THE INSTITUTE OF FINANCE MANAGEMENT
FACULTY OF BUSINESS AND ECONOMICS (FBE)
  BACHELOR IN ACCOUNTING WITH INFORMATION TECHNOLOGY
             COURSE: INFORMATION SYSTEM AUDIT
                          CODE ITU 08213
                            STREAM C,
                           YEAR THREE
                       ACADEMIC 2024/2025
           NATURE OF WORK: INDIVIDUAL ASSIGNMENT
NAME: ERICK EZEKIEL GADIGA
REG. NUMBER: IMC/BAIT/2224396
Scenario-02
Introduction
Cloud computing is a transformative technology that enables organizations to access and
utilize computing resources over the internet, rather than relying on local servers or personal
computers. This model allows businesses to store data, run applications, and manage IT
infrastructure in a flexible and scalable manner. By leveraging cloud services, companies can
reduce costs associated with hardware procurement and maintenance while gaining the ability
to scale resources up or down based on demand. The primary types of cloud services include
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a
Service (SaaS), each offering varying levels of control and management.
Despite its advantages, cloud computing introduces new security challenges and risks that
organizations must address to ensure data integrity, confidentiality, and availability. Such
concerns include a lack of clear visibility into where the system is hosted, for example the
location of its servers and where the data is stored.
a) How would you apply the risk management life cycle to identify and assess the risks
associated with Nebula Intel Limited's cloud infrastructure?
Applying the Risk Management Life Cycle to Nebula Intel Limited's Cloud
Infrastructure
To effectively manage the risks associated with Nebula Intel Limited's transition to a cloud-
based IT infrastructure for its e-Inventory Management System, it is essential to apply the
risk management life cycle. This structured approach involves several key steps: risk
identification, risk assessment, risk response, and ongoing monitoring and review. Below is a
detailed explanation of each step in the context of Nebula Intel Limited.
Risk Identification
The first step in the risk management life cycle is identifying potential risks that could impact
the cloud infrastructure. This involves:
Objective: Identify potential risks that could affect cloud operations, data security, regulatory
compliance, and service availability.
RISK REGISTER: A risk register is a formal, living document or software-based tool that
records all identified risks within an organization. It acts as the central repository for risk
information and is essential for tracking and managing risk across departments. Each
identified risk is logged in the Risk Register.
Key entries include: Risk ID, description, likelihood, impact, owner, mitigation strategies,
and status. Example entry: Risk ID: CR-101; Description: data exposure; Likelihood:
Medium; Impact: High.
Risk Assessment
Once risks are identified, they must be assessed to determine their potential impact on the
organization.
Objective: Determine the likelihood and impact of each identified risk using qualitative or
quantitative methods. This involves two main components:
Qualitative Assessment: Evaluating risks based on their severity and likelihood using a
scoring system (e.g., low, medium, high). This helps prioritize which risks need immediate
attention.
Quantitative Assessment: Where possible, quantifying the financial impact of risks using
metrics such as potential loss in revenue or costs associated with data breaches.
RISK CHAMPIONS
Risk Champions are appointed individuals within each business unit or department (e.g., IT,
HR, Legal, Compliance) who play a key role in supporting risk management processes at the
operational level.
Role of Risk Champions:
   1.   Risk Champions from each department (IT, Legal, Operations, Compliance) provide
        domain-specific insights.
   2.   They assess departmental exposures and update risks relevant to their units.
   3.   Help ensure that risk identification is holistic across all operations.
   4.   Monitor the progress of assigned mitigation actions.
   5.   Ensure that risk mitigation strategies are implemented.
Risk Evaluation and Prioritization
Objective: Rank the risks to determine which require immediate attention or mitigation.
Application: High-priority risks (e.g., lack of encryption at rest, weak IAM policies) are
escalated to the Risk and Compliance Committee (RCC). The RCC evaluates whether the
organization's risk appetite and tolerance levels are breached.
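As an added illustration (not part of the original assignment), the following Python sketch models the Risk Register and the evaluation step described above: each entry carries the key fields listed earlier, risks are scored by likelihood times impact on the low/medium/high scale, ranked, and those at or above an assumed tolerance of 6 are flagged for escalation to the RCC. The CR-101 entry is the one from the text; the other entries, the owners and the tolerance value are constructed.

```python
from dataclasses import dataclass, field

SCALE = {"Low": 1, "Medium": 2, "High": 3}  # qualitative scale for likelihood and impact

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    owner: str
    mitigation: str = ""
    status: str = "Open"

    def score(self) -> int:
        """Likelihood x impact, a 1..9 rating used for ranking."""
        return SCALE[self.likelihood] * SCALE[self.impact]

@dataclass
class RiskRegister:
    # Assumed risk tolerance: scores at or above this breach appetite
    # and are escalated to the Risk and Compliance Committee (RCC).
    tolerance: int = 6
    risks: list = field(default_factory=list)

    def log(self, risk: Risk) -> None:
        # Risk IDs must be unique within the register.
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks.append(risk)

    def prioritised(self) -> list:
        """Open risks ranked highest score first (risk evaluation step)."""
        open_risks = [r for r in self.risks if r.status == "Open"]
        return sorted(open_risks, key=lambda r: r.score(), reverse=True)

    def escalate(self) -> list:
        """IDs of risks that breach tolerance and go to the RCC."""
        return [r.risk_id for r in self.prioritised() if r.score() >= self.tolerance]

def demo_register() -> RiskRegister:
    """Constructed sample entries; CR-101 mirrors the entry in the text."""
    reg = RiskRegister()
    reg.log(Risk("CR-101", "Data exposure", "Medium", "High", "IT",
                 "Encrypt data at rest; restrict storage access"))
    reg.log(Risk("CR-102", "Weak IAM policies", "High", "High", "IT",
                 "Enforce MFA and least privilege"))
    reg.log(Risk("CR-103", "Provider patch delays", "Medium", "Medium",
                 "Compliance", "Patch SLA in provider agreement"))
    return reg
```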
Risk and Compliance Committee (RCC)
The Risk and Compliance Committee (RCC) is a high-level governance body responsible
for overseeing and directing the organization's enterprise risk and compliance strategy. It
includes senior leadership from Legal, IT, Compliance, and Audit, evaluates proposed
controls, and provides strategic guidance on risk decisions.
 Key Responsibilities
    i.   Review and approve the Risk Register and major risk entries.
   ii.   Prioritize risk treatment strategies aligned with business goals.
  iii.   Approve resource allocation for risk mitigation.
  iv.    Monitor compliance with regulatory requirements (e.g., GDPR, ISO 27001).
   v.    Make strategic decisions about risk tolerance and risk appetite.
  vi.    Escalate high-risk items to the Board if needed.
Risk Treatment and Mitigation
Objective: Define actions to reduce or manage risk to an acceptable level.
Treatment Options:
   i.   Accept the risk (if within tolerance).
  ii.   Mitigate the risk (e.g., through firewalls, encryption, MFA).
 iii.   Transfer the risk (e.g., via cloud provider SLAs or cyber insurance).
  iv.   Avoid the risk (e.g., not using a particular cloud service).
 Risk Monitoring and Reporting
Objective: Continuously monitor the effectiveness of risk controls and adjust as necessary.
Application: Monthly or quarterly reviews of the Risk Register. Cloud logs and security
alerts are continuously monitored. Risk Champions report updates to the RCC.
Reporting Structure:
Risk Champions → Department Heads → RCC
RCC consolidates reports and communicates with executive leadership and board.
Risks associated with accessing data online
Reputational Damage: Reputational damage is one of the most severe consequences that
can arise from mishandling data online. When an organization suffers a data breach or fails to
protect sensitive information adequately, it can lead to:
Loss of Customer Trust: Customers expect their personal information to be safeguarded. A
breach can erode trust and lead customers to seek alternatives.
Negative Publicity: Media coverage surrounding data breaches often highlights the
organization's failure to protect its customers, leading to negative perceptions in the public
eye.
Impact on Brand Value: Long-term reputational damage can affect brand equity and market
position, resulting in decreased sales and customer loyalty.
Data Breaches: Data breaches are among the most pressing concerns when accessing data
online. They occur when unauthorized individuals gain access to sensitive information, which
can result in:
Financial Losses: Organizations may incur substantial costs related to forensic
investigations, legal fees, and remediation efforts following a breach.
Identity Theft: Breached personal information can be used for identity theft, leading to
further complications for affected individuals and potential lawsuits against the organization.
Intellectual Property Theft: Sensitive corporate data or proprietary technology may be
stolen during a breach, jeopardizing competitive advantage.
Compliance Violations and Penalties
Organizations must adhere to various regulations governing data protection and privacy.
Non-compliance can lead to severe penalties:
Regulatory Fines: Laws such as GDPR impose hefty fines on organizations that fail to
comply with data protection standards. These fines can reach millions of dollars depending
on the severity of the violation (The General Data Protection Regulation).
Legal Action: Affected individuals may file lawsuits against organizations for failing to
protect their personal information adequately. This legal exposure can result in costly
settlements or judgments.
B) Which five (5) specific vulnerabilities in cloud-based systems would you focus on
during the risk management process?
Poor Authentication Mechanisms: Weak authentication practices can lead to unauthorized
access to sensitive data and applications. This vulnerability arises from inadequate password
policies, lack of multi-factor authentication (MFA), or reliance on easily guessable
credentials. If attackers gain access through compromised credentials, they can manipulate
data, steal information, or disrupt services. Implementing strong authentication measures,
such as MFA and robust password policies, is essential to mitigate this risk.
Lack of Control Over System Updates and Patch Management
Cloud applications rely on underlying software and operating systems managed by either the
organization or the cloud provider. Delays or gaps in applying critical security patches leave
systems exposed. Furthermore, in a cloud environment, organizations often rely on service
providers to manage system updates and patches. This lack of control can result in delayed
updates or failure to address known vulnerabilities promptly. Unpatched systems are
susceptible to exploitation by cybercriminals who take advantage of known vulnerabilities.
Organizations should establish clear agreements with service providers regarding update
schedules and ensure that they have visibility into the patch management process.
Insufficient Access Controls
Inadequate access controls can lead to excessive permissions granted to users or applications
within a cloud environment. This vulnerability often stems from poor identity and access
management practices. When users have more privileges than necessary, it increases the risk
of accidental or malicious actions that could compromise system integrity or data security.
Implementing role-based access control (RBAC) and regularly reviewing user permissions
are critical steps in mitigating this vulnerability.
Data Exposure and Inadequate Encryption: Without strong encryption, data stored or
transmitted via cloud platforms can be intercepted, especially during backups, replication, or
API calls. The e-Inventory system likely stores financial records, product data, and possibly
customer details. Any data leak could lead to regulatory violations and reputational damage.
This vulnerability is compounded by a lack of key management or poor implementation of
encryption protocols. Mitigation: enforce end-to-end encryption.
c) How would you mitigate the five (5) risks related to data breaches and unauthorized
access to the cloud infrastructure?
Strong Authentication Policy: A strong authentication
policy is critical in safeguarding cloud infrastructure against unauthorized access. This
involves implementing multi-factor authentication (MFA), which requires users to provide
two or more verification factors to gain access. MFA typically combines something the user
knows (password), something the user has (a mobile device or hardware token), and
something the user is (biometric verification). By enforcing a strong authentication policy,
Nebula Intel can significantly reduce the risk of unauthorized access due to compromised
credentials. Additionally, password management practices should be established, including
regular password changes, complexity requirements, and prohibiting password reuse. This
approach ensures that even if a password is compromised, additional layers of security will
protect sensitive data.
Separation Between Application and Database Servers: Implementing a clear separation
between application servers and database servers is another effective strategy for mitigating
risks related to data breaches. By isolating these components within the cloud architecture,
organizations can minimize the attack surface available to potential intruders. This separation
ensures that even if an attacker gains access to the application layer, they cannot directly
interact with the database without additional authentication measures. Network segmentation
can be employed to create distinct zones within the cloud environment where different types
of traffic are controlled and monitored. Firewalls and virtual private networks (VPNs) can
further enhance this separation by restricting access based on predefined rules.
Awareness Training: Human error remains one of the leading causes of data
breaches; therefore, conducting regular awareness training for employees is vital in
mitigating risks associated with unauthorized access. Training programs should
educate staff about best practices for data security, including recognizing phishing
attempts, understanding social engineering tactics, and adhering to company
policies regarding data handling. Awareness training should also cover how
employees can identify suspicious activities within their accounts or systems. By
fostering a culture of security awareness among employees at Nebula Intel
Limited, organizations can empower their workforce to act as an additional line of
defense against potential threats.
Regular System Audits: Conducting regular system audits is essential for identifying
vulnerabilities within cloud infrastructure that could lead to data breaches or unauthorized
access. These audits should include comprehensive assessments of security controls,
configurations, compliance with regulatory standards, and overall system performance.
Audits help organizations detect anomalies or deviations from established security protocols
before they escalate into significant issues. Automated tools can assist in monitoring logs for
unusual activity patterns while manual reviews ensure that all aspects of security are
evaluated thoroughly. Establishing a routine audit schedule allows Nebula Intel Limited to
maintain continuous oversight over its cloud environment.
Least Privilege Policy: Implementing a least privilege policy ensures that users have only
the minimum level of access necessary to perform their job functions effectively. This
principle limits exposure by reducing permissions granted to users based on their roles within
the organization. By regularly reviewing user permissions and adjusting them as needed,
especially when employees change roles or leave the company, Nebula Intel can minimize
opportunities for unauthorized access or accidental data exposure. Role-based access control
(RBAC) mechanisms can facilitate this process by automatically assigning permissions based
on predefined roles rather than individual user requests.
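The following Python example is added here and is not from the assignment; it illustrates both the Insufficient Access Controls vulnerability and the Least Privilege Policy mitigation by comparing each user's granted permissions with what their roles entitle them to, flagging the excess during a periodic review, and rebuilding grants on a role change or departure instead of letting them accumulate. The roles, permission names and sample users are constructed.

```python
# Role -> permissions it is entitled to (constructed for the e-Inventory system).
ROLE_PERMISSIONS = {
    "warehouse_clerk": {"inventory:read", "inventory:update"},
    "accountant": {"inventory:read", "ledger:read", "ledger:write"},
    "auditor": {"inventory:read", "ledger:read", "audit_log:read"},
}

def entitled_permissions(roles):
    """Union of the permissions granted by every role a user holds."""
    allowed = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        allowed |= ROLE_PERMISSIONS[role]
    return allowed

def excess_permissions(user):
    """Permissions granted to the user beyond what their roles justify."""
    return set(user["granted"]) - entitled_permissions(user["roles"])

def review_all(users):
    """Periodic review: user name -> sorted excess grants, only where findings exist."""
    findings = {}
    for user in users:
        excess = excess_permissions(user)
        if excess:
            findings[user["name"]] = sorted(excess)
    return findings

def apply_role_change(user, new_roles):
    """On a role change, rebuild grants from the new roles rather than adding to old ones."""
    user["roles"] = list(new_roles)
    user["granted"] = sorted(entitled_permissions(new_roles))
    return user

def offboard(user):
    """Leaver: remove every role and, with them, every grant."""
    return apply_role_change(user, [])

# Constructed sample users; joseph and grace carry grants their roles do not cover.
SAMPLE_USERS = [
    {"name": "amina", "roles": ["warehouse_clerk"],
     "granted": ["inventory:read", "inventory:update"]},
    {"name": "joseph", "roles": ["accountant"],
     "granted": ["inventory:read", "ledger:read", "ledger:write", "inventory:delete"]},
    {"name": "grace", "roles": ["auditor", "accountant"],
     "granted": ["ledger:read", "audit_log:read", "iam:admin"]},
]
```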
Conclusion
In conclusion, mitigating risks related to data breaches and unauthorized access in cloud
infrastructure requires a multifaceted approach encompassing strong authentication policies,
separation between application and database servers, employee awareness training, regular
system audits, and least privilege policies. By implementing these strategies effectively
within its IT framework for the Nebula GenX e-Inventory Management System, Nebula Intel
Limited can enhance its security posture while leveraging the benefits offered by cloud
computing.