FIPS PUB 191
3 RISK MANAGEMENT
A systematic approach should be used to determine appropriate LAN security measures.
Deciding how to address security, where to implement security on the LAN, and the type and
strength of the security controls requires considerable thought. This section will address the issues
involving risk management of a LAN. The elements that are common to most risk management
processes will be examined in terms of the unique properties of a LAN that may require special
considerations beyond the risk process of a centralized system or application. In presenting this
information, a simple risk management methodology will be introduced that may be considered
as a candidate among the different methodologies and techniques that are currently available.
It is the reader's task to determine the appropriate level of protection required for his or her
LAN. This is accomplished through risk management. [KATZ92] defines risk management as
the process of:
estimating potential losses due to the use of or dependence upon automated information
system technology,
analyzing potential threats and system vulnerabilities that contribute to loss estimates, and
selecting cost effective safeguards that reduce risk to an acceptable level.
There are many risk management methodologies that an organization may use. However, all
should incorporate the process defined above.
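The three steps quoted above (estimate losses, analyze the threats and vulnerabilities behind them, select cost-effective safeguards until risk is acceptable) can be made concrete with a small model. The following is an added example, not code or figures from FIPS 191 or [KATZ92]; the annualized-loss arithmetic (loss per event times expected events per year), the greedy selection rule, and every threat, safeguard and dollar figure are assumptions constructed for illustration.

```python
"""Toy quantitative LAN risk model for the three [KATZ92] steps.

Added example, not from FIPS 191 or [KATZ92]. The annualized-loss
arithmetic (loss per event times events per year), the greedy selection
rule and all figures below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    """A threat/vulnerability pair and the loss it would cause on the LAN."""
    name: str
    loss_per_event: float   # estimated loss in dollars if it occurs once
    events_per_year: float  # estimated annual frequency (may be fractional)

    def annual_loss(self) -> float:
        return self.loss_per_event * self.events_per_year


@dataclass
class Safeguard:
    """A candidate control with its yearly cost and, per threat name, the
    fraction (0..1) by which it reduces that threat's expected loss."""
    name: str
    annual_cost: float
    reduction: dict


def total_annual_loss(threats, safeguards):
    """Steps 1 and 2: expected yearly loss with the given safeguards in place.
    Reductions from several safeguards on one threat compound multiplicatively."""
    total = 0.0
    for t in threats:
        remaining = 1.0
        for s in safeguards:
            remaining *= 1.0 - s.reduction.get(t.name, 0.0)
        total += t.annual_loss() * remaining
    return total


def select_safeguards(threats, candidates, acceptable_annual_loss):
    """Step 3: repeatedly add the safeguard with the largest net benefit
    (loss avoided minus its annual cost) until residual loss is acceptable
    or no remaining candidate pays for itself. Returns (chosen, residual)."""
    chosen = []
    remaining = list(candidates)
    residual = total_annual_loss(threats, chosen)
    while residual > acceptable_annual_loss and remaining:
        best, best_net = None, 0.0
        for s in remaining:
            new_residual = total_annual_loss(threats, chosen + [s])
            net = (residual - new_residual) - s.annual_cost
            if net > best_net:
                best, best_net = s, net
        if best is None:
            break  # nothing left is cost-effective; residual must be accepted
        chosen.append(best)
        remaining.remove(best)
        residual = total_annual_loss(threats, chosen)
    return chosen, residual


# Constructed sample input (assumed figures, not from the page).
THREATS = [
    Threat("reusable password compromise", loss_per_event=50_000, events_per_year=0.5),
    Threat("file server disk failure", loss_per_event=20_000, events_per_year=1.0),
    Threat("eavesdropping on LAN segment", loss_per_event=80_000, events_per_year=0.1),
]
CANDIDATES = [
    Safeguard("one-time password tokens", 6_000, {"reusable password compromise": 0.9}),
    Safeguard("nightly file-server backups", 3_000, {"file server disk failure": 0.8}),
    Safeguard("link encryption", 15_000, {"eavesdropping on LAN segment": 0.95}),
    Safeguard("perimeter firewall", 40_000, {"reusable password compromise": 0.5}),
]
ACCEPTABLE_ANNUAL_LOSS = 10_000.0


def run_example():
    """Return the names of the selected safeguards and the residual annual loss."""
    chosen, residual = select_safeguards(THREATS, CANDIDATES, ACCEPTABLE_ANNUAL_LOSS)
    return [s.name for s in chosen], residual


if __name__ == "__main__":
    names, residual = run_example()
    print("baseline annual loss:", total_annual_loss(THREATS, []))
    print("selected:", names)
    print("residual annual loss:", round(residual, 2),
          "(acceptable:", ACCEPTABLE_ANNUAL_LOSS, ")")
```

With these assumed figures the baseline expected loss is 53,000 per year; the tokens and the backups each avoid more loss than they cost and are selected, while link encryption avoids 7,600 but costs 15,000 and the firewall addresses a threat already mostly mitigated. The loop therefore stops at a residual of about 14,500, above the acceptable level. That outcome is the point of the exercise: the method tells management either to accept the residual risk explicitly or to look for a cheaper control, rather than buying safeguards that cost more than the loss they prevent.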
3.1 Current Approaches
One of the most important considerations in choosing a methodology or technique is that the
results obtained from the risk assessment be useful in providing LAN security.
If the methodology is too complicated to use, if it requires input data that is too detailed, or if it
produces results that are too intricate to infer what the risk to the LAN actually is, the
methodology will not be useful and will not lead to effective LAN security. On the other hand,
if the methodology does not allow for reasonable granularity in its definition of variables such
as loss, likelihood and cost, the results produced may be too simple and may not reflect the true
risk to the LAN. Those responsible within the organization should adopt the risk assessment
approach that provides a technique that is understandable, easily used, and produces results that
help the organization to effectively secure its LANs.
In 1979, NIST published FIPS 65 [FIPS65] which described a quantitative method for performing
risk analysis. This document was issued as a guideline and not a standard. Therefore, the use
of FIPS 65 is not mandatory for performing risk analysis. [KATZ92] points out that its primary