas Technical Architecture, describes the information systems infrastructure that supports applications used by the State.
5.3 Security Mechanisms: Software or hardware devices used to secure a network or computer system. Examples of security mechanisms include passwords, firewalls, antivirus software, virtual private networks and encryption protocols.
5.4 Personal Firewall: also referred to as a desktop firewall, is a software application used to protect a single internet-connected computer from intruders. Personal firewalls protect the integrity of desktop or laptop computers' operating systems and files systems from malicious computer code, by screening traffic in the same way that network based screening firewalls protect an enterprise network, filtering inbound and outbound traffic.
5.5 User Registration: User registration is the act of identifying a user to the network, with subsequent measures of authenticating and authorizing the user. Registration requirements may vary based on the security level of the network accessed, as well as the business reasons for accessing the network.
5.6 Private Network: a network not owned by the State, that is accessed by users of State WLAN networks. For example, a vendor accessing their own corporate network from the State's WLAN network.
5.7 Virtual Private Network (VPN): is a network that uses a public telecommunication infrastructure. A VPN uses tunneling and encryption protocols to maintain privacy across the public network.
5.8 Mobile Computing Device: a laptop computer, handheld computer, cellphone, blackberry wireless communicator, or other portable computing device used for data communications and/or data storage.
5.9 Academic Network: Academic wireless networks are designed to maintain academic traditions of free and open access to information which is not sensitive and which is intended to be available to the public (Internet resources) or to the local campus community.
5.10 DISC: The Division of Information Systems and Communications.
6.0 POLICY: In order to establish a common, uniform policy for all state agencies regarding the acquisition, installation, management, and use of wireless local area networks, the following WLAN policies are established. This policy supersedes any and all State agency WLAN policy(s). This policy shall be the governing document for all State agency WLAN policy. Any State agency shall have the right to make additional restrictions to their own policy but their policy shall not alter any provisions set forth in this policy.
6.1 Statement of Responsibility
6.1.1 DISC shall be the point of contact and responsible for the acquisition, installation, and management of all WLANs.
184.108.40.206 WLANs shall not be installed without prior approval from DISC.
220.127.116.11 The Secretary of Administration may, under certain conditions, delegate responsibility for acquisition, installation, and management to the agency requesting WLAN service, provided the proposed WLAN solution conforms to the standards set forth in this policy.
6.2.1 To maintain interoperability across the State Enterprise WLAN, acquisition of all WLAN hardware and software shall conform to the Wireless Interim Security and Technical Architecture, and the State of Kansas Technical Architecture.
18.104.22.168 Only WLAN hardware and software that is specified in the Wireless Interim Security and Technical Architecture or the State of Kansas Technical Architecture shall be purchased and installed.
22.214.171.124. Waivers to the State of Kansas Technical Architecture of the approved vendor for WLAN hardware and software shall be approved under the guidelines specified in ITEC Policy 4010.
6.3.1 Installation of WLANs in State agencies shall conform to the requirements of the State of Kansas Technical Architecture and DISC Policy and Procedure Memorandum 5204.01, Installation of Premise Distribution System Hardware
6.4 Management and Monitoring
6.4.1 DISC shall have responsibility and authority for monitoring and management of State WLAN networks. State Agencies deploying WLANs may choose to implement additional monitoring capabilities to provide higher levels of protection. Monitoring and management functions include: RF Channel Management and Interference, Intrusion Detection and countermeasures, network availability, performance and reliability.
126.96.36.199 The Secretary of Administration may delegate responsibility for WLAN management to agencies that have the tools and expertise to ensure that WLAN operation conforms to the standards set forth in this policy.
6.5.1. Information transmitted over WLANs is inherently insecure. At a minimum, Agency security policies for mobile computing devices used to access WLANs shall comply with security “Best Practices” and “Current Technology Standards” as defined by the Interim Wireless Security and Technical Architecture Standards of the Kansas Information Technology Architecture, DISC Policy and Procedure Memorandums, or Educause best practices as outlined for higher education.
6.5.2. Refer to the KITA Interim Draft Standard where noted.
188.8.131.52 User Security - Refer to Wireless Interim Security and Technical Architecture Standard, KITA.
184.108.40.206 Wireless Security - Refer to Wireless Interim Security and Technical Architecture Standard, KITA.
6.6 Acceptable Use
6.6.1 Each agency is responsible for ensuring that the use of WLANs by State employees and Guest Users conform with statewide WLAN policy or agency WLAN policy regarding acceptable use of the KANWIN network (ITEC policy 7220), Internet (ITEC policy 1200), and Agency enterprise networks per ITEC policy 7230 and 7230A.
6.6.2 This policy shall be in effect and enforceable when using the State’s Business Class WLAN, Guest WLAN, public hotspots or home networks.
220.127.116.11 Business Class WLAN: All traffic transmitted and received over State operated business class networks shall be encrypted.
18.104.22.168.1 Agencies are responsible for establishing and maintaining network access policies for WLANs that are consistent with established security policy regarding user logons, passwords, and other relevant security mechanisms.
22.214.171.124 Guest Networks: In order to provide WLAN based Internet access to guests and visitors in publicly accessible areas of State office buildings in a manner that protects the information technology assets of the State, a WLAN Guest network will be provided to allow non-State personnel access to the Internet.
126.96.36.199.1 Short term Guest Access: Short term Guest users who require WLAN access for a maximum of 5 consecutive days or less shall at a minimum identify themselves to the hosting agency/entity to acquire a guest login and password.
188.8.131.52.2 Long-term Guest Access: Long-term Guest users require access to the WLAN for a period in excess of five consecutive working days shall at a minimum identify themselves to the hosting entity to acquire a guest login and password.
184.108.40.206 Public Hotspots: Public “hotspot” networks provide little or no security to their users.
220.127.116.11.1 Access to State enterprise non-public networks and internal IT systems from public wireless networks, shall be secured at the device level using virtual private network (VPN) encrypted connections, personal firewalls and virus protection.
18.104.22.168.2 State Agencies shall not implement or maintain public hotspots without prior approval from the Secretary of Administration.
22.214.171.124 Home Networks: Access to State enterprise networks from home networks shall be approved by the heads of the respective State agencies through agency policy.
126.96.36.199.1 Access to State enterprise networks and internal IT systems from home WLANs shall be secured at the device level using virtual private network (VPN) encrypted connections.
6.6.3 Use of personal computing devices: Agencies are responsible for ensuring that employees who use personal computing devices (laptops, PDAs, and other wireless computing devices) on State operated WLANs and public WLANs in the course of conducting State business comply with security requirements and standards set forth in this policy.
188.8.131.52 The creation or storage of Highly Confidential or Confidential data on privately owned wireless mobile devices shall conform to established Agency security policies, or in the absence of agency policy, conform to DISC PPM 1805.01, Data Systems Security.
6.6.4 Regents Universities may implement academic networks with or without authentication protocols at their discretion or define sub-classes of use within the academic framework.
184.108.40.206 Students, faculty, staff, and campus visitors may access academic networks with their personal wireless devices as long as those devices meet the same security standards required of state-owned devices.
6.7 Network Availability and Usage
6.7.1 WLANs managed by DISC shall be accessible during normal business hours as determined by each Agency, in cooperation with DISC. Access, authorization, and authentication to agency networks and IT resources via the WLAN shall be controlled by respective agencies authentication platforms
6.7.2 Wireless networks should not be considered a substitute for wired network connections. WLAN networks are most applicable for applications such as email and web browsing.
6.7.3 Wireless network users shall employ encryption protocols for transmitting sensitive and/or confidential information over a wireless network connection. Unless secured by encrypted protocols, WLAN connections shall not be used to access private/internal State IT resources.
6.8 User Awareness and Training
6.8.1 State agencies deploying wireless local area networks shall implement user awareness training programs that educate wireless users on the acceptable use of wireless computing devices on State owned Academic, Business Class and Guest networks; public hotspots, and home networks.
220.127.116.11 All State employees shall attend user awareness training on wireless network technology and acceptable use prior to being granted access to the State WLAN networks.
6.9. Asset Management
6.9.1 All State-owned wireless devices and private wireless devices connecting to agency or “Guest” wireless networks in the State are to be registered with the respective State agency, including devices accessing “Guest” networks.
6.9.2 Users are responsible for the safekeeping and protection of State-owned hardware, and the data contained on thereon that have been issued or loaned to them and for managing them in accordance with their respective agency’s policies.
6.9.3 State-owned portable information assets shall not be left unattended unless they are in a restricted secured office area.
6.9.4 When working outside State work locations, mobile workers shall take extra precautions to protect mobile assets. Extra care shall be taken when working in transit to prevent the disclosure or compromise of sensitive and confidential information. Highly Confidential and Confidential data on State-owned mobile computing devices shall be protected by cryptographic controls and not be accessed or processed in public places where it could be observed or acquired by anyone who is not authorized to view it.
7.1 ITEC Policy 1200 - Acceptable Use of the Internet
7.2 ITEC Policy 7210 - Security Policy and Procedures for the KANWIN Network
7.3 ITEC Policy 4010 - Technical Architecture Compliance Requirements
7.4 ITEC Policy 7220 - Default Security Policy and Procedures for the KANWIN Network
7.5 ITEC Policy 7230 - General Information Technology Enterprise Security Policy
7.6 ITEC Policy 7230A - Default IT Security Requirements
7.7 DISC PPM 1805.01 - Data Systems Security.
7.8 DISC PPM 5204.01 - Installation of Premise Distribution System Hardware
8.1 Heads of entities are responsible to establish procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Information Technology Officer, Executive Branch, is responsible for the maintenance of this policy.
9.0 CANCELLATION: None