Include as part of the control assessments, announced or unannounced, on an organization-defined frequency, in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; and/or organization-defined other forms of assessment.