REPORT 1 - SAMPLE ASSIGNMENT SOLVED.

Lecturer: Subhash Sagar

SESSION: SUMMER (NOVEMBER) 2023

INFORMATION SYSTEMS RISK AND SECURITY (VICTORIAN INSTITUTE OF

TECHNOLOGY)

DATE:21/11/2023

SUMMITTED BY: BISHAL NEPAL

Table of Contents

EXECUTIVE SUMMARY:...........................................................................................................3

INTRODUCTION......................................................................................................................... 3

VGB'S PRIMARY VALUE-GENERATING ACTIONS AND STRATEGIC OUTLOOK:..........4

KEY ROLES AND ACCOUNTABILITIES OF INDIVIDUAL TEAM MEMBERS...................5

ANALYSIS OF THE CASE EVIDENCE......................................................................................6

RISK ASSESSMENT OF POTENTIAL THREATS AND CHALLENGES:................................7

DETERMINATION OF LIKELIHOOD AND IMPACT..............................................................7

PRIOTIZATION OF SIGNIFICATION RISKS FOR VGB:........................................................8

CONCLUSION:............................................................................................................................ 9

REFERENCE:.............................................................................................................................. 9
EXECUTIVE SUMMARY:

THE VERY GOOD BEAN is a special coffee group with four cool cafes in Melbourne. They
started in 2016 to help people and do good things. They pay their workers well and use their
money to solve a big problem: how coffee farmers are treated around the world. In Kenya,
farmers grow a special bean in a high place called Mount Kenya. The group pays these
farmers more money than others do. In just 3 years, they've made a big difference. They teach
farmers, buy things they need, and even help schools in Kenya. This report highlights VGB's
proactive approach in conducting an information risk assessment, aligning with ISO and
NIST standards.

Key points include:

 VGB's reliance on a custom-built SQL database system, VGBnet, entails potential
risks like injection attacks and vulnerable databases.
 Recommendations centre on adopting ISO 27001 and NIST SP 800 series to fortify
VGB's security framework, safeguarding critical operations from fraud, breaches, and
data loss.
 The assessment identifies high-priority risks, emphasizing security breaches as the
most critical concern, followed by fraud, password theft, human error, and dishonesty.
The report emphasizes the importance of embracing international standards to fortify VGB's
information security practices, ensuring continued success in supporting coffee farmers
globally.

INTRODUCTION

The Very Good Bean (VGB) is a rapidly expanding non-profit coffee organization that has
ventured into international operations. VGB has made significant strides in enhancing the
livelihoods of farmers through financial assistance, training programs, and the provision of
seedlings, infrastructure, and equipment. To further strengthen its operations, VGB is
embarking on an information risk assessment, guided by international standards such as ISO
and NIST 27001 protocols. This assessment aims to thoroughly evaluate VGB's valuable
assets, including physical, logical, and information resources, as well as the information
systems that underpin its operations. The assessment will also clearly define VGB's value-
creating activities and strategic context, enabling the establishment of appropriate risk
appetite and tolerance levels for the organization. Additionally, the assessment will identify
critical roles and responsibilities within VGB, ensuring that individuals and departments are
clearly accountable for managing and mitigating risks effectively. By conducting this
comprehensive risk assessment, VGB is taking proactive steps to safeguard its information
assets, ensuring the continued success of its mission to support and empower farmers.

This risk assessment report aims to:

 Assess VGB's core activities and strategic goals to recommend appropriate risk
appetite and tolerance levels for the organization.

 Identify the critical roles and responsibilities of individuals and departments within
VGB in managing and mitigating risks.

 Evaluate the evidence and conduct an inventory to identify VGB's valuable

information assets, including physical, logical, and information resources, as well as
the information systems that are essential for risk management.

VGB'S PRIMARY VALUE-GENERATING ACTIONS AND STRATEGIC OUTLOOK:

VGB operates a network of cafes that relies on a rapidly developed, custom-built SQL
database system and VPN, known internally as VGBnet, to manage all daily business
activities and operations. VGBnet faces potential risks from injection attacks, exposure of
storage media, and exploitation of vulnerable databases. As an ISO 27001 certified
organization committed to protecting information and compliance, VGB should implement a
systematic framework for an effective security system to minimize the risks posed by
unauthorized users. The ISO 27001 standard provides a framework for protecting and
managing information and helps VGB comply with legal requirements. By following ISO
27001, VGB can develop a framework for effectively managing security information. This
will help VGB ensure that its network, VGBnet, is secure at all levels, from its development
to its use in daily business operations’ SP 800-30 is a standard that helps organizations protect
their data from loss. VGB can use NIST SP 800-30 to assess the security risks of its SQL
database and implement safeguards to protect it.
To keep their database safe, VGB can secure the infrastructure where it's stored. They aim to
minimize data loss risks by using a method that ensures information safety. VGBnet,
connecting Africa to Australia all day, every day, manages various tasks like community
programs and quick delivery orders. Important activities like handling logistics, funding,
employment, and buying materials are managed through VGB. They also handle taxes for
coffee imports and exports using VGBnet automated system. To ensure file safety and
reliability, VGB plans to integrate NIST SP 800-30 into their logistics records via VGBnet.
Additionally, they plan to use NIST SP 800-53 in their custom SQL database and VPN to
secure private information according to standards set by the National Institute of Standards
and Technology. VGB stores a wide range of company data, covering transactions,
operations, and service providers, which they plan to further secure using NIST SP 800-53
within their SQL database and VPN to ensure maximum privacy.

KEY ROLES AND ACCOUNTABILITIES OF INDIVIDUAL TEAM MEMBERS

Directors at VGB play a crucial role in overseeing how each dollar is spent to ensure
accountability and transparency. They can use ISO 27001, a standard framework for handling
information securely, to improve transparency and accountability in handling company funds.
By applying ISO 27001, they can address issues and mistakes in the VGBnet management
program related to handling information. VGB's Human Resource team, consisting of a
manager and an assistant managing employees globally, recently learned about the benefits of
using cloud-based HR software (SaaS). They can utilize NIST SP 800-53, which guides risk
management, to securely store confidential data and prevent security risks. This method can
greatly reduce security-related risks. The VGB management acknowledges the significance of
its data and believes in having a solid backup plan. However, for assessing risks, NIST SP
800-30 is crucial to enhance the reliability of the information system. This approach can
protect various computing platforms, including cyber-physical systems and processing
systems.
The IT department at VGB is focused on safeguarding all company information, including
record-keeping, monitoring, and data storage. They face risks like data loss and unauthorized
access. To address these risks, they can employ NIST SP 800-53, a dependable platform for
securing IT information. It's a non-regulatory agency that establishes and promotes industry
standards for risk management and security.

ANALYSIS OF THE CASE EVIDENCE

The important information assets at VGB, like their systems and data, need careful
management to handle risks effectively. For instance, VGBnet helps manage daily operations
by tracking activities from receiving goods to delivering them. To protect critical product
info, VGB can use ISO 27001 controls like encryption and access limits to prevent any
tampering.
The people in charge, like directors and HR managers, are crucial in making sure everyone
follows the ISO 27001 rules. Risk management involves finding weaknesses. In a broader
view, these weaknesses might be in how the organization is run, like not having good risk
plans or clear communication between departments. VGB values its enterprise architecture,
which supports its goals. They can use SP 800-53 to ensure proper security measures for all
their systems and information. Checking and evaluating risks will help choose the right
security measures and see if more are needed to protect VGB's operations, reputation, and
everything important to the company and the places it operates in.
RISK ASSESSMENT OF POTENTIAL THREATS AND CHALLENGES:

The VGB data system faces various risks like fraud, security breaches, employee dishonesty,
human errors, and password theft. The main threat comes from issues around accountability
and transparency. Mistakes in the community program management module have led to
uncertainties in fund usage, increasing the risks of theft, dishonesty, and breaches. Delayed
initiatives due to fund tracking problems pose threats of errors, theft, and breaches.
ISO 27001 standards outline a six-step plan to enhance data security. VGB can mitigate these
risks by setting up a security policy, defining system boundaries, assessing risks, managing
identified risks, selecting control goals, and preparing an applicability statement. Following
these steps will help VGB take corrective actions to prevent anticipated risks, aligning control
measures with identified risks.
SP 800-53 provides security controls for data and information systems. VGB must address
these risks to safeguard system integrity, confidentiality, and availability. The provisions in
SP 800-53 ensure countermeasures are in place to protect the system. It categorizes security
levels (low, moderate, high) based on FIPS 199 standards, allowing VGB to tailor security
controls to their specific threats and vulnerabilities.
DETERMINATION OF LIKELIHOOD AND IMPACT

Potential risks at VGB include fraud, security breaches in the SQL database system and VPN
(like VGBnet), employee dishonesty, human errors, and password theft. An assessment of the
likelihood and impact of these risks can be made considering VGB's ability to comply with
ISO 27001, NIST SP 800-30, and NIST SP 800-53 security standards. The VGBnet manages
a wide array of products through logistics, tracking details like ID numbers, descriptions,
expiry dates, and costs crucial for inventory management. As VGB relies on this network for
daily operations, security breaches could significantly disrupt services, especially affecting
inbound logistics. When altering database structures, the company needs to foresee impacts,
evaluate the cost-effectiveness of changes, and plan for necessary reconciliations post-
implementation.

While ISO 27001 is a strong framework for information security, it doesn't cover every
security issue. VGB can use clauses 6.1.3b and c to enhance security beyond the standard by
developing unique solutions or using other resources. Similar to ISO, the SP 800 series offers
practices for managing and operating secure information systems. SP 800-30 and -53 help
prioritize systems based on their impact, aiding VGB in addressing risks like threats to SQL
databases. These standards assist in categorizing risks and defining controls based on their
impact and baselines. Implementation involves applying controls and documenting the
process. VGB can benefit by strengthening access control, providing training, conducting
audits, and ensuring accountability. This helps protect physical assets, personnel, and critical
information like product details stored in SQL servers. By following these standards, VGB
safeguards itself from potential threats to information loss and disruptions in crucial
operations and inventory management.

PRIOTIZATION OF SIGNIFICATION RISKS FOR VGB:

The table below outlines the top five most critical risks for VGB in sequence of importance.

Consequenc
Risks Likelihood e Overall Risk Risk Level
Security Breach to Information 5 5 25 Extreme Risk

Fraud 4 5 20 High

Password Theft 3 4 12 Moderate

Human Error 3 3 9 Moderate

Dishonesty 2 2 4 Low

This table presents the five most significant risks for VGB, along with their likelihood,
consequence, overall risk, and risk level. As you can see, security breach to information is the
most significant risk, followed by fraud, password theft, human error, and dishonesty.

The assessment of risks plays a vital role in creating effective information security programs
for VGB. It covers a wide range of security issues, from persistent threats to supply chain
concerns. Using SP 800-30, this assessment considers factors like threats, vulnerabilities,
impacts on operations, and the likelihood of threats exploiting system weaknesses. Results
from this assessment help develop specific actions to respond effectively to identified risks, a
crucial part of comprehensive risk management. SP 800-30 guides the risk assessment
process by framing, evaluating, and responding to risks while continuously monitoring them.
This assessment aids directors and HR managers in understanding and evaluating current
information security risks at VGB. It allows flexibility to ensure that processes like product
information and inventory management meet the diverse needs of various stakeholders.
Covering critical assets like individuals, essential services, and information systems, this risk
assessment, guided by NIST Special Publication 800-30, is essential for the success of VGB's
business.

CONCLUSION:

The external auditor recommends that VGB adopt international risk assessment standards
such as ISO 27001 and NIST SP 800-53 to enhance their information security management
practices and knowledge asset protection. ISO 27001 provides a framework for securing and
managing information while ensuring legal compliance, while NIST SP 800-53 helps mitigate
security management risks. VGB's IT systems are susceptible to risks such as fraud, security
breaches, employee dishonesty, human error, and password theft. The risk assessment process
plays a crucial role in developing and implementing effective information security programs
by helping VGB address the entire spectrum of security concerns, from advanced persistent
threats to supply chain vulnerabilities.

REFERENCE:

Forensic science laboratory evidence analysis workflow showing ... Available at:
https://www.researchgate.net/figure/Forensic-science-laboratory-evidence-analysis-
workflow-showing-bottleneck-due-to_fig8_322097581 .

Forensic science laboratory evidence analysis workflow showing ... Available at:
https://www.researchgate.net/figure/Forensic-science-laboratory-evidence-analysis-
workflow-showing-bottleneck-due-to_fig8_322097581