Educause Security Discussion mailing list archives
Re: PCI Wireless Question for other colleges/universities
From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Mon, 25 Jan 2016 19:21:45 +0000
Hi Marty, Sorry for the lack of clarification! It isn't as much the "establish a process to scan for rogue wireless access points", because we have a process to detect such via our wireless system (Aruba). Our issue is more with 11.1.2b: "Is action taken when unauthorized wireless access points are found". I'm not sure what actions are viable in an environment like a college (at least with our staffing requirements), especially with ad-hoc networks and cell phones acting as access points. Is "We've made sure it isn't near a dedicated payment area if the access point wasn't transient" suitable as an action for this? I'm open to ideas. Thanks all, Paul Chauvet Information Security Officer State University of New York at New Paltz chauvetp () newpaltz edu<mailto:chauvetp () newpaltz edu> 845-257-3828 [emlogo] From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Manjak, Martin Sent: Monday, January 25, 2016 1:58 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI Wireless Question for other colleges/universities Paul, Assuming we're talking about "Establish a process to scan for rogue wireless access points on at least a quarterly basis," we were advised by our QSA that a visual inspection on CDE segments only was sufficient to satisfy this requirement. Marty Manjak ISO University at Albany From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Paul Chauvet Sent: Monday, January 25, 2016 1:05 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] PCI Wireless Question for other colleges/universities Hello all, I'm wondering how other colleges/universities handled a specific PCI requirement, 11.1.2, regarding unauthorized wireless access points. We have a few areas with payments going over wireless, but even if we changed things to not use wireless for payments, it appears that this requirement is applicable. We have taken appropriate steps to secure the terminals/computers, and had a skilled penetration testing company that was completely unable to break through to the payment terminals (or even through the network segmentation). We also have scanning in place that can detect rogue access points. I believe that the systems are secure but security isn't compliance. In this day and age where anyone can turn their phone into an access point, there are always a number of them, most of them being transient. What have other colleges done when faced with these situations? We're not a huge school that can afford the staff that it would take to go hunt the transient access points down. I'd appreciate anything you can share on- or off-list about this scenario. Thanks, Paul Chauvet Information Security Officer State University of New York at New Paltz chauvetp () newpaltz edu<mailto:chauvetp () newpaltz edu> 845-257-3828 [emlogo]
Current thread:
- PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Manjak, Martin (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Rumford, Charles C (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Paul Chauvet (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Manjak, Martin (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Carroll, Tim (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Brad Judy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Kevin Reedy (Jan 25)
- Re: PCI Wireless Question for other colleges/universities Carroll, Tim (Jan 26)
- Re: PCI Wireless Question for other colleges/universities Eric Lukens (Jan 26)