University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Wireless and IoT Security
UPPM 87.35
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.
To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
Wireless networks provide unique advantages but also pose security and administrative challenges that necessitate a high level of technical coordination and adherence to strict requirements. This policy sets forth the roles, responsibilities, and requirements for ensuring the integrity of WSU’s wireless networks.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
3.4 Technical Coordination Responsibilities
Wireless networks allow for accelerated delivery of network connectivity at a lower cost than traditional wired networks. However, wireless and Internet of Things (IoT) networks present unique security and administrative challenges, including the following:
- Shared Spectrum – Wireless data networks using IEEE 802.11 operate in shared radio frequency spectrum. All wireless devices within a given coverage area contend for access to the same spectrum, increasing the risk of interference, degraded availability, and unauthorized wireless activity. Lower-frequency wireless spectrum is particularly susceptible to interference from non-Wi-Fi devices such as consumer electronics, Bluetooth devices, and consumer IoT equipment.
- Non-overlapping Channels – Wireless spectrum is constrained by a finite number of non-overlapping channels, which varies based on available spectrum and selected channel width. Narrower channel widths provide a greater number of non-overlapping channels and improved spectrum reuse, while wider channel widths reduce the number of available channels and increase the likelihood of co-channel interference in dense deployments.
- Security – Wireless networks inherently transmit data over the air, making them more susceptible to eavesdropping, unauthorized access, and malicious interference than wired networks. Strong authentication, encryption, and access control mechanisms are required to prevent rogue devices, unauthorized access points, impersonation attacks, and other threats to the WSU network.
- Segmentation and Isolation – Wireless and IoT devices must be logically segmented from enterprise resources to limit the impact of a compromised device in accordance with UPPM 87.12 and 87.05.
- Monitoring and Detection – Wireless and IoT environments require continuous monitoring to establish baselines and to detect rogue access points, unauthorized devices, anomalous behavior, and potential security incidents in accordance with UPPM 87.50. Due to the dynamic nature of wireless connectivity, traditional wired security controls may not be sufficient.
- Device Lifecycle Management – Secure deployment of wireless and IoT devices requires defined processes for device onboarding, configuration, firmware updates, and decommissioning in accordance with UPPM 87.30, 87.40, and 87.72. Unsupported, end-of-life, or unmanaged devices pose an ongoing security risk to the wireless network.
Because of the shared nature of the wireless spectrum, technical coordination is necessary to ensure optimal performance of WSU’s wireless network. Central Information Technology departments are exclusively responsible for the architecture, configuration, and management of 802.11 access points or other related wireless technologies. These departments include WSU Information Technology Services (ITS) in Pullman, Spokane, Tri-Cities, Vancouver, and Everett, hereafter referred to collectively as WSU Central ITS (its.node@wsu.edu). WSU extension sites and Research Extension Centers (RECs) remain the responsibility of the College of Agriculture, Human, and Natural Resource Sciences (CAHNRS).
4.0 Requirements
WSU Central ITS must maintain an approval process to authorize wireless networks. Only authorized wireless networks, devices, and clients will be allowed.
Systems must disable embedded wireless networking capabilities when not intended for use in accordance with WSU’s Access Control and Authorization Policy.
- The ability to configure wireless networking capabilities must be explicitly authorized for moderate- and high-impact systems.
Wireless networks that support access to moderate- and high-impact systems must use methods to reduce the probability that signals from wireless access points can be received outside of WSU controlled boundaries.
Units must not deploy 802.11 access points or other related wireless technologies without coordination and written consent from the appropriate WSU Central ITS group.
- Wireless access is to be deployed in a manner such that access meets the greater needs of the campus and usage is not to be restricted to a specific use and/or unit.
To maintain compatibility between the various components of the wireless LAN, and to provide spare equipment in case of failure, WSU Central ITS must specify the equipment to be used in the wireless LAN.
- Unauthorized equipment that interferes with approved equipment, or that does not comply with security policy requirements, is to be removed.
WSU Central ITS must maintain an inventory of all authorized wireless networks. The inventory must document the purpose and owner of each wireless network. The use of ad hoc or peer-to-peer wireless networks is not permitted.
WSU Central ITS is to regularly monitor the WSU network to ensure that only authorized wireless access devices are connected.
Unauthorized access devices, and devices that do not meet WSU security standards, must be identified and removed from the network upon detection.
Rogue access device scanning is to be completed in accordance with UPPM 87.12.
WSU Central ITS must establish configuration and connection requirements for wireless access.
Access to the WSU wireless network must be authorized by WSU Central ITS.
To prevent unauthorized clients, all wireless access is to be connected to WSU Central ITS-managed authentication services.
- Unauthenticated access to services on the WSU wireless LAN is not permitted. Authentication services include, but may not be limited to, MAC Auth and 802.1X Authentication.
Authentication to access wireless networks is to be performed in accordance with UPPM 87.05.
WSU must monitor wireless traffic to detect indications of compromise in accordance with UPPM 87.50.
Wireless access devices are to be maintained in accordance with UPPM 87.30.
All wireless access devices connected to WSU’s networks must be configured securely in accordance with UPPM 87.12.
Authorized wireless access points are to be maintained with the most recent stable security and software updates in accordance with UPPM 87.32, 87.65, 87.40, and 87.30.
Authorized wireless networks that access moderate- and high-impact systems must protect information in transit in accordance with UPPM 87.33.
4.1 Wireless Guest Network
The WSU Wireless Guest network is intended to provide temporary, internet-only wireless access to non-WSU devices for guests, visitors, and short-term users; the only exception is temporary use for diagnostic or troubleshooting purposes by authorized IT staff.
Devices connected to the WSU Wireless Guest network:
- Are treated as outside of WSU (untrusted)
- Are segmented from other wireless networks
- Are restricted to outbound internet connectivity only
- Must not be granted access to:
  - Internal WSU networks
  - Nonpublic WSU systems
  - Classified WSU data (internal, confidential, or regulated)
Managed WSU devices, including but not limited to employee workstations, administrative systems, and instructional or laboratory computers, must not connect to the WSU Wireless Guest network without coordination and written consent from the WSU Central ITS group.
4.2 IoT Wireless Network
A separate wireless network is to be maintained exclusively for Internet of Things (IoT) devices requiring wireless connectivity but lacking support for standard WSU Wireless authentication mechanisms.
IoT Network Access Requirements:
- Must connect only to the designated WSU IoT wireless network
- Must register to an approved identity
- Must be approved and managed through a central registration and/or authorization process managed by WSU Central ITS
IoT registration is intended only for devices that meet one or more of the following criteria:
- Do not support WSU wireless authentication protocols (e.g., WPA2/WPA3 Enterprise)
- Do not process, store, or manage data classified under UPPM 87.53 as:
  - Internal
  - Confidential
  - Regulated
- Are application-specific IoT or embedded devices, including but not limited to:
  - Environmental controllers
  - Network-connected security cameras
  - Smart displays or signage
  - Voice-controlled personal assistant devices
  - Building automation
Devices that do not meet these criteria must use approved WSU managed wireless services.
4.3 Bluetooth Network
Bluetooth Personal Area Network (PAN) / Tethering is not supported.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: March 2026 (Rev. 654); Dec. 2021 (Rev. 583); July 2020 – new policy (Rev. 552)