
FIPS PUB 191

for valuing assets. Throughout this discussion of the risk management process, a simple technique for valuing assets (as shown in Figure 3.2), determining risk measure, estimating safeguard cost, and determining risk mitigation will be presented. This technique is a simple, yet valid technique; it is being used here to show the relationship between the processes involved in risk management. The technique is not very granular and may not be appropriate for environments where replacement costs, sensitivities of information and consequences vary widely.

One of the implicit outcomes of this process is that a detailed configuration of the LAN, as well as its uses, is produced. This configuration should indicate the hardware incorporated, major software applications used, significant information processed on the LAN, as well as how that information flows through the LAN. The degree of knowledge of the LAN configuration will depend on the defined boundary and scope. Figure 3.3 exemplifies some of the areas that should be included.

Figure 3.3 - Defining the LAN Configuration

Hardware configuration - includes servers, workstations, PCs, peripheral devices, external connections, cabling maps, bridges or gateway connections, etc.

Software configuration - includes server operating systems, workstation and PC operating systems, the LAN operating system, major application software, software tools, LAN management tools, and software under development. This should also include the location of the software on the LAN and from where it is commonly accessed.

Data - Includes a meaningful typing of the data processed and communicated through the LAN, as well as the types of users who generally access the data. Indications of where the data is accessed, stored and processed on the LAN are important. Attention to the sensitivity of the data should also be considered.

After the LAN configuration is completed, and the assets are determined and valued, the organization should have a reasonably correct view of what the LAN consists of and what areas of the LAN need to be protected.

3.4.3 Process 3 - Identify Threats and Determine Likelihood

The outcome of this process should be a strong indication of the adverse actions that could harm the LAN, the likelihood that these actions could occur, and the weaknesses of the LAN that can be exploited to cause the adverse action. To reach this outcome, threats and vulnerabilities need to be identified and the likelihood that a threat will occur needs to be determined.

Large amounts of information on various threats and vulnerabilities exist. The Reference and Further Reading Sections of this document provide some information on LAN threats and vulnerabilities. Some risk management methodologies also provide information on potential threats and vulnerabilities. User experience and LAN management experience also provide insight into threats and vulnerabilities.