The purpose of this study is to identify and quantify risks that may occur any time in the application of information technology in a company, as well as to provide information on the risks associated with the security of information technology system of the company. The methods used are: data collection and analysis techniques. Data collection includes: literature and field studies, in which the field study is conducted by interview and observation. Analytical technique used in the measurement of risk is OCTAVE-S. The results found the risks associated with security management, contingency planning, vulnerability management, as well as design and security architecture. It iscocluded from this this study that there are still a lot of risks that can threaten companies such as lack of contingency and disaster recovery plan.