IT risk management includes all of the
activities that an organization carries out to
manage information technology related risks. IT
risk management is a formalized process and
includes:
- Risk Assessment
- Risk Analysis
- Risk Treatment
- Risk Mitigation
- Risk Review and Evaluation
1. Risk Assessment (Identify Risks)
Risk Assessments identify possible sources of
risk. They identify threats or events that could
have a meaningful impact on the organization.
2. Risk Analysis (Impact)
Risk Analysis considers the probability and
magnitude of each event. Risk evaluation
compares the estimated risk with a set of risk
criteria to determine the significance of the
risk.
3. Risk Treatment (Risk Response Action
Plan)
Risk Treatment identifies how each risk is to be
addressed with preventive, detective, and
corrective controls. Residual risk is the risk
left over after implementing risk treatment
steps that avoid the risk, transfer the risk,
reduce the risk, or accept the risk.
4. Risk Mitigation (Risk Control)
Risk mitigation plans propose applicable and
effective security controls that manage the
risks. The plan should contain a schedule
outling the tasks to be performed, individuals
responsible for the actions, estimated dates,
etc.
5. Risk Review and Evaluation (Risk
Effectiveness)
Risk management plans change over time as the
business evolves, as new threats emerge, as
losses are incurred, and as management changes.
Review the effectiveness of your approach and
revise as necessary.
Risk
assessments help organizations identify,
manage, and reduce risks to acceptable levels.
Formal and documented
policies ensure
a top down approach to managing security risks.
Security Blog menu
Tags: risk management \ risk assessment |
risk analysis | risk treatment | risk reduction
|