Botium-Toys Internal Security Audit Project.


Background Information on Botium-Toys Ltd.

Introduction:

This is an internal security assessment of Botium Toys, a fictitious company, conducted as part of my cybersecurity portfolio and of the Play It Safe: Manage Security Risks course in the Google Cybersecurity Professional Certificate on Coursera.

Goal:

The goal is to perform an audit of Botium Toys’ cybersecurity program. The audit needs to align current business practices with industry standards and best practices. The audit is meant to provide mitigation recommendations for vulnerabilities found that are classified as “high risk,” and present an overall strategy for improving the security posture of the organization. The audit team needs to document their findings, provide remediation plans and efforts, and communicate with stakeholders.

Scenario:

Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location, which serves as its main office, a storefront, and a warehouse for its products. However, Botium Toys' online presence has grown, attracting customers in the U.S. and abroad. As a result, the information technology (IT) department is under increasing pressure to support the company's online market worldwide.

The manager of the IT department has decided that an internal IT audit needs to be conducted. She's worried about maintaining compliance and business operations as the company grows without a clear plan. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to internally processing and accepting online payments and conducting business in the European Union (E.U.).

The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, listing assets currently managed by the IT department, and completing a risk assessment. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture.

Additional Reports

The Scope and Goals of the Audit.

Scope: The scope of this audit is defined as the entire security program at Botium Toys. This includes assets such as employee equipment and devices, the internal network, and the company's systems. The audit reviews the assets Botium Toys has and the controls and compliance practices it has in place.

Goals: Assess existing assets and complete the controls and compliance checklist to determine which controls and compliance best practices need to be implemented to improve Botium Toys' security posture.

Current assets

Assets managed by the IT Department include:

  • On-premises equipment for in-office business needs

  • Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.

  • Storefront products available for retail sale on site and online; stored in the company’s adjoining warehouse

  • Management of systems, software, and services: accounting, telecommunication, database, security, ecommerce, and inventory management

  • Internet access

  • Internal network

  • Data retention and storage

  • Legacy system maintenance: end-of-life systems that require human monitoring

Security Audit and Assessment Report for Botium Toys Ltd.

1. Executive Summary

This security audit and assessment report evaluates the current cybersecurity posture of Botium Toys. The goal is to identify risks, assess vulnerabilities, and recommend controls to improve compliance, data security, and business continuity. Based on the findings, Botium Toys faces significant security challenges, particularly in asset management, access controls, encryption, compliance adherence, and disaster recovery preparedness.

Key Findings:

  • Risk Score: 8/10 (High Risk)

  • Inadequate asset management and classification

  • Lack of encryption for sensitive customer data

  • Insufficient access controls and role-based security measures

  • No intrusion detection system (IDS) implemented

  • No disaster recovery (DR) or data backup strategy in place

  • Weak password policy with no centralized enforcement

  • Compliance risks with U.S. and international regulations (e.g., PCI DSS, GDPR)


2. Security Assessment

2.1. Asset Management and Inventory

Findings:

  • Assets, including employee devices, databases, and network systems, are not adequately tracked or categorized.

  • Legacy systems require better maintenance scheduling.

Recommendations:

  • Implement an IT Asset Management System (ITAM) to track all devices, systems, and software.

  • Classify assets based on sensitivity and impact to business operations.

  • Develop a scheduled maintenance plan for legacy systems.

2.2. Access Controls and Data Security

Findings:

  • All employees have unrestricted access to internally stored data, including cardholder data and personally identifiable information (PII).

  • No least-privilege or separation-of-duties policy is in place.

  • Weak password policy with minimal complexity requirements.

  • No centralized password management system exists.

Recommendations:

  • Implement role-based access control (RBAC) to limit data access based on job roles.

  • Enforce least privilege and separation of duties policies.

  • Strengthen the password policy to require at least 12 characters, and add multi-factor authentication (MFA) for user access.

  • Deploy a password management system with self-service reset options.
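The RBAC, least-privilege and separation-of-duties recommendations above are easy to state and easy to get wrong in practice: the common failure is a policy that grants by default and only subtracts. The following is an added example for this report, not code from Botium Toys; the roles, data classifications and user names are hypothetical. It shows a deny-by-default policy keyed on the data classes named in the findings (cardholder data, PII) and a role-assignment check that refuses conflicting role pairs.

```python
"""Deny-by-default role-based access control with separation of duties.

Added example for this report; it is not code from Botium Toys. The roles,
data classifications and users below are hypothetical.
"""
from typing import Dict, FrozenSet, Set, Tuple

# Data classifications matching the audit findings: cardholder data and PII
# are the sensitive tiers; "internal" and "public" are everything else.
CLASSIFICATIONS = ("public", "internal", "pii", "cardholder")

# Role -> allowed (classification, action) pairs. Anything not listed is
# denied, so each role carries only what its job needs (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "warehouse_staff":   {("public", "read"), ("internal", "read")},
    "customer_support":  {("public", "read"), ("internal", "read"), ("pii", "read")},
    "payment_processor": {("public", "read"), ("cardholder", "read"), ("cardholder", "write")},
    "payment_approver":  {("public", "read"), ("cardholder", "read")},
    "it_admin":          {("public", "read"), ("internal", "read"), ("internal", "write")},
}

# Role pairs one person may never hold together (separation of duties):
# whoever enters a refund must not be the person who approves it.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {
    frozenset({"payment_processor", "payment_approver"}),
}


class PolicyError(ValueError):
    """Raised when a role assignment or access check is malformed or forbidden."""


def assign_roles(user_roles: Dict[str, Set[str]], user: str, roles: Set[str]) -> None:
    """Give `user` exactly `roles`, rejecting unknown roles and SoD conflicts."""
    roles = set(roles)
    unknown = roles - set(ROLE_PERMISSIONS)
    if unknown:
        raise PolicyError(f"unknown roles for {user}: {sorted(unknown)}")
    for pair in CONFLICTING_ROLES:
        if pair <= roles:
            raise PolicyError(f"separation-of-duties conflict for {user}: {sorted(pair)}")
    user_roles[user] = roles


def is_allowed(user_roles: Dict[str, Set[str]], user: str,
               classification: str, action: str) -> bool:
    """Deny by default: True only if one of the user's roles grants the pair.

    An unknown user has no roles and therefore no access at all.
    """
    if classification not in CLASSIFICATIONS:
        raise PolicyError(f"unknown classification: {classification}")
    granted: Set[Tuple[str, str]] = set()
    for role in user_roles.get(user, set()):
        granted |= ROLE_PERMISSIONS[role]
    return (classification, action) in granted


if __name__ == "__main__":
    users: Dict[str, Set[str]] = {}
    assign_roles(users, "alice", {"customer_support"})
    assign_roles(users, "bob", {"payment_processor"})
    print("alice reads PII:", is_allowed(users, "alice", "pii", "read"))
    print("alice reads cardholder:", is_allowed(users, "alice", "cardholder", "read"))
    try:
        assign_roles(users, "carol", {"payment_processor", "payment_approver"})
    except PolicyError as e:
        print("rejected:", e)
```

Because the permission table is the only place access is granted, adding a new role or data class forces an explicit decision about what it may touch, which is what the least-privilege recommendation asks for.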

2.3. Data Encryption and Compliance

Findings:

  • No encryption used for storing, processing, or transmitting credit card data.

  • PCI DSS and GDPR compliance requirements not fully met.

Recommendations:

  • Encrypt cardholder data and stored PII both in transit (TLS) and at rest.

  • Ensure compliance with PCI DSS and GDPR by:

    • Encrypting stored credit card data

    • Implementing tokenization solutions

    • Conducting regular compliance audits
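Tokenization is recommended above because it shrinks the PCI DSS scope: systems that only ever see a token are not storing cardholder data. The following is an added example for this report, not Botium Toys' code. The TokenVault class is an in-memory stand-in for a PCI-scoped token service (a real one keeps its PAN table encrypted under a KMS-managed key on its own network segment); the card number used is the standard Visa test number.

```python
"""Tokenizing card numbers so that order records never hold the PAN.

Added example for this report, not Botium Toys' code. TokenVault is an
in-memory stand-in for a PCI-scoped token service; a real vault would keep
its PAN table encrypted under a KMS-managed key and live on its own segment.
"""
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to reject mistyped numbers early."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form showing only the last four digits, as on a receipt."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    # Only this role may ever turn a token back into a PAN.
    DETOKENIZE_ROLE = "payment_processor"

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]    # one token per PAN
        token = "tok_" + secrets.token_hex(16)   # random; not derived from the PAN
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role != self.DETOKENIZE_ROLE:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the ecommerce and inventory systems store: token and last four only."""
    digits = pan.replace(" ", "").replace("-", "")
    token = vault.tokenize(digits)
    return {"token": token, "last4": digits[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "4111 1111 1111 1111", 2599)   # Visa test number
    print(order)
    print(mask_pan("4111111111111111"))
```

The token is a random value rather than a hash or encryption of the PAN, so a leaked order database gives an attacker nothing to brute-force; the only path back to the card number is the vault's detokenize call, which the role check restricts to the payment process.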

2.4. Intrusion Detection and Network Security

Findings:

  • The company has firewalls with security rules but no Intrusion Detection System (IDS).

  • Antivirus software is installed but lacks real-time monitoring.

Recommendations:

  • Deploy an IDS/IPS (Intrusion Detection and Prevention System) to detect and block network threats.

  • Upgrade antivirus software to include real-time monitoring and endpoint protection.
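A firewall only enforces rules; the detection the report asks for is the correlation of events over time, which is what an IDS adds. The following is an added example for this report, not Botium Toys' code and not any IDS product's rule language. The log format, the sample lines and the thresholds are all constructed; it shows two simple rules of the kind an IDS would run, brute-force login detection and port-scan detection, each over a sliding one-minute window.

```python
"""Intrusion detection logic run over sample log lines.

Added example for this report, not Botium Toys' code. The log format,
sample lines and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

FAILED_LOGIN_THRESHOLD = 5   # failed logins from one source inside WINDOW
PORT_SCAN_THRESHOLD = 10     # distinct blocked ports from one source inside WINDOW
WINDOW = timedelta(minutes=1)

AUTH_RE = re.compile(r"^(\S+) auth: Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(r"^(\S+) fw: DENY src=(\d+\.\d+\.\d+\.\d+) dst=\S+ dport=(\d+)")


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per (rule, source) the first time its threshold is crossed."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    blocked: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    alerts: List[Dict[str, object]] = []
    raised: Set[Tuple[str, str]] = set()

    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, src = datetime.fromisoformat(m.group(1)), m.group(2)
            # keep only failures inside the window, then add this one
            failures[src] = [t for t in failures[src] if ts - t <= WINDOW] + [ts]
            key = ("brute_force", src)
            if len(failures[src]) >= FAILED_LOGIN_THRESHOLD and key not in raised:
                raised.add(key)
                alerts.append({"type": "brute_force", "source": src,
                               "count": len(failures[src]), "at": ts.isoformat()})
            continue
        m = FW_RE.match(line)
        if m:
            ts, src, port = datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
            blocked[src] = [(t, p) for t, p in blocked[src] if ts - t <= WINDOW] + [(ts, port)]
            distinct = {p for _, p in blocked[src]}
            key = ("port_scan", src)
            if len(distinct) >= PORT_SCAN_THRESHOLD and key not in raised:
                raised.add(key)
                alerts.append({"type": "port_scan", "source": src,
                               "count": len(distinct), "at": ts.isoformat()})
    return alerts


# Constructed sample: an SSH brute-force attempt, a benign typo-and-retry,
# and a port sweep against an internal host. Not real Botium Toys traffic.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d} auth: Failed password for admin from 203.0.113.5 port {50000 + s}"
     for s in range(0, 12, 2)]                      # 6 failures in 10 seconds
    + ["2024-05-01T10:01:00 auth: Failed password for jdoe from 192.0.2.10 port 40001",
       "2024-05-01T10:01:09 auth: Accepted password for jdoe from 192.0.2.10 port 40002"]
    + [f"2024-05-01T10:02:{s:02d} fw: DENY src=198.51.100.7 dst=10.0.0.5 dport={20 + s}"
       for s in range(12)]                          # 12 distinct ports in 12 seconds
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single retry from 192.0.2.10 never reaches the threshold and produces no alert, which is the point of windowed counting: the rule fires on rate, not on the mere presence of a failure. An IPS would take the same alert and add a block rule for the source address.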

2.5. Disaster Recovery and Business Continuity

Findings:

  • No disaster recovery plan (DRP) or data backup strategy.

  • No scheduled backups of critical business data.

Recommendations:

  • Implement a Disaster Recovery Plan (DRP) including:

    • Regular backups with offsite and cloud storage.

    • Defined recovery time objectives (RTOs) and recovery point objectives (RPOs).

    • Regular disaster recovery drills.

2.6. Physical Security

Findings:

  • Adequate CCTV surveillance, fire detection, and prevention systems are in place.

Recommendations:

  • Continue routine security audits to maintain effective physical security measures.

3. Compliance and Regulatory Recommendations

PCI DSS Compliance Checklist:

  • Implement encryption and tokenization for cardholder data.

  • Restrict data access to only authorized personnel.

  • Conduct quarterly vulnerability scans and at least annual penetration testing.

GDPR Compliance Checklist:

  • Enforce data minimization and encryption for EU customer data.

  • Ensure customers can exercise their rights to access and delete their data.

  • Develop an incident response plan for data breaches that meets the GDPR requirement to notify the supervisory authority within 72 hours of becoming aware of a breach.


4. Action Plan and Implementation Roadmap

Immediate Actions (0-3 Months):

✅ Implement role-based access control (RBAC) and least privilege policies.
✅ Strengthen password policies and deploy a password manager.
✅ Encrypt sensitive customer and payment data.
✅ Deploy an IDS/IPS for network security monitoring.

Short-Term Actions (3-6 Months):

✅ Establish a disaster recovery and data backup strategy.
✅ Conduct a compliance audit for PCI DSS and GDPR adherence.
✅ Implement multi-factor authentication (MFA) for user access.

Long-Term Actions (6-12 Months):

✅ Regular security awareness training for employees.
✅ Conduct penetration testing and vulnerability assessments.
✅ Develop a continuous monitoring program for threat detection.


5. Conclusion

This audit highlights significant security risks for Botium Toys, with a high-risk score of 8/10. Immediate action is required to secure critical assets, protect sensitive customer data, and comply with PCI DSS and GDPR regulations. By implementing the recommended security measures, Botium Toys will strengthen its cybersecurity posture, enhance business continuity, and build a more resilient IT infrastructure.