As an example, your asset inventory could have resulted in the following priorities:

· Database servers--High
· File servers--High
· E-mail servers--High
· Network infrastructure--High
· Web server--Medium
· User desktop systems--Medium
· User laptops--Low

NOTE: This list isn't intended to be a complete list of all assets. Instead, it provides a sample of how an organization might prioritize its assets. Chapter 7 covered identifying assets and activities in much more depth.

Next, you identify and analyze threats and vulnerabilities. Chapter 8 covered how to perform threat assessments, vulnerability assessments, and exploit assessments. You can perform a threat and vulnerability assessment on each asset. For example, you can begin with the database servers. You can start in several ways. One way is to consider the basics and ask yourself some questions:

· Loss of confidentiality--Is the data sensitive? Are access controls in place? Should at-rest data be encrypted? Should data be encrypted when it's transferred?
· Loss of integrity--Can the database recover from a power loss without corrupting or losing committed data? Are data versions required? Is the configuration of the database documented? Are change management practices followed?
· Loss of availability--Are reliable backups performed regularly? Are copies of backups stored offsite? What are the required hours for data availability? Are redundant drives used? Are failover clusters required?

The questions you ask will be different for different assets. For example, if you are examining the network infrastructure, you'll have different concerns than if you are examining a database server or a user laptop. The point here isn't the specific questions you're asking. Instead, the point is that you are asking questions to identify areas of concern. Chapter 9 presented the National Institute of Standards and Technology (NIST) Special Publication 800-53. SP 800-53 includes extensive documentation on controls.
A good way of ensuring you ask yourself the right questions is to use SP 800-53. Go through the control families one by one. If a family applies to the asset, ensure your plan considers its controls. For the database server above, for example, the Access Control (AC) and System and Communications Protection (SC) families cover the confidentiality questions, Configuration Management (CM) covers the integrity questions, and Contingency Planning (CP) covers the availability questions. You then evaluate the candidate controls to determine which ones to implement. A significant part of this step is the cost-benefit analysis (CBA), which compares the cost of a control against the loss it is expected to prevent. CBAs are covered later in this chapter.

What Is the Scope of Risk Management for Your Organization?

The scope of risk management indicates your area of concern. You can also think of it as your area of control. There are some things you can control and some things you can't. For example, you can't control hurricanes or earthquakes. You can reduce the impact of these events by planning how your organization will respond. However, you can't stop them from occurring.