Requirements driven methodology for conducting risk analyses of unclassified networks

This paper describes a simple method for local area network (LAN) administrators and their managers to assess the protection afforded by the unclassified LANs for which they are responsible. A goal of each automated information system security program is to assure that each LAN has a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, unauthorized disclosure, or unauthorized modification of the information contained in the system. This requirements driven process focuses on ensuring data availability, integrity, and confidentiality through standardization and simplification of standard industry practices. The methodology has been implemented using off-the-shelf commercially available spreadsheet software applications.