Chapter 110 · Tricks

Risk Management — Tricks & Mnemonics

Four memory tricks and three practice scenarios for exam-day recall of assessment type classification, PCI DSS annual mandate, ad hoc committee formation, and continuous assessment in change control.

01The Assessment Type Decision Tree

On the exam, a scenario describes an assessment situation. Use this decision tree to classify it:

  1. Is it triggered by a specific project (acquisition, new equipment)? Yes → One-time
  2. Is it calendar-scheduled and repeating? Yes → Recurring
  3. Is it an unplanned concern, with a team formed and then disbanded? Yes → Ad hoc
  4. Is it ongoing with no end date, integrated into operations? Yes → Continuous

The key discriminators:

  • Ad hoc vs. one-time: both are event-triggered, but one-time serves a project (acquisition), ad hoc serves an unplanned concern (CEO question). Both involve temporary work but one-time is project-scoped.
  • Recurring vs. continuous: recurring has an interval (every 6 months); continuous has no interval (always on).

Exam scenario: "The CEO saw a news article about a new cyberattack and formed a team to check the company's exposure. The team reported findings and returned to their regular jobs." → Ad hoc (unplanned trigger, temporary team, disbanded after).

02PCI DSS = Annual. No Exceptions.

PCI DSS Requirement 12.3 is one of the most commonly cited regulatory mandates for risk assessment frequency. Know this cold:

  • PCI DSS requires a risk assessment at least annually
  • Also required when significant environmental changes occur
  • Must be documented and used to inform the security program
  • QSA auditors verify the assessment occurred as part of compliance validation

Exam trap: "The organization's risk assessment is 13 months old." = PCI DSS non-compliant. The 12-month (annual) requirement means it must occur at least once in any rolling 12-month period.

Exam trap: "The organization conducted a risk assessment 2 years ago and has had no significant changes." = Still non-compliant. Annual means annual regardless of whether anything changed. New threats emerge even when internal environments are stable.

HIPAA adds: requires ongoing risk analysis. Regulators do not specify a fixed interval but expect the frequency to match the organization's risk profile and rate of environmental change.

03Ad Hoc = Forms and Disbands

The defining characteristic of an ad hoc assessment that distinguishes it from all others is the temporary committee formation and disbanding. Every exam scenario that mentions a team being convened for a specific concern and then returning to their regular jobs is describing an ad hoc assessment.

Classic exam scenario pattern:

  • A senior leader (CEO, CISO, board member) raises a specific concern
  • A team is assembled from various departments
  • The team assesses the specific concern
  • The team presents findings and recommendations
  • Team members return to their regular roles

This pattern = ad hoc. The trigger is always an unplanned concern (conference, news article, regulatory inquiry, executive question) — not a scheduled calendar date and not a project milestone.

Memory: "Ad hoc = formed for one thing, then gone." Like an emergency committee that solves one problem and dissolves.

04Changes = New Risk: Always Assess Before Approving

Continuous risk assessment has one critical exam implication: every change going through the CCB requires a risk assessment. This is not optional, and a rollback plan does not substitute for it.

Why every change? Because changes are the primary source of new risk introduction between periodic assessments. Examples:

  • Firewall rule change → What new exposure does this create?
  • New software deployment → What new vulnerabilities does this software have?
  • Cloud migration → What new compliance obligations apply to this region?
  • Third-party integration → What data is now shared, and is the third party secure?

Exam scenario: "A change request is submitted with an implementation plan and backout plan but no risk assessment. Should the CCB approve it?" Answer: No. The risk assessment is a required component. The CCB cannot evaluate the change's security impact without it.

The gap between change-control risk assessment and periodic assessment is where most real-world security incidents originate: a change introduced a vulnerability that was never assessed, and the next periodic assessment was months away.

Practice Scenarios

Scenario 1: Assessment Type Classification

Classify each of the following activities into the correct risk assessment type and explain the classification: (A) The security team runs automated vulnerability scans every night and receives threat intelligence alerts in real time. (B) The compliance team conducts a comprehensive security review every September as required by the organization's insurance policy. (C) The board of directors reads about a significant data breach at a competitor and asks the CISO to form a team to compare the competitor's attack vector to the organization's defenses. The team reports back in two weeks and then returns to normal duties. (D) A company acquires a startup and the security team spends three months evaluating the startup's entire IT environment before integration.

Classify each (A-D) and explain the key indicator that identifies each type.

Answer: (A) Continuous assessment. Key indicators: no defined start/end, always running, automated tools (vulnerability scanner, threat intelligence), real-time awareness. No periodic intervals — it is ongoing. (B) Recurring assessment. Key indicators: fixed calendar schedule (every September), defined interval, repeated indefinitely. Also note: driven by an insurance requirement, which is a form of external mandate similar to PCI DSS. The consistent methodology over time enables trend comparison between years. (C) Ad hoc assessment. Key indicators: triggered by an unplanned external event (competitor breach news + board concern), a temporary team was specifically formed, the team disbands and returns to normal roles after two weeks. The trigger was not a scheduled date. (D) One-time assessment. Key indicators: tied to a specific project (acquisition), defined scope (three months evaluating the startup), not repeated unless another acquisition occurs. The assessment serves a specific transient business event.

Scenario 2: PCI DSS Compliance Gap

A payment processing company is preparing for its annual PCI DSS audit. The QSA requests documentation of the organization's risk assessment process. The security team provides: a comprehensive risk assessment completed 14 months ago, an ad hoc assessment conducted 6 months ago after a phishing attack, and evidence of continuous vulnerability scanning. The QSA notes a compliance gap. What is the gap, and what must the organization do to address it?

Answer: The PCI DSS compliance gap is that the organization has not conducted a comprehensive formal risk assessment within the past 12 months (annually as required by PCI DSS Requirement 12.3). The last comprehensive assessment was 14 months ago, which is 2 months past the annual requirement. The ad hoc assessment after the phishing attack, while valuable, does not substitute for the annual formal risk assessment because: (1) it addressed only the specific phishing threat, not the comprehensive risk landscape; (2) PCI DSS requires a targeted risk analysis of the full cardholder data environment scope annually. The continuous vulnerability scanning demonstrates good continuous assessment practices but also does not satisfy the annual formal documented risk assessment requirement. To address the gap: the organization must immediately conduct (or rapidly complete) a formal annual risk assessment covering the full PCI DSS scope, document the results, and use findings to update the security program. For future compliance: schedule the annual assessment to occur at the same time each year with at least one month of buffer before the PCI DSS audit date.

Scenario 3: Change Control Risk Assessment Integration

A development team submits a change request to deploy a new API integration between the company's customer database and a third-party marketing analytics platform. The request includes: detailed implementation steps, a rollback plan, and an end-user impact assessment. The CCB chair requests that a risk assessment be added. The development team argues that since the marketing platform is a reputable vendor with SOC 2 certification, no risk assessment is needed.

Is the CCB chair correct? What should the risk assessment evaluate for this specific change?

Answer: The CCB chair is correct. SOC 2 certification of the vendor does not eliminate the need for a change-specific risk assessment, and a rollback plan does not substitute for risk analysis. The risk assessment for this specific API integration change must evaluate: (1) Data scope: what customer data fields will be transmitted to the marketing platform? Does this include PII, financial data, or other sensitive categories? Is this consistent with the privacy policy and any applicable data subject consent? (2) Controller-processor obligations: is a data processing agreement in place with the marketing platform (especially for GDPR-covered data)? (3) API security: is the API connection authenticated and encrypted? How are API keys managed and rotated? (4) New attack surface: does this API create a new path into the customer database from an external system? What are the authorization controls for API calls? (5) Data residency: where does the marketing platform store the data it receives? Does this comply with applicable data residency requirements? (6) Incident notification: if the marketing platform suffers a breach, how and how quickly will they notify the organization? The SOC 2 report confirms the vendor has security controls, but does not evaluate these integration-specific risks for this specific use case.