IT risk is any risk that is specific to information technology.
IT risk management deals with the IT risk within an organization.
In an organization, IT risk management may be done by the IT security department or the risk department.
Information security subjects:
- IT risk management framework
- IT risk assessments
It is convenient that organization plan a risk map, where they identify risks surrounding the organization.
Risk Maturity Model (RMM)
Business continuity is expanded on this post.
Supply Chain Security
An organization has to take care of their own IT security, but also the IT security of their vendors / providers and customers.
You can find more information about supply chain IT security on this post.
You can find more information about IT vendor risk management on this post.
Controls
Controls are measures that are implemented to mitigate a risk.
A control framework provides lists of common controls used for IT security. You can find control frameworks on this post.
Methods for control assessment:
- Security Control Assesstment (SCA)
- Penetration tests
- Vulnerability assessments
Security Control Assesstment (SCA) is a formal evaluation of security infrastructure mechanisms compared against a baseline or reliability expection. USA federal agencies perform SCAs based on control framework NIST SP 800-53.
Penetration tests and vulnerability management are discussed in their corresponding sections.
Risk Indicators
Key Risk Indicators (KRI) are used within IT governance to monitor risks.
You can read more about indicators on this post.