Where Should an Organization Start with Risk Mitigation?

An organization should start by identifying its assets. An asset inventory helps it determine the value of its systems, services, and data. The value of an asset can be expressed in monetary terms or relatively; for example, values such as high, medium, and low can be assigned to assets. These values do not simply equal the cost of the equipment. They also reflect the possible business impact if the asset were damaged, taken offline, or lost. The value is not a calculated impact of any particular risk, because that impact can change dramatically from one threat to the next; that assessment comes later in the process.

As an example, an asset inventory might produce the following priorities:

  • Database servers—High
  • File servers—High
  • Email servers—High
  • Network infrastructure—High
  • Web server—Medium
  • User desktop systems—Medium
  • User laptops—Low

NOTE

This list isn’t intended to be a complete list of all assets. Instead, it provides a sample of how an organization may prioritize its assets.

Next, threats and vulnerabilities are identified and analyzed through threat assessments, vulnerability assessments, and exploit assessments. A threat and vulnerability assessment can be performed on each asset in the inventory.

For example, an assessment of the database servers could start in several ways. One way is to return to the basics of confidentiality, integrity, and availability and ask some questions:

  • Loss of confidentiality—Is the data sensitive? Are access controls in place? Should the data be encrypted at rest? Should it be encrypted in transit?
  • Loss of integrity—Can the database recover from a power loss without corrupted or lost transactions? Are data versions required? Is the configuration of the database documented? Are change management practices followed?
  • Loss of availability—Are reliable backups performed regularly? Are copies of backups stored off-site? Are backups tested to verify that they can actually be restored? During what hours must the data be available? Are redundant drives used? Are failover clusters required?

The questions will differ for each asset. The concerns when examining the network infrastructure, for example, are not the same as the concerns when examining a database server, so the questions used to identify the areas of concern must be tailored to each asset.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 documents an extensive catalog of security controls, organized into control families such as Access Control, Audit and Accountability, and Contingency Planning. A good way to ensure that the right questions are asked is to step through the SP 800-53 control families one by one and, for each control, decide whether it applies to the organization and the asset being assessed. Controls that apply should be included in the plan for risk mitigation.

Next, the controls are evaluated to determine which ones should be implemented. A significant part of this step is the cost-benefit analysis (CBA), which is covered later in this chapter.
