Asset Risk Assessment - ASA
A risk assessment requires that management identify, assess, measure, mitigate, and monitor the risks that may be present because of the type of services offered and the systems used to deliver those services. Generally, scoped risk assessments are asset focused and qualitative in nature. In a qualitative approach, we assign a rating to each risk and countermeasure, derived from a consensus opinion of E3 and the organization being tested. We develop scenarios to lay out the possible threats and their likelihood and impact. We then factor in compensating and mitigating controls to determine the residual risk the organization may carry with regard to its critical assets.
TESTING OBJECTIVES
A basic risk assessment follows this outline:
Our security team will conduct a high-level review of the existing environment prior to any onsite work:
Review any existing third-party IT controls reviews
If no controls reviews have been performed, this work should be added to the scope
Interview experts within the organization to identify assets
Develop risk scenarios
Identify threats from risk scenarios
Rank the seriousness of threats and estimate the probability of occurrence
Rank effectiveness of various countermeasures (mitigating/compensating controls)
Quantify the aggregate risks based on severity and impact score prior to control
Identify primary controls and secondary controls (if any)
Finalize the risk ranking and demonstrate residual risk in a comprehensive risk matrix
Review report with internal staff
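As an added illustration (not E3's own method or code), the scoring steps above modeled in Python: an inherent score before controls, a residual score after primary and secondary controls, a ranking, and placement on a 5x5 risk matrix. The 1-5 scales, the control effectiveness model, the half weighting of secondary controls and the sample scenarios are all assumptions made for this example.

```python
# Added example, not E3's methodology: a minimal qualitative risk register.
# Assumed scales: likelihood and impact 1..5, control effectiveness 0..3.
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    kind: str           # "mitigating" lowers likelihood, "compensating" lowers impact
    effectiveness: int  # assumed 0..3 rating agreed by consensus
    primary: bool = True


@dataclass
class Scenario:
    asset: str
    threat: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any control is credited."""
        return self.likelihood * self.impact

    def residual(self) -> tuple:
        """Apply controls: primary controls count in full, secondary controls at
        half (rounded down); neither rating drops below 1. Returns (lik, imp, score)."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            reduction = c.effectiveness if c.primary else c.effectiveness // 2
            if c.kind == "mitigating":
                lik = max(1, lik - reduction)
            elif c.kind == "compensating":
                imp = max(1, imp - reduction)
        return lik, imp, lik * imp


def rank(scenarios):
    """Scenarios ordered by residual score, highest first."""
    return sorted(scenarios, key=lambda s: s.residual()[2], reverse=True)


def risk_matrix(scenarios):
    """5x5 grid (row 0 = impact 5, column 0 = likelihood 1) marked with asset initials."""
    grid = [["." for _ in range(5)] for _ in range(5)]
    for s in scenarios:
        lik, imp, _ = s.residual()
        grid[5 - imp][lik - 1] = s.asset[0]
    return grid


SAMPLE = [  # constructed scenarios for illustration only
    Scenario("Customer DB", "credential theft via phishing", 4, 5,
             [Control("MFA", "mitigating", 2),
              Control("Encrypted offline backups", "compensating", 1, primary=False)]),
    Scenario("Web portal", "unpatched vulnerability exploited", 3, 4,
             [Control("Monthly patching", "mitigating", 1)]),
]
```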
E3 can use many different frameworks for risk assessments. The most common approach is based on our customized version of NIST SP 800-30.