---

---

FIPS PUB 191 defining the boundary and scope.   If the methodology has already been determined, then it may be  useful  to  scrutinize  the  chosen  methodology  given  the  defined  boundary  and  scope.    If  a methodology has not been chosen, the boundary and scope information may be useful in selecting a methodology that produces the most effective results. 3.4.2 Process 2 - Identify and Value Assets Asset valuation identifies and assigns value to the assets of the LAN.  All parts of the LAN have value  although  some  assets  are  definitely  more  valuable  than  others.   This  step  gives  the  first indication of those areas where focus should be placed.   For LANs that produce large amounts of  information  that  cannot  be  reasonably  analyzed,  initial  screening  may  need  to  be  done. Defining and valuing assets may allow the organization to initially decide those areas that can be filtered downward and those areas that should be flagged as a high priority. Different  methods  can  be  used  to  identify  and  value  assets.  The  risk  methodology  that  an organization chooses may provide guidance in identifying assets and should provide a technique for valuing assets.   Generally assets can be valued based on the impact and consequence to the organization.   This would include not only the replacement cost of the asset, but also the effect on the organization if the asset is disclosed, modified, destroyed or misused in any other way. Because the value of an asset should be based Figure 3.2 - Simple Asset Valuation The value of the asset can be   represented in terms of the potential loss.   This loss can be based on the replacement value, the immediate impact of the loss, and the consequence.   One of the simplest valuing techniques to indicate the loss of an asset is to use a  qualitative  ranking  of    high,  medium  and  low. Assigning    values    to    these    rankings    (3=high, 2=medium,   and   1=low)   can   assist   in   the   risk measure process. on   more   than   just   the   replacement   cost, valuing assets is one of the most subjective of the processes.   However, if asset valuation is done  with  the  goal  of  the  process  in  mind, that is, to define assets in terms of a hierarchy of importance or criticality, the relativeness of the   assets   becomes   more   important   than placing the "correct"   value on them. The   risk   assessment   methodology   should define  the  representation  of  the  asset  values. Purely   quantitative   methodologies   such   as FIPS  65  may  use  dollar  values.  However  having  to  place  a  dollar  value  on  some  of  the consequences that may occur in today’s environments may be sufficient to change the perception of the risk management process from being challenging to being unreasonable. Many  risk  assessment  methodologies  in  use  today  require  asset  valuation  in  more  qualitative terms.    While  this  type  of  valuation  may  be  considered  more  subjective  than  a  quantitative approach, if the scale used to value assets is utilized consistently throughout the risk management process, the results produced should be useful.   Figure 3.2 shows one of the   simplest methods 31