April 2023
ITSC1001
INFORMATION SYSTEMS RISK AND SECURITY
Assignment
Weightage: 25%
Project Submission deadline: Session 8
Assignment (Individual)
The purpose of project is to assess students on the following Learning Outcomes:
LO 1 Identify contemporary Information Systems in different industries.
LO 2 Analyse Information Systems and describe threats, vulnerabilities, risks, security breaches related to these Information Systems and outline the impact on organizations and their stakeholders.
LO 3 Identify security management standards and frameworks for securing Information Systems and discuss possible countermeasures in case-based scenarios.
__________________________________________________________________
Assignment Overview:
Students should carefully go through the given case study and produce a risk report. The report will analyse the likelihood and impact of threats and vulnerabilities, structured according to the NIST risk assessment framework, SP 800-30 Rev. 1 (https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final). The scope of the report is to identify and analyse risks and their impact; recommendations and proposals for risk treatment and mitigation will not be provided.
Case study:
THE VERY GOOD BEAN (VGB) is a registered not-for-profit coffee collective with four stylish cafés across Melbourne’s CBD and suburbs. The organization’s main purpose is to use its profits to combat the exploitation of coffee producers in developing countries. VGB sources single origin, traceable coffee beans directly from small-scale coffee farmers in Ethiopia & Kenya for import, roasting and retail sale at VGB’s 4 retail outlets. On-shore, VGB’s network of cafés manages all its daily business activities and operations through a rapidly built, bespoke SQL database system and VPN, known in-house as VGBnet. VGBnet integrates HR, accounts and POS for front-counter service and back-of-house operations with VGB HQ. Café menus vary in each location and are constantly changing. There are hundreds of different products that are purchased and tracked through inbound logistics and distribution to locations (each item includes product information critical to operations and inventory management, e.g., ID numbers, goods description, expiry control dates, and costs).
POS functionality handles bank reconciliation of customer card and touch payment and allows café staff to manage sales of food and beverages with mostly automated, synchronised inventory and order & supply management that provides timely payment of suppliers. Registration of café staff shifts in the system ensures all staff are paid on time and correctly. Recording the profits from sales and managing the disbursement of funds from the cafés is mission critical to VGB as they return all profits to farming communities in Ethiopia and Kenya, Africa.
The not-for-profit ensures that all the coffee it sells is traceable to its origin. This requires VGBnet to hold not only the full range of key business process data created in the acquisition, importation and sale of coffee, but also a collection of stories (digital, multi-media, including photographs, maps, text narrative, voice and music files) about the Ethiopian and Kenyan communities supplying the coffee. VGB uses this information to curate exhibitions about the VGB “coffee for a social good” journey, which are displayed on the walls of the cafés and on websites and shared through social media. VGB has a Facebook page with more than 12k followers, and it is rapidly becoming VGB’s major channel for brand management offshore. VGB’s focus is on community development activities in the marginalised rural areas of Ethiopia & Kenya where coffee is grown.
The rapid growth of the business over the first two years quickly convinced the 4 founding members (now constituting the Board of Directors) that they needed a permanent presence in both countries to manage supply chain logistics and help in coordinating philanthropic spending. VGB has set up regional offices in both Addis Ababa and Nairobi to coordinate the purchase of coffee beans and community development programs. There is always one Australian Director on rotation in Africa and Australian program staff visit regularly to work with local office staff. The VGB network and its trademark are now recognised in Ethiopia & Kenya as a brand that is supporting local communities and increasing the bargaining power of farmers.
Communications across VGBnet from Africa to Australia now run almost 24/7, ensuring that all business processes required for the order and delivery of coffee and the development of community programs are completed (e.g., purchase of materials, logistics records, maintenance, employment, granting of funds). VGB is diligent in paying customs duties and taxes for the coffee it exports and imports, with processing automated by the VGBnet system. While the system does incorporate secure document locks and access management that permits and controls employee access, a hunger for rapid growth has often been at the expense of robust internal control. As VGB has grown, the number and intensity of the reports that need to be processed and monitored have increased substantially. Processing these reports in an effective and timely manner has significant implications for the cost of operations as well as for the subsequent distribution of funds from VGB HQ, Australia. VGBnet is built on a reasonably open architecture, and it is one of the few systems of its type supporting built-in access to WhatsApp, a social media application adopted widely in Australia, Ethiopia, and Kenya. This gives VGB staff ready access to communication in the field with community members, and it allows HQ staff to send and receive invoices, statements of account, receipts, confirmations of payment and other documents directly to external clients.
VGB’s operations currently span three countries, and it is subject to the laws and regulations of each. At the same time, VGB must comply with Australian law as its HQ is registered in Australia. This can be challenging in situations where VGB staff operating in the host country are required to share information with the local authorities, as this may be deemed inappropriate under Australian law (e.g., the Privacy Act 1988 (Cth)). In these cases, VGB staff keep a record of the information they have shared with the host country, and they often need to communicate and consult with HQ in Australia about the best ways to handle information sharing. Information about each farming collective, individual client case files, legal files and associated records all need to be kept both by regional officers and at Australian HQ.
Staff are required to report to the local office periodically to provide updates on farms, supply logistics and community programs. VGB field staff visiting farms and regions are equipped with a set of mobile communication devices that can be mission critical for day-to-day operations. This includes smartphones and/or satellite phones (in remote areas), and a laptop. VGB practice has always allowed its field staff to use their own phones and laptops even when completing key operational functions, simply because staff seem happiest working with their own devices.
Recently, however, as VGB has grown, issues have started to crop up. Some of the issues take the form of incompatible document and file formats, and sometimes field staff working with different types of applications forget to save the files to VGBnet applications. In a few cases, malicious software has been introduced into the system and has affected local and regional operations significantly. Last year HQ’s POS and accounts system was infected and, although no significant damage or loss of financial data was identified, the more than 24 hours of downtime that resulted was costly. Allegedly the malicious code was brought in on the privately owned laptop of a VGB Australian staff member returning from an overseas assignment. For better or worse, the use of personal devices at work remains somewhat vexed and unregulated.
For recording income and meeting financial reporting and disclosure requirements, VGB must meet the reporting requirements of the ACNC (https://www.acnc.gov.au/for-charities/manageyour-charity/obligations-acnc). Where it is needed, VGB has worked with local communities to provide funding and support to build key facilities such as schools, clean water wells, sanitary facilities, and health clinics. VGB uses information from the schools’ programs not only for evidentiary purposes but also to share the good news about its work with Australian consumers.
GROWING CONCERN
Accountability and transparency are very high concerns in the not-for-profit sector, and VGB is no exception. The Directors want to know how much of every dollar they provide is being used to support the cause they have chosen, rather than being trimmed through selfish or fraudulent behaviour. However, shortcomings and errors identified in VGBnet’s community program management module have recently caused the postponement of several major program initiatives because of an inability to accurately track who has accessed funds and how all funds were used. As a result, the funding of major programs has been temporarily frozen while the issue is addressed. Uncertainty around system access overall has become a very serious dilemma for VGB staff at home and abroad. The founders are aware of the issue, although normally they plead ignorance when it comes to IT, and the operational aspects of IT are rarely discussed in detail at Director meetings.
There is no IT representative on the Board of Directors, nor does IT report to the board. IT department interests are represented by the managing accountant, who generally is not keen on occupying the Directors’ time with “non-strategic” issues. However, the Managing Director is aware of the current fund management issue and has commissioned a newly appointed IT Manager to improve the funds module and access management as soon as possible. There are growing concerns across the organisation that, while VGB’s integrated database system served everyone well in the early days, it is now becoming a liability that may need to be radically updated or replaced.
In the meantime, VGB’s HR manager has recently attended a presentation regarding Software as a Service (SaaS) in the HR area and is impressed with the benefits that could be gained by using a cloud-based/SaaS HR platform. She has initiated a discussion with Workday, a US-based SaaS provider. Ultimately, she intends to get funding directly from the Manager of Accounts and use it to purchase a SaaS service from one of the Human Resource Management Systems providers. According to one of her contacts in the HR profession, Workday’s Human Capital Management is a good solution for her contact’s company. There was a discussion about the data centre and servers being in the US, as the list of Australian clients is not big enough to justify an infrastructure presence here, but she doesn’t care about that. All she wants is better functionality for her team.
The management of VGB is aware of the importance of its data, and it believes VGB has a good data backup strategy in place. The backup of company data, which is now vast (it comprises operational data from multiple countries, transactional data from partners, goods and services providers, program information and more), is done monthly. The data backup service is provided “pro bono” by a small start-up company located in the Dandenong Ranges that is supportive of VGB’s mission and has leased enough bandwidth from an ISP to perform off-site backups on a regular basis.
One aspect of IT that everyone at VGB is proud of is the move from a static website to an interactive online shop front and exhibition space that integrates seamlessly with the VGB mobile app and social media accounts, providing a more personalised customer experience for lovers of good coffee and good causes alike. While the online store will also need to be integrated with VGBnet and VGB’s data management procedures, this hasn’t happened yet.
The recently appointed IT manager has been asked to investigate best practice management of VGB’s information assets, systems security, and the integration of the online shop with existing systems &/or the development of new solutions, and, importantly, where to host VGB’s systems: on an external cloud service or on their internal servers?
The report should provide the answer to the following tasks:
Identify the key roles and responsibilities of individuals and departments within the organisation as they pertain to risk assessment,
Carefully audit and analyse the case evidence, undertake an inventory, and identify information assets that include VGB’s most significant, physical &/or logical information resources, information of value and the information systems that must be accounted for in any approach to risk management,
Identify risks: provide an analysis of the threats and vulnerabilities that pose the greatest risks to VGB’s most important information assets (both information and information systems),
Prioritise the 5 most significant risks for VGB to manage, in order, in your assessment table.
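To show how the prioritised assessment table in the last task can be derived from a small risk register, here is an added example in Python (not part of the assignment brief or the case study), using the five qualitative likelihood and impact levels of NIST SP 800-30 Rev. 1. The six risks, their ratings and the level-binning rule are illustrative assumptions drawn from the case narrative, not findings.

```python
from dataclasses import dataclass

# The five qualitative levels used in NIST SP 800-30 Rev. 1 Appendix I.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass(frozen=True)
class Risk:
    asset: str          # information asset drawn from the case study
    threat: str         # threat event that could harm the asset
    vulnerability: str  # weakness the threat would exploit
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS


def score(level: str) -> int:
    """Map a qualitative level to a 1..5 semi-quantitative value."""
    return LEVELS.index(level) + 1


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into one overall risk level.

    Assumed simplification of the SP 800-30 risk matrix: the two 1..5 values
    are multiplied (1..25) and the product is binned back onto the five levels.
    """
    product = score(likelihood) * score(impact)
    for threshold, level in ((2, "Very Low"), (5, "Low"), (10, "Moderate"), (16, "High")):
        if product <= threshold:
            return level
    return "Very High"


def prioritise(risks, top=5):
    """Rank risks from highest to lowest combined score and keep the top ones."""
    return sorted(risks, key=lambda r: score(r.likelihood) * score(r.impact), reverse=True)[:top]


# Constructed register for the VGB case; the ratings are assumptions, not findings.
VGB_RISKS = [
    Risk("VGBnet POS and accounts (HQ)", "Malware introduced from a personal device",
         "Unregulated use of personal laptops and phones", "High", "High"),
    Risk("Community program funds module", "Misuse or fraudulent disbursement of funds",
         "Access to funds cannot be accurately tracked", "Moderate", "Very High"),
    Risk("Staff HR records (proposed Workday SaaS)", "Privacy breach of offshore-hosted data",
         "Procured outside IT governance; data held in the US", "Moderate", "High"),
    Risk("All VGBnet data", "Loss of data through outage or ransomware",
         "Backups taken only monthly by an informal pro bono provider", "Low", "Very High"),
    Risk("Invoices, receipts and statements", "Interception or spoofing of financial documents",
         "Business documents exchanged over WhatsApp", "Moderate", "Moderate"),
    Risk("Online shop and customer data", "Inconsistent or duplicated records",
         "Shop not yet integrated with VGBnet data procedures", "Low", "Moderate"),
]


def assessment_table(risks=VGB_RISKS, top=5):
    """Rows for the assessment table: rank, asset, likelihood, impact, risk level."""
    return [(rank, r.asset, r.likelihood, r.impact, risk_level(r.likelihood, r.impact))
            for rank, r in enumerate(prioritise(risks, top), start=1)]


if __name__ == "__main__":
    for row in assessment_table():
        print(*row, sep=" | ")
```

The justification column the marking guide asks for is the threat and vulnerability text on each `Risk`; the table itself carries only the ranking and ratings.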
Marking Guide: 50 Marks

Task | Description | Marks
--- | --- | ---
Report Layout | The report style, language and structure should be appropriate. | 5
Executive summary | This section should include a brief outline of the given case study and risk assessment. | 5
Roles and responsibilities | A detailed analysis of key roles identified for all the business locations and their responsibilities. | 5
Assets identification | Crucial assets are identified, and their valuations explained. | 5
Threat, vulnerabilities, and risk identification | Clear identification of threats, vulnerabilities and risks posed by the different domains. | 20
Risk prioritization | Select 5 significant risks for the organization and provide a table ranked from highest impact at the top. Justification for the selection of these 5 risks should be provided. | 5
Conclusion & References | Summary of the report; references follow the IEEE style. | 5
Marking rubrics

Assessment criteria | Exceptional >=80% | Admirable 70% – 79% | Creditable 60% – 69% | Acceptable 50% – 59% | Unsatisfactory <=49%
--- | --- | --- | --- | --- | ---
C1. Report Layout (5 marks) | Extremely well structured and organized report; use of professional language | Well-structured and organized report; use of professional language | Structured and organized report; use of language is appropriate | Structured and organized report; use of language could be improved | Choppy and confusing; format difficult to follow; language needs proofreading, with plenty of errors
C2. Executive summary (5 marks) | The executive summary is well rounded and provides a brief description of the case study and risk assessment; the introduction sets an excellent flow for the report | The introduction provides a brief description of the case study and risk assessment; the introduction sets a good flow for the report | The introduction provides a brief description of the case study and risk assessment; the introduction sets the flow for the report | The introduction could relate more to the case study and risk assessment | The introduction does not relate to the case study and risk assessment and does not set the flow for the assessment
C3. Roles and responsibilities (5 marks) | The section identifies the various roles and responsibilities extremely well; the section provides an excellent explanation of how it meets the requirements | The section identifies the various roles and responsibilities well; the section provides a good explanation of how it meets the requirements | The section identifies the various roles and responsibilities; the section provides an explanation of how it meets the requirements | The section briefly identifies the various roles and responsibilities and provides some explanation of how it meets the requirements | The identified roles and responsibilities are hardly relevant; little discussion of how it meets the requirements
C4. Assets identification (5 marks) | All the significant assets for the organization are identified with an excellent analysis, along with a very comprehensive discussion of their values. | All the significant assets for the organization are identified with a good analysis, along with a good discussion of their values. | Most of the significant assets for the organization are identified with a decent analysis, along with a sufficient discussion of their values. | Several significant assets for the organization are identified, along with a limited discussion of their values. | The identified assets are barely significant for the organization, and a discussion of their value is not provided.
C5. Threat, vulnerabilities, and risk identification (20 marks) | An excellent analysis of all the threats, vulnerabilities and risks posed by all seven domains is presented. | A good analysis of most of the threats, vulnerabilities and risks posed by all seven domains is presented. | A decent analysis of most of the threats, vulnerabilities and risks posed is presented, but it does not cover all seven domains. | A limited analysis of the threats, vulnerabilities and risks posed is presented, and it does not cover all seven domains. | Only a remotely relevant analysis of the threats, vulnerabilities and risks posed is presented, and it does not cover all seven domains.
C6. Risk prioritization (5 marks) | The five most significant risks in terms of their likelihood and the damage of their impact are listed with an excellent analysis. The table is prioritized from most significant at the top, with a comprehensive justification. | Five significant risks in terms of their likelihood and the damage of their impact are listed with a good analysis. The table is prioritized from most significant at the top, with sufficient justification. | Five significant risks in terms of their likelihood and the damage of their impact are listed with an analysis. The risks are not prioritized from most significant. | Five significant risks in terms of their likelihood and the damage of their impact are listed, but no analysis is provided. The table structure is not used. | The five identified risks are not significant in terms of their likelihood and the damage of their impact. The table structure is not used.
C7. Conclusion & References (5 marks) | An excellent summary of the assessment is provided, covering all aspects of the assessment. The references follow IEEE style; the references are cited and complete. | A good summary of the assessment is provided, covering most aspects of the assessment. The references follow IEEE style; most of the references are cited and complete. | A summary of the assessment is provided, somewhat covering the aspects of the assessment. Most references follow IEEE style; some of the references are cited and complete. | A summary of the assessment is provided. Most references follow IEEE style; the references are not cited. | The conclusion fails to summarise the assessment. The references do not follow IEEE style, are not cited and are incomplete.
Referencing guides
You must reference all the sources of information you have used in your assessments. Please use the IEEE referencing style when referencing your assessments in this unit. Refer to the library’s reference guides for more information.
Academic misconduct
VIT requires that its students’ academic work maintains an acceptable standard of integrity. VIT will adhere to its VIT Policies, Procedures and Forms, which explain the importance of staff and student honesty about academic work. These outline the kinds of behaviours that constitute “academic misconduct”, including plagiarism.
Late submissions
In cases where there are no accepted mitigating circumstances as determined through VIT Policies, Procedures and Forms, late submission of assessments will lead automatically to the imposition of a penalty. Penalties will be applied as soon as the deadline is reached.
Short extensions and special consideration
Special Consideration is a request for:
Extensions of the due date for an assessment, other than an examination (e.g., assignment extension).
Special Consideration (Special Consideration concerning a Completed assessment, including an end-of-unit Examination).
Students wishing to request Special Consideration for an assessment whose due date has not yet passed must email the teaching team to request Special Consideration as early as possible and before the start time of the assessment due date, along with any supporting documents, such as medical certificates.
Contract Cheating
Contract cheating usually involves the purchase of an assignment or piece of research from another party. This may be facilitated by a fellow student, friend or purchased on a website. Other forms of contract cheating include paying another person to sit an exam in the student’s place.
Contract cheating warning:
By paying someone else to complete your academic work, you don’t learn as much as you could have if you did the work yourself.
You are not prepared for the demands of your future employment.
You could be found guilty of academic misconduct.
Many for-pay contract cheating companies recycle assignments despite guarantees of “original, plagiarism-free work”, so similarity is easily detected by Turnitin.
Penalties for academic misconduct include suspension and exclusion.
Students in some disciplines are required to disclose any findings of guilt for academic misconduct before being accepted into certain professions (e.g., law).
You might disclose your personal and financial information in an unsafe way, leaving yourself open to many risks including possible identity theft.
You also leave yourself open to blackmail – if you pay someone else to do an assignment for you, they know you have engaged in fraudulent behaviour and can always blackmail you.