Wireless Risk Assessment
KEY ISSUES
- Bank management should complete information security risk assessments and implement appropriate policies and internal controls before microwave networks are used.
- Microwave systems security measures should protect bank networks and workstations from the risks of unauthorized access, intercepted transmissions, and network vulnerabilities.
- Return-on-investment analysis should evaluate the total cost of ownership to create and maintain the network, including incremental security and authentication control costs.
RISK ASSESSMENT
What is included in a good risk assessment?
The primary goal of any risk assessment is to quantify the impact of possible threats. A good risk assessment results in both the identification of risk and an associated risk mitigation strategy.
Threat: The occurrence of any event (accidental or intentional) that causes an undesirable impact upon the organization.
An effective risk assessment includes the following factors:
- Asset identification: identify information assets to protect
- Threat identification: identify reasonably foreseeable internal and external threats
  - Threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information
- Likelihood: chance of the threat occurring
- Impact: potential damage caused by the threat's occurrence
- Assessment results: sufficiency of policies, procedures, customer information systems and other arrangements in place to control risk
- Mitigation strategy: steps taken to reduce risk to an acceptable level
- Exposure: the amount of residual risk.
Note
A risk mitigation strategy can include steps taken to avoid a risk altogether. Alternatively, risk can be limited by implementing controls or transferred through insurance coverage, and, finally, the Board can decide to accept the residual risk and possible loss.
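A worked illustration of the assessment factors above and the mitigation options in the Note, added here as an example and not part of this guidance: a small Python risk register that scores each threat by likelihood and impact, applies the chosen strategy (avoid, control, transfer or accept), and reports the residual exposure. The ordinal scale, the acceptable-exposure threshold, the effect sizes assumed for controls and insurance, and the register entries themselves are constructed assumptions, drawn from the microwave-specific risks this page lists.

```python
from dataclasses import dataclass

# Constructed ordinal scale for likelihood and impact: 1 = low, 3 = medium, 5 = high.
SCALE = {"low": 1, "medium": 3, "high": 5}
ACCEPTABLE_EXPOSURE = 5    # assumed level of residual risk the Board will accept
TRANSFER_RETAINED = 0.2    # assumed share of impact still borne after insurance

@dataclass
class RiskItem:
    asset: str        # information asset to protect
    threat: str       # reasonably foreseeable event
    likelihood: str   # chance of the threat occurring
    impact: str       # potential damage from its occurrence
    mitigation: str   # "avoid", "control", "transfer" or "accept"

def inherent_risk(item):
    """Risk before mitigation: likelihood x impact on the ordinal scale."""
    return SCALE[item.likelihood] * SCALE[item.impact]

def residual_exposure(item):
    """Exposure left after the mitigation strategy from the Note is applied."""
    if item.mitigation == "avoid":      # threat no longer applies (link not deployed)
        return 0.0
    if item.mitigation == "control":    # controls lower likelihood two steps (assumed)
        return float(max(SCALE[item.likelihood] - 2, 1) * SCALE[item.impact])
    if item.mitigation == "transfer":   # insurance absorbs most of the impact
        return inherent_risk(item) * TRANSFER_RETAINED
    if item.mitigation == "accept":     # Board accepts the inherent risk unchanged
        return float(inherent_risk(item))
    raise ValueError(f"unknown mitigation strategy: {item.mitigation}")

def assess(register):
    """Assessment result per threat: inherent risk, residual exposure, and whether
    the residual exposure still exceeds the acceptable level."""
    return [{"threat": r.threat, "inherent": inherent_risk(r), "residual": residual_exposure(r),
             "needs_more_mitigation": residual_exposure(r) > ACCEPTABLE_EXPOSURE}
            for r in register]

# Constructed register built from the microwave-specific risks this page lists.
MICROWAVE_REGISTER = [
    RiskItem("customer transaction traffic", "signal interception", "medium", "high", "control"),
    RiskItem("primary WAN path", "interference on unlicensed spectrum", "high", "medium", "control"),
    RiskItem("antenna and radio equipment", "lightning strike", "low", "high", "transfer"),
    RiskItem("primary WAN path", "slow vendor repair response", "medium", "medium", "accept"),
]
```

Running `assess(MICROWAVE_REGISTER)` flags the interference and vendor-response items as still above the acceptable level, which is the signal that the mitigation strategy for those threats needs revisiting before the link goes into service.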
RISKS SPECIFIC TO MICROWAVES
Security
- What is the risk of signal interception?
- Is the equipment used for signal interception inexpensive and easy to buy on the street, or is it more specialized and does interception require more knowledge?
- Is encryption used? Is it, unlike WEP, a trusted encryption scheme?
- Is the transmission secured to endpoints located in a secure, controlled location?
- How will encryption keys be handled? Are they secure?
Stability
- How susceptible is the signal to interference, both atmospheric and man-made noise?
- If using an unlicensed spectrum, what is the risk of someone else using the same spectrum, thus causing interference? Should a licensed spectrum be used?
Disaster recovery
- Risk of lightning: surge suppression equipment is needed to protect the network if lightning hits the antenna.
- Other risks that might affect the availability of the microwave network.
OTHER CONSIDERATIONS
- Are zoning, permit requirements, or other legal restrictions on antennas considered?
- Was a spectrum analysis completed before installation to see if there were conflicting signals?
- If this is going to be the bank's primary WAN telecommunications path, which is critical to operations, does the bank have a contingency plan?
- Is there a service contract? What is the response time of the vendor or repair personnel if there are problems?
- What is the availability of equipment if repairs are needed? The bank may need to consider having spare equipment onsite or otherwise readily available.
- Microwave network performance levels should be monitored to ensure that the performance meets business requirements (uptime or availability monitoring).
- After completion, testing should be performed to ensure that the signal is in fact encrypted and that the connections are operating properly.