
FIPS PUB 191

the LAN is acceptable. Risk mitigation involves three steps: determining those areas where risk is unacceptable; selecting effective safeguards; and evaluating the controls and determining if the residual risk to the LAN is acceptable.

Figure 3.1 - Risk Management Process
1. Define the Scope and Boundary, and Methodology
2. Identify and Value Assets
3. Identify Threats and Determine Likelihood
4. Measure Risk
5. Select Appropriate Safeguards
6. Implement and Test Safeguards
7. Accept Residual Risk

Organizations can select from a variety of risk management methodologies. The goal is for an organization to choose the most effective approach for the organization. The methodology discussed here consists of seven processes (outlined in Figure 3.1).

3.4 Risk Assessment

3.4.1 Process 1 - Define the Scope and Boundary, and Methodology

This process determines the direction that the risk management effort will take. It defines how much of the LAN (the boundary) and in how much detail (the scope) the risk management process should entail. The boundary will define those parts of the LAN that will be considered. The boundary may include the LAN as a whole or parts of the LAN, such as the data communications function, the server function, the applications, etc. Factors that determine the boundary may be based on LAN ownership, management or control. Placing the boundary around a part of the LAN controlled elsewhere may result in cooperation problems that may lead to inaccurate results. This problem stresses the need for cooperation among those involved with the ownership and management of the different parts of the LAN, as well as the applications and information processed on it.

The scope of the risk management effort must also be defined. The scope can be thought of as a logical outline showing, within the boundary, the depth of the risk management process. The scope distinguishes the different areas of the LAN (within the boundary) and the different levels of detail used during the risk management process. For example, some areas may be considered at a higher or broader level, while other areas may be treated in depth and with a narrow focus.

For smaller LANs, the boundary may be the LAN as a whole, and the scope may define a consistent level of detail throughout the LAN. For larger LANs, an organization may decide to place the boundary around those areas that it controls and to define the scope to consider all areas within the boundary. However, the focus on data communications, external connections, and certain applications might be more narrow. Changes in the LAN configuration, the addition of external connections, or updates or upgrades to LAN software or applications may influence the scope.

The appropriate risk management methodology for the LAN may have been determined prior to