FIPS PUB 191
is that the user is not only provided with a risk analysis methodology, but also with an awareness
and understanding of the agency policies from which the baseline controls have been derived. In organizations
where the responsibility for security resides with someone who is not a security practitioner, this
approach may provide enough knowledge and direction to achieve effective security.

Other methodologies and approaches are available. Some require a manual process; others are
implemented in software. Whatever risk analysis method is chosen by an organization, it must
help the organization implement effective LAN security and thus reduce the risk to the LAN.
3.2 Participants
LAN security should address the concerns and needs of the organization as a whole. This
perspective can only be obtained by including representatives from relevant areas of the
organization. Minimally this should include:
- LAN Management is responsible for the operation of the LAN. LAN Management can
provide the risk assessment group the correct LAN configurations, including hardware,
software, data, and functionality mapping. LAN Management can also determine the
immediate impacts that can occur if a threat is realized.

- Organizational Management is responsible for supporting the LAN security policy by
providing funding to implement required security services and making a commitment to
ensure compliance with policy goals. Organizational management has the proper perspective
in assessing the long-term consequences to the organization if a threat is realized.

- Security Personnel are responsible for ensuring that organizational security policies are
developed and adhered to.

- Data and Application Owners are responsible for ensuring that their data and applications
are adequately protected and are available to authorized users.

- LAN Users are responsible for providing accurate information about their applications, data
and LAN usage.
The above list generally represents those individuals involved in the risk analysis of most
computer systems and applications (with the exception of LAN management if there is no
network). What is unique about this list with regard to forming a team to assess LAN risks is
that each group listed above may be multiplied to account for each part of an organization the
LAN serves, each application that is processed on the LAN, and for the different requirements
and mandates that are in place throughout the organization. The requirements of the "LAN
owner", together with the needs of the many data and application owners, all have to be considered.