S 2.387 Installation, configuration, and support service for a WLAN by third party
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT, Administrator
If a WLAN is to be installed, configured or supported by an external contractor, then the points described below must be taken into account for the WLAN in addition to the recommendations in module S 1.11 Outsourcing:
- It should always be checked whether the WLAN installation can be performed in-house or by the organisation's own employees. A feasibility study and a cost study should be performed for this purpose.
- The security strategy and the security policy should always be created by the organisation itself and not by third parties. This ensures that someone in the organisation deals with the security aspects of WLANs and that no necessary security safeguards are forgotten. It does make sense to use consulting services and the services offered by third parties when there are no resources available for this internally.
- When awarding the contract for a WLAN installation, a detailed requirements specification must be created. It must contain all minimum requirements for the WLAN components and precisely define all network components connected to the WLAN, etc. The requirements specification should be used as the basis for the contract when awarding the contract to an external contractor, and serves later on as the basis for the tests conducted for approval.
- The contractor is to be provided with the security strategy and the security policy for the use of WLANs. The contractor must be obliged in the contract to follow and implement these policies and strategies. The performance of the services agreed to in the contract must be checked regularly to enable early detection of any possible problems. The security strategy and the security policy should be a permanent part of the requirements specification.
- The contractor should possess extensive and, ideally, many years of experience in the installation and securing of WLANs. The corresponding references must be submitted, and random spot checks of the references must be made.
- The contractor must promise in the contract that he/she will not pass the configuration of the WLAN and of the WLAN components, or any passwords, connection keys, access codes and access mechanisms, on to any unauthorised persons. Likewise, the contractor should be made to promise that any information or data that he/she may obtain knowledge of through working on the rest of the network will not be stored temporarily or handed over to any unauthorised persons.
- Before the contractor installs the WLAN, corresponding tests must be performed. The tests should test all planned security settings in detail. During this phase, any LANs connected to the WLAN are especially at risk and should be secured accordingly.
- It must be ensured that no back doors are built into the WLAN by the contractor while the contractor is installing the WLAN. All settings and configurations must be documented accurately by the contractor and handed over in full to the client upon completion of the installation.
- After finishing the installation, the approval process should be performed based on the specifications. Furthermore, the execution documentation created from the requirements specification after awarding the contract serves as the basis for testing, since this documentation may specify, for example, methods for taking measurements during the approval process.
- The WLAN installation should be approved with the help of an independent expert so that the technical details can also be checked precisely.
- If a wireless IDS was also purchased, then tests must be conducted in the appropriate test scenarios, which must have been specified in advance of the tendering for bids. In this case, it makes sense to first operate the WLAN in a test environment. The tests should also verify whether the entire monitoring area is actually being monitored by the WLAN sensors. In addition, various malfunctions should be simulated.
- One of the main points of emphasis during approval is checking the documentation for completeness and any possible inconsistencies.
- If the WLAN is also to be supported after installation by an external contractor, then the contractor must also be obligated in the contract to not pass any information such as passwords, sensitive data, configuration settings, etc., on to unauthorised persons. Likewise, a contingency plan should also be created together with the contractor. When creating the contingency plan, the severity, the reaction time, the corresponding steps to take, and who must be informed in case of an emergency must be precisely defined for each possible problem that could occur in the WLAN.
Review questions:
- Has the contractor been provided with the security strategy and the security policy for WLAN usage?
- Was a contingency plan for problems in the WLAN created together with the contractor?