An organization should start by identifying its assets. An asset inventory helps it determine the value of its systems, services, and data. The value of the assets can be monetary or relative. For example, values such as high, medium, and low can be assigned to assets. These values do not equate only to the cost of equipment; they also reflect the possible business impact if the assets were damaged, offline, or lost. The value is not the calculated impact of any particular risk, because that impact can change dramatically from one issue to the next; that assessment comes later.
As an example, an asset inventory might produce the following priorities:
This list isn’t intended to be a complete list of all assets. Instead, it provides a sample of how an organization may prioritize its assets.
Next, the threats and vulnerabilities are identified and analyzed, which is done with threat assessments, vulnerability assessments, and exploit assessments. A threat and vulnerability assessment can be performed on each asset.
For example, an assessment of the database servers could begin in several ways. One way is to start with the basics and ask some questions:
The questions asked will differ from one asset to another. For example, the concerns when examining the network infrastructure differ from those when examining a database server or a web application, so the questions used to identify areas of concern must be tailored to each asset.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 includes extensive documentation on controls. A good way of ensuring that the right questions are asked is by using SP 800-53 to go through the control families one by one. If the controls apply to the organization, then they should be included in the plan for risk mitigation.
Next, the controls are evaluated to determine which ones should be implemented. A significant part of this step is doing the cost-benefit analysis (CBA), which is covered later in this chapter.