Hello and welcome to the risk identification, monitoring and analysis discussion. In this module, we are going to be going through and talking about the following objectives. You will see them on the screen in front of you.

We take a look at describing the risk management process: what is risk, how do we manage it, how do we know when we see it, how do we identify it, and what do we do with it? These are all important questions that, as security practitioners, we want to have good answers for, and we will strive to figure those out along the way.

Perform security assessment activities: how do we probe and figure out and measure and monitor for what security may be, what it may actually not be, and how do we differentiate between what is going on and what should be going on? We will talk about vulnerability assessments, threat assessments, penetration testing, things of that nature.

Describe processes for operating and maintaining and monitoring systems. How do we do those things in terms of the monitoring that will be required for us to know what, at any given moment, the current state of a system may be? So it will be very important in the context of risk.

How do we identify events of interest? Not everything that happens in a system is something we need to know about, or even indeed want to know about and pay attention to. But many things are, and we have to figure out how to differentiate between the two, and then take our time to understand the things that are important, and assess them as required to then have informed and educated decisions about what we should do next.

Describe the various source systems: where do things come from? They may come from desktops, they may come from laptops, they may come from servers. Information that is important to us may come from boundary or border gateway devices, like firewalls and routers, IDSs (Intrusion Detection Systems), and IPSs (Intrusion Prevention Systems).
These are all things we have to monitor and think about and be aware of, and then interpreting report findings, or interpreting reporting findings, from monitoring results. We want to make sure we understand that once we get information from any or all of these devices we may be monitoring, what does it really mean? What does it mean when a firewall tells us to drop a traffic packet, or change the flow of traffic, so that it blocks the flow from that particular IP address inbound, because it seems to be violating one or more of the rules or conditions that we specified equal bad behavior? What does that really mean? And we have to understand that in the context of the action, but also in the broader context of the things going on around us in the environment. And we will have something to say about that and talk about that again, relating all this back to the idea of risk management and the understanding of risk in a broader, institutional way.

Let us begin by talking about understanding the risk management process. What risk management is: we will define risk management, and really take a look under the covers a little bit, and try to better understand risk for what it is, and the impact it can have inside of our organization. In this particular area, we will be dealing with risk visibility and reporting, risk management concepts, as you can see, risk assessment, risk treatment and of course audit findings.

Let us begin by talking about what is known as the risk register. When we think about the risk register, what we have to understand is how to keep track of risk, right? What is a risk? How do we define it? When we figure out what it is and we identify that activity A or activity B is indeed a risk, where do we make note of that? Where do we understand that? And how do we write that down so we can refer back to it over time? This is what the risk register allows us to do. It literally registers risks.
It keeps track of them for us and helps us to understand them historically, looking back over time, and also contextually, in the moment, so we see the exact risk we may be dealing with, and those that we may or may not have had time or opportunity to deal with over the last X number of minutes, days, weeks, months. But ultimately, over time, the risks that have existed in the system, and the things we are doing with them, are what we want to examine.

So, the risk register is a way for the organization to know what the possible exposure to risk is at any given moment in time. It helps us to keep stakeholders aware of issues. It gives us a snapshot, if you will, of what the risk environment looks like, so we can report back to a stakeholder: this is what we think the risk looks like, and this is what it will be at this moment in time, or what the risk level is going to look like. It tracks the responses to the issues associated with risk. So that way, we can see what actions we are taking, which risks are being dealt with, which ones we are ignoring, or just choosing not to take on at the moment. And as a result of that, we have, hopefully, a very accurate and complete picture of what risk may look like in the organization.