IT Risk Management
Published May 10, 2024
Roles and Responsibilities
In IT risk management, documented frameworks such as ISO/IEC 27005 and NIST Special Publication 800-39 guide the process, which typically involves:
- Identification of assets, threats, and vulnerabilities.
- Assessment of risks, often categorized as low, medium, or high.
- Prioritization of risks based on likelihood (how often a threat is expected to materialize) and severity (the impact if it does).
- Risk treatment, choosing among avoidance, control (mitigation), acceptance, or transfer of each prioritized risk.
Common roles and responsibilities in IT risk management are:
- Asset Owners: Typically senior decision-makers such as vice presidents; accountable for the operational IT systems they own and for deciding which risk treatment option is applied to each risk affecting them.
- Control Operators: Individuals who execute procedures to control risks, such as analysts monitoring for unusual patterns indicating potential attacks.
- Compliance Team: Knowledgeable about laws, regulations, and best practices, they guide asset owners on addressing well-known risks to ensure compliance.
- Internal Audit Team: Conducts periodic testing of controls to ensure