fips191_35
FIPS PUB 191
subjective process that will vary from one LAN implementation to another. Not every
mechanism presented in Section 2 is feasible for use in every LAN. In order for this process to
be beneficial, some filtering of the mechanisms presented needs to be made during this step.
Selecting appropriate safeguards is a subjective process. When considering the cost measure of
the mechanism, it is important that the cost of the safeguard be related to the risk measure to
determine if the safeguard will be cost-effective. The methodology chosen by the organization
should provide a measure for representing costs that is consistent with the measures used for
representing the other variables determined so far.
Figure 3.6 shows a cost measure that is
consistent with the other measuring examples presented. This cost measuring method, while
appearing to only consider the cost of the safeguard, can have the other factors mentioned above
factored in.
When a measure (or cost) is assigned to the safeguard, it can be compared to the other measures
in the process. The safeguard measure can be compared to the risk measure (if it consists of one
value, as shown in Figure 3.7) or the components of the risk measure. There are different ways
to compare the safeguard measure to the risk measure. The risk management methodology
chosen by the organization should provide a method to select those effective safeguards that will
reduce the risk to the LAN to an acceptable level.
3.5.2 Process 6 - Implement And Test Safeguards
The implementation and testing of safeguards should be done in a structured manner. The goal
of this process is to ensure that the safeguards are implemented correctly, are compatible with
other LAN functionalities and safeguards, and provide expected protection.
This process begins by developing a plan to implement the safeguards. This plan should consider
factors such as available funding, users learning curve, etc. A testing schedule for each
safeguard should be incorporated into this plan. This schedule should show how each safeguard
interacts or effects other safeguards (or mechanisms of some other functionality). The expected
results (or the assumption of no conflict) of the interaction should be detailed. It should be
recognized that not only is it important that the safeguard perform functionally as expected and
provide the expected protections, but that the safeguard does not contribute to the risk of the
LAN through a conflict with some other safeguard or functionality.
Each safeguard should first be tested independently of other safeguards to ensure that it provides
the expected protection. This may not be relevant to do if the safeguard is designed to interwork
with other safeguards. After testing the safeguard independently, the safeguard should be tested
with other safeguards to ensure that it does not disrupt the normal functioning of those existing
safeguards. The implementation plan should account for all these tests and should reflect any
problems or special conditions as a result of the testing.
37