Asset Risk Assessment - ASA


Risk assessment requires that management identify, assess, measure, mitigate, and monitor the risks that may be present due to the type of services offered and the systems employed to deliver those services. Generally, scoped-out risk assessments are asset-focused and qualitative in nature. In a qualitative approach, we assign a rating to each risk and countermeasure, derived from a consensus opinion of E3 and the organization being tested. We develop scenarios to lay out the possible threats and their potential likelihood and impact. We then factor in compensating and mitigating controls to determine the residual risk the organization may have with regard to its critical assets.


A basic risk assessment follows this outline:

Our security team will conduct a high-level review of the existing environment prior to any onsite work:

  • Review existing third-party IT controls reviews;

    • If controls reviews have not been performed, this should be added to the scope;

  • Interview experts within the organization to identify assets; 

  • Develop risk scenarios; 

  • Identify threats from risk scenarios; 

  • Rank the seriousness of threats and estimate probability of occurrence; 

  • Rank effectiveness of various countermeasures (mitigating/compensating controls); 

  • Quantify the aggregate risks based on severity and impact score prior to controls;

  • Identify primary controls and secondary controls (if any);

  • Finalize risk ranking and demonstrate residual risk in a comprehensive risk matrix;

  • Review report with internal staff.

E3 can utilize many different frameworks for risk assessments. The most common approach is based on our customized (light) version of NIST 800-30.

Are you interested in E3 Services? Do you want more information or a proposal? For more information or to receive a Request For Proposal questionnaire, please contact us toll-free at (866) 585-8324 or via email at webmaster@e3tech.net.