# ComplianceLab – Botium Toys Risk Assessment

## Executive Summary

This project simulates an internal IT audit of a small fictional business, **Botium Toys**, against NIST CSF, PCI DSS, GDPR, and SOC 1/SOC 2 criteria.

**Key outcomes:**

* Identified eight missing controls across IT systems, policies, and processes, plus further gaps in the PCI DSS, GDPR, and SOC checklists.
* Highlighted five high-risk gaps (least privilege, disaster recovery, password policy, backups, encryption) requiring immediate remediation.
* Provided actionable recommendations for improved security posture and regulatory compliance.
* Demonstrated skills in risk assessment, IT governance, and compliance reporting.

---

## Scenario

Botium Toys is a small U.S.-based toy company with a growing online presence. The IT department faces challenges in managing physical assets, online systems, and compliance with regulations, including PCI DSS and GDPR. An internal audit is requested to evaluate the current state of IT assets, identify gaps, and provide recommendations for mitigating risks.

---

## Scope & Goals

**Scope:** Entire IT security program, including physical assets, digital systems, data, and internal processes.

**Goals:**

* Assess existing IT assets and internal controls.
* Complete compliance checklists for NIST CSF, PCI DSS, GDPR, and SOC frameworks.
* Identify gaps and propose remediation actions to improve security posture.

---

## IT Assets

* **Physical Assets:** Office desktops/laptops, remote workstations, headsets, peripherals, CCTV, locks, fire detection systems.
* **Digital Assets:** Accounting, e-commerce, inventory, telecommunication, and security software/services.
* **Data:** Customer, product, and financial data (stored and processed online and on-premises).
* **Legacy Systems:** End-of-life systems requiring manual monitoring.

---

## Controls Assessment

| Control                          | Yes | No | Explanation                                                                         | Risk Level |
| -------------------------------- | --- | -- | ----------------------------------------------------------------------------------- | ---------- |
| Least Privilege                  |     | X  | All employees currently have access to customer data; privileges should be limited. | High       |
| Disaster Recovery Plan           |     | X  | No formal plan exists; critical for business continuity.                            | High       |
| Password Policies                |     | X  | Weak password requirements increase risk of unauthorized access.                    | High       |
| Separation of Duties             |     | X  | CEO handles operations and payroll; separation required to reduce fraud risk.       | Medium     |
| Firewall                         | X   |    | Firewall rules correctly configured.                                                | Low        |
| Intrusion Detection System (IDS) |     | X  | IDS not implemented; critical for detecting intrusions.                             | Medium     |
| Backups                          |     | X  | No regular backups of critical data; needed for business continuity.                | High       |
| Antivirus Software               | X   |    | Installed and monitored regularly.                                                  | Low        |
| Encryption                       |     | X  | Data encryption is not implemented; needed for confidentiality.                     | High       |
| Password Management System       |     | X  | No password management system exists; would improve productivity and security.      | Medium     |

---

## Compliance Checklists

### PCI DSS

| Best Practice                              | Yes | No | Explanation                                                               | Risk Level |
| ------------------------------------------ | --- | -- | ------------------------------------------------------------------------- | ---------- |
| Authorized user access to credit card info |     | X  | All employees currently have access to internal data including card info. | High       |
| Credit card data processed/stored securely |     | X  | Card information is not encrypted; access is not restricted.              | High       |
| Secure password management                 |     | X  | Password policies are minimal and no management system exists.            | Medium     |

### GDPR

| Best Practice                              | Yes | No | Explanation                                         | Risk Level |
| ------------------------------------------ | --- | -- | --------------------------------------------------- | ---------- |
| Breach notification: supervisory authority within 72h, affected E.U. data subjects without undue delay | X   |    | Notification plan exists.                           | Low        |
| Data properly classified & inventoried     |     | X  | Assets are listed but not classified.               | Medium     |
| Privacy policies enforced                  | X   |    | Policies are enforced across IT team and employees. | Low        |

### SOC 1 & SOC 2 (Type 1 and Type 2 reports)

| Best Practice                                                      | Yes | No | Explanation                                                 | Risk Level |
| ------------------------------------------------------------------ | --- | -- | ----------------------------------------------------------- | ---------- |
| Established user policies (Least Privilege & Separation of Duties) |     | X  | All employees have access; policies need to be implemented. | High       |
| Confidential handling of sensitive data                            |     | X  | Encryption not in place.                                    | High       |
| Data integrity (accuracy, completeness)                            | X   |    | Data integrity ensured.                                     | Low        |

---

## Risk Assessment & Recommendations

**High Risks:**

* Weak password policies
* Lack of a disaster recovery plan
* No regular backups of critical data
* Unencrypted sensitive data (including payment card data)
* Least privilege not enforced

**Medium Risks:**

* Separation of duties
* Partial asset classification
* No IDS or password management system

**Low Risks:**

* Firewall, antivirus, and physical security measures in place

**Recommendations:**

* Implement least privilege and separation of duties policies across all sensitive data and systems, starting with access to customer and payment card data.
* Create a formal disaster recovery and business continuity plan.
* Establish regular, tested backups of critical data, since a recovery plan without restorable backups is not actionable.
* Encrypt sensitive data at rest, including customer financial information, and restrict access to the keys.
* Enforce strong password policies and deploy a password management system.
* Install and configure an Intrusion Detection System (IDS) for network monitoring.
* Classify and categorize all assets for risk prioritization.
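
Of the recommendations above, the password policy item is the one that turns most directly into code. The following is an added example, not part of the original audit or the Botium Toys scenario: it enforces a minimum length, rejects entries from a small constructed blocklist of common passwords and entries containing the username, and stores credentials as salted scrypt hashes (standard-library `hashlib.scrypt`) so that a weak password store does not become the next audit finding. The length threshold, blocklist contents, and scrypt cost parameters are assumptions chosen for illustration, not values the page prescribes.

```python
import hashlib
import hmac
import os

# Assumption for this example: a tiny blocklist standing in for a real
# breached-/common-password list (constructed, not from the page).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty",
    "letmein", "botium", "botiumtoys", "welcome1",
}

# Assumed policy threshold; a real policy would cite the organisation's standard.
MIN_LENGTH = 12

# Assumed scrypt parameters: n=2**14, r=8 uses about 16 MiB per hash,
# enough to slow offline guessing without hurting interactive logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_password_policy(password, username=None):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    normalized = password.lower()
    if normalized in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if username and username.lower() in normalized:
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex' using a per-user random salt and scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def enrol_user(username, password):
    """Apply the policy, then store only a hash. Returns (ok, stored_hash_or_None, problems)."""
    problems = check_password_policy(password, username)
    if problems:
        return False, None, problems
    return True, hash_password(password), []


if __name__ == "__main__":
    # Constructed sample inputs: one weak choice, one acceptable choice.
    for user, pw in [("alice", "botium"), ("alice", "Correct-Horse-Battery-Staple-42")]:
        ok, stored, problems = enrol_user(user, pw)
        print(user, "accepted" if ok else "rejected", problems)
        if ok:
            print("  verify correct password:", verify_password(pw, stored))
            print("  verify wrong password:  ", verify_password(pw + "x", stored))
```

Two design points worth keeping: the policy check runs before the hash is ever computed, so a rejected password is never written to storage, and verification uses `hmac.compare_digest` rather than `==` to avoid leaking timing information about how many bytes of the digest matched.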