Page 100 - CISSO_Prep_ Guide
in the never-ending cycle of risk management. The use of
standard metrics to assess risk is also important so that changes
in risk and potentially harmful trends can be identified.
Vulnerability Assessments and Penetration Tests
Risk monitoring includes regular vulnerability assessments and
penetration tests that can be conducted either internally or
externally.
A vulnerability assessment is a valuable tool to identify any
gaps or misconfigurations in the security profile of the
organization. A vulnerability assessment is like walking around
a building, ensuring that all doors, windows, and other points of
entry (loading docks, etc.) are locked and secure. The
vulnerability assessment of an information system is a
methodical review of security to ensure that the systems are
hardened and that there are no unnecessary open ports or
services available that could be used as an attack vector by an
adversary or misused by an internal employee.
A vulnerability assessment often produces a lot of 'noise': alerts
about vulnerabilities that are not serious. A security expert must
therefore analyze the data from the vulnerability assessment and
determine which results are significant and which results can be
ignored.
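The triage step described above, as an added example that is not part of the guide: constructed scan findings are compared against a hardening baseline of expected services per host, so that an unexpected open port is always flagged (the "unnecessary open ports or services" of the previous paragraph) while low-severity findings on expected services are set aside as noise. The finding format and the severity names are assumptions, not any scanner's real output.

```python
# Constructed hardening baseline: the only ports each host should expose.
BASELINE = {
    "10.0.0.5": {22, 443},
    "10.0.0.7": {443},
}

# Constructed findings in a hypothetical scanner-like format (not real scanner output).
FINDINGS = [
    {"host": "10.0.0.5", "port": 22,   "severity": "info",     "title": "SSH banner disclosed"},
    {"host": "10.0.0.5", "port": 443,  "severity": "medium",   "title": "TLS 1.0 enabled"},
    {"host": "10.0.0.5", "port": 3389, "severity": "info",     "title": "RDP service detected"},
    {"host": "10.0.0.7", "port": 443,  "severity": "critical", "title": "Outdated web server"},
    {"host": "10.0.0.7", "port": 8080, "severity": "low",      "title": "HTTP service detected"},
]

# Assumed severity scale; an unknown label ranks as 0 so it is never silently promoted.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def triage(findings, baseline, min_severity="low"):
    """Split findings into (significant, noise).

    A finding is significant when its port is not in the host's baseline
    (an unnecessary exposed service, whatever the scanner's severity) or
    when its severity meets min_severity. Hosts absent from the baseline
    have no expected ports, so every finding on them is significant.
    Significant findings are sorted most severe first.
    """
    threshold = SEVERITY_RANK[min_severity]
    significant, noise = [], []
    for f in findings:
        expected = baseline.get(f["host"], set())
        if f["port"] not in expected:
            significant.append({**f, "reason": "unexpected open port"})
        elif SEVERITY_RANK.get(f["severity"], 0) >= threshold:
            significant.append({**f, "reason": "severity"})
        else:
            noise.append(f)
    significant.sort(
        key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["host"], f["port"])
    )
    return significant, noise


if __name__ == "__main__":
    sig, noise = triage(FINDINGS, BASELINE)
    for f in sig:
        print(f"REVIEW  {f['host']}:{f['port']}  {f['severity']:8}  {f['title']}  ({f['reason']})")
    for f in noise:
        print(f"noise   {f['host']}:{f['port']}  {f['severity']:8}  {f['title']}")
```

Raising min_severity reduces the severity-driven findings but never hides an unexpected port, which is the check the baseline exists for.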
A vulnerability assessment is often a thorough review of an
entire system or facility, and it is intended to provide a
complete review of all security controls.
This can include both technical and non-technical controls. For
example, a review of a firewall would often include the review