establishes controls related to the security and data integrity measures
required for secure wireless Local Area Network installations within the
state’s intranet zone to balance the interests of the various stakeholders
and increase business value for all parties. The policy provides guidance in
decision-making and practices that optimize resources, mitigate risk, and
maximize return on investment.
Local Area Network (LAN): a computer network that links devices within a
building or group of adjacent buildings
Service Set Identifier (SSID): a unique ID for naming wireless networks
The Commonwealth Office of Technology shall provide wireless
access to state government employees, contractors, and vendors through two
standard network SSIDs: KY-Secure and KY-Guest. COT may allow agencies
to use vendor-managed networks, but they must be isolated from the state’s
managed network SSIDs and shall not be used for official Commonwealth business.
Agencies shall request approval for vendor-managed
networks via the COT exceptions process.
State government employees and contractors with
state-provided wireless devices shall authenticate to KY-Secure using their
Active Directory (AD) credentials when accessing internal state resources and
networks. COT shall use AD groups to
restrict wireless access to appropriate users.
COT provides wireless Internet access to guests and vendors
of the Commonwealth through the KY-Guest network. Users must self-register to
receive login credentials before access is allowed. This
network shall not terminate inside the intranet, separating non-Commonwealth
equipment from the Commonwealth’s networks.
COT will conduct periodic security reviews of the
wireless. COT shall review wireless LANs
periodically to minimize signal bleed outside of planned coverage areas. COT
shall apply appropriate software and firmware updates to all wireless equipment
on a regular schedule, as updates are released.
Authority: KRS 42.726
authorizes the Commonwealth Office of Technology (COT) to develop policies and
compliance processes to support and promote the effective applications of
information technology within the executive branch of state government.
Applicability: All executive branch agencies
and non-executive branch agencies using COT-managed infrastructure or services
must adhere to this policy. This
includes employees, contractors, consultants, temporaries, volunteers,
and other workers within state government.
for Compliance: Each
agency must ensure that staff within their organizational authority are made
aware of and comply with this policy. The agency is responsible for enforcing
it. Unauthorized and/or neglectful
actions regarding this policy may result in disciplinary action up to and
including dismissal. COT may require additional service
charges for remediation efforts due to non-compliance with this policy.
Maintenance: The Chief Compliance Officer, Office of the Chief
Information Security Officer and Office of IT Services & Delivery share
responsibility for maintaining this policy.
Organizations may modify this policy to fulfill their responsibilities,
but must obtain approval through an exception request. Staff should refer to their internal policy,
which may have additional information or clarification.
Office of IT Services & Delivery will
review this policy at least every two years.