
Asset Risk Assessment - ASA

DESCRIPTION

A risk assessment requires that management identify, assess, measure, mitigate, and monitor the risks that arise from the services an organization offers and the systems used to deliver them. Most scoped risk assessments are asset focused and qualitative. In a qualitative approach we assign a rating to each risk and countermeasure, derived from the consensus opinion of E3 and the organization being assessed. We develop scenarios that lay out the possible threats, their likelihood, and their impact, then factor in compensating and mitigating controls to determine the residual risk the organization carries on its critical assets.


TESTING OBJECTIVES

A basic risk assessment follows this outline:

Our security team conducts a high-level review of the existing environment before any onsite work:

  • Review any existing third-party IT controls review

    • If no controls review has been performed, one should be added to the scope

  • Interview experts within the organization to identify assets

  • Develop risk scenarios

  • Identify threats from the risk scenarios

  • Rank the seriousness of each threat and estimate its probability of occurrence

  • Rank the effectiveness of the available countermeasures (mitigating and compensating controls)

  • Quantify the aggregate risk from the severity and impact scores before any control is applied

  • Identify primary controls and secondary controls (if any)

  • Finalize the risk ranking and present residual risk in a comprehensive risk matrix

  • Review the report with internal staff

E3 can use many different frameworks for risk assessments. The most common approach is based on our customized (light) version of NIST SP 800-30.
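The steps above (rate likelihood and impact, rank control effectiveness, compute aggregate risk before controls, then residual risk in a matrix) can be carried out with a small risk register. The following is an added example, not E3's own tooling or the NIST 800-30 worksheet. It assumes a 1 to 5 ordinal scale for likelihood and impact, inherent risk = likelihood x impact, control effectiveness as a consensus fraction that scales down the factor it addresses, and the score bands used by `band()`; the assets, threats and controls are constructed sample data.

```python
"""Qualitative asset risk register with inherent and residual risk matrix (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed ordinal scale for both likelihood and impact.
LEVELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass
class Control:
    name: str
    kind: str             # "primary" or "secondary" (compensating)
    reduces: str          # "likelihood" or "impact"
    effectiveness: float  # consensus rating: 0.0 (no effect) .. 1.0 (removes the factor)


@dataclass
class Scenario:
    asset: str
    threat: str
    likelihood: int       # 1..5
    impact: int           # 1..5
    controls: list = field(default_factory=list)


def validate(s: Scenario) -> None:
    """Reject ratings outside the scale; a bad rating silently skews the whole matrix."""
    if not (1 <= s.likelihood <= 5 and 1 <= s.impact <= 5):
        raise ValueError(f"{s.asset}/{s.threat}: likelihood and impact must be 1..5")
    for c in s.controls:
        if c.kind not in ("primary", "secondary") or c.reduces not in ("likelihood", "impact"):
            raise ValueError(f"{c.name}: kind must be primary/secondary, reduces likelihood/impact")
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must be between 0 and 1")


def band(score: int) -> str:
    """Assumed bands over the 1..25 product scale."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Moderate"
    if score <= 16:
        return "High"
    return "Critical"


def inherent(s: Scenario) -> int:
    """Aggregate risk before any control is applied."""
    validate(s)
    return s.likelihood * s.impact


def residual_factors(s: Scenario) -> tuple:
    """Apply every control to the factor it reduces, then snap back to the ordinal scale.
    A control never drives a factor below 1: some risk always remains."""
    validate(s)
    lik, imp = float(s.likelihood), float(s.impact)
    for c in s.controls:
        if c.reduces == "likelihood":
            lik *= 1.0 - c.effectiveness
        else:
            imp *= 1.0 - c.effectiveness
    return max(1, round(lik)), max(1, round(imp))


def residual(s: Scenario) -> int:
    lik, imp = residual_factors(s)
    return lik * imp


def register(scenarios: list) -> list:
    """One row per scenario, ready for the report table."""
    return [{
        "asset": s.asset, "threat": s.threat,
        "inherent": inherent(s), "inherent_band": band(inherent(s)),
        "primary": [c.name for c in s.controls if c.kind == "primary"],
        "secondary": [c.name for c in s.controls if c.kind == "secondary"],
        "residual": residual(s), "residual_band": band(residual(s)),
    } for s in scenarios]


def matrix(scenarios: list, use_residual: bool = True) -> dict:
    """Map (likelihood, impact) cell -> scenario labels, for the inherent or residual view."""
    cells = defaultdict(list)
    for s in scenarios:
        lik, imp = residual_factors(s) if use_residual else (s.likelihood, s.impact)
        cells[(lik, imp)].append(f"{s.asset}: {s.threat}")
    return dict(cells)


def render(cells: dict) -> str:
    """5x5 grid, likelihood down the side (5 at top), impact across; cell = scenario count."""
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in range(1, 6))]
    for lik in range(5, 0, -1):
        lines.append(f"{lik:>3} " + " ".join(f"{len(cells.get((lik, i), [])):>3}" for i in range(1, 6)))
    return "\n".join(lines)


# Constructed sample scenarios (not real client data).
SCENARIOS = [
    Scenario("Core banking DB", "ransomware", 4, 5, [
        Control("EDR on all endpoints", "primary", "likelihood", 0.5),
        Control("Offline backups", "secondary", "impact", 0.6)]),
    Scenario("Online banking portal", "credential stuffing", 5, 3, [
        Control("MFA for customer login", "primary", "likelihood", 0.8)]),
    Scenario("File server", "insider data theft", 2, 4),  # no controls identified
]

if __name__ == "__main__":
    for row in register(SCENARIOS):
        print(row)
    print("Inherent:\n" + render(matrix(SCENARIOS, use_residual=False)))
    print("Residual:\n" + render(matrix(SCENARIOS)))
```

The third scenario is the case the matrix is meant to surface: with no control identified its residual risk equals its inherent risk, so it stays in the Moderate band while the two controlled scenarios drop to Low.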

Are you interested in E3 Services? Do you want more information or a proposal? For more information or to receive a Request For Proposal questionnaire please contact us toll-free at (866) 585-8324 or via email at webmaster@e3tech.net.
— Exceeding Every Expectation

NIST 800-30 Risk Assessment



TESTING OBJECTIVES

The NIST 800-30 risk assessment framework is widely recognized as one of the most comprehensive risk assessment processes. E3 has more than 15 years' experience guiding large and small state and federal agencies through the NIST 800-30 risk assessment. The key point is that adopting this framework gives an organization an ongoing process to continually assess and manage the risk to its IT assets.


Cyber Security Assessment

DESCRIPTION

E3 has helped many financial institutions understand and manage their cybersecurity risk using the Cybersecurity Assessment Tool (CAT) developed by the Federal Financial Institutions Examination Council (FFIEC). The CAT gives financial institutions a repeatable, measurable process for tracking their cybersecurity preparedness over time.


TESTING OBJECTIVES

The CAT consists of two parts:

  1. Inherent Risk Profile

  2. Cybersecurity Maturity

The Inherent Risk Profile identifies the institution’s inherent risk before implementing controls. The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the CAT is not designed to identify an overall cybersecurity maturity level.

The Assessment covers the institution’s inherent risk profile based on five categories:

  • Technologies and Connection Types

  • Delivery Channels

  • Online/Mobile Products and Technology Services

  • Organizational Characteristics

  • External Threats

Next, the assessment evaluates the institution's Cybersecurity Maturity for each of five domains:

  • Cyber Risk Management and Oversight

  • Threat Intelligence and Collaboration

  • Cybersecurity Controls

  • External Dependency Management

  • Cyber Incident Management and Resilience
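The maturity part of the CAT is scored per domain, and a domain only reaches a level when every declarative statement at that level and at all lower levels is attained; there is no overall maturity figure, as noted above. The following is an added example that implements that scoring rule, not the FFIEC's tool or E3's own workbook. The five level names (Baseline, Evolving, Intermediate, Advanced, Innovative) and the "Yes / Yes with compensating controls / No" answer choices are taken from the FFIEC CAT user's guide; the per-domain answers below are constructed sample data, and statements are grouped by level rather than carrying the CAT's real statement identifiers.

```python
"""Per-domain CAT maturity determination (added example)."""

# Ordered maturity levels from the FFIEC CAT; a level counts only if all lower levels are met.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# The five domains listed on the page.
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]

# "Y" = Yes, "Y(C)" = Yes with compensating controls, "N" = No.
ATTAINED = {"Y", "Y(C)"}


def domain_maturity(answers_by_level: dict) -> str:
    """Return the highest level whose statements, and all lower levels' statements, are attained.
    Returns "Below Baseline" when any Baseline statement is unmet. Raises if a level is missing
    or unanswered, because an incomplete assessment must not be scored."""
    attained = "Below Baseline"
    for level in LEVELS:
        answers = answers_by_level.get(level)
        if not answers:
            raise ValueError(f"no declarative statements answered for level {level}")
        if any(a not in ATTAINED | {"N"} for a in answers):
            raise ValueError(f"unrecognised answer in level {level}: {answers}")
        if any(a == "N" for a in answers):
            break  # gap here; higher levels cannot count even if fully answered "Y"
        attained = level
    return attained


def next_level_gaps(answers_by_level: dict) -> tuple:
    """(next level to work toward, number of unmet statements at that level), or (None, 0) at top."""
    current = domain_maturity(answers_by_level)
    idx = -1 if current == "Below Baseline" else LEVELS.index(current)
    if idx + 1 >= len(LEVELS):
        return None, 0
    target = LEVELS[idx + 1]
    return target, sum(1 for a in answers_by_level[target] if a == "N")


def assess(assessment: dict) -> dict:
    """Score every domain separately; deliberately no overall roll-up, matching the CAT's design."""
    missing = [d for d in DOMAINS if d not in assessment]
    if missing:
        raise ValueError(f"domains not assessed: {missing}")
    return {d: domain_maturity(assessment[d]) for d in DOMAINS}


# Constructed sample answers, a handful of statements per level (real domains have many more).
ASSESSMENT = {
    "Cyber Risk Management and Oversight": {
        "Baseline": ["Y", "Y", "Y(C)"], "Evolving": ["Y", "Y"],
        "Intermediate": ["Y", "N"], "Advanced": ["N", "N"], "Innovative": ["N"]},
    "Threat Intelligence and Collaboration": {
        "Baseline": ["Y", "N"], "Evolving": ["Y"],
        "Intermediate": ["N"], "Advanced": ["N"], "Innovative": ["N"]},
    "Cybersecurity Controls": {
        "Baseline": ["Y", "Y", "Y"], "Evolving": ["Y", "Y"],
        "Intermediate": ["Y", "Y"], "Advanced": ["Y"], "Innovative": ["Y"]},
    "External Dependency Management": {
        "Baseline": ["Y", "Y"], "Evolving": ["Y"],
        "Intermediate": ["Y(C)"], "Advanced": ["N"], "Innovative": ["Y"]},  # Innovative "Y" does not count
    "Cyber Incident Management and Resilience": {
        "Baseline": ["Y", "Y"], "Evolving": ["N", "Y"],
        "Intermediate": ["N"], "Advanced": ["N"], "Innovative": ["N"]},
}

if __name__ == "__main__":
    for domain, level in assess(ASSESSMENT).items():
        target, unmet = next_level_gaps(ASSESSMENT[domain])
        print(f"{domain}: {level}; next target {target} with {unmet} unmet statement(s)")
```

The External Dependency Management entry is the case to watch for in a spreadsheet-driven assessment: an Innovative statement answered "Yes" above an unmet Advanced statement does not raise the domain, which stays at Intermediate.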
