These FAQs answer typical questions we have received. Still have questions after reading through these? Please contact us.
Risk based security is a holistic approach to IT security that uses risk analysis to drive security decisions and investments. This ensures better alignment between the security program and business objectives, increases program efficiency and targets resource utilization for optimal value.
Risk is a future event that is expected to affect business objectives.
Risk analysis is the evaluation of the likelihood and impact a risk would have on business objectives.
Risk management is a set of coordinated activities performed to identify, assess and respond to risks.
A risk is something that might happen. It has a probability (or likelihood) of happening and if it does there will be a certain impact (may be positive or negative).
An issue is something that has happened (or is happening right now). It does not have a probability but it will have an impact.
Gross risk is the initial assessment of the impact and likelihood of a risk prior to considering any existing controls.
Net risk is the assessment of the impact and likelihood of a risk that considers existing controls.
Target risk is the organizationally defined acceptable levels of impact and likelihood for a risk.
Possible risk responses are:
Avoid – a management decision not to be involved in, or to withdraw from, an activity based on the level of risk.
Accept – a management decision that the controls currently in place are sufficient and the current level of residual risk is acceptable.
Exploit – a management decision to take actions to ensure an identified opportunity is realized.
Mitigate – a management decision to take actions to lessen the likelihood and/or impact of a risk.
Transfer – a management decision to share the burden of loss or benefit of gain for a risk with another party.
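The definitions of gross, net and target risk above and the list of responses can be worked through numerically. The following is an added example, not part of this FAQ: it assumes simple 5-point likelihood and impact scales (constructed here, the FAQ prescribes none), models a control as a reduction in likelihood and/or impact points, and flags which responses are open once net risk is compared with the target. The risk, controls and values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed 5-point ordinal scales; the FAQ does not prescribe a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """An existing control, modelled as points removed from likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    controls: list = field(default_factory=list)
    target_likelihood: int = 2    # organizationally defined acceptable likelihood
    target_impact: int = 2        # organizationally defined acceptable impact


def gross_risk(r: Risk) -> int:
    """Gross risk: likelihood x impact before any existing controls are considered."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def net_risk(r: Risk) -> int:
    """Net risk: likelihood x impact after existing controls; neither axis drops below 1."""
    likelihood = LIKELIHOOD[r.likelihood] - sum(c.likelihood_reduction for c in r.controls)
    impact = IMPACT[r.impact] - sum(c.impact_reduction for c in r.controls)
    return max(1, likelihood) * max(1, impact)


def target_risk(r: Risk) -> int:
    """Target risk: the acceptable likelihood x impact set by the organization."""
    return r.target_likelihood * r.target_impact


def response_options(r: Risk) -> list:
    """Responses that fit the gap between net and target risk (a simplifying assumption:
    Exploit applies to opportunities, so it is not offered for a negative-impact risk)."""
    if net_risk(r) <= target_risk(r):
        return ["accept"]
    return ["mitigate", "transfer", "avoid"]


# Constructed example: a negative-impact risk with two existing controls.
EXAMPLE = Risk(
    name="ransomware on the file server",
    likelihood="likely",
    impact="major",
    controls=[
        Control("mail filtering", likelihood_reduction=1),
        Control("tested offline backups", impact_reduction=2),
    ],
)

if __name__ == "__main__":
    print(EXAMPLE.name)
    print("gross:", gross_risk(EXAMPLE), "net:", net_risk(EXAMPLE), "target:", target_risk(EXAMPLE))
    print("responses open:", response_options(EXAMPLE))
```

Adding a further control (for example one more point of likelihood reduction) brings the example's net risk down to the target, at which point the only response left on the table is Accept; until then management must mitigate, transfer or avoid.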
A penetration test starts from the outside of your organization. Research is performed to identify ways into your organization through externally available IT resources and then attempts are made to breach your perimeter. This testing will evaluate the preventive and detective controls in your organization that protect your environment from external threats. The goal of a penetration test is to find ways into your organization and bring them to your attention so you can patch these holes.
A vulnerability assessment is an attempt to find all the weaknesses in your environment and provide you with a map of the multiple attack paths that currently exist. Our consultants start inside your network with just a few static IP addresses and their toolkit. They will then emulate real world attackers and systematically crawl through the network to find all the possible vulnerabilities on your systems. While no credentials are provided to the team, we are often able to leverage existing vulnerabilities that lead our experienced team to administrative access throughout the organization. The goal of a vulnerability assessment is to identify all the vulnerabilities that exist within your organization and demonstrate how they would be used by an attacker. This is a more comprehensive evaluation of your existing controls and, when performed in conjunction with either a penetration test or an external vulnerability assessment, will highlight what an attacker could do once they have breached the perimeter.
Secure baselines are a set of standard security settings that are intended to be applied to technologies. They provide improved security at the host level and also assist with configuration management. While exceptions should be allowed based on demonstrated need, they should be rare and must be documented. If a deviation from the baseline introduces additional risk into the environment, formal risk acceptance must be performed to ensure management is aware of, and is willing to accept, the introduction of that risk into the environment.
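The baseline rules above (deviations are rare, documented, and risk-accepted when they add risk) can be enforced by a compliance check. The following is an added example, not from this FAQ or any particular baseline standard: the baseline settings, the host's configuration and the exception register are all constructed, and the setting names are placeholders rather than a real configuration schema. Each setting ends up in one of four states: compliant, a documented exception, an exception that adds risk but has no recorded risk acceptance, or an undocumented deviation.

```python
# Constructed baseline: setting name -> required value (placeholder keys, not a real schema).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "tls.min_version": "1.2",
}

# Constructed configuration as collected from one host.
HOST_CONFIG = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "yes",   # deviates, exception on file
    "audit.enabled": "no",                  # deviates, exception adds risk, no acceptance
    "tls.min_version": "1.0",               # deviates, nothing on file
}

# Constructed exception register: one entry per approved deviation.
EXCEPTIONS = [
    {"setting": "ssh.PasswordAuthentication", "justification": "legacy appliance needs passwords",
     "adds_risk": False, "risk_accepted_by": None},
    {"setting": "audit.enabled", "justification": "performance complaint",
     "adds_risk": True, "risk_accepted_by": None},
]

COMPLIANT = "compliant"
DOCUMENTED_EXCEPTION = "documented_exception"
MISSING_RISK_ACCEPTANCE = "exception_missing_risk_acceptance"
UNDOCUMENTED_DEVIATION = "undocumented_deviation"


def evaluate(baseline: dict, host: dict, exceptions: list) -> dict:
    """Classify every baseline setting for one host. Values are compared for equality only."""
    by_setting = {e["setting"]: e for e in exceptions}
    result = {}
    for setting, required in baseline.items():
        actual = host.get(setting)
        if actual == required:
            result[setting] = COMPLIANT
            continue
        exc = by_setting.get(setting)
        if exc is None:
            result[setting] = UNDOCUMENTED_DEVIATION
        elif exc["adds_risk"] and not exc["risk_accepted_by"]:
            # Documented, but the added risk has not been formally accepted by management.
            result[setting] = MISSING_RISK_ACCEPTANCE
        else:
            result[setting] = DOCUMENTED_EXCEPTION
    return result


def needs_action(report: dict) -> list:
    """Settings that block sign-off: undocumented deviations and exceptions lacking acceptance."""
    return sorted(s for s, state in report.items()
                  if state in (UNDOCUMENTED_DEVIATION, MISSING_RISK_ACCEPTANCE))


if __name__ == "__main__":
    report = evaluate(BASELINE, HOST_CONFIG, EXCEPTIONS)
    for setting, state in report.items():
        print(f"{setting:30} {state}")
    print("needs action:", needs_action(report))
```

Keeping the exception register separate from the host data is the point of the design: a deviation only stops being a finding once someone has written down why it exists and, where it adds risk, who accepted that risk.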