FIPS PUB 191
for valuing assets.
Throughout this discussion of the risk management process, a simple technique for valuing assets (as shown in Figure 3.2), determining risk measure, estimating safeguard cost, and determining risk mitigation will be presented. This technique is simple yet valid; it is used here to show the relationship between the processes involved in risk management. The technique is not very granular and may not be appropriate for environments where replacement costs, sensitivities of information and consequences vary widely.
One of the implicit outcomes of this process is that a detailed configuration of the LAN, as well as its uses, is produced. This configuration should indicate the hardware incorporated, major software applications used, significant information processed on the LAN, as well as how that information flows through the LAN. The degree of knowledge of the LAN configuration will depend on the defined boundary and scope. Figure 3.3 exemplifies some of the areas that should be included.

Figure 3.3 - Defining the LAN Configuration

Hardware configuration - includes servers, workstations, PCs, peripheral devices, external connections, cabling maps, bridges or gateway connections, etc.

Software configuration - includes server operating systems, workstation and PC operating systems, the LAN operating system, major application software, software tools, LAN management tools, and software under development. This should also include the location of the software on the LAN and from where it is commonly accessed.

Data - includes a meaningful typing of the data processed and communicated through the LAN, as well as the types of users who generally access the data. Indications of where the data is accessed, stored and processed on the LAN are important. The sensitivity of the data should also be considered.

After the LAN configuration is completed, and the assets are determined and valued, the organization should have a reasonably correct view of what the LAN consists of and what areas of the LAN need to be protected.
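The configuration inventory in Figure 3.3 is only useful if its three parts agree with each other. The following added example (not part of FIPS PUB 191) models a small inventory with constructed sample data and runs two checks a reviewer would want: every host that software or data refers to must appear in the hardware list (otherwise the defined boundary is incomplete), and every host that stores or processes sensitive data is listed as an area needing protection. The hostnames, data types and the high/medium/low sensitivity scale are assumptions made for the example.

```python
"""Consistency checks over a Figure 3.3 style LAN configuration inventory.

All hosts, software and data below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    kind: str                      # server, workstation, PC, gateway, ...


@dataclass
class Software:
    name: str
    located_on: str                # host where the software resides
    accessed_from: list[str] = field(default_factory=list)


@dataclass
class DataType:
    name: str
    sensitivity: str               # assumed scale: "low", "medium", "high"
    stored_on: list[str]
    processed_on: list[str]
    user_groups: list[str]         # types of users who generally access it


def unknown_hosts(hosts, software, data):
    """Hosts referenced by software or data but missing from the hardware list."""
    known = {h.name for h in hosts}
    refs = {s.located_on for s in software}
    refs |= {a for s in software for a in s.accessed_from}
    refs |= {h for d in data for h in d.stored_on + d.processed_on}
    return sorted(refs - known)


def protection_targets(data, min_sensitivity="high"):
    """Map each host holding data at or above min_sensitivity to that data."""
    rank = {"low": 0, "medium": 1, "high": 2}
    targets: dict[str, set[str]] = {}
    for d in data:
        if rank[d.sensitivity] >= rank[min_sensitivity]:
            for h in set(d.stored_on + d.processed_on):
                targets.setdefault(h, set()).add(d.name)
    return {h: sorted(v) for h, v in sorted(targets.items())}


# Constructed inventory: ws-eng-07 is deliberately absent from the hardware list.
HOSTS = [Host("fileserver1", "server"), Host("ws-finance-01", "workstation"), Host("gw-ext", "gateway")]
SOFTWARE = [Software("payroll-app", "fileserver1", ["ws-finance-01"]),
            Software("dev-tool", "ws-eng-07")]
DATA = [DataType("payroll records", "high", ["fileserver1"], ["ws-finance-01"], ["finance"]),
        DataType("public notices", "low", ["fileserver1"], ["gw-ext"], ["all"])]

if __name__ == "__main__":
    print("referenced but not inventoried:", unknown_hosts(HOSTS, SOFTWARE, DATA))
    print("hosts holding sensitive data:", protection_targets(DATA))
```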
3.4.3 Process 3 - Identify Threats and Determine Likelihood
The outcome of this process should be a strong indication of the adverse actions that could harm the LAN, the likelihood that these actions could occur, and the weaknesses of the LAN that can be exploited to cause the adverse action. To reach this outcome, threats and vulnerabilities need to be identified and the likelihood that a threat will occur needs to be determined.

Large amounts of information on various threats and vulnerabilities exist. The Reference and Further Reading Sections of this document provide some information on LAN threats and vulnerabilities. Some risk management methodologies also provide information on potential threats and vulnerabilities. User experience and LAN management experience also provide insight into threats and vulnerabilities.