
Internal Security Audit for Botium Toys

Posted on: November 16, 2023 at 12:40 PM

As part of the Google Cybersecurity Professional course, I conducted an internal security audit for the fictional company Botium Toys. Security audits are essential for ensuring that comprehensive checks are in place to monitor potential threats, risks, and vulnerabilities that could impact an organization’s business continuity and critical assets.

My mandate included a thorough examination of the IT manager’s scope, goals, and risk assessment report. Following this, I was assigned the responsibility of conducting an internal audit by meticulously completing a controls and compliance checklist.

Controls and Compliance Checklist for Botium Toys


Controls assessment checklist

Does Botium Toys currently have this control in place?

| Yes | No | Control | Explanation |
|---|---|---|---|
|  | ✔️ | Least Privilege | Presently, all employees have access to customer data; however, privileges need to be restricted to mitigate the risk of a breach. |
|  | ✔️ | Disaster recovery plans | No disaster recovery plans are currently in place. It is imperative to implement these plans to ensure business continuity. |
|  | ✔️ | Password policies | The employee password requirements are minimal, potentially allowing a threat actor to more easily access secure data or other assets via employee work equipment or the internal network. |
|  | ✔️ | Separation of duties | Implementation is necessary to reduce the risk of fraud and unauthorized access to critical data, especially considering that the company CEO currently oversees day-to-day operations and manages the payroll. |
| ✔️ |  | Firewall | The current firewall restricts traffic based on a well-defined set of security rules. |
|  | ✔️ | Intrusion detection system | The IT department requires an Intrusion Detection System (IDS) to help identify potential intrusions by threat actors. |
|  | ✔️ | Backups | The IT department needs to maintain backups of critical data to ensure business continuity in the event of a breach. |
| ✔️ |  | Antivirus software | The IT department has installed and regularly monitors antivirus software. |
|  | ✔️ | Manual monitoring, maintenance, and intervention for legacy systems | The list of assets highlights the utilization of legacy systems. The risk assessment indicates that these systems are monitored and maintained; however, there is no regular schedule in place for these tasks, and the procedures/policies related to intervention are unclear. This lack of clarity could potentially expose these systems to the risk of a breach. |
|  | ✔️ | Encryption | Encryption is not currently in use; its implementation would enhance the confidentiality of sensitive information. |
|  | ✔️ | Password management | No password management system is currently in place; implementing this control would enhance productivity for both the IT department and other employees in the event of password issues. |
| ✔️ |  | Locks (offices, storefront, warehouse) | The physical location of the store, encompassing the company’s main offices, storefront, and product warehouse, is equipped with adequate locks. |
| ✔️ |  | Closed-circuit television (CCTV) surveillance | CCTV is installed and operational at the store’s physical location. |
| ✔️ |  | Fire detection/prevention (fire alarm, sprinkler system, etc.) | The physical location of Botium Toys is equipped with a functional fire detection and prevention system. |

Compliance checklist

Does Botium Toys currently adhere to this compliance best practice?

Payment Card Industry Data Security Standard (PCI DSS)

| Yes | No | Best practice | Explanation |
|---|---|---|---|
|  | ✔️ | Only authorized users have access to customers’ credit card information. | At present, all employees have access to the company’s internal data. |
|  | ✔️ | Credit card information is accepted, processed, transmitted, and stored internally, in a secure environment. | Credit card information is currently unencrypted, and all employees have access to internal data, including customers’ credit card information. |
|  | ✔️ | Implement data encryption procedures to better secure credit card transaction touchpoints and data. | The company currently does not employ encryption to enhance the confidentiality of customers’ financial information. |
|  | ✔️ | Adopt secure password management policies. | The password policies are minimal, and there is currently no password management system in place. |

General Data Protection Regulation (GDPR)

| Yes | No | Best practice | Explanation |
|---|---|---|---|
|  | ✔️ | E.U. customers’ data is kept private/secured. | The company currently does not utilize encryption to enhance the confidentiality of customers’ financial information. |
| ✔️ |  | There is a plan in place to notify E.U. customers within 72 hours if their data is compromised/there is a breach. | There is a plan in place to notify E.U. customers within 72 hours of a data breach. |
|  | ✔️ | Ensure data is properly classified and inventoried. | Current assets have been inventoried and listed but have not been classified. |
| ✔️ |  | Enforce privacy policies, procedures, and processes to properly document and maintain data. | Privacy policies, procedures, and processes have been developed and enforced among IT team members and other employees as required. |

System and Organizations Controls (SOC type 1, SOC type 2)

| Yes | No | Best practice | Explanation |
|---|---|---|---|
|  | ✔️ | User access policies are established. | Controls such as Least Privilege and separation of duties are currently not in place; all employees have access to internally stored data. |
|  | ✔️ | Sensitive data (PII/SPII) is confidential/private. | Encryption is not currently employed to enhance the confidentiality of Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII). |
| ✔️ |  | Data integrity ensures the data is consistent, complete, accurate, and has been validated. | Data integrity measures are in place. |
|  | ✔️ | Data is available to individuals authorized to access it. | While data is accessible to all employees, authorization needs to be restricted to individuals who require access for their job responsibilities. |

Recommendations

Multiple controls must be implemented to enhance Botium Toys’ security posture and ensure the confidentiality of sensitive information. These controls include Least Privilege, disaster recovery plans, password policies, separation of duties, an Intrusion Detection System (IDS), ongoing legacy system management, encryption, and a password management system.

To address compliance gaps, Botium Toys should implement controls such as Least Privilege, separation of duties, and encryption. Additionally, the company needs to accurately classify assets to identify any additional controls that may be necessary to enhance its security posture and better safeguard sensitive information.