### **Introduction**

Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location, which serves as their main office, a storefront, and warehouse for their products. However, Botium Toys' online presence has grown, attracting customers in the U.S. and abroad. As a result, their information technology (IT) department is under increasing pressure to support their online market worldwide.

The manager of the IT department has decided that an internal IT audit needs to be conducted. She's worried about maintaining compliance and business operations as the company grows without a clear plan. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to internally processing and accepting online payments and conducting business in the European Union (E.U.).   

The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, listing assets currently managed by the IT department, and completing a risk assessment. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture.

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a voluntary framework developed to help organizations manage and reduce cybersecurity risks. It provides a structured approach based on five core functions—Identify, Protect, Detect, Respond, and Recover—to improve cybersecurity practices, align security goals with business objectives, and enhance resilience against threats. The NIST CSF is widely adopted across industries for its flexibility and effectiveness in strengthening cybersecurity posture and ensuring compliance with regulatory requirements.

I have reviewed the IT manager's scope, goals, and risk assessment report (below). I have performed an internal audit by completing a controls and compliance checklist (below).

### **Botium Toys: Scope, goals, and risk assessment report**

#### **Scope and goals of the audit**

**Scope:** The scope of this audit is defined as the entire security program at Botium Toys. This includes their assets like employee equipment and devices, their internal network, and their systems. You will need to review the assets Botium Toys has and the controls and compliance practices they have in place.

**Goals:** Assess existing assets and complete the controls and compliance checklist to determine which controls and compliance best practices need to be implemented to improve Botium Toys' security posture.

**Current assets**

Assets managed by the IT Department include:

- On-premises equipment for in-office business needs
- Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.
- Storefront products available for retail sale on site and online; stored in the company's adjoining warehouse
- Management of systems, software, and services: accounting, telecommunication, database, security, ecommerce, and inventory management
- Internet access
- Internal network
- Data retention and storage
- Legacy system maintenance: end-of-life systems that require human monitoring

#### **Risk assessment**

**Risk description**
Currently, there is inadequate management of assets. Additionally, Botium Toys does
not have all of the proper controls in place and may not be fully compliant with U.S. and
international regulations and standards.

**Control best practices**
The first of the five functions of the NIST CSF is Identify. Botium Toys will need to
dedicate resources to identify assets so they can appropriately manage them.
Additionally, they will need to classify existing assets and determine the impact of the
loss of existing assets, including systems, on business continuity.

**Risk score**
On a scale of 1 to 10, the risk score is 8, which is fairly high. This is due to a lack of
controls and adherence to compliance best practices.

**Additional comments**
The potential impact from the loss of an asset is rated as medium, because the IT
department does not know which assets would be at risk. The risk to assets or fines
from governing bodies is high because Botium Toys does not have all of the necessary
controls in place and is not fully adhering to best practices related to compliance
regulations that keep critical data private/secure. Review the following bullet points for
specific details:
- Currently, all Botium Toys employees have access to internally stored data and may be able to access cardholder data and customers' PII/SPII.
- Encryption is not currently used to ensure confidentiality of customers' credit card information that is accepted, processed, transmitted, and stored locally in the company's internal database.
- Access controls pertaining to least privilege and separation of duties have not been implemented.
- The IT department has ensured availability and integrated controls to ensure data integrity.
- The IT department has a firewall that blocks traffic based on an appropriately defined set of security rules.
- Antivirus software is installed and monitored regularly by the IT department.
- The IT department has not installed an intrusion detection system (IDS).
- There are no disaster recovery plans currently in place, and the company does not have backups of critical data.
- The IT department has established a plan to notify E.U. customers within 72 hours if there is a security breach. Additionally, privacy policies, procedures, and processes have been developed and are enforced among IT department members/other employees, to properly document and maintain data.
- Although a password policy exists, its requirements are nominal and not in line with current minimum password complexity requirements (e.g., at least eight characters, a combination of letters and at least one number; special characters).
- There is no centralized password management system that enforces the password policy's minimum requirements, which sometimes affects productivity when employees/vendors submit a ticket to the IT department to recover or reset a password.
- While legacy systems are monitored and maintained, there is no regular schedule in place for these tasks and intervention methods are unclear.
- The store's physical location, which includes Botium Toys' main offices, store front, and warehouse of products, has sufficient locks, up-to-date closed-circuit television (CCTV) surveillance, as well as functioning fire detection and prevention systems.

## **Controls and Compliance Checklist for Botium Toys**
### **Controls Assessment Checklist**

| Control | Yes/No | Explanation |
| --- | --- | --- |
| Least Privilege | No | No access controls for least privilege are implemented, meaning all employees have access to critical data. |
| Disaster Recovery Plans | No | Disaster recovery plans are not in place, increasing risk of business disruption in the event of a disaster. |
| Password Policies | No | The password policy does not meet minimum complexity requirements (e.g., eight characters, numbers, special characters). |
| Separation of Duties | No | There is no separation of duties, exposing systems to risks from malicious insiders or compromised accounts. |
| Firewall | Yes | A firewall is installed and effectively blocks traffic based on defined security rules. |
| Intrusion Detection System (IDS) | No | An IDS is not installed, leaving systems vulnerable to undetected malicious traffic or anomalies. |
| Backups | No | There are no backups of critical data, increasing the risk of data loss. |
| Antivirus Software | Yes | Antivirus software is installed and monitored regularly by the IT department. |
| Manual Monitoring and Maintenance | No | While legacy systems are monitored, there is no regular schedule or intervention plan for these tasks. |
| Encryption | No | Encryption is not used for credit card data, leaving sensitive customer data unprotected. |
| Password Management System | No | No centralized password management system is in place, making password enforcement inconsistent. |
| Locks (Offices, Storefront, Warehouse) | Yes | Physical locks are sufficient to secure the office, storefront, and warehouse. |
| Closed-Circuit Television (CCTV) | Yes | CCTV surveillance is up to date and functioning effectively. |
| Fire Detection/Prevention Systems | Yes | Fire detection and prevention systems (e.g., alarms, sprinklers) are installed and operational. |

### **Compliance Checklist**

| Compliance Best Practice | Yes/No | Explanation |
| --- | --- | --- |
| **Payment Card Industry Data Security Standard (PCI DSS)** | | |
| Only authorized users have access to customers' credit card information. | No | All employees currently have access to credit card information. |
| Credit card information is stored, accepted, processed, and transmitted internally, in a secure environment. | No | Encryption is not used, and there are no secure procedures for handling cardholder data. |
| Implement data encryption procedures to better secure credit card transaction touchpoints and data. | No | No encryption is currently implemented for sensitive data. |
| Adopt secure password management policies. | No | Password policies are weak and not enforced by a password management system. |
| **General Data Protection Regulation (GDPR)** | | |
| E.U. customers' data is kept private/secured. | No | Weak access controls and no encryption leave data unprotected. |
| There is a plan in place to notify E.U. customers within 72 hours if their data is compromised/there is a breach. | Yes | A breach notification plan is in place and compliant with GDPR requirements. |
| Ensure data is properly classified and inventoried. | No | Data classification and inventorying are not currently performed. |
| Enforce privacy policies, procedures, and processes to properly document and maintain data. | Yes | Privacy policies and procedures are enforced among employees. |
| **System and Organization Controls (SOC Type 1, SOC Type 2)** | | |
| User access policies are established. | No | No access control policies are implemented. |
| Sensitive data (PII/SPII) is confidential/private. | No | Sensitive data is not adequately protected due to lack of encryption and access controls. |
| Data integrity ensures the data is consistent, complete, accurate, and has been validated. | Yes | Controls for data integrity are implemented by the IT department. |
| Data is available to individuals authorized to access it. | No | Lack of least privilege and separation of duties compromises availability for authorized users. |

## **Recommendations for IT Manager**

**1. Implement Access Controls:**
Adopt least privilege and separation of duties to restrict access to sensitive data.
Develop robust access control policies to ensure only authorized users have access to critical systems and data.

**2. Strengthen Password Policies:**
Update password policies to enforce complexity (e.g., eight characters, numbers, special characters).
Deploy a password management system to enforce policies and improve productivity.

**3. Install Security Tools:**
Deploy an Intrusion Detection System (IDS) to monitor and detect anomalous traffic.
Implement encryption for sensitive data, including credit card information and PII/SPII.

**4. Develop Disaster Recovery Plans and Backups:**
Create a comprehensive disaster recovery plan to ensure business continuity during disruptions.
Establish regular backups of critical data to mitigate risks of data loss.

**5. Enhance Compliance Practices:**
Ensure PCI DSS compliance by limiting access to cardholder data and encrypting credit card information.
Perform data classification and inventorying to meet GDPR requirements.
Provide ongoing employee training on privacy policies and cybersecurity best practices.

By implementing these recommendations, Botium Toys can significantly reduce its risk score, enhance its security posture, and comply with critical regulatory standards.

## **Conclusion**

The internal IT audit at Botium Toys has highlighted several critical gaps in the organization’s cybersecurity posture and compliance practices. These gaps include insufficient access controls, weak password policies, a lack of encryption for sensitive data, and the absence of disaster recovery plans and backups. Additionally, Botium Toys is currently not fully compliant with key standards such as PCI DSS and GDPR, exposing the company to potential data breaches, operational disruptions, and regulatory fines.

To address these issues and support the company’s growing online presence, the following steps are recommended:

- Implement robust access control mechanisms, including least privilege and separation of duties.
- Strengthen password policies and deploy a centralized password management system.
- Install essential security tools like an Intrusion Detection System (IDS) and encryption technologies.
- Develop and test disaster recovery plans, and establish a regular data backup schedule.
- Enhance compliance practices by classifying and inventorying data and providing comprehensive training to employees.

By adopting these measures, Botium Toys can significantly improve its security and compliance posture, reduce risks to critical assets, and foster customer trust. These improvements will not only safeguard the organization against potential threats but also position Botium Toys for sustainable growth in an increasingly competitive online market. The IT department’s proactive steps in implementing the NIST Cybersecurity Framework will ensure that the company is resilient and well-prepared to handle evolving cybersecurity challenges.