1. A company is about to acquire a smaller competitor. The security team is asked to evaluate all IT systems, security controls, and compliance posture of the target company before the acquisition closes. Once the acquisition is complete and integration is finished, this evaluation will not be repeated. What type of risk assessment is this?
2. A CISO returns from a threat intelligence conference where a new ransomware-as-a-service operation was discussed in detail. Concerned about the organization's specific exposure, the CISO convenes a team of security engineers and threat analysts to evaluate the organization's defenses against this specific threat. The team produces a report, presents recommendations, and then returns to their normal roles. What type of risk assessment describes this process?
3. A payment processor is undergoing PCI DSS compliance validation. The QSA auditor requests documentation of the organization's risk assessment. The security team provides a risk assessment from 18 months ago. What does PCI DSS require regarding risk assessment frequency, and does the 18-month-old assessment satisfy this requirement?
4. A network engineer submits a change request to modify firewall rules, allowing a new cloud application to communicate through the corporate firewall. The change request includes implementation steps and a rollback plan, but the CCB reviewer notes that no risk assessment for the specific rule change was included. Why is a risk assessment required as part of the change control process?
5. An organization's security team runs vulnerability scans continuously, monitors SIEM alerts around the clock, subscribes to threat intelligence feeds, and requires a documented risk analysis for every change request submitted to the CCB. What type of risk assessment program does this describe?
6. The security team conducts internal risk assessments every six months using a consistent methodology. Between assessments, they compare results to the previous period to identify trends. What advantage does this recurring approach provide that an ad hoc approach would not?
Matching: Risk Assessment Types
Match each assessment type (1–4) to its correct description (A–D).
1One-time assessment
2Ad hoc assessment
3Recurring assessment
4Continuous assessment
APerformed on a defined schedule (quarterly, semi-annually, annually) using consistent methodology; enables trend analysis; mandated by PCI DSS and other regulations
BConducted for a specific project or event with defined scope; not repeated unless the same type of event recurs; examples include company acquisitions and new equipment deployments
COngoing process integrated into all operations including change control; no defined end date; maintains real-time awareness of risk posture through automated tools and per-change analysis
DTriggered by an unplanned specific concern; a team is formed for that single purpose, conducts the assessment, and disbands; not part of the regular schedule