ITSC1001 Information Systems Risk and Security Case Study Sample
Assignment Brief
Students should carefully go through the given case study and produce a Risk report. The report will provide analysis of likelihood and impacts of threats and vulnerabilities based on the structure NIST Cybersecurity assessment framework (https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final). The scope of the report is to identify and analyse impact risks, recommendations as well as proposal for risks treatments and mitigation will not be provided.
Case study:
THE VERY GOOD BEAN (VGB) is a registered not-for-profit coffee collective with four stylish cafés across Melbourne’s CBD and suburbs. The organization’s main purpose is to use its profits to combat the exploitation of coffee producers in developing countries. VGB sources single origin, traceable coffee beans directly from small-scale coffee farmers in Ethiopia & Kenya for import, roasting and retail sale at VGB’s 4 retail outlets. On-shore VGBs network of cafés manages all their daily business activities and operations through a rapidly built, bespoke SQL database system and VPN, known in-house as VGBnet. VGBnet integrates HR, accounts and POS for front-counter service and back-of-house operations with VGB HQ. Café menus vary in each location and are constantly changing.
There are hundreds of different products that are purchased and tracked through inbound logistics and distribution to locations (each item includes product information critical to operations and inventory management, e.g., ID numbers, goods description, expiry control dates, and costs that are crucial for inventory management).
POS functionality handles bank reconciliation of customer card and touch payment and allows café staff to manage sales of food and beverages with mostly automated, synchronised inventory and order & supply management that provides timely payment of suppliers. Registration of café staff shifts in the system ensures all staff are paid on time and correctly. Recording the profits from sales and managing the disbursement of funds from the cafés is mission critical to VGB as they return all profits to farming communities in Ethiopia and Kenya, Africa.
The not-for-profit ensures that all the coffee it sells is traceable to its origin and the inclusion of not only the full range of key business process data created in the acquisition, importance, and sale of coffee in VGBnet, but also the collection of stories (digital, multi-media, including photographs, maps, text- narrative, voice, and music files) about the Ethiopian and Kenyan communities supplying the coffee. VGB uses this information to curate exhibitions, about the VGB coffee for a social good journey, that is displayed on the walls of the cafés, on websites and shared through social media. VGB has a Facebook page with more than 12k followers and it is rapidly becoming VGBs major channel for brand management offshore VGB’s focus is on community development activities in the marginalised rural areas of Ethiopia & Kenya where coffee is grown.
The rapid growth of the business over the first two years quickly convinced the 4 founding members (now constituting the Board of Directors) that they needed a permanent presence in both countries to manage supply chain logistics and help in coordinating philanthropic spending. VGB has set up regional offices in both Addis Ababa and Nairobi to coordinate the purchase of coffee beans and community development programs. There is always one Australian Director on rotation in Africa and Australian program staff visit regularly to work with local office staff. The VGB network and its trademark are now recognised in Ethiopia & Kenya as a brand that is supporting local communities and increasing the bargaining power of farmers.
VGBs operations currently span three countries, and it is subject to the laws and regulations of each. However, at the same time, VGB must comply with Australian law as its HQ is registered in Australia. This can be challenging in situations where VGB staff operating in the host country are required to share information with the local authorities, as it may be deemed inappropriate under Australian law (e.g., The Privacy Act (Cth) 1988). In these cases, VGB staff keep a record of the information they have shared with the host country, and they often need to communicate and consult with HQ in Australia about the best ways to handle information sharing. Information about each farming collective individual client case files, legal files and associated records all need to be kept both by regional officers and at Australian HQ.
The management of VGB is aware of the importance of its data, and it believes VGB has a good data backup strategy in place. The backup of company data which is now vast (it comprises operational data from multiple countries, transactional data from partners, goods and services providers, program information and more) is done monthly. The data backup service is provided “pro bono “by a small start-up company located in the Dandenong Range supportive of the VGBs mission and has leased enough bandwidth from an ISP to perform off-site backups on regular basis.
The report should provide the answer to the following tasks:
1. Identify the key roles and responsibilities of individuals and departments within the organisation as they pertain to risk assessment,
2. Carefully audit and analyse the case evidence, undertake an inventory, and identify information assets that include VGB’s most significant, physical or logical information resources, information of value and the information systems that must be accounted for in any approach to risk management,
3. Identify risks: provide an analysis of the threats and vulnerabilities that pose the greatest risks to VGB’s most important information assets (both information and information systems),
4. Prioritise the most 5 significant risks for VGB to manage in order in your assessment table.
Solution
1. Introduction
VGB is a socially focused organization that aims to improve the livelihoods of coffee-growing farmers in Kenya and Ethiopia. The organization depends to a great degree on VGBnet, an information system that is sophisticated and supports such key functions as purchasing, logistics, human resource management, financial operations, and marketing. Aside from supporting commercial operations, VGBnet contains very sensitive data such as employee data, financial information, and supplier contracts that form the core to the transparency and efficiency of the organization. Though very crucial to the organization, VGBnet was initially designed with a priority to meet immediate operational needs and not long-term security and hence presented very significant risks. The rapid deployment and expansion of the system were conducted without robust risk management processes in place which left VGB exposed to risks such as data leakage, interruption of operations, and failure to meet regulations. The necessity to improve internal controls has thus emerged, and the organization has initiated a structured process to assess risks within the organization. The NIST SP 800-30 framework has been utilized in this document to identify, assess, and prioritize the organization’s most important risks. Mitigating the risks will be crucial in ensuring the integrity of VGB’s operations and its credibility with donor organizations and partner communities.
2. Roles and Responsibilities
Board of Directors: The Board of Directors' purpose is to set the vision and guide the governance framework of the organization. However, the absence of IT skills among the directors leads to IT-related risks and cybersecurity concerns not receiving sufficient attention. The limitation is particularly for university assignment help worrisome with the increased reliance on VGBnet in operational and financial operations.
Managing Director: The executive who oversees day-to-day operations in the organization and has come to appreciate the seriousness of IT issues in recent times. The Managing Director plays an important role in ensuring coordination between the IT manager, finance, and program managers to deal with operational risks and system issues.
Managing Accountant: He is in charge of all the finances, including financial reporting, salaries and payments to vendors. Traditionally, the role has served to articulate IT matters to the Board without having undergone official IT training and has thereby prevented the organization from prioritizing technical risk management appropriately.
IT Manager: Recently appointed to oversee the expanding technical and security needs of VGBnet. The role is central to spearheading the process of assessing risks, tightening security controls on access, improving system solidity, and applying secure solutions to day-to-day operations.
Human Resource Manager: Oversees human resource functions such as staff hiring, training, and salary administration. Is in the process of evaluating cloud-based SaaS systems to improve HR functions, adding new challenges to data security and regulation compliance [2].
Australian and regional staff: They carry out core operational activities such as logistics, community outreach, and field data collection. As they interact with VGBnet and use personal devices to work regularly, they form a major exposure group to risks, highlighting the requirement to have proper cybersecurity awareness and training in place.
The absence of an IT representative on the Board has been one of the main drivers of reactive risk management activities. As VGB grows, the void would translate to even bigger exposures unless supplemented with the addition of IT governance at the topmost tier of decision-making.
3. Asset Identification
Information Assets
VGBnet System: The central system of VGB operations that includes multiple core business functions such as HR, POS, accounts, logistics, inventory management and financial reports. It is used primarily in staff and field operations.
Financial Data: Contains significant financial information including payments to vendors, sales to buyers, employee payrolls, tax records, and financial reports that all play a crucial role in providing transparency and accountability in finances.
Community Program Records: The records have detailed documentation of philanthropic activities, disbursements of funds, program outcomes, and compliance reports that are all crucial to ensuring VGB remains not-for-profit.
Customer data: Customer profiles, purchase history, comments and likes received through the POS systems and the new online platform [3].
Multimedia Content: Comprises thoughtfully chosen digital stories, images, videos, audio recordings, and geographic information about partner communities and utilized in exhibitions and marketing.
Physical assets
POS terminals: Placed in VGB cafes all over the nation, the terminals carry out daily transactions and link to VGBnet.
HQ Servers: Store and manage business information, financial transactions and records in the headquarters.
Field Devices: People typically use personal or organization-allocated laptops, cell phones, and satellite phones in the field operations, which play a significant role in data collection and communication.
Rational Resources
VPN: Enabling secure communication between VGB’s distributed teams, especially between Australian HQ and regional offices in Ethiopia and Kenya.
VGB Online Store: New online sale platform, customer engagement, and virtual exhibitions
Backups: Regular monthly backups of core data, currently provided through a small third-party vendor, to facilitate business continuity and recovery from a disaster.
4. Threats, Vulnerabilities, and Risk Identification
Threat 1: Use of Individual Devices
Vulnerability: VGB lacks an official Bring Your Own Device (BYOD) policy and thus has uninhibited use of personal devices for official work such as financial transactions, management of community data, and supply chain operations.
Risk: The failure to have adequate security policies and controls in place over personal devices has in the past caused malware infections to occur, notably in the Point-of-Sale (POS) and accounts systems.
Impact: The direct consequences include significant operational downtime, loss and delays in disbursements to coffee-growing communities. Apart from financial loss, the brand reputation is at stake because donors and stakeholders expect robust security in place. Prolonged service disruption can additionally erode consumer confidence and affect partnerships with international and domestic stakeholders.
Threat 2: Inadequate Access Controls
Vulnerability: The VGBnet system doesn't have a clearly defined Role-Based Access Control (RBAC) system in place. The employees have varying levels of access but no job role-based limitations [4].
Risk: The exposure increases the likelihood of intrusions into such sensitive data as donor information, supplier contracts and agreements, and community program records.
Impact: Inadequate access controls have already caused fund management mistakes and held up important community initiatives in the past. The threat even includes compliance with financial reporting and audit regulations in the nonprofit sector. Illegal data accessibility will further undermine the accountability and transparency that the organization must have to ensure donor support and VGB’s public image.
Threat 3: Insufficient Backup Strategy
Vulnerability: VGB relies on a third-party vendor with minimal capacity to undertake monthly backups, leaving them vulnerable to risks of service disruption, capacity limitations, and operational restrictions.
Risk: If this vendor encounters technical or financial issues, or if there were a cyber attack, VGB might lose important data from financial records to documentation on community programs [8].
Impact: Without data, VGB would not be in a position to continue operations seamlessly. Reporting to partners, regulators, and donors would be severely affected. Long recovery times for data would slow down payroll, supply chain operations, and even disbursements to finance crucial community activities.
Threat 4: Compliance with the law
Vulnerability: VGB falls under multiple data protection laws in Australia, Ethiopia, and Kenya but lacks a unified strategy to maintain compliance with such laws. The employees routinely disclose information to the authorities without checking its legality under the Australian Privacy Act (1988) [5].
Risk: Unsystematic or uninformed data-sharing policies subject VGB to legal risks, including breach of the Australian Privacy Act and resultant penalties, litigation, and strained relations with international partners.
Impact: Non-compliance will be subject to significant monetary penalties, affect VGB’s registration with the Australian Charities and Not-for-profits Commission (ACNC), and adversely affect the reputation of the organization with stakeholders and donors [6].
Threat 5: Supply Chain Data Vulnerabilities
Vulnerability: VGBnet’s minimal encryption and open architecture expose vulnerable supply chain data to interception threats. Communications between internal personnel, community partners, and suppliers routinely occur through insecure media [7].
Risk: Malicious parties, competitors, or hackers may intercept or modify logistics data, invoices, or community funding information.
Impact: Disrupting or interfering with supply information in the supply chain leads to delivery delays, loss of farmer-supplier trust and inefficiency that impacts community programs in direct manner. It can also bring about financial discrepancies and operational instability during peak coffee seasons or in key project milestones.
5. Risk Prioritization
Prioritization of risks is needed to allow VGB to allocate its limited resources to the most likely places to be lost or disrupted. The table below ranks the top five risks from the assessment in terms of likelihood and impact severity.
.png)
This ranking reflects a mixture of past events, operational dependencies, and compliance obligations. The insecure use of personal devices tops the list due to its immediate and well-documented threat, followed in turn by weak access controls and contingency plans because they have the potential to cause massive operational and reputational damage. Compliance with the law, although less likely to be triggered, has high-impact consequences if not achieved. Last but not least, supply chain risks, although with a medium impact, have the potential to cause cascading operational disruption if targeted.
6. Recommendations
• Enforce Role-Based Access Control (RBAC): Implement a strict RBAC model to restrict access to users based solely on roles and responsibilities to allow only authorized personnel to view sensitive data.
• Implement a BYOD Policy: Create clear policies on personal device usage. Apply Mobile Device Management (MDM) solutions to enforce security features such as compulsory antivirus, encryption, and secure VPN connection.
• Implement an Enhanced Backup Plan: Collaborate with a certified and well-equipped backup partner to increase the frequency of backups and provide offsite and real-time backups to limit the risk of significant data loss.
• Strengthening Compliance and Governance: Establish a compliance and data protection department to ensure data sharing meets Australian and international laws. Establish official data handling guidelines in all regions.
• Secure Supply Chain Communications: Encrypt communications with all supplier and community partners. Use secure file transfer protocols and improve endpoint security for remote and field-based employees.
7. Conclusion
VGB's current IT system, though indispensable in supporting its core operations and social mission, is getting stretched to capacity with the requirements of growth at a high growth rate and new and emergent cyber threats. The risk assessment conducted identifies significant risks with the potential to seriously hinder VGB from performing well and sustaining its philanthropic contributions to coffee-growing farmers' communities. The risks identified, ranging from insecure use of personal devices to poor data backup procedures, legal compliance loopholes, to supply chain data risks, represent a set of operational, financial, and reputational risks.
If left unchecked, they have the potential to bring about data breaches, downtime in services, legal problems, and loss of donor confidence. With the right precautions in place, VGB can take those shortcomings and turn them into opportunities to get better. With the implementation of the controls that have been recommended, role-based access management, rigorous enforcement of BYOD policies, effective backups, and ensuring regulation compliance, the organization can improve its information security position immensely.
In addition, the inclusion of periodic threat assessments and continuous monitoring within VGB's governance system will enable the organization to be responsive and adaptable to the ever-evolving threat context. As a result, VGB will not only protect its valued information assets but will also improve its reputation, enhance operational resiliency, and enhance its ability to fulfill its humanitarian mission.
8. Reference
[1] A. Chidukwani, S. Zander and P. Koutsakis, "A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations," in IEEE Access, vol. 10, pp. 85701-85719, 2022, doi: 10.1109/ACCESS.2022.3197899.
[2] L. Falát, T. Michalová, P. Madzík and K. Maršíková, "Discovering Trends and Journeys in Knowledge-Based Human Resource Management: Big Data Smart Literature Review Based on Machine Learning Approach," in IEEE Access, vol. 11, pp. 95567-95583, 2023, doi: 10.1109/ACCESS.2023.3296140.
[3] C. Ling, T. Zhang and Y. Chen, "Customer Purchase Intent Prediction Under Online Multi-Channel Promotion: A Feature-Combined Deep Learning Framework," in IEEE Access, vol. 7, pp. 112963-112976, 2019, doi: 10.1109/ACCESS.2019.2935121.
[4] M. Uddin, S. Islam and A. Al-Nemrat, "A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control," in IEEE Access, vol. 7, pp. 166676-166689, 2019, doi: 10.1109/ACCESS.2019.2947377.
[5] Office of the Australian Information Commissioner (OAIC), "The Privacy Act," OAIC, 2023. [Online]. Available: https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act. [Accessed: 1-Apr-2025].
[6] Australian Charities and Not-for-profits Commission, "Home | ACNC," 27-Mar-2025. [Online]. Available: https://www.acnc.gov.au/. [Accessed: 01-Apr-2025].
[7] I. A. Omar, R. Jayaraman, K. Salah, M. Debe and M. Omar, "Enhancing Vendor Managed Inventory Supply Chain Operations Using Blockchain Smart Contracts," in IEEE Access, vol. 8, pp. 182704-182719, 2020, doi: 10.1109/ACCESS.2020.3028031.
[8] H. Du and Y. Jiang, "Backup or Reliability Improvement Strategy for a Manufacturer Facing Heterogeneous Consumers in a Dynamic Supply Chain," in IEEE Access, vol. 7, pp. 50419-50430, 2019, doi: 10.1109/ACCESS.2019.2911620.
Fill the form to continue reading
Would you like to schedule a callback?
Send us a message and we will get back to you
Highlights
Earn While You Learn With Us
Confidentiality Agreement
Money Back Guarantee
Live Expert Sessions
550+ Ph.D Experts
21 Step Quality Check
100% Quality
24*7 Live Help
On Time Delivery
Plagiarism-Free
81 Isla Avenue Glenroy, Mel, VIC, 3046 AU
