
FIPS PUB 191

The ultimate goal of effective overall LAN security may not be met if strong team leadership is not in place from the beginning. For example, organizations that lack strong centralized management of the LAN may have a difficult time assessing needs in any hierarchical manner, since each local manager or application owner may view his needs as a priority over those of other local managers and application owners, regardless of what the risk analysis results indicate. Initially, those within the organization charged with performing the risk analysis need to make some determination regarding the proposed scope and boundary of the risk analysis. With this information, the necessary participants in the risk process can be chosen.

3.3 Elements of Risk Management

Operation of a LAN involves risk. The term risk management is commonly used to define the process of determining risk, applying controls to reduce the risk, and then determining if the residual risk is acceptable. Risk management supports two goals: measuring risk (risk assessment) and selecting appropriate controls that will reduce risk to an acceptable level (risk mitigation). Issues that should be addressed when assessing LAN security include:

1. Assets - What should be protected?
2. Threats - From what do the assets need protection, and what is the likelihood that a threat will occur?
3. Impacts - What are the immediate damages if the threat is realized (e.g., disclosure of information, modification of data)?
4. Consequences - What are the long-term effects of the threat being realized (e.g., damage to the reputation of the organization, loss of business)?
5. Controls - What are the effective security measures (security services and mechanisms) needed to protect the assets?
6. Risk - After implementation of the security controls, is the remaining risk acceptable?

The goal of risk assessment is to determine the risk to the LAN.
The risk assessment process is conducted in two steps. The first step defines the boundary of the environment, determines the scope of the assessment, and selects the appropriate methodology to use. In step two the risk analysis is conducted. The risk analysis can be broken down into asset identification, threat and vulnerability identification, likelihood assessment, and risk measure. The goal of risk mitigation is to apply effective security controls such that the residual risk to