
FIPS PUB 191

The relationship between risk acceptance testing and safeguard selection can be iterative. Initially, the organization needs to order the different risk levels that were determined during the risk assessment. Along with this, the organization needs to decide the amount of residual risk that it will be willing to accept after the selected safeguards are implemented. These initial risk acceptance decisions can be factored into the safeguard selection equation. When the properties of the candidate safeguards are known, the organization can reexamine the risk acceptance test measures and determine whether the residual risk is achieved, or alter the risk acceptance decisions to reflect the known properties of the safeguards. For example, there may be risks that are determined to be too high. However, after reviewing the available safeguards, it may be realized that the currently offered solutions are very costly and cannot be easily implemented into the current configuration and network software. This may force the organization into either expending the resources to reduce the risk, or deciding through risk acceptance that the risk will have to be accepted because it is currently too costly to mitigate.

Many sources exist that can provide information on potential safeguards (see the Reference and Further Reading sections). The methodology discussed here defines safeguards in terms of security services and mechanisms. A security service is the sum of mechanisms, procedures, etc. that are implemented on the LAN to provide protection. The security services (and mechanisms) provided in Section 2 can be used as a starting point.
The security services should be related to the threats defined in the risk assessment. In most cases the need for a specific service should be readily apparent. If the risk acceptance results indicate that a risk is acceptable (i.e., existing mechanisms are adequate), then there is no need to apply additional mechanisms to the service that already exists.

After the needed security services are determined, consider the list of security mechanisms for each service. For each security service selected, determine the candidate mechanisms that would best provide that service. Using the threat/vulnerability/risk relationships developed in the previous processes, choose those mechanisms that could potentially reduce or eliminate the vulnerability and thus reduce the risk of the threat. In many cases, a threat/vulnerability relationship will yield more than one candidate mechanism. For example, the vulnerability of using weak passwords could be reduced by using a password generator mechanism, by using a token-based mechanism, etc. Choosing the candidate mechanisms is a

Figure 3.7 - Comparing Risk and Cost

To calculate risk/cost relationships, use the risk measure and the cost measure associated with each threat/mechanism relationship and create a ratio of the risk to the cost (i.e., risk/cost). A ratio that is less than 1 will indicate that the cost of the mechanism is greater than the risk associated with the threat. This is generally not an acceptable situation (and may be hard to justify) but should not be automatically dismissed. Consider that the risk value is a function of both the loss measure and the likelihood measure. One or both of these may represent something so critical about the asset that the costly mechanism is justified. This situation may occur when using simple methodologies such as this one.
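The risk/cost comparison of Figure 3.7 together with the risk acceptance rule (no additional mechanism where existing ones already hold the risk at the accepted level), as an added Python example that is not part of FIPS PUB 191; the risk and cost measures, the accepted-risk level and the sample threats are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not FIPS PUB 191's own method; the numbers are constructed
# stand-ins for the risk and cost measures an organization assigns itself.

@dataclass(frozen=True)
class Candidate:
    threat: str      # threat/vulnerability pair from the risk assessment
    mechanism: str   # candidate safeguard for that pair
    risk: float      # risk measure of the threat (function of loss and likelihood)
    cost: float      # cost measure of implementing the mechanism

def risk_cost_ratio(risk: float, cost: float) -> float:
    """risk/cost for one threat/mechanism relationship (Figure 3.7).
    Below 1 the mechanism costs more than the risk it reduces: flag it for
    justification rather than dismissing it automatically."""
    if cost <= 0:
        raise ValueError("cost measure must be positive")
    return risk / cost

def select_safeguards(candidates, accepted_risk):
    """Rank candidate mechanisms per threat by risk/cost, best first.
    Returns {threat: [(mechanism, ratio, needs_justification), ...]}; a threat
    already within the accepted residual risk level maps to [], meaning the
    existing mechanisms are adequate and nothing more is applied."""
    by_threat = {}
    for c in candidates:
        by_threat.setdefault(c.threat, []).append(c)
    selection = {}
    for threat, group in by_threat.items():
        if max(c.risk for c in group) <= accepted_risk:
            selection[threat] = []   # risk acceptance: no additional mechanism
            continue
        ranked = sorted(group, key=lambda c: risk_cost_ratio(c.risk, c.cost),
                        reverse=True)
        selection[threat] = [
            (c.mechanism, round(risk_cost_ratio(c.risk, c.cost), 2),
             risk_cost_ratio(c.risk, c.cost) < 1) for c in ranked]
    return selection

# Constructed sample input: a weak-password vulnerability with two candidate
# mechanisms, plus one threat whose risk is already at the accepted level.
SAMPLE_CANDIDATES = [
    Candidate("weak passwords", "password generator", risk=6, cost=2),
    Candidate("weak passwords", "token-based authentication", risk=6, cost=8),
    Candidate("unused guest account", "periodic account review", risk=2, cost=1),
]
```

With an accepted residual risk of 2, the token-based mechanism is kept in the ranking but flagged (ratio 0.75) so the organization must justify it explicitly, while the guest-account threat needs no new mechanism.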