144 PART 2 | Mitigating Risk

· E-mail servers -- Some larger organizations have 10 or more e-mail servers to manage e-mail. Trained personnel are dedicated primarily to managing these servers. Personnel ensure e-mail delivery. They also manage spam filtering and malicious attachments.

· Web servers -- An organization can have dozens of Web servers configured in one or more Web farms. A Web farm can generate a significant amount of revenue and have dedicated personnel to manage it.

· Database servers -- Many organizations have a large amount of data stored in databases. Large databases are stored on dedicated servers. The knowledge needed to manage these servers is specialized, so some organizations have dedicated database administrators to manage them.

· Configuration and change management -- This section oversees configuration and changes to either all servers or all systems. The team may be responsible for building new servers. They also coordinate and document all change requests.

A small organization may perform a risk assessment for many systems at the same time. However, a larger organization will likely separate the risk assessments. For example, a larger organization that performs a risk assessment on Web servers, database servers, and firewalls at the same time can face problems. Three separate sections with three separate managers would need to implement the recommendations. The goals and schedules could compete with internal priorities. However, if the organization assesses a single section at a time, the results are easier to implement. For example, you could perform three separate RAs. You could assess the Web servers, database servers, and firewalls separately. Each assessment would have specific recommendations targeted for the owners of the system.

Identifying Assets and Activities Within Risk Assessment Boundaries

Asset valuation is the process of determining the fair market value of an asset. This is one of the first priorities of risk management.
You can determine the value from the replacement value of the asset. You can determine the value based on either what the asset provides to the organization, or the cost to recover the asset. It's also possible to determine the value using a combination of both values. Once you know the value of your assets, you can then prioritize their importance. If an asset is worth $1,000, it needs one level of protection. If another asset is worth $1 million, it needs another level of protection.

It is important that you evaluate only assets that are within the boundary of the RA. Scope creep occurs when you start evaluating assets outside the scope of the RA. This results in wasted time and wasted resources.

NOTE: This section introduces assets and activities related to risk assessment. Chapter 7 covers these topics in greater depth.