					Initial Wireless Networking Audit for Higher Educational Institutions
Contributed December 7, 2001 by Jim Dillon <jim.dillon@cusys.edu>

Working paper A3, Wireless Networking Audit. Filename 90b2b13d-3e4b-4bee-84a7-4056c42d0442.doc. Auditor ________ Date 6/22/2011. Reviewer ________ Date ________.

Audit program columns (explained in the numbered column notes at the end): Area, Process, or Objective; Risks (Process or Objective Control Failure); Loss Potential (Exposure / Occurrence, each rated H/M/L); Expected or Observed Controls; Control Eval (A/NS/U, left blank for the auditor to complete); T (time estimate for the test step in days); Audit Test Steps; W/P Ref. The table is laid out below as an outline, one risk at a time.

A. Area / Objective: Deployment of new technologies (such as wireless technologies) is managed to ensure effective and efficient use of computing resources to achieve campus and university objectives.

   Risk A.1: Deployment of wireless technologies adds intolerable or undesirable stress to, or hinders performance of, other critical university systems.
   Loss Potential: Exposure H, Occurrence M

      Control A (W/P Ref E1): Deployment authority is clearly established.
      Audit test steps: evaluate expected controls through the following steps.
         1. (T = 5) Identify where wireless networks exist and what organizations or persons deployed the networks.
         2. (T = 1) Evaluate the technology components and asset management processes used to maintain the wireless networks.
         3. (T = 1) Identify who has access to network devices/closets or whether existing jacks were sufficient to implement wireless.
      NOTE: Step 1 can be accomplished by using a notebook computer or PDA (if central IT organizations do not already do this) with a wireless PC card. Lucent Orinoco cards and clients clearly identify networks and access points as well as interference and signal strength. PDAs such as the Compaq iPAQ work well and are much easier to carry around, at the expense of some data and a less robust client.

      Control B (W/P Ref E2): Assessment of technology impact on critical systems prior to deployment.
         1. (T = 1) Determine what factors prompted the implementers to use wireless technologies.
         2. (T = 1) Determine how implementers evaluated the impact of the technology against current technical strategy, existing systems, and alternative approaches.
         3. (T = 1) Identify critical, sensitive, or confidential systems that are hosted within the wireless sub-network, or that are used regularly by people on the wireless sub-network.

   Risk A.2: Wireless technologies are used in a manner that does not promote university objectives or utilize their benefits effectively.
   Loss Potential: Exposure H, Occurrence M

      Control A (W/P Ref E3): Direction and guidance pertaining to shared systems and the use of technology in support of university objectives is available and easily identifiable by those empowered to impact shared systems.
         1. (T = 2) Ensure sufficient policies, procedures, and guidelines are available to implementers to assist in proper implementation of wireless systems.
         2. (T = 1) Identify and review equipment and component standards that ensure consideration of total cost, compatibility, and system integration of wireless technologies.

      Control B (W/P Ref E4): Technical guidance and support is readily available to define, and to assist in implementing, appropriate deployment where skills or resources are insufficient to ensure alignment with university objectives and technical strategies.
         1. (T = 1) Identify authorities and appropriate contacts for wireless issue resolution and assistance on campus and with the community. Determine if implementers can identify these authorities, have reasonable access to them, and if they were consulted prior to implementing the technology.
         2. (T = 1) Identify any support personnel or help systems that enable implementers to achieve successful wireless deployment.
         3. (T = 1) Obtain technical strategy and objectives documentation for the campus, and determine if wireless networking appears supportive of these objectives.

B. Area / Objective: Wireless technologies provide additional benefit in a cost-effective manner.

   Risk B.1: Weaknesses in the new technologies outweigh the benefits they provide.
   Loss Potential: Exposure H, Occurrence M

      Control A (W/P Ref F1): A business case or cost/benefit analysis is pursued prior to implementation to ensure added value from the new technology.
         1. (T = 1) Determine what benefits prompted the adoption of wireless technologies, and what negatives are considered by implementers.
         2. (T = 1) Obtain and review any existing business case documents pertaining to the introduction of wireless technologies.
         3. (T = 1) Determine how high-impact potential technologies are identified.

      Control B (W/P Ref F2): Testing and evaluation of technologies is completed prior to widespread use to evaluate benefits and assess weaknesses of the technology.
         1. (T = 1) Identify any systemic or sponsored efforts to evaluate wireless technologies and review their results through interviews with implementers and central computing services.

      Control C (W/P Ref F3): Integration with existing infrastructure is planned and supportive of technical strategies and tactics.
         1. (T = 1) Using the list of wireless networks identified in step A1A1 above (Area A, Risk 1, Control A, step 1), determine how many of these projects consulted with central computing in the deployment of their wireless networks.
         2. (T = 1) Determine if current implementations are using channels 1, 6, and 11 to maximize bandwidth management effectiveness. (Channels 1, 4, 7, 11 are sometimes used: minimal overlap for dense implementation requirements.)
         3. (T = 1) Determine how wireless systems are detected and their performance impact monitored and measured.
         4. (T = 1) Identify any training or knowledge requirements applicable to those managing wireless network components.

      Control D (W/P Ref F4): Known weaknesses are compensated for by alternative controls.
      Audit test step (T = 2): determine if known weaknesses are understood and considered by analyzing the following regarding existing systems.
         1. Identify whether MAC address registration is used.
         2. Identify whether WEP is used (40-bit or 128-bit).
         3. Determine if alternative encryption/security schemes such as IPSec, SSH, and SSL are employed to compensate for WEP weaknesses.
         4. Determine if a virtual private network (VPN) is used on wireless networks to further protect them and segregate them from wired nets.
         5. Determine if any external authentication/authorization systems are employed (such as RADIUS servers for authentication).
         6. Determine if wireless networks are intended to be closed (SSID identification required) or open.
         7. Determine what password controls are in place. Identify the length, and hardening/composition factors such as expirations, repeat password controls, etc.

OPTIONAL / WAIVE – NOT NECESSARY
      Control note: Use of a wireless "sniffer" such as AiroPeek can also be useful in determining who owns or is managing a particular wireless network in case identifying a contact is difficult through traditional means.
      Audit test step (T = 5, W/P Ref E2): If prudent after preliminary work, analyze network traffic using a network monitor (such as AiroPeek) for sensitive or critical content such as Social Security numbers, credit card numbers, health information, grades or other transcript information, human resources data, etc.

Total time estimate (sum of the T column): 26 to 31 days (31 if the optional step is performed).


1.   Area, Process, or Objectives: identifies the control objective or process to be reviewed. Include a brief process definition and purpose or objective.
2.   Risks: describes what can go wrong in the process that would impact the effective or efficient achievement of the noted objective(s).
3.   Loss Potential (Materiality): rate the likelihood of occurrence as H - High, M - Medium, or L - Low. Identify the most likely level of exposure (impact) to the business if this risk item were to occur, again using H, M, or L. This rating can reflect potential $ loss, impact on institutional objective(s), or potential for negative public exposure or opinion, as appropriate per the area or objective.
4.   Expected or Observed Controls: activities or best practices commonly used to manage the risks identified.
5.   Control Eval: evaluate the controls by rating them (A = Adequate, NS = Needs Strengthening, U = Unsatisfactory).
6.   T: time estimate for the test step in days. Any step is assumed to require 1 day unless it is repeated elsewhere in the program.
7.   Audit Test Steps: define the tests necessary to test the effectiveness of the controls in addressing the risks. Audit tests should be properly documented and referenced.
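As an added example (not part of the original audit program), the following Python helper runs test steps F3-2 and F4 over a constructed network inventory: it names the channel plan in use and lists co-located access points whose 2.4 GHz channels overlap, then turns each unmet F4 sub-step into a finding and maps the findings onto the A / NS / U scale from the column notes. The record field names, the 8-character password threshold and the rating thresholds are assumptions; the three networks are constructed sample data.

```python
"""Audit helper for test steps F3-2 (channel plan) and F4 (compensating
controls). Added example, not part of the original audit program; the
record fields and the rating thresholds are assumptions, and the three
networks at the bottom are constructed sample data."""
from dataclasses import dataclass
from itertools import combinations

# 2.4 GHz channels sit 5 MHz apart and an 802.11b channel is about 22 MHz
# wide, so two channels avoid overlap only when they are 5 or more apart.
MIN_SEPARATION = 5
STANDARD_PLAN = {1, 6, 11}     # non-overlapping plan named in step F3-2
DENSE_PLAN = {1, 4, 7, 11}     # "minimal overlap" plan the same step notes


@dataclass
class WirelessNet:
    ssid: str
    owner: str                        # organization identified in step A1A1
    channel: int
    wep_bits: int = 0                 # 0 = WEP off, else 40 or 128 (F4-2)
    mac_registration: bool = False    # F4-1
    upper_layer_crypto: bool = False  # IPSec/SSH/SSL over the link (F4-3)
    vpn: bool = False                 # VPN segregating wireless from wired (F4-4)
    radius: bool = False              # external authentication (F4-5)
    closed_ssid: bool = False         # SSID required to associate (F4-6)
    min_password_len: int = 0         # password controls (F4-7)
    password_expiry_days: int = 0


def channels_overlap(a: int, b: int) -> bool:
    return abs(a - b) < MIN_SEPARATION


def check_channel_plan(nets):
    """Name the channel plan in use and list co-located APs that overlap."""
    used = {n.channel for n in nets}
    if used <= STANDARD_PLAN:
        plan = "1/6/11"
    elif used <= DENSE_PLAN:
        plan = "1/4/7/11 (dense, minimal overlap)"
    else:
        plan = "ad hoc"
    pairs = [(x.ssid, y.ssid) for x, y in combinations(nets, 2)
             if channels_overlap(x.channel, y.channel)]
    return plan, pairs


def f4_findings(net):
    """Walk the F4 sub-steps for one network; each gap becomes a finding."""
    f = []
    if not net.mac_registration:
        f.append("F4-1: MAC address registration not used")
    if net.wep_bits == 0:
        f.append("F4-2: WEP not enabled, link traffic is cleartext")
    elif net.wep_bits == 40:
        f.append("F4-2: 40-bit WEP in use")
    if not (net.upper_layer_crypto or net.vpn):
        f.append("F4-3: no IPSec/SSH/SSL or VPN compensating for WEP weaknesses")
    if not net.vpn:
        f.append("F4-4: no VPN segregating the wireless net from wired nets")
    if not net.radius:
        f.append("F4-5: no external authentication/authorization (e.g. RADIUS)")
    if not net.closed_ssid:
        f.append("F4-6: open network, SSID not required")
    if net.min_password_len < 8 or net.password_expiry_days == 0:
        f.append("F4-7: weak password controls (length/expiration)")  # 8 chars assumed
    return f


def control_rating(findings):
    """Map findings onto the program's A / NS / U scale (thresholds assumed)."""
    if not findings:
        return "A"
    return "NS" if len(findings) <= 2 else "U"


# Constructed sample inventory (not real networks).
SAMPLE_NETS = [
    WirelessNet("lib-wlan", "Libraries", 1, wep_bits=128, mac_registration=True,
                vpn=True, radius=True, closed_ssid=True,
                min_password_len=10, password_expiry_days=90),
    WirelessNet("dorm-wlan", "Housing", 6, wep_bits=40, min_password_len=6),
    WirelessNet("physics-ap", "Physics Dept", 3, mac_registration=True,
                upper_layer_crypto=True, radius=True, closed_ssid=True,
                min_password_len=12, password_expiry_days=180),
]

if __name__ == "__main__":
    print("channel plan / overlapping pairs:", check_channel_plan(SAMPLE_NETS))
    for net in SAMPLE_NETS:
        print(net.ssid, control_rating(f4_findings(net)), f4_findings(net))
```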



