Overview

Monitoring internal risk is a large part of a risk management plan. It involves knowing what the vulnerabilities are, how likely an attacker is to be able to exploit each one, and what the impact would be if they did. Each vulnerability can be fixed, mitigated, accepted, or transferred (for example, through insurance or a contractual obligation on a supplier). Monitoring the risk does not keep the situation from changing; it makes sure that when the situation does change, the increase in system risk is noticed and the treatment decision is revisited rather than left stale.

Why are they asking this?

The landscape of information assurance is constantly changing and shifting. New vulnerabilities are being discovered, new tactics and techniques are being used, and new defenses are being developed. Because these factors change, the risk to systems changes with them. A risk that had been mitigated might become a risk again because a new technique to bypass the mitigation was discovered, or because the control that mitigated it was quietly disabled or misconfigured. Conversely, a new security tool or a software upgrade may lower the risk level, so the organization should be able to lower the recorded risk as well as raise it.

What do they expect?

An active risk management strategy that includes monitoring of internal risk is expected of every mature organization. There should be documented policies and procedures on how risk is assessed, calculated, and monitored: who owns each risk, how likelihood and impact are scored, how often risks are reviewed (on a fixed cadence and after significant changes such as a new deployment or a newly published vulnerability), and how changes in risk are escalated. The interviewer is looking for evidence that risk is tracked as a living register rather than assessed once and filed.