User's Guide

Reports
• MITS wireless compliance report - The Management of Information Technology Security (MITS)
is an operational security standard established by Treasury Board of Canada Secretariat. This
standard (established in 2004) defines baseline security requirements that Canadian federal
departments must fulfill to ensure the security of information and information technology (IT) assets
under their control.
MITS seeks to protect the confidentiality, integrity, and availability of information and IT assets.
This report assesses the wireless security posture of the organization and identifies wireless
vulnerabilities that may compromise the confidentiality of information and IT assets.
The following sections from MITS are relevant to wireless deployments.
Part I, Section 4: This section makes senior managers in each department responsible for
establishing and maintaining internal controls that ensure a high level of IT security. This MITS
report is the first step in establishing internal controls to protect confidential information and IT
assets against wireless exposure.
Part II, Section 10: This section requires that each department establish an IT security policy. This
MITS report establishes the existence of a wireless security policy.
Part II, Section 12.11.2: This section requires internal audits to be carried out for all security risks.
This MITS report can be used as an audit document describing wireless security risks.
Part III, Section 16: This section requires the establishment of safeguards to protect the
confidentiality, integrity, and availability of information and IT assets. Periodic generation and
archival of this MITS report establishes that your organization has the safeguards to protect
confidential information and IT assets against wireless exposure.
Part III, Section 17: This section requires monitoring and detection of security incidents. Periodic
generation and archival of this MITS report establishes that your organization has the capabilities
to monitor and detect wireless security incidents.
Since wireless environments change dynamically, it is recommended that you conduct a MITS
wireless vulnerability assessment at least once every 15 days. Archive the MITS Wireless
Compliance reports. Establish an ongoing wireless security program to fix the top vulnerabilities
and to minimize your wireless security exposure.
The sections of this report list the wireless vulnerabilities detected in your network and the severity
of security risk caused by these vulnerabilities.
• PCI DSS 3.0 Wireless Compliance Report
Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 published in November
2013 defined recommended security controls for protecting cardholder data. PCI DSS was defined
by a consortium of credit card companies, including VISA and Mastercard. The requirements of the
PCI standard apply to all members, merchants, and service providers that store, process and
transmit cardholder data.
The following sections from PCI DSS, Version 3.0 are relevant from the perspective of protecting
cardholder data from unauthorized wireless access. This report is intended to be simply an aide to
review PCI DSS 3.0 compliance of WLAN deployments. It is not meant to automatically fulfill PCI
DSS 3.0 requirements related to your WLAN network. Consult a PCI Qualified Security Auditor
(QSA) for obtaining compliance certification.
1. Requirement 1.2: Deny traffic from 'untrusted' networks and hosts, except for protocols
necessary in the cardholder data environment. This report provides a list of rogue or
misconfigured wireless access points detected during the report interval. Unauthorized cardholder
data access is possible through these access points.
2. Requirement 2.1.1: Change vendor-supplied defaults for wireless equipment. For wireless
equipment, the default password, SSID, WEP key and security settings should be changed. WPA or
WPA2 should be used wherever possible. This report provides a list of wireless access points
using default SSID or security configurations.
3. Requirement 4.1.1: Verify that wireless networks transmitting cardholder data use appropriate
encryption methods. Reliance on WEP (Wired Equivalent Privacy) for cardholder data protection
should be avoided. This report provides a list of wireless access points and clients communicating
using open or insecure encryption methods.
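The three checks above map detected access points to the PCI DSS 3.0 requirements they violate. The following is an added illustration, not the product's own report code: the `AccessPoint` record, the default-SSID list and the scan results are all constructed for the example, and a real deployment would take them from the wireless inventory and the sensor scan.

```python
from dataclasses import dataclass

# Encryption methods the report treats as open/insecure (Requirement 4.1.1).
INSECURE_ENCRYPTION = {"OPEN", "WEP"}
# Constructed sample of vendor-default SSIDs; a real checker would load a
# maintained list. Stored in lower case for case-insensitive comparison.
DEFAULT_SSIDS = {"default", "linksys", "dlink", "netgear", "tp-link"}

@dataclass(frozen=True)
class AccessPoint:
    """One access point seen during the report interval (hypothetical record)."""
    bssid: str
    ssid: str
    encryption: str    # "OPEN", "WEP", "WPA" or "WPA2"
    authorized: bool   # present in the organization's approved AP inventory

def check_pci_wireless(aps):
    """Map each detected AP to the PCI DSS 3.0 requirements it violates."""
    findings = {"1.2": [], "2.1.1": [], "4.1.1": []}
    for ap in aps:
        enc = ap.encryption.upper()
        # 1.2: an AP that is not in the approved inventory is rogue or misconfigured.
        if not ap.authorized:
            findings["1.2"].append(ap.bssid)
        # 2.1.1: vendor-default SSID, or security settings never raised to WPA/WPA2.
        if ap.ssid.lower() in DEFAULT_SSIDS or enc not in {"WPA", "WPA2"}:
            findings["2.1.1"].append(ap.bssid)
        # 4.1.1: open or WEP traffic gives cardholder data no usable protection.
        if enc in INSECURE_ENCRYPTION:
            findings["4.1.1"].append(ap.bssid)
    return findings

def is_compliant(findings):
    """True only when no requirement has any finding."""
    return all(len(bssids) == 0 for bssids in findings.values())

# Constructed scan results, not taken from any real network.
SAMPLE_SCAN = [
    AccessPoint("00:11:22:33:44:01", "corp-pos", "WPA2", True),
    AccessPoint("00:11:22:33:44:02", "linksys", "WEP", False),    # default SSID, WEP, rogue
    AccessPoint("00:11:22:33:44:03", "corp-guest", "OPEN", True), # authorized but open
    AccessPoint("00:11:22:33:44:04", "corp-pos", "WPA2", False),  # unauthorized AP on corporate SSID
]

if __name__ == "__main__":
    result = check_pci_wireless(SAMPLE_SCAN)
    for req, bssids in result.items():
        print(f"Requirement {req}: {len(bssids)} finding(s) {bssids}")
    print("compliant:", is_compliant(result))
```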