Chapter 110 · Flashcards

Risk Management — Flashcards

Ten cards covering risk identification scope, one-time assessment triggers, ad hoc assessment formation and disbanding, recurring assessment schedules, PCI DSS annual mandate, continuous assessment integration, change control risk analysis, internal vs. external threat identification, trend analysis from recurring assessments, and the four assessment type comparison. Click any card to flip it.

What is risk identification, and what two sources of threats must it address?

Risk identification: the systematic process of finding weaknesses, threats, and vulnerabilities that could negatively impact the organization before they are exploited. Goal: identify risks proactively rather than reactively. Two sources of threats: Internal: vulnerabilities within the organization's own systems, processes, and people — unpatched software, misconfigured systems, weak access controls, untrained employees, outdated hardware. External: threats originating outside the organization that could exploit internal vulnerabilities — ransomware actors, phishing campaigns, supply chain compromise, regulatory changes creating compliance risk. Qualifying risk: not all identified risks are treated equally. Risk identification includes qualifying each risk (assessing severity and likelihood) so limited resources are directed at the highest-priority risks. Ongoing nature: risks change as systems, threats, and regulations evolve — identification must recur.

What is a one-time risk assessment and what are its two classic trigger scenarios?

One-time risk assessment: conducted for a specific, discrete event or project with a defined beginning and end. Not repeated unless the triggering circumstance recurs. Classic trigger 1 — Company acquisition: when acquiring another company, a one-time assessment evaluates the target's IT systems, security controls, compliance posture, and integration risks. The organization inherits all of the target's risks. Classic trigger 2 — New equipment deployment: deploying a new type of equipment (industrial control system, medical device network, cloud platform) that has not been previously evaluated. Assessment determines required security controls before integration into production. Other triggers: unique threat investigation, new regulatory requirement affecting a specific system, major architecture redesign. Key characteristic: defined scope, defined end, not repeated on a schedule. Contrast with recurring (calendar-driven) and ad hoc (event-triggered, temporary team).

What defines an ad hoc risk assessment, and how does the team lifecycle differ from other assessment types?

Ad hoc risk assessment: performed for a specific, unplanned purpose not part of the regular assessment schedule. Triggered by emerging concerns rather than a calendar. Team lifecycle (key differentiator): a committee or specialized team is formed specifically for the assessment purpose, conducts the assessment, and then DISBANDS. The team does not continue as a permanent body. Classic trigger — CEO/executive concern: leadership returns from a conference where a specific attack type was highlighted. A team is formed, evaluates the organization's exposure to that specific threat, reports findings, and returns to normal roles. Other triggers: pre-audit compliance check for a specific area, board request for assessment of a specific risk category, regulatory inquiry about a specific control domain. Distinction from one-time: one-time assessments are project-driven (acquisition, new equipment); ad hoc assessments are concern-driven (executive question, specific threat). Both involve temporary focused assessment.

What is a recurring risk assessment, what schedules are common, and which regulation specifically mandates it annually?

Recurring risk assessment: performed on a defined schedule, repeating at regular intervals as part of the ongoing security program. Calendar-driven, not event-triggered. Common schedules: quarterly (high-risk organizations, financial institutions), semi-annual (balanced frequency/cost), annual (minimum for most compliance frameworks). PCI DSS mandate: Requirement 12.3 mandates a targeted risk analysis at least annually and whenever significant environmental changes occur. Results must be documented and used to inform the security program. QSA auditors verify that the annual assessment occurred. An 18-month-old assessment is not PCI DSS compliant. HIPAA: requires ongoing risk analysis (periodic, risk-based). Key advantage over ad hoc: consistent methodology over multiple periods enables trend analysis — comparing current risk posture to prior periods to measure improvement and identify emerging risk categories.

What is continuous risk assessment and how does it differ from recurring assessment?

Continuous risk assessment: an ongoing process that integrates risk evaluation into every operational activity. No defined start and end date. Maintains current risk awareness in real time or near-real time rather than taking periodic snapshots. Components: vulnerability scanners running continuously; SIEM monitoring correlating events into risk indicators; threat intelligence feeds alerting to emerging threats; per-change risk analysis in the CCB for every significant system change. vs. Recurring assessment: Recurring assessment takes a comprehensive periodic snapshot (annually, quarterly). Continuous assessment maintains current awareness between those snapshots. Both are needed: recurring for comprehensive structured analysis; continuous for staying current as the environment changes daily. Key integration point: continuous assessment requires risk evaluation for every change going through change control. Changes are the primary source of new risk between periodic assessments.

Why must risk assessment be integrated into the change control process?

Changes to IT systems are one of the primary sources of new risk introduction. A system assessed and found acceptable can gain new vulnerabilities after a change is made without risk evaluation. Examples of change-introduced risk: (1) New firewall rule opens a port; what is now exposed? (2) Software upgrade introduces a new dependency with known vulnerabilities. (3) Cloud migration moves data to a region with different regulatory requirements. (4) Third-party integration creates a new data sharing relationship not previously evaluated. CCB requirement: every change submitted to the Change Control Board must include a risk assessment of what the specific change introduces. Without this, the CCB cannot meaningfully approve the change. Gap created without this integration: organizations that conduct only periodic assessments but skip per-change risk analysis accumulate new unassessed risks between assessment periods. By the time the next periodic assessment occurs, the risk landscape may have changed substantially.

What is trend analysis in the context of recurring risk assessments?

Trend analysis: the ability to compare risk assessment results across multiple periods to identify directional changes in the organization's risk posture. Only possible with recurring assessments that use consistent methodology. What trend analysis reveals: (1) Is the overall risk posture improving (controls being implemented) or worsening (new vulnerabilities faster than remediation)? (2) Which risk categories are growing? (3) Has a specific security investment reduced risk in the expected area? (4) Are the same vulnerabilities appearing repeatedly (remediation failure)? Business value: enables security leaders to demonstrate ROI of security investments to management; shows the effectiveness of security program changes; provides defensible evidence of improving security posture for audit and board reporting. Why ad hoc assessments cannot provide this: each ad hoc assessment is triggered by a different concern and uses potentially different methodology — results are not comparable across periods. Only scheduled recurring assessments with consistent methodology enable meaningful comparison.

Compare all four risk assessment types in a single summary.

One-time: Trigger = specific project (acquisition, new equipment). Duration = defined scope, completed once. Team = formed for the project. Purpose = evaluate specific new risk. Ad hoc: Trigger = unplanned specific concern (CEO question, pre-audit). Duration = defined purpose, team disbands after. Team = temporarily formed and disbanded. Purpose = answer specific unplanned question. Recurring: Trigger = calendar schedule (quarterly, annual). Duration = repeats indefinitely on schedule. Team = standing internal security team. Purpose = ongoing tracking with trend analysis; satisfies regulatory mandates (PCI DSS). Continuous: Trigger = ongoing; every change; every security event. Duration = permanent, no end. Team = automated tools + security staff. Purpose = real-time risk awareness; change control integration. Most organizations need all four types operating simultaneously for comprehensive risk management coverage.

What does it mean to qualify risk during identification, and why does it matter?

Qualifying risk: the process of assessing each identified risk to determine its relative priority based on likelihood and potential impact. Not all identified risks receive equal attention or resources. Why qualification matters: organizations have finite security resources (budget, staff, time). Without qualification, teams may spend significant effort addressing low-probability, low-impact risks while ignoring high-probability, high-impact ones. Qualification directs limited resources toward risks that matter most. Qualification dimensions: (1) Likelihood/probability: how likely is this risk to be realized in a given period? (2) Impact: if realized, how severely does this affect the organization (financial, operational, reputational, safety)? Output of qualification: a prioritized risk list. High likelihood + high impact = highest priority. Low likelihood + low impact = lowest priority. Medium combinations require judgment. Qualification is the foundation for both qualitative risk assessment (descriptive: high/medium/low) and quantitative risk assessment (numerical: dollar values).

What regulations mandate recurring risk assessments, and what do they require?

PCI DSS (Payment Card Industry Data Security Standard): Requirement 12.3 mandates a targeted risk analysis at least annually and when significant changes occur. Must identify critical assets, threats, and vulnerabilities. Results must inform the security program and be reviewed by QSA auditors during compliance validation. HIPAA Security Rule: requires an ongoing risk analysis as part of administrative safeguards. Regulators interpret "ongoing" as periodic at risk-appropriate intervals; organizations with changing environments may need more frequent analysis than annual. FISMA (Federal Information Security Management Act): requires annual security reviews for federal information systems, including risk assessment components. GDPR: does not specify a fixed assessment schedule but requires data protection impact assessments (DPIAs) for high-risk processing activities. ISO/IEC 27001: requires regular information security risk assessments at planned intervals or when significant changes occur. The interval must be defined in the ISMS scope.