fips191_29
FIPS PUB 191
defining the boundary and scope. If the methodology has already been determined, then it may
be useful to scrutinize the chosen methodology given the defined boundary and scope. If a
methodology has not been chosen, the boundary and scope information may be useful in selecting
a methodology that produces the most effective results.
3.4.2 Process 2 - Identify and Value Assets
Asset valuation identifies and assigns value to the assets of the LAN. All parts of the LAN have
value although some assets are definitely more valuable than others. This step gives the first
indication of those areas where focus should be placed. For LANs that produce large amounts
of information that cannot be reasonably analyzed, initial screening may need to be done.
Defining and valuing assets may allow the organization to initially decide those areas that can
be filtered downward and those areas that should be flagged as a high priority.
Different methods can be used to identify and value assets. The risk methodology that an
organization chooses may provide guidance in identifying assets and should provide a technique
for valuing assets. Generally assets can be valued based on the impact and consequence to the
organization. This would include not only the replacement cost of the asset, but also the effect
on the organization if the asset is disclosed, modified, destroyed or misused in any other way.
Because the value of an asset should be based
Figure 3.2 - Simple Asset Valuation
The value of the asset can be represented in terms
of the potential loss. This loss can be based on the
replacement value, the immediate impact of the loss,
and the consequence. One of the simplest valuing
techniques to indicate the loss of an asset is to use
a qualitative ranking of high, medium and low.
Assigning values to these rankings (3=high,
2=medium, and 1=low) can assist in the risk
measure process.
on more than just the replacement cost,
valuing assets is one of the most subjective of
the processes. However, if asset valuation is
done with the goal of the process in mind,
that is, to define assets in terms of a hierarchy
of importance or criticality, the relativeness of
the assets becomes more important than
placing the "correct" value on them.
The risk assessment methodology should
define the representation of the asset values.
Purely quantitative methodologies such as
FIPS 65 may use dollar values. However having to place a dollar value on some of the
consequences that may occur in todays environments may be sufficient to change the perception
of the risk management process from being challenging to being unreasonable.
Many risk assessment methodologies in use today require asset valuation in more qualitative
terms. While this type of valuation may be considered more subjective than a quantitative
approach, if the scale used to value assets is utilized consistently throughout the risk management
process, the results produced should be useful. Figure 3.2 shows one of the simplest methods
31