Is your office Wi-Fi secured (WPA2/WPA3, separate guest network)?
Demonstrate that office wireless networks enforce strong encryption standards and implement network segmentation to isolate guest devices from corporate resources.
Description
What this control does
This control requires that office wireless networks implement modern encryption protocols (WPA2 or WPA3) to prevent eavesdropping and unauthorized access, and maintain network segmentation by isolating guest devices on a separate wireless network with restricted access to internal resources. WPA2 uses AES encryption and robust authentication mechanisms, while WPA3 adds enhanced protections against brute-force attacks and forward secrecy. Segregating guest traffic prevents visitors' potentially compromised devices from accessing corporate systems, databases, and file shares while still providing internet connectivity.
Control objective
What auditing this proves
Demonstrate that office wireless networks enforce strong encryption standards and implement network segmentation to isolate guest devices from corporate resources.
Associated risks
Risks this control addresses
- Unauthorized individuals intercept unencrypted wireless traffic to capture credentials, session tokens, or sensitive business data transmitted over the network
- Attackers within wireless range perform brute-force attacks against weak WPA/WEP passwords or exploit known cryptographic vulnerabilities in outdated protocols
- Guest devices infected with malware pivot from the wireless network to compromise internal servers, workstations, or network-attached storage
- Visitors or unauthorized users gain access to internal applications, databases, or file shares by connecting to an unsegmented wireless network
- Rogue access points configured with identical SSIDs capture employee credentials through evil twin attacks when corporate wireless lacks proper authentication
- Passive adversaries conduct long-term surveillance by capturing wireless traffic for offline cryptanalysis when weak encryption is employed
- Compliance violations occur when payment card data or protected health information traverses inadequately secured wireless networks
Testing procedure
How an auditor verifies this control
- Obtain a current inventory of all authorized wireless access points including SSIDs, hardware models, firmware versions, and physical locations
- Review wireless network configuration exports or access point management console screenshots showing enabled security protocols for corporate and guest networks
- Verify that corporate SSIDs enforce WPA2-Enterprise with 802.1X authentication or WPA3-Personal with strong pre-shared keys meeting organizational complexity requirements
- Confirm guest wireless networks implement WPA2 or WPA3 encryption and are configured as separate VLANs or network segments with no routing to internal subnets
- Examine firewall or access control list rules to validate that guest network traffic cannot reach corporate IP ranges, file servers, or administrative interfaces
- Perform walk-through testing by connecting a test device to the guest network and attempting to access internal resources such as file shares, intranet sites, or database servers
- Review network architecture diagrams to confirm logical separation between guest and corporate wireless infrastructure including separate DHCP scopes and internet egress paths
- Interview IT staff to verify procedures for periodic password rotation on pre-shared key networks and certificate management for enterprise authentication systems
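The configuration review, VLAN separation check and guest-network walk-through above can be rehearsed offline before the on-site audit. The following script is an added example, not part of the original control text or any vendor's export format: it takes a constructed SSID inventory (names, security modes and VLAN numbers are hypothetical), a constructed ordered guest ACL, and a constructed list of internal targets, and produces findings for corporate SSIDs without WPA2-Enterprise/WPA3, guest SSIDs sharing a corporate VLAN, and internal hosts that the guest VLAN's rules would still allow it to reach. The first-match, implicit-deny rule evaluation is a simplifying assumption; adapt it to the semantics of the firewall under review.

```python
"""Added example: offline audit of a constructed wireless inventory and
guest-VLAN ACL against the checks in the testing procedure. The data
model is an assumption for illustration, not a real vendor export."""
import ipaddress
from dataclasses import dataclass

# Security modes accepted on a corporate SSID (WPA2-Enterprise or WPA3).
CORPORATE_ACCEPTED = {"WPA2-Enterprise", "WPA3-Enterprise", "WPA3-Personal"}
# Any WPA2/WPA3 mode is acceptable on a guest SSID.
GUEST_ACCEPTED = {"WPA2-Personal", "WPA2-Enterprise", "WPA3-Personal", "WPA3-Enterprise"}


@dataclass(frozen=True)
class Ssid:
    name: str
    role: str        # "corporate" or "guest"
    security: str    # e.g. "WPA2-Enterprise", "WPA-Personal", "Open"
    vlan: int


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst: str         # destination CIDR
    action: str      # "allow" or "deny"


# Constructed sample inventory (hypothetical SSIDs and VLAN numbers).
SSIDS = [
    Ssid("Corp-Secure", "corporate", "WPA2-Enterprise", 10),
    Ssid("Corp-Legacy", "corporate", "WPA-Personal", 10),
    Ssid("Guest", "guest", "WPA2-Personal", 50),
    Ssid("Guest-Lobby", "guest", "Open", 10),
]

# Constructed ordered ACL for the guest VLAN: first match wins, implicit deny.
RULES = [
    Rule(50, "10.0.1.0/24", "deny"),
    Rule(50, "0.0.0.0/0", "allow"),   # internet egress for guests
]

# Constructed internal hosts the walk-through test tries to reach.
INTERNAL_TARGETS = {
    "file-server": "10.0.1.5",
    "intranet": "10.0.2.20",
    "ap-admin": "192.168.100.1",
}


def audit_encryption(ssids):
    """Flag SSIDs whose security mode is below the bar for their role."""
    findings = []
    for s in ssids:
        accepted = CORPORATE_ACCEPTED if s.role == "corporate" else GUEST_ACCEPTED
        if s.security not in accepted:
            findings.append(f"{s.name}: {s.role} SSID uses {s.security}")
    return findings


def audit_vlan_separation(ssids):
    """Flag guest SSIDs placed on a VLAN that also carries a corporate SSID."""
    corp_vlans = {s.vlan for s in ssids if s.role == "corporate"}
    return [f"{s.name}: guest SSID shares corporate VLAN {s.vlan}"
            for s in ssids if s.role == "guest" and s.vlan in corp_vlans]


def first_match(rules, src_vlan, dst_ip):
    """Evaluate the ordered ACL for one source VLAN and destination address."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src_vlan == src_vlan and ip in ipaddress.ip_network(r.dst):
            return r.action
    return "deny"   # assumed implicit deny at the end of the ACL


def audit_guest_reachability(ssids, rules, targets):
    """Flag internal targets the ACL would let a guest VLAN reach."""
    findings = []
    guest_vlans = {s.vlan for s in ssids if s.role == "guest"}
    for vlan in sorted(guest_vlans):
        for label, ip in targets.items():
            if first_match(rules, vlan, ip) == "allow":
                findings.append(f"VLAN {vlan} can reach {label} ({ip})")
    return findings


def run_audit(ssids=SSIDS, rules=RULES, targets=INTERNAL_TARGETS):
    """Combine all three checks into one list of findings."""
    return (audit_encryption(ssids) + audit_vlan_separation(ssids)
            + audit_guest_reachability(ssids, rules, targets))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the constructed data the script reports the legacy WPA corporate SSID, the open lobby SSID, the lobby SSID sharing VLAN 10, and two internal hosts (the intranet server and the access-point admin interface) reachable from VLAN 50 because the ACL only denies one /24 before allowing everything else; the physical walk-through with a test device remains the confirming step.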