This document aims to ensure application of Information Security best practices for mobile and tele-communications. This policy prohibits access to ASCL networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by the ASCL Information Security Department are approved for connectivity to ASCL's networks.

2.0 SCOPE

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of ASCL's internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to ASCL's networks do not fall under the purview of this policy.

3.0 POLICY

ASCL employees and authorized third parties (customers, vendors, etc.) can use dial-in connections to gain access to the ASCL network. Dial-in access should be strictly controlled, using one-time password authentication.

It is the responsibility of employees with dial-in access privileges to ensure a dial-in connection to ASCL is not used by non-employees to gain access to company information system resources. An employee who is granted dial-in access privileges must remain constantly aware that dial-in connections between their location and ASCL are literal extensions of ASCL's corporate network, and that they provide a potential path to the company's most sensitive information. The employee and/or authorized third party individual must take every reasonable measure to protect ASCL's assets.

Analog and non-GSM digital cellular phones cannot be used to connect to ASCL's corporate network, as their signals can be readily scanned and/or hijacked by unauthorized individuals. Only GSM & CDMA standard digital cellular phones are considered secure enough for connection to ASCL's network. For additional information on wireless access to the ASCL network, consult the Wireless Communications Policy.

Note: Dial-in accounts are considered to be 'needed' accounts. Account activity is monitored, and if a dial-in account is not used for a period of six months the account will expire and no longer function. If dial-in access is subsequently required, the individual must request a new account as described above.

To comply with this policy, wireless implementations must: Maintain point to point hardware encryption of at least 56 bits. Maintain a hardware address that can be registered and tracked, i.e., a MAC address. Support strong user authentication which checks against an external database such as TACACS+, RADIUS or something similar.

4.0 ENFORCEMENT

Any person bound by this policy who intentionally and/or knowingly violates this policy shall be subject to action deemed fit by the Governing Board of the Asian School of Cyber Laws and shall also be liable to pay adequate and prompt compensation. Such action shall not preclude adequate civil and / or criminal remedy as per the applicable law.

5.0 DEFINITIONS

1. User Authentication: A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.

This document is created on 12-02-2002 and has been updated last on 22-02-2003. Please note that this document is updated on a regular basis and the latest version can be obtained from: