{"id":43479,"date":"2021-12-06T16:32:27","date_gmt":"2021-12-07T00:32:27","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=43479"},"modified":"2026-03-11T11:10:42","modified_gmt":"2026-03-11T18:10:42","slug":"bppm-87-35","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-35\/","title":{"rendered":"87.35 Wireless and IoT Security"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Wireless and IoT Security<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.35<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br>&nbsp; &nbsp;<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 &nbsp;&nbsp; Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 &nbsp;&nbsp; Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 &nbsp;&nbsp; Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 &nbsp;&nbsp; Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 &nbsp;&nbsp; Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 &nbsp;&nbsp; Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 &nbsp;&nbsp; Information System Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 &nbsp;&nbsp; Office of Information Security and Assurance (OISA)<\/a><\/li>\n<li><a href=\"#Three_4\">3.4 &nbsp;&nbsp; Technical Coordination Responsibilities<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 &nbsp;&nbsp; Requirements<\/a>\n<ul>\n<li><a 
href=\"#Four_1\">4.1 &nbsp;&nbsp; Wireless Guest Network<\/a><\/li>\n<li><a href=\"#Four_2\">4.2 &nbsp;&nbsp; IoT Wireless Network<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 &nbsp;&nbsp; Bluetooth Networking<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 &nbsp;&nbsp; Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0&nbsp;&nbsp; Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1 &nbsp;&nbsp;Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability.<\/p>\n<p>To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a 
href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2 &nbsp;&nbsp;Specific Policy Overview and Purpose<\/h4>\n<p>Wireless networks provide unique advantages but also pose security and administrative challenges that necessitate a high level of technical coordination and adherence to strict requirements. This policy sets forth the roles, responsibilities, and requirements for ensuring the integrity of WSU\u2019s wireless networks.<\/p>\n<h3 id=\"Two_0\">2.0 &nbsp;&nbsp;Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0 &nbsp;&nbsp;Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1 &nbsp;&nbsp;Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2&nbsp;&nbsp; Information System Owners<\/h4>\n<p>Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.&nbsp;<\/p>\n<h4 id=\"Three_3\">3.3 &nbsp;&nbsp;Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/wireless-and-iot-standard.pdf\/\">standard (PDF)<\/a> 
associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/02\/wireless-and-iot-security-procedure.pdf\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h4 id=\"Three_4\">3.4&nbsp; &nbsp; Technical Coordination Responsibilities<\/h4>\n<p>Wireless networks allow for accelerated delivery of network connectivity at a lower cost than traditional wired networks. However, wireless and Internet of Things (IoT) networks present unique security and administrative challenges, including the following:<\/p>\n<ul>\n<li>Shared Spectrum \u2013 Wireless data networks using IEEE 802.11 operate in shared radio frequency spectrum. All wireless devices within a given coverage area contend for access to the same spectrum, increasing the risk of interference, degraded availability, and unauthorized wireless activity. Lower\u2011frequency wireless spectrum is particularly susceptible to interference from non\u2011Wi\u2011Fi devices such as consumer electronics, Bluetooth devices, and consumer IoT equipment.<\/li>\n<li>Nonoverlapping Channels \u2013 Wireless spectrum is constrained by a finite number of nonoverlapping channels, which varies based on available spectrum and selected channel width. Narrower channel widths provide a greater number of non-overlapping channels and improved spectrum reuse, while wider channel widths reduce the number of available channels and increase the likelihood of co\u2011channel interference in dense deployments.<\/li>\n<li>Security \u2013 Wireless networks inherently transmit data over the air, making them more susceptible to eavesdropping, unauthorized access, and malicious interference than wired networks. 
Strong authentication, encryption, and access control mechanisms are required to prevent rogue devices, unauthorized access points, impersonation attacks, and other threats to the WSU network.<\/li>\n<li>Segmentation and Isolation \u2013 Wireless and IoT devices must be logically segmented from enterprise resources to limit the impact of a compromised device in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-12\/\">87.12<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">87.05<\/a>.<\/li>\n<li>Monitoring and Detection \u2013 Wireless and IoT environments require continuous monitoring to establish baselines and to detect rogue access points, unauthorized devices, anomalous behavior, and potential security incidents in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">UPPM 87.50<\/a>. Due to the dynamic nature of wireless connectivity, traditional wired security controls may not be sufficient.<\/li>\n<li>Device Lifecycle Management \u2013 Secure deployment of wireless and IoT devices requires defined processes for device onboarding, configuration, firmware updates, and decommissioning in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">87.30<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">87.40<\/a>, and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">87.72<\/a>. 
Unsupported, end-of-life, or unmanaged devices pose an ongoing security risk to the wireless network.<\/li>\n<\/ul>\n<p>Because of the shared nature of the wireless spectrum, technical coordination is necessary to ensure optimal performance of WSU\u2019s wireless network. Central Information Technology departments are exclusively responsible for the architecture, configuration and management of 802.11 access points or other related wireless technologies. These departments include WSU Information Technology Services (ITS) in Pullman, Spokane, Tri-Cities, Vancouver, and Everett, hereafter referred to collectively as WSU Central ITS (<a href=\"mailto:its.node@wsu.edu\">its.node@wsu.edu<\/a>).&nbsp; WSU extension sites and Research Extension Centers (RECs) remain the responsibility of the College of Agriculture, Human, and Natural Resource Sciences (CAHNRS).<\/p>\n<h3 id=\"Four_0\">4.0 &nbsp;&nbsp;Requirements<\/h3>\n<p>WSU Central ITS must maintain an approval process to authorize wireless networks. 
Only authorized wireless networks, devices, and clients will be allowed.<\/p>\n<p>Systems must disable embedded wireless networking capabilities when not intended for use in accordance with WSU\u2019s Access Control and Authorization Policy.<\/p>\n<ul>\n<li>The ability to configure wireless networking capabilities must be explicitly authorized for moderate- and high-impact systems.<\/li>\n<\/ul>\n<p>Wireless networks that support access to moderate- and high-impact systems must use methods to reduce the probability that signals from wireless access points can be received outside of WSU controlled boundaries.<\/p>\n<p>Units must not deploy 802.11 access points or other related wireless technologies without coordination and written consent from the appropriate WSU Central ITS group.<\/p>\n<ul>\n<li>Wireless access is to be deployed in a manner such that access meets the greater needs of the campus and usage is not to be restricted to a specific use and\/or unit.<\/li>\n<\/ul>\n<p>To maintain compatibility between the various components of the wireless LAN, and to provide spare equipment in case of failure, WSU Central ITS must specify the equipment to be used in the wireless LAN.<\/p>\n<ul>\n<li>Unauthorized equipment that interferes with approved equipment, or that does not comply with security policy requirements, is to be removed.<\/li>\n<\/ul>\n<p>WSU Central ITS must maintain an inventory of all authorized wireless networks. The inventory must document the purpose and owner of each wireless network. 
The use of ad hoc, or peer-to-peer, wireless networks is not permitted.&nbsp;<\/p>\n<p>WSU Central ITS is to regularly monitor the WSU network to ensure that only authorized wireless access devices are connected.<\/p>\n<p>Non-authorized access devices, and devices that do not meet WSU Security Standards, must be identified and removed from the network upon detection.<\/p>\n<p>Rogue access device scanning is to be completed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-12\/\">UPPM 87.12<\/a>.<\/p>\n<p>WSU Central ITS must establish configuration and connection requirements for wireless access.<\/p>\n<p>Access to the WSU wireless network must be authorized by WSU Central ITS.<\/p>\n<p>To prevent unauthorized clients, all wireless access is to be connected to WSU Central ITS-managed authentication services.<\/p>\n<ul>\n<li>Unauthenticated access to services on the WSU wireless LAN is not permitted. Authentication services include, but may not be limited to, MAC Auth and 802.1X Authentication.<\/li>\n<\/ul>\n<p>Authentication to access wireless networks is to be performed in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">UPPM 87.05<\/a>.<\/p>\n<p>WSU must monitor wireless traffic to detect indications of compromise in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\">UPPM 87.50<\/a>.&nbsp;<\/p>\n<p>Wireless access devices are to be maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a>.<\/p>\n<p>All wireless access devices connected to WSU\u2019s networks must be configured securely in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-12\/\">UPPM 
87.12<\/a>.<\/p>\n<p>Authorized wireless access points are to be maintained with the most recent stable security and software updates in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-32\/\">87.32<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-65\/\">87.65<\/a>, <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">87.40<\/a>, and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">87.30<\/a>.<\/p>\n<p>Authorized wireless networks that access moderate- and high-impact systems must protect information in transit in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-33\/\">UPPM 87.33<\/a>.<\/p>\n<h4 id=\"Four_1\">4.1&nbsp; &nbsp; Wireless Guest Network<\/h4>\n<p>The WSU Wireless Guest network is intended to provide temporary, internet-only wireless access to non-WSU devices for guests, visitors, and short-term users except for temporary diagnostic or troubleshooting purposes by authorized IT staff.<\/p>\n<p>Devices connected to the WSU Wireless Guest network:<\/p>\n<ul>\n<li>Are treated as outside of WSU (untrusted)<\/li>\n<li>Are segmented from other wireless networks<\/li>\n<li>Are restricted to outbound internet connectivity only<\/li>\n<li>Must not be granted access to:\n<ul>\n<li>Internal WSU networks<\/li>\n<li>Nonpublic WSU systems<\/li>\n<li>Classified WSU data (internal, confidential, or regulated)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Managed WSU devices, including but not limited to employee workstations, administrative systems, and instructional or laboratory computers, must not connect to the WSU Wireless Guest network without coordination and written consent from the WSU Central ITS group.<\/p>\n<h4 
id=\"Four_2\">4.2&nbsp; &nbsp; IoT Wireless Network<\/h4>\n<p>A separate wireless network is to be maintained exclusively for Internet of Things (IoT) devices requiring wireless connectivity but lacking support for standard WSU Wireless authentication mechanisms.<\/p>\n<p>IoT Network Access Requirements:<\/p>\n<ul>\n<li>Must connect only to the designated WSU IoT wireless network<\/li>\n<li>Must register to an approved identity<\/li>\n<li>Must be approved and managed through a central registration and\/or authorization process managed by WSU Central ITS<\/li>\n<\/ul>\n<p>IoT registration is intended only for devices that meet one or more of the following criteria:<\/p>\n<ul>\n<li>Do not support WSU wireless authentication protocols (e.g. WPA2\/WPA3 enterprise)<\/li>\n<li>Do not process, store, or manage data classified under UPPM 87.53 as:\n<ul>\n<li>Internal<\/li>\n<li>Confidential<\/li>\n<li>Regulated<\/li>\n<\/ul>\n<\/li>\n<li>Are application-specific IoT or embedded devices, including but not limited to:\n<ul>\n<li>Environmental controllers<\/li>\n<li>Network-connected security cameras<\/li>\n<li>Smart displays or signage<\/li>\n<li>Voice-controlled personal assistance devices<\/li>\n<li>Building automation<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Devices that do not meet these criteria must use approved WSU-managed wireless services.<\/p>\n<h4 id=\"Four_3\">4.3&nbsp; &nbsp; Bluetooth Network<\/h4>\n<p>Bluetooth Personal Area Network (PAN) \/ Tethering is not supported.<\/p>\n<h3 id=\"Five_0\">5.0&nbsp; &nbsp; &nbsp;Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive 
appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br><strong>Revisions:<\/strong>&nbsp; March 2026 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-654\/\">654<\/a>); Dec. 2021 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-583\/\">583<\/a>); July 2020 &#8211; new policy (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-552\/\">552<\/a>)<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Wireless and IoT Security<\/p>\n","protected":false},"author":1061,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43479"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/1061"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=43479"}],"version-history":[{"count":21,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43479\/revisions"}],"predecessor-version":[{"id":70125,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/43479\/revisions\/70125"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=43479"}],"wp:t
erm":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=43479"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=43479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}