Chapter 110 · Security Program Management

Risk Management

The discipline of identifying, categorizing, and assessing organizational risk — including when and why to conduct one-time, ad hoc, recurring, and continuous risk assessments, and how risk assessment integrates with change management.

Confidential
Report ID: RM-2024-001Domain: Security Program ManagementTopic: Risk Identification & One-Time Assessments

Risk Identification and One-Time Risk Assessments

Risk management begins with identification — recognizing that a weakness or exposure exists before it is exploited. Organizations that identify risks proactively can implement controls before harm occurs. Organizations that discover risks reactively typically do so after suffering the consequences. Risk management is therefore fundamentally a forward-looking discipline.

Risk Identification

Risk identification is the process of systematically finding weaknesses, threats, and vulnerabilities that could negatively impact the organization. Effective risk identification addresses both internal and external sources:

One-Time Risk Assessment

A one-time risk assessment is conducted for a specific, discrete event or project that has a defined beginning and end. Once the assessment purpose is fulfilled, it is not repeated (unless the triggering circumstance recurs).

One-time assessment = specific event with defined scope. Key examples: company acquisition (inherit all risks), new equipment deployment (evaluate before integration), unique threat (assess specific vulnerability). Not repeated unless the triggering event recurs.
Confidential
Report ID: RM-2024-002Domain: Security Program ManagementTopic: Ad Hoc & Recurring Risk Assessments

Ad Hoc and Recurring Risk Assessments

Ad Hoc Risk Assessment

An ad hoc risk assessment is performed for a specific, unique purpose that is not part of the regular assessment schedule. Unlike one-time assessments triggered by a project, ad hoc assessments typically respond to an emerging concern or specific organizational question that requires immediate attention.

Recurring Risk Assessment

A recurring risk assessment is performed on a defined schedule, repeating at regular intervals as part of the organization's ongoing security program. Unlike ad hoc assessments (triggered by events) or one-time assessments (triggered by specific projects), recurring assessments happen on a calendar, regardless of whether a specific incident triggered them.

PCI DSS Annual Risk Assessment

PCI DSS Requirement 12.3 specifically mandates that organizations perform a risk assessment at least annually and when significant changes occur to the environment. This is one of the most commonly cited examples of a regulatory mandate for recurring risk assessment:

Ad hoc = formed for one purpose, done, disbanded (CEO concern, regulatory inquiry). Recurring = scheduled calendar assessment (quarterly/annual). PCI DSS mandates annual risk assessment. Recurring assessments enable trend analysis; ad hoc assessments respond to specific concerns.
Confidential
Report ID: RM-2024-003Domain: Security Program ManagementTopic: Continuous Assessment & Change Control Integration

Continuous Risk Assessment and Change Control Integration

Continuous Risk Assessment

Continuous risk assessment is an ongoing process that integrates risk evaluation into every operational activity rather than treating risk assessment as a periodic event. Instead of taking snapshots of risk at intervals, continuous assessment maintains current awareness of the organization's risk posture in real time or near-real time.

Comparison of Assessment Types

Assessment TypeTriggerDurationTeamExample
One-timeSpecific project or eventDefined scope; completed onceFormed for the projectCompany acquisition; new equipment deployment
Ad hocUnplanned specific concernDefined purpose; team disbands afterFormed and disbanded for the specific purposeCEO concern about new attack type; pre-audit assessment
RecurringCalendar scheduleRepeating at defined intervalsInternal security team (standing)Annual PCI DSS assessment; quarterly internal review
ContinuousOngoing; triggered by any changePermanent; no end dateAutomated tools + security team oversightChange control risk analysis; SIEM monitoring; vulnerability scanning

Why Risk Assessment Must Be Integrated with Change Control

Changes to IT systems are one of the primary sources of new risk introduction. A system that was assessed and found acceptable yesterday may have a new vulnerability today if a change was made without risk evaluation:

Each of these is a risk that would only be caught if risk assessment is part of the change control workflow. Organizations that conduct periodic risk assessments but skip change-control risk analysis create a gap where new risks accumulate between assessment periods without being identified or managed.

Continuous assessment = built into operations, not a scheduled event. Most important integration: risk assessment is required for every change going through the CCB. Changes are one of the primary sources of new risk — assessing change risk is the only way to stay current between periodic assessment cycles.