SIST-TP CEN/TR 16674:2014

SLOVENSKI STANDARD
01-september-2014
Informacijska tehnologija - Analiza metodologij za ocenjevanje vpliva na
zasebnost v povezavi z RFID
Information technology - Analysis of privacy impact assessment methodologies relevant
to RFID
Informationstechnik - Analyse der RFID- Datenschutzfolgenabschätzung für spezifische
Sektoren
Technologie de l’information - Analyse des méthodes d’évaluation de l’impact sur la vie
privée adaptées à la RFID
Ta slovenski standard je istoveten z: CEN/TR 16674:2014
ICS:
35.040.50 Tehnike za samodejno Automatic identification and
razpoznavanje in zajem data capture techniques
podatkov
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL REPORT
CEN/TR 16674
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
June 2014
ICS 35.240.60
English Version
Information technology - RFID privacy impact assessment
analysis for specific sectors
Technologies de l'information - Analyse des méthodes Informationstechnik - Analyse der RFID-
d'évaluation de l'impact sur la vie privée adaptées à la RFID Datenschutzfolgenabschätzung für spezifische Sektoren

This Technical Report was approved by CEN on 20 January 2014. It has been drawn up by the Technical Committee CEN/TC 225.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 16674:2014 E
worldwide for CEN national Members.

Contents Page
Foreword .4
Introduction .5
1 Scope .6
2 Terms and definitions .6
3 Symbols and abbreviations .7
4 Risk analysis for wireless RFID communications and RFID devices .8
4.1 Introduction .8
4.2 RFID technologies .8
4.3 The RFID system architecture .9
4.4 The challenge of having millions of readers in the hands of individuals . 10
4.5 Lessons from the risk environment concerning wireless networks . 11
4.6 Conclusion and a way forward . 13
5 The relationship of the RFID PIA process and methodologies standards to the privacy law . 14
5.1 Privacy requirements . 14
5.2 Definitions . 16
5.2.1 General . 16
5.2.2 Five types of privacy . 17
5.2.3 Personal data . 18
5.2.4 Processing . 18
5.2.5 Processor . 18
5.2.6 Controller . 18
5.2.7 Data security . 18
5.2.8 Data minimization . 19
5.2.9 Purpose binding . 20
5.2.10 Openness . 21
5.2.11 Individual Access. 21
5.2.12 Consent . 21
5.2.13 Limiting Use, Disclosure and Retention . 23
5.2.14 Accuracy . 23
5.2.15 Unique identifiers. 23
5.2.16 Accountability . 23
5.2.17 RFID operator . 24
5.3 Accountable Technology . 24
5.4 Applying Data Protection Concepts in practice . 24
5.5 Technical/business considerations . 25
6 RFID and personal information . 25
6.1 DPD . 25
6.2 Personal information written in a tag . 25
6.3 Unique identifier . 25
6.4 Tracking and profiling . 26
6.5 Proportionality of wearable RFID tags . 26
6.6 Technical issues with unknown legal consequences. 27
7 Standards organizations and risk management standards . 27
7.1 Standards organizations . 27
7.2 Risk management standards . 28
7.2.1 General . 28
7.2.2 AS/NZS 4360 . 29
7.2.3 BS7799 (ISO17799) . 29
7.2.4 NIST SP 800-30 . 29
7.2.5 RFRM . 29
7.2.6 COBIT . 30
7.2.7 HIPAA . 30
7.2.8 ITIL . 31
7.2.9 ISMS . 31
7.2.10 ISO/IEC 27001 . 31
7.2.11 ISO/IEC 27002 . 31
7.2.12 ISO/IEC 27005 . 31
7.2.13 ISO TR 13335 . 31
8 Legal supported PIA methodology . 32
8.1 Background information . 32
8.2 Analysis of five PIAs . 34
8.3 Findings . 34
8.3.1 The application operator perspective . 34
8.3.2 The consumer and public interest perspective . 35
8.4 Audit report on the use of wireless technologies . 36
9 Proposed methodologies for RFID PIA process . 36
9.1 Initial Decision Tree . 36
9.2 Critique on the initial decision tree . 37
9.3 Relevance of the 2011 RFID PIA Framework . 38
9.3.1 General . 38
9.3.2 Framework reviews by others . 38
9.3.3 Scope of work for the 2011 RFID PIA Framework . 38
10 The reasoning for addressing the privacy assessment at the periphery for RFID. 41
10.1 The role played by RFID in the lives of individuals . 41
10.1.1 The nature of RFID possession by individuals . 41
10.1.2 The degree of exposure to RFID risks . 41
10.2 Where RFID technology is the determining factor for privacy assessment . 42
10.2.1 The Privacy assessment technology layers . 42
10.2.2 The role of RFID technology in privacy assessment . 43
10.3 Privacy assets . 43
11 The case for a cost-effective PIA process . 44
11.1 Templates . 44
11.2 Understanding the technology . 45
11.3 Monitoring RFID threats and vulnerabilities . 45
11.4 Assisting the SME PIA process . 46
12 Conclusions . 47
Bibliography . 48

Foreword
This document (CEN/TR 16674:2014) has been prepared by Technical Committee CEN/TC 225 “AIDC
Technologies”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
This Technical Report is one of a series of related deliverables, which comprise mandate 436 Phase 2. The
other deliverables are:
— EN 16570, Information technology — Notification of RFID — The information sign and additional
information to be provided by operators of RFID application systems
— EN 16571, Information technology — RFID privacy impact assessment process
— EN 16656, Information technology - Radio frequency identification for item management - RFID Emblem
(ISO/IEC 29160:2012, modified)
— CEN/TR 16684, Information technology — Notification of RFID — Additional information to be provided
by operators
— CEN/TS 16685, Information technology — Notification of RFID — The information sign to be displayed in
areas where RFID interrogators are deployed
— CEN/TR 16669, Information technology — Device interface to support ISO/IEC 18000-3
— CEN/TR 16670, Information technology — RFID threat and vulnerability analysis
— CEN/TR 16671, Information technology — Authorisation of mobile phones when used as RFID
interrogators
— CEN/TR 16672, Information technology — Privacy capability features of current RFID technologies
— CEN/TR 16673, Information technology — RFID privacy impact assessment analysis for specific sectors
Introduction
In response to the growing deployment of RFID systems in Europe, the European Commission published in
2007 the Communication COM (2007) 96 ‘RFID in Europe: steps towards a policy framework’. This
Communication proposed steps which needed to be taken to reduce barriers to adoption of RFID whilst
respecting the basic legal framework safeguarding fundamental values such as health, environment, data
protection, privacy and security.
In December 2008, the European Commission addressed Mandate M/436 to CEN, CENELEC and ETSI in the
field of ICT as applied to RFID systems. The Mandate M/436 was accepted by the ESOs in the first months of
2009. The Mandate addresses the data protection, privacy and information aspects of RFID, and is being
executed in two phases. Phase 1, completed in May 2011, identified the work needed to produce a complete
framework of future RFID standards. The Phase 1 results are contained in the ETSI Technical Report TR 187
020, which was published in May 2011.
Phase 2 is concerned with the execution of the standardization work program identified in the first phase.
This Technical Report is one of eleven deliverables for M/436 Phase 2. From a content point of view, and
despite their name, most Privacy Impact Assessments in the world have a narrow focus, namely data
protection rather than privacy protection. The result is that many PIAs are restricted to legal compliance
checks and do not include societal aspects. That is reflected in the form of some PIAs, which are limited to
checklists. Increasingly, however, PIA methodologies include narrative descriptions of the systems assessed
and the environments in which they will operate, which help to understand better the potential privacy and
data protection risks.
Also most PIAs are limited to risk assessment and do not include risk management. Thus, they can be used to
identify and assess privacy and data protection risk without suggesting solutions or mitigation strategies,
thereby restricting their usability.
This deliverable will begin with research of methodologies used for wireless technologies and the risks
associated at within that part of the wireless system from the data carrier to the communication from the
'interrogator' or data capture device to the application system. The reason for this approach is to understand
approaches used by security experts and that are not incorporated into any existing standards. This approach
makes sense because it moves from the generic wireless towards the specific RFID issues. The intention is to
draw relevant 'lessons' from a range of wireless technologies that can be applied to RFID technologies and
applications. Risk management will focus on areas that accept the inherent risks of the given technology.
1 Scope
The scope of this Technical Report (TR) is to identify methodologies that are used for, or have been
considered applicable to, wireless technologies. These methodologies are analyzed to identify features that
are applicable to RFID.
Based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection Working Party, the
Technical Report focuses on proposing risk analysis methodologies suitable for the data capture area of an
RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for communication
between them, and the communication from the interrogator to the application.
The Technical Report also proposes risk management features based on the inherent capabilities of a number
of RFID technologies that conform to standardized RFID air interface protocols. This should provide enough
information to enable the proposed privacy control features to be applied to other RFID technologies including
those with proprietary air interface protocols and tag architectures. The risk management features exclude
fundamental privacy by design features because these should be the subject of revisions and enhancements
to technology standards. The risk management features defined in this Technical Report are considered
applicable to current and future implementations of RFID based on existing technology. As such, this
Technical Report is considered as input into a standard procedure for undertaking an RFID Privacy Impact
Assessment.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
controller
natural or legal person, public authority, agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal data; where the purposes and means of
processing are determined by national or Community laws or regulations, the controller or the specific criteria
for his nomination may be designated by national or Community law
2.2
data subject
identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably
likely to be used by the controller or by any other natural or legal person, in particular by reference to an
identification number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person
2.3
data subject's consent
any freely given specific and informed indication of his wishes by which the data subject signifies his
agreement to personal data relating to him being processed
2.4
personal data
any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is
one who can be identified, directly or indirectly, in particular by reference to an identification number or to one
or more factors specific to his physical, physiological, mental, economic, cultural or social identity
2.5
PIA process
process based on a privacy and data protection risk management approach focusing mainly on the
implementation of the EU RFID Recommendation and consistent with the EU legal framework and best
practices
2.6
privacy
the claim of individuals (.) to determine for themselves when, how and to what extent information about them
is communicated to others" and as a mean "(.) for achieving individual goals of self-realisation
2.7
privacy impact assessment
methodology (a systematic process) for assessing the impacts on privacy of a project, policy, program,
service, product or other initiative that involves the processing of personal information and, in consultation with
stakeholders, for taking remedial actions as necessary in order to avoid or minimize negative privacy impacts
2.8
processing
any operation or set of operations which is performed upon personal data or sets of personal data, whether or
not by automated means, such as reading, collection, recording, organization, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, erasure or destruction
2.9
processor
natural or legal person, public authority, agency or any other body which processes personal data on behalf of
the controller
2.10
accountability
responsibility of an organization for personal information in its possession or custody, including information
that has been transferred to a third party for processing
2.11
wireless network
any type of computer network that is not connected by cables of any kind
3 Symbols and abbreviations
CEN Comité Européen de Normalisation
COBIT Control Objectives for Information and related Technology
DPD Directive Personal Data
NOTE 1 Directive 95/46/EC on the protection of individuals with regard to the processing of
personal data and on the free movement of such data
DPIA
Data Protection Impact Assessment
DPR  General Data Protection
NOTE 2 Regulation on the Protection of Individuals with regard to the processing of personal
data and on the free movement of Such Data
ECHR
European Convention on Human Rights EU: European Union
ECtHR European Court of on Human Rights
ENISA
European Network and Information Security Agency
GDPR General Data Protection Regulation
ITIL Information Technology Infrastructure Library
NFC Near Field Communication
NIST
National Institute of Standards and Technology
OECD Organization for Economic Co-operation and Development
PBD Privacy by Design
NOTE 3 Related to Data Protection.
PCC Privacy Commissioner of Canada
PIA  Privacy Impact Assessment
PLD Personal Locating Device
RTLS Real Time Location Systems
SDLC System Development Life Cycle
TAS3
Trusted Architecture for Securely Shared Services
NOTE 4 EU research project Trusted Architecture for Securely Shared Services, Privacy
Requirements, v.2.0, 2009
TDOA Time Difference Of Arrival
TRA
Threat and Risk Assessment
Tri  Triangulation
WAP
Wireless Access Point
WiFi Wireless Ethernet
4 Risk analysis for wireless RFID communications and RFID devices
4.1 Introduction
As stated in the scope, the TR is to identify methodologies that are used for, or have been considered
applicable to, wireless technologies. These methodologies are analyzed to identify features that are applicable
to RFID. Furthermore, based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection
Working Party, the TR focuses on proposing risk analysis methodologies suitable for the data capture area of
an RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for
communication between them, and the communication from the interrogator to the application.
The RFID PIA framework is based on Opinion 9/2011 on “The Revised Industry Proposal for a Privacy and
Data Protection Impact Assessment Framework for RFID Applications”. Opinion 9/2011 has been influenced
by the requirements mentioned in the analysis of ENISA Position on the Industry Proposal for a Privacy and
Data Protection Impact Assessment Framework for RFID Applications [of March 31, 2010] July 2010
The title of Recommendation (2009/387/EC) makes it very clear that the Commission has an objective to see
the implementation of privacy and data protection principles in RFID applications, and for this to be partly
achieved by RFID operators undertaking a privacy impact assessment (PIA). Much of the work approved
under Mandate M436 Phase 2 extends this principle into more practical processes.
Unfortunately there is no evidence of a standards-based procedure for undertaking a PIA for applications
using RFID technology. The TR therefore focuses on three strands of research:
— principles that are appropriate to RFID based on the research undertaken to prepare this TR;
— analysis of PIAs that are relevant to the RFID PIA, but not directly associated with RFID, from five
countries (Australia, Canada, New Zealand, UK and USA) and discussed more fully in Clause 7;
— comparison between the intended approach and some European interim developments.
4.2 RFID technologies
The Recommendation, provides the following definition of RFID in Paragraph 3 (a):
‘Radio frequency identification (RFID)’ means the use of electromagnetic radiating waves or reactive field
coupling in the radio frequency portion of the spectrum to communicate to or from a tag
This means that RFID applies to all RFID technologies specified by the ISO/IEC 18000 series of standards
plus what some experts consider to be a different technology: smart cards. Thus, ISO/IEC 14443,
ISO/IEC 15693, ISO/IEC 18092, ISO/IEC 21481, and the Japanese FeliCa (JIS X6319-4) all fall within the
scope of the Recommendation. In fact any standardized or proprietary radio frequency technology operating
within the regulated ranges, as listed here, fall within the scope of the Recommendation:
— <125 kHz to 134 kHz
— 13,56 MHz
— 433 MHz
— 860 MHz to 960 MHz
— 2,45 GHz
— 5,8 GHz (although there are no standards in the ISO/IEC 18000 series that address this yet.
NOTE Further details of the RFID privacy capabilities are provided in CEN/TR 16672 Information technology -
Privacy capability features of current RFID technologies.
4.3 The RFID system architecture
Each RFID air interface protocol has different characteristics; the most obvious is the frequency at which the
protocol operates. This impacts on power capabilities and read range. Even at a given frequency there are
often multiple protocols, each of which offers the RFID application particular features. Currently the ability to
have interoperable protocols is low. Interoperability between frequencies is rare, because the laws of physics
vary according to frequency particularly between low frequency (125kHz to 133 kHz) and high frequency
(13,56 MHz) on one hand and all the other higher frequencies.
Each specific air interface protocol defines the communication rules between the RFID interrogator (or reader)
and the RFID tag. There are no explicit standards for the interrogator and the tag; instead products are
required to conform to mandatory components of the protocol, and may support some of the optional features.
Such optional features include the size of memory, even whether some defined areas of memory are
supported. The optional features also include a number of commands, e.g. the support for sensors but also
more basic features. For a given air interface protocol, tags have more optional (i.e. opt-out) features than
interrogators; but this does not mean that interrogators are required to support all the features of a protocol.
Generally an RFID application is built around a particular air interface protocol, and there can be many
variants in the capabilities of tags that are available. In true open systems the RFID operator is dependent on
the RFID tags (and hence their capabilities) provided by others in the value chain. Although not a truism, a
rule of thumb is that tags with increasing capabilities tend to be more expensive; so the purchaser of the tags
will tend not to over-specify requirements for capabilities. Until the Recommendation was published, few RFID
operators consider privacy requirements, and CEN/TR 16672 clearly identifies that potential privacy
enhancing features are not available in many RFID technologies.
Some of the protocols are considered fairly stable with little or no developments over recent years. Others,
particularly ISO/IEC 18000-63, are under continual development with more features added with each revision.
This adds to the complexity, because whereas tags with new features can be implemented reasonably
quickly, changing the interrogator infrastructure involves longer-term investment decisions. But even if some
advanced tags are introduced, not all tags in an application will change. This is particularly the case where the
RFID tag or smart card has a viable life of many years.
The air interface is based on wireless communications, and as such is vulnerable to noise, which interferes
with the communication, and to various threats. Because the interface is wireless, most protocols have no
means of restricting additional reads of the tag. In fact, in open systems it is essential that the tag remains
readable to any authorised reader. Conversely this can also be exploited, as indicated by CEN/TR 16672.
Additionally other mechanisms can be used to read data, such as eavesdropping. As RFID is a read / write
technology, it is also possible to change data on the tag again for legitimate reasons (e.g. a chain of custody)
and less legitimate reasons.
Besides the tag, the air interface protocol and the interrogator, there are other components to the RFID
system. The interrogator needs to communicate with the application to receive instructions that are converted
to air interface commands, and to send back responses from the tag e.g. the data read form the tag. The air
interface transmits bits of data that need to be created (commands) and interpreted (responses). Device
interface protocols and data encoding and decoding rules are needed to perform some of these functions. Not
all air interface protocols and applications use standardized rules for this, although this is increasing – and
essential in open system applications. Some specific standards are discussed in CEN/TR 16673: Information
technology - RFID privacy impact assessment analysis for specific sectors.
In some cases the communication between interrogator and application is carried out over wired networks, but
this requires readers to be in fixed locations. Wireless communications are also, and increasingly used,
particularly with RFID enabled smart-phones and tablet computers. A particular case is with the use of near
field communication (NFC). This can bring additional opportunities to the individual smart-phone owner.
Where these are designed applications authorised by the RFID operator, this enhanced functionality adds to
the application. But the other side of the coin is that making millions of smart-phones as RFID readers does
have potential negative implications discussed below.
4.4 The challenge of having millions of readers in the hands of individuals
It is fairly easy to create an RFID reader, by using in-built features of NFC-enabled smart-phones. Originally
focused on one air interface protocol dealing with smart cards, there are concerns that there is technology
creep and these phones are able to read (and write) to tags compliant with other HF protocols. Some RFID
operators are extending their applications to make use of the fact that RFID readers are increasingly present.
The positives are addressed, but less so the negative aspects. These fall into two broad categories:
— The capability to change data on the tag, which can lead to disruptions of the intended application e.g.
even to render the tag unreadable. This is predominantly a security issue for the application, but does
have privacy implications too.
— The capability to read data from the tag beyond the scope of the application and beyond the domain of
the RFID operator.
There have been developments for smart-phones to support the UHF-based protocols, particularly from
Korea, but development has been slower than expected. However, it is feasible. Furthermore, there are many
readers for most of the popular readers that can be connected to a USB port, some looking little different than
a memory stick.
All of this means that individuals holding RFID tags or smart cards are probably unaware that tags and cards
that they are holding can be read beyond the boundary of a particular RFID application. Some evidence has
been presented in CEN/TR 16673; one example is of the recent capability to change data on RFID tags in the
library sector, another is the capability to read data from some contactless payment cards.
Thus, intruders can launch denial of service attacks, steal identities, violate the privacy of legitimate users,
insert viruses or malicious code, and disable operations.
The draft version of CEN/TR 16674: Information technology - RFID privacy impact assessment analysis for
specific sectors identifies a number of threats that have been recorded in literature and shown to be possible.
As a protocol reaches a critical mass of tags or cards in circulation, combined with low cost reading devices
capable of reading the tags, this type of issue will spread. A properly structured PIA process can identify the
risks and countermeasures that might be implemented.
4.5 Lessons from the risk environment concerning wireless networks
All computer systems are subject to different forms of threat, but wireless networks can suffer from additional
threats because of the fact that there are various means of intercepting a wireless transmission that are not
possible with a wired network. For RFID this applies to the air interface and wireless communication between
the interrogator and the application. The US-based National Institute of Standards and Technology (NIST)
recommends that before establishing wireless networks and using handheld devices, organizations should
use risk management processes to assess the risks involved, to take steps to reduce the risks to an
acceptable level, and to maintain that acceptable level of risk. Using risk management processes, managers
can protect systems and information in a cost-effective manner by balancing the operational and economic
costs of needed protective measures with the gains in mission capability to be achieved through the
application of new technology.
The following is an abstract from NIST’s report “Security for Wireless Networks and Devices”. Apart from
some details, this information is considered highly relevant to RFID.
NIST points out that each new development will present new security risks, which shall be addressed to
ensure that critical assets remain protected. Actions that organizations should take to protect the
confidentiality, integrity, and availability of all systems and information include:
a) Assess risks, test and evaluate system security controls for wireless networks more frequently than for
other networks and systems. Maintaining secure wireless networks is an ongoing process that requires
greater effort than that required for other networks and systems.
The following steps that can be taken to improve the management of wireless networks include:
— Maintain a full understanding of the topology of the wireless network.
— Label and keep inventories of the fielded wireless and handheld devices.
— Create backups of data frequently.
— Perform periodic security testing and assessment of the wireless network.
— Perform ongoing, randomly timed security audits to monitor and track wireless and handheld devices.
— Apply patches and security enhancements.
— Monitor the wireless industry for changes to standards that enhance security features and for the
release of new products.
— Monitor wireless technology for new threats and vulnerabilities.
b) Perform a risk assessment; develop a security policy and determine security requirements before
purchasing wireless technologies.
The risks associated with the use of wireless technologies are considerable, and many products provide
inadequate protection. Organizations should plan to protect their essential operations before they adopt
wireless technologies. Common administration problems include installing equipment with “factory
default” settings, failing to control or inventory access points, not implementing the security capabilities
provided, and not developing or installing security architectures that are suitable to the wireless
environment. The use of firewalls between wired and wireless systems should be considered. Other good
practices are to block unneeded services and ports, and to use strong cryptography. Often the risks can
be addressed, but the tradeoffs between technical solutions and costs shall be considered as well.
Organizations may want to postpone the installation of wireless networks until more robust, open, and
secure products are available.
Organizations should perform security assessments prior to implementation of wireless technologies to
determine the specific threats and vulnerabilities that wireless networks will introduce in their
environments. In performing the assessment, they should consider existing security policies, known
threats and vulnerabilities, legislation and regulations, safety, reliability, system performance, the life-
cycle costs of security measures, and technical requirements. Once the risk assessment is complete, the
organization can begin planning and implementing the measures that it will put in place to safeguard its
systems and lower its security risks to a manageable level. The organization should periodically reassess
the policies and measures that it puts in place because computer technologies and malicious threats are
continually changing.
c) Effective risk management should be integrated into the System Development Life Cycle (SDLC) of an IT
system. The SDLC includes five phases: initiation, development or acquisition, implementation, operation
or maintenance, and disposal. NIST has issued recommendations for conducting the risk management
process in NIST SP 800-30, Risk Management Guide for Information Technology Systems. This
document is available online at http://csrc.nist.gov/publications/nistpubs/index.html.
d) Maintain an awareness of the technical and security implications of wireless and handheld device
technologies.
Wireless technologies present unique security challenges due in part to the relative immaturity of the
technology, incomplete security standards, flawed implementations, limited user awareness, and lax
security and administrative practices. In a wireless environment, data is broadcast using radio
frequencies. As a result, data may be captured when it is broadcast. The distances needed to prevent
eavesdropping vary considerably because of differences in building construction, wireless frequencies
and attenuation, and the capabilities of high-gain antennas. The safe distance can vary up to kilometers,
even when the nominal or claimed operating range of the wireless device is less than a hundred meters.
e) Carefully plan for the installation of wireless technologies.
The security of wireless networks and devices should be considered from the initial planning stage
because it is much more difficult to address security once deployment and implementation have occurred.
A detailed, well-designed plan can point the way to better security decisions about configuring wireless
devices and network infrastructure. The plan will support decisions concerning the tradeoffs between
usability, performance, and risk. It is necessary to apply security management practices and controls to
maintain and operate secure wireless networks.
f) Organizations should identify their information system assets, and develop, document and implement
policies, standards, procedures, and guidelines to ensure confidentiality, integrity, and availability of
information system resources. NIST recommends the following steps:
— The information system security policy should directly address the use of 802.11, Bluetooth, and
other wireless technologies.
— Configuration/change control and management practices should ensure that all equipment has the
latest software release, including security feature enhancements and patches for discovered
vulnerabilities.
— Standardized configurations should be employed to reflect the security policy, and to ensure change
of default values and consistency of operations.
— Security training is essential to raise awareness about the threats and vulnerabilities inherent in the
use of wireless technologies.
— Robust cryptography is essential to protect data transmitted o
...