When we think about creating a Risk Register, we have to obviously take certain steps, gather certain information, and put that information out in a fairly specific way so it becomes useful to us, and you'll see that we can go ahead and create the Risk Register, record active risks that are going to be tracked within the register, and assign a unique number to each risk, so that way we can understand what it is. There is an example of what a Risk Register may look like on the screen, an entry form of one anyway. You'll see it looks like we have a data risk review at the upper-right hand corner, who it was compiled and reviewed by and at what date and time, and what the function or activity is that these risks are associated with. Maybe this could be an email system, or a web server, or file and print, so we would specify that at the head of the Risk Register. We then have a reference column which allows us to specify a unique tracking mechanism or identifier. The risk: we document what the risk is and what can happen, how it can happen, a brief description of what we feel the circumstances are. Consequences of an event happening: what are the consequences? What is the likelihood for the risk we've just described? What's the adequacy of an existing control or controls that we may be able to use in order to be able to deal with the risk? If the risk is that somebody may send a sensitive piece of data through the email system, exposing confidential customer records, we would document that. We would call that reference item A1 for the first item in the list. We would quickly write a synopsis of that, possibility of customer record exposure through email system attachment, something like that. We then would talk about consequences of an event happening. What are the consequences? There may be a regulatory issue, and we may get fined $1,000. If that happens, what's the likelihood? Likelihood is high. What's the adequacy of existing controls?
We may not have existing controls that would adequately defend against this. We may not be using data loss prevention technology, for instance, right, a data leakage prevention technology. And so, as a result, adequacy of existing controls may be rated as low or near zero or not adequate. You can take your pick of any of those. But ultimately, we'd say not up to the task. And then, consequence rating: what's the consequence and what's the rating of that consequence? If it's a $1,000 fine, the consequence rating may be deemed high. We have to obviously fix that because that's an issue, could be very impactful. What's the likelihood rating? We said the likelihood is high, so we would have maybe a numerical ranking or some sort of a number rating that we could ascribe there. So, if we say on a scale of 1-3, one being low, two being medium, three being high, that means the consequence rating is three, the likelihood rating is three, and the total is six out of a possible six. That's something that should stand out for us and probably raise some red flags. And then, level of risk and risk priority: we have to figure out what the level of risk is. Again, we may have a numerical framework there that we can work with, maybe 1-5, one being relatively low risk, not very high, not prioritized, five being the highest. This may be a three or a five, near the top of the scale. And what's the risk priority? How quickly do we have to take that on and deal with that? Again, a numerical rating, 1-3, 1-5, whatever it may be, and we would rank those, and we would put in, let's say, if three was the upper level of the scale all the way across the board, we would go ahead and say we have threes for everything, indicating that potentially we have the highest level assigned to the risk likelihood, the risk consequence, the impact, and the priority.
And that should tell us, as we scan through the Risk Register looking for risks that we have to address, that the likelihood of this risk, of customer data or a customer record being exposed through email, is going to be very high, and we should probably take that seriously, and we should address that. It's going to be something we really have to understand and deal with. So, a Risk Register is a visual way for us to distill down risk and to interact with that risk and to be able to deal with it. It's very important for us to think about that and be aware of that, because sometimes we can talk a lot about risk: "Hey, this risk of sending this customer record through email, it's pretty bad. If that happens, boy, that's going to be an issue. We might get a $1,000 fine and that's really going to screw up a lot of things for us." But people may not really understand the impact of that, may not really equate that issue, that concern, with something that's significant. Not everybody learns, not everybody interacts, not everybody consumes information in the same ways. And so, being able to show people on paper, in black and white, what that risk may look like is just another tool, another communication mechanism, another way to reinforce what the impact of that risk may be. This, combined with a conversation, combined with other mechanisms like business impact assessments and risk monitoring, all the other things that we can do, will together really help us to zero in on and deal with risk. Risk ultimately is going to be the thing we probably spend most of our time as security practitioners addressing in one form or another. It's one of the key reasons we do all the things we do. It's one of the key reasons, rather, that we do a lot of the things that we discuss when we talk about operational environments that have to be configured a certain way, and monitored a certain way, and managed with things like change management, release and deployment management.
We use those things that we do to be able to keep track of the change over time and to document and to manage against it, because of the nature and the concern of risk. Risk is normally, without exception, considered at the heart of everything we do inside of the network in terms of our job day to day with regards to security. If you take away all the risk in a system, in theory, if you could, because it's not possible to, but if you could get rid of all the risk, if we found a way to do that, we would be out of a job. There would be no reason for security professionals and security practitioners to exist, because everything would run itself, and there wouldn't be any issues or concerns that we would have to interact with. So, risk is important to us, A, because it's job security, but B, and most importantly, because it exists and there's really no good way for us to deal with all aspects of risk. No matter how hard we try, there is always something called residual risk in a system. Residual risk is that risk that is left over, that is unmitigated, uncontrolled, undocumented, unacknowledged, untracked, all those things we can talk about and think about. It's unknown, or maybe known, but we just may not have a good way of dealing with it. There are lots of different reasons why risk will exist. There are lots of different reasons why we potentially can mitigate, minimize risk, and accept risk and control it in certain ways, but at the end of the day, there's still going to be risk left over. It's that leftover risk, what we call the residual risk, that we are always looking to address and deal with and manage down to as low a common denominator as possible. And that's what the Risk Register helps us to do, one of the things anyway, by clearly articulating, clearly identifying what the risks are.
It helps us to zero in on the possibility that that risk can exist, and if it does exist, what's the likelihood of it coming back to effectively create havoc inside the organization, what's the impact of that risk, in other words, should it be recognized. And if the impact is high, the Risk Register may give us the opportunity to focus on that and allow us to marshal our resources and take actions to minimize and mitigate that risk if at all possible. So, keep in mind the value of the Risk Register. It may look different in your world, by the way, and you may not do it formally this way. You may call it something else. Sometimes it's referred to as a risk catalog or a risk inventory, which is all basically speaking about the same thing. It's some sort of tracking mechanism to help us understand what risks are out there, and what state they're in, and how we're going to acknowledge and address them. Whatever you call it, whatever you interact with it as, whatever you do, even if it's a mental category that you create in your mind and walk around with, or are constantly adding and removing things to and from as just a checklist in your world, you still are documenting risk in some way with the hope of being able to more formally manage and discuss it. So, this is the general idea behind the Risk Register.
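As an added illustration, not part of the original lecture, here is the register described above as a small Python model: the column set walked through (reference, risk, consequences, consequence and likelihood ratings on the 1-3 scale, adequacy of existing controls), the total out of six, and a scan for the entries that should stand out. The mapping from the total onto the 1-5 level of risk and the 1-3 priority is my own assumption, since the lecture leaves those scales open; the A1 and A2 rows are constructed sample data following the email example.

```python
from dataclasses import dataclass

# 1-3 scale used in the lecture: one is low, two is medium, three is high.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskEntry:
    """One row of the register: the columns walked through in the lecture."""
    reference: str          # unique identifier, e.g. "A1"
    risk: str               # what can happen and how
    consequences: str       # what happens if the event occurs
    consequence: str        # low / medium / high
    likelihood: str         # low / medium / high
    control_adequacy: str   # free text, e.g. "not adequate"

    def consequence_rating(self) -> int:
        return RATING[self.consequence]

    def likelihood_rating(self) -> int:
        return RATING[self.likelihood]

    def total(self) -> int:
        # The lecture adds the two ratings: 3 + 3 = 6 out of a possible 6.
        return self.consequence_rating() + self.likelihood_rating()

    def level_of_risk(self) -> int:
        # Assumption: map the 2-6 total onto the lecture's 1-5 scale.
        return self.total() - 1

    def priority(self) -> int:
        # Assumption: 1-3 priority derived from the level of risk; 4-5 is urgent.
        level = self.level_of_risk()
        return 3 if level >= 4 else 2 if level == 3 else 1


def red_flags(register: list[RiskEntry]) -> list[str]:
    """References whose total hits the maximum, the ones that should stand out."""
    top = 2 * max(RATING.values())
    return [e.reference for e in register if e.total() == top]


def by_priority(register: list[RiskEntry]) -> list[str]:
    """References ordered highest priority first, then by total."""
    ordered = sorted(register, key=lambda e: (e.priority(), e.total()), reverse=True)
    return [e.reference for e in ordered]


# Constructed sample register for the "email system" function or activity.
REGISTER = [
    RiskEntry("A1", "Customer record exposure through email system attachment",
              "Regulatory issue, $1,000 fine", "high", "high", "not adequate"),
    RiskEntry("A2", "Mail queue outage delays outbound messages",
              "Delayed correspondence for a few hours", "low", "medium", "adequate"),
]
```

With this data, `red_flags(REGISTER)` returns only `A1`, the six-out-of-six entry, and `by_priority(REGISTER)` lists `A1` ahead of `A2`.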