This document provides an overview of risk analysis and risk management for information systems. It begins by defining key terms like risk, vulnerability, and threat. It then lists common categories of risks including audit risk, control risk, business risk, continuity risk, detection risk, material risk, inherent risk, and security risk. The document also outlines the typical steps in risk management, which include developing a risk team, identifying assets and threats, performing risk analysis and mitigation, and monitoring. Finally, it discusses strategies for controlling risks, such as avoiding, reducing, accepting, or transferring risk.

1. RISK ANALYSIS
Samwiri Wagema
Mob: 0772-663310

2. Learning objectives
At the end of this session, a participant should be in position
to:
i) Explain the terms risk, risk analysis, risk management
ii) Explain the categories of risks in Information management
iii) Mention the Risk Management steps
iv) Describe the Risk control strategies

3. Introduction
Modern networks and computerized data systems are highly
complex. Information managers responsible for auditing these
systems must ask a fundamental question “What do I audit?”
One way an Information Manager can determine what to audit
is to use risk analysis.
Risk can not be discussed in void. When discussing risk,
vulnerability and threat must also be reviewed.
Risks can threaten an Organisation by financial, operational or
regulatory means

4. According to Gregg (2023, p32)
Risk is the exposure or potential for loss or damage
to IT assets within that IT infrastructure
Vulnerability is weakness in a system or process
Threat can be seen as frequency

5. Reflective scenario 1
♦Mukasa Rebecca is a Sales Executive with Unilever Uganda,
she logs into her computer with a privileged account,
checks her email and inadvertently downloads a virus.
♦Since Mukasa is a member of the Domain Administrator
group the virus has full rights to her computer, all servers,
all files, and the entire domain.
♦This could cause serious damage and result in critical
systems down time.
♦As an Information Security Manager, how you can mitigate
against this scenario in future?

6. Reflective scenario 2
♦To protect user accounts in the Active Directory domain, an
information manager must configure and implement a domain
password policy that provides sufficient complexity, thus, she/he
can make it hard for an attacker to crack user passwords using
the brute-force attack, or capture passwords when sent over a
network.
(i) Briefly explain all the available six password policies in
Windows default domain policy.
(ii) Identify two Account Lockout password policies configured in
GPO section of Windows Server 2012 operating system.

7. Categories of Risks
Some common categories of risks include:
i) Audit risk: The risk that the audit report might contain a
material error or that an error might exist that the
auditor did not detect.
ii) Control risk: The risk that a material error may exit that
might not be detected by the system of internal controls
iii) Business risk: The risk that will affect the business’s
fundamental goals

8. iv) Continuity risk: The risk that the business faces that might
keep it from recovering from a disaster.
v) Detection risk: The risk that an improper test is performed that
will not detect a material error
vi) Material risk: An unacceptable risk
vii) Inherent risk: The risk that a material error will occur because
of weak controls or no controls
viii) Security risk: The risk that unauthorized access to data will
result in the exposure or loss of integrity of the data

9. Risk Management
Risk Management: The overall responsibility and
management of risk within an organisation.
Is the responsibility and dissemination of roles,
responsibilities and accountabilities for risk in an
organisation

10. Risk Management steps
Risk management follows a defined process that includes
the following steps:
1. Develop a risk management team- responsible the risk
assessment process
2. Identify assets
3. Identify threats
4. Perform risk analysis
5. Perform risk mitigation
6. Monitor

11. Risk mitigation addresses how risks will be handled. This can be
done in four ways
i) Avoid risk: You simply don’t perform the activity that allows
the risk to be present
ii) Reduce risk: Is one of the common methods of dealing with
risk. An example would be installing a firewall or
implementing new internal accounting control
iii) Accept risk: This means that the organisation knows about
the risk but makes a conscious decision to accept the risk.
Example. A biz might be considering building an e-commerce
website but has determined that it will face an added risk
Risk control strategies

12. iv) Transfer risk:
This involves placing the risk in someone else’s hands.
Example is insurance- insurance is an ongoing expense,
time consuming and costly to document and settle
relatively small losses.
Even small payouts by the company can have an adverse
effect on future insurance costs.

13. Thanks for Listening