This document discusses risk management. It defines risk as where assets, vulnerabilities, and threats intersect. It describes identifying threats and assessing risk through scoring matrices. It then discusses ways to reduce risk such as eliminating threats, reducing vulnerabilities, and applying controls. Finally, it discusses ongoing risk management including reassessing risk over time and keeping risk at an acceptable level.