Expresso® 3.5







  • Click here to learn about Expresso® Risk Assessments
  • Click here to learn about Expresso® Breach Notification Wizard 
  • Click here to learn about Expresso® Compliance Repository (single version of the truth) & access to all Products
  • Click here to learn about Expresso® Business Partner Vetting (BPV) (Expresso® Silver)
  • Click here to learn about Expresso® Requestor 

Download Expresso® 3.5 Data Sheet

Below we provide only a general overview of Expresso®'s functionality; the details are covered on the pages linked above.


"Before using Expresso® and the HIPAA Survival Guide products, I was unfamiliar with the extent of compliance regulations. I feel I received a 'college education' in Regulatory Compliance by watching videos, reading the documentation, and attending monthly webinars that are educational. Webinars provided by 3Lions are outstanding!..." Shirleen Sando – Privacy & Security Officer

What QuickBooks Online ("QBO") did for accounting, Expresso® does for Risk Assessments. QBO did not eliminate all the work associated with accounting. What it did was transform accounting from a necessary evil, something to be avoided at all costs and/or handed over to a third party, into something that a business person could master at a basic to intermediate level.

Expresso® comes pre-populated with (T)hreats, (V)ulnerabilities, and potential business (I)mpacts to your organization, making the calculation of (R)isks easier than the tedious process that our competitors offer. In addition to pre-populating Threats, Vulnerabilities and Impacts, Expresso® allows you to modify all pre-populated data in the manner that best fits your organization.


The following list summarizes Expresso®'s principal features. Expresso®

  1. allows you to bulk import Security Objects (people, places, and things that Security Controls are applied to);
  2. comes pre-populated with known threats and vulnerabilities to allow for easier pairing of the two;
  3. allows Security Objects to be categorized via a user defined taxonomy so that Controls can be applied at various levels of classification;
  4. allows you to retain instances of past RAs for reporting purposes;
  5. allows for tracking the results of the Security Controls applied in the remediation step; and
  6. is based on an authoritative methodology (e.g. NIST SP 800-30) so as to meet regulatory compliance objectives.

Expresso® "productizes" the equation and the process that emerges from the NIST methodology as depicted in the graphic below:


Expresso® provides the following:

  1. Pre-populated (T)hreats, (V)ulnerabilities, (I)mpacts, (R)isks, and (C)ontrols ("TVRCs"): allow you to perform a Risk Assessment in hours, instead of weeks or months;
  2. The ability to capture an unlimited number of Risk Assessments over time in order to show visible, demonstrable evidence of past compliance;
  3. The ability to import Security Objects (e.g. people, processes, PCs, servers, networks, applications, databases, physical plant, etc.) from your existing systems thereby minimizing the amount of data entry required;
  4. Tracking mechanism(s) for capturing Risk Assessment process results in the form of predefined reports: the measurement;
  5. The ability to import (T)hreats and (V)ulnerabilities from authenticated sources: leveraging industry data where available;
  6. The ability to directly link to the full source code of Security Rule Controls on the HIPAA Survival Guide website;
  7. Scalability, reliability, and availability built-in out-of-the-box using Microsoft's cloud platform Azure; and
  8. Much, much more, including a UI that was built for ease of use and clarity that increases your Risk Assessment productivity on day one.


Expresso® provides visible, demonstrable evidence of your organization's compliance with the HIPAA Security Rule's Risk Assessment requirement. When combined with the rest of our Subscription Plan we provide the most comprehensive set of products available, at a price point unmatched elsewhere.