
Initial Wireless Networking Audit for Higher Educational Institutions Contributed December 7, 2001 by Jim Dillon <jim.dillon@cusys.edu>
Area, Process, or Objective
A. Deployment of new technologies (such as Wireless technologies) is managed to ensure effective and efficient use of computing resources to achieve campus and university objectives.

Risks (Process or Objective Control Failure)
1. Deployment of wireless technologies adds intolerable or undesirable stress to, or hinders performance of, other critical university systems.
Exposure Occur

Loss Potential

Expected or Observed Controls
A. Deployment authority is clearly established.
* NOTE: Step 1 can be accomplished by using a notebook computer or PDA (if central IT organizations do not already do this) with a wireless PC card. Lucent Orinoco cards and clients clearly identify networks and access points as well as interference and signal strength. PDAs such as the Compaq IPAQ work well and are much easier to carry around at the expense of some data and a less robust client.
B. Assessment of technology impact on critical systems prior to deployment.

Control Eval

Audit Test Steps Evaluate expected controls through the following steps:

W/P Ref. E1

1. Identify where wireless networks exist and what organizations or persons deployed the networks.
2. Evaluate the technology components and asset management processes used to maintain the wireless networks.
3. Identify who has access to network devices/closets or whether existing jacks were sufficient to implement wireless.

1. Determine what factors prompted the implementers to use wireless technologies.
2. Determine how implementers evaluated the impact of the technology against current technical strategy, existing systems, and alternative approaches.
3. Identify critical, sensitive, or confidential systems that are hosted within the wireless sub-network, or that are used regularly by people on the wireless sub-network.

E2

W/P Index/ Wireless Networking Audit

W/P Index

A3

Filename Auditor Reviewer

78394260.doc Date Date 12/11/2011

Document: 78394260.doc

Page 1 of 5

2. Wireless technologies are used in a manner that does not promote university objectives or utilize their benefits effectively.
H M

A. Direction and guidance pertaining to shared systems and the use of technology in support of university objectives is available and easily identifiable by those empowered to impact shared systems.

1. Ensure sufficient policies, procedures, and guidelines are available to implementers to assist in proper implementation of wireless systems.
2. Identify and review equipment and component standards that ensure consideration of total cost, compatibility, and system integration of wireless technologies.

1. Identify authorities and appropriate contacts for wireless issue resolution and assistance on campus and with the community. Determine if implementers can identify these authorities, have reasonable access to them, and if they were consulted prior to implementing the technology.
2. Identify any support personnel or help systems that enable implementers to achieve successful wireless deployment.
3. Obtain technical strategy and objectives documentation for the campus, and determine if wireless networking appears supportive of these objectives.

E3

B. Technical guidance and support is readily available to define, and to assist in implementing appropriate deployment where skills or resources are insufficient to ensure alignment with university objectives and technical strategies.

E4

B. Wireless technologies provide additional benefit in a cost-effective manner.

1. Weaknesses in the new technologies outweigh the benefits they provide.
H M

A. A business case or cost/benefit analysis is pursued prior to implementation to ensure added value from the new technology.

1. Determine what benefits prompted the adoption of wireless technologies, and what negatives are considered by implementers.
2. Obtain and review any existing business case documents pertaining to the introduction of wireless technologies.
3. Determine how high-impact potential technologies are identified.

F1

B. Testing and evaluation of technologies is completed prior to widespread use to evaluate benefits and assess weaknesses of the technology.
C. Integration with existing infrastructure is planned and supportive of technical strategies and tactics.

1. Identify any systemic or sponsored efforts to evaluate wireless technologies and review their results through interviews with implementers and central computing services.

1. Using the list of wireless networks identified in step A1A1 above, determine how many of these projects consulted with central computing in the deployment of their wireless networks.
2. Determine if current implementations are using channels 1, 6, and 11 to maximize bandwidth management effectiveness. (Channels 1, 4, 7, and 11 are sometimes used, with minimal overlap, for dense implementation requirements.)

F2

F3

1
3. Determine how wireless systems are detected and their performance impact monitored and measured.
4. Identify any training or knowledge requirements applicable to those managing wireless network components.

Determine if known weaknesses are understood and considered by analyzing the following regarding existing systems:
1. Identify whether MAC address registration is used.
2. Identify whether WEP is used (40-bit or 128-bit).
3. Determine if alternative encryption/security schemes such as IPSec, SSH, and SSL are employed to compensate for WEP weaknesses.
4. Determine if a virtual private network (VPN) is used on wireless networks to further protect them and segregate them from wired nets.
5. Determine if any external authentication/authorization systems are employed (such as RADIUS servers for authentication).
F4

D. Known weaknesses are compensated for by alternative controls.

6. Determine if wireless networks are intended to be closed (SSID identification required) or open.
7. Determine what password controls are in place. Identify the length and hardening/composition factors such as expirations, repeat password controls, etc.
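
An added example, not part of the original audit program: one way to record the answers to the channel-plan and known-weakness test steps above from a site survey. The survey records and field names are constructed assumptions; same-site pairs fewer than five channels apart are flagged because 2.4 GHz channels are spaced 5 MHz apart while an 802.11b signal occupies about 22 MHz.

```python
from itertools import combinations

PLAN_1_6_11 = {1, 6, 11}      # plan named in the test step
PLAN_DENSE = {1, 4, 7, 11}    # minimal-overlap plan for dense sites
ALTERNATIVES = {"ipsec", "ssh", "ssl", "vpn"}

# Constructed survey records; field names are assumptions of this example.
SURVEY = [
    {"ssid": "lib-wlan", "site": "Library", "channel": 1, "wep_bits": 128,
     "mac_registration": True, "overlays": {"vpn"}, "radius": True},
    {"ssid": "lib-annex", "site": "Library", "channel": 3, "wep_bits": 40,
     "mac_registration": False, "overlays": set(), "radius": False},
    {"ssid": "dorm-net", "site": "Dorm A", "channel": 6, "wep_bits": 0,
     "mac_registration": True, "overlays": {"ssl"}, "radius": False},
]

def channel_findings(survey):
    """Flag off-plan channels and same-site pairs under 5 channels apart."""
    found = []
    for ap in survey:
        if ap["channel"] not in PLAN_1_6_11 | PLAN_DENSE:
            found.append((ap["ssid"], "channel %d is in neither plan" % ap["channel"]))
    for a, b in combinations(survey, 2):
        gap = abs(a["channel"] - b["channel"])
        if a["site"] == b["site"] and gap < 5:
            found.append((a["ssid"] + "/" + b["ssid"], "%d channels apart" % gap))
    return found

def weakness_findings(ap):
    """Answer the known-weakness questions (steps 1-5) for one network."""
    found = []
    if ap["wep_bits"] == 0:
        found.append("WEP not used")
    elif ap["wep_bits"] == 40:
        found.append("40-bit WEP")
    if not ap["overlays"] & ALTERNATIVES:
        found.append("no IPSec/SSH/SSL/VPN compensating for WEP")
    if not ap["mac_registration"]:
        found.append("no MAC address registration")
    if not ap["radius"]:
        found.append("no external authentication")
    return found

def worksheet(survey):
    return {ap["ssid"]: weakness_findings(ap) for ap in survey}

if __name__ == "__main__":
    print(channel_findings(SURVEY))
    print(worksheet(SURVEY))
```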
OPTIONAL WAIVE NOT NECESSARY

* Use of a wireless sniffer such as AiroPeek can also be useful in determining who owns or is managing a particular wireless network in case identifying a contact is difficult through traditional means.

If prudent after preliminary work, analyze network traffic using a network monitor (such as AiroPeek) for sensitive or critical content such as Social Security numbers, credit card numbers, health information, grades or other transcript information, human resources data, etc.

E2

26 to 31

1. Area, Process, or Objectives column identifies the control objective or process to be reviewed. Include a brief process definition and purpose or objective.
2. The Risks section is used to describe what can go wrong in the process that would impact the effective or efficient achievement of the noted objective(s).
3. Determine the Loss Potential (Materiality) of the risk by rating the likelihood of occurrence as H - High; M - Medium; or L - Low.
4. Identify the most likely level of exposure (impact) to the business if this risk item were to occur, again using H, M, or L. This rating can reflect potential $ loss, impact on institutional objective(s), or potential for negative public exposure or opinion as appropriate per the area or objective.
5. Expected or Observed Controls are activities or best practices commonly used to manage the risks identified.
6. Evaluate the Controls by rating them. (A = Adequate, NS = Needs Strengthening, U = Unsatisfactory)
T = Time estimate for test step in days. Any step is assumed to require 1 day unless it is repeated elsewhere in the program.
7. Define the Audit Test Steps necessary to test the effectiveness of the controls in addressing the risks. Audit Tests should be properly documented and referenced.
