Project Context: Google Cybersecurity Professional Certificate
This project is part of the Google Cybersecurity Professional Certificate.
Scenario: Botium Toys is a small U.S. business that sells toys and has a growing online presence. As an IT Associate, I conducted an internal security audit to assess the company's security posture. The goal was to identify risks, evaluate current controls, and ensure compliance with regulations like PCI DSS, GDPR, and SOC.
- Scope: The audit covers the entire security program at Botium Toys, including assets (employee equipment, internal network, systems), controls, and compliance practices.
- Goals: Assess existing assets, complete a controls and compliance checklist, and identify gaps to improve the security posture.
Current Risk Score: 8/10 (High)
The risk score is high due to a lack of controls and adherence to compliance best practices.
- Critical Issue: All employees currently have access to internally stored data (including cardholder data and PII).
- Critical Issue: Encryption is not used for data stored locally.
| Control | Status |
|---|---|
| Least Privilege | ❌ No |
| Disaster Recovery Plans | ❌ No |
| Password Policies | |
| Separation of Duties | ❌ No |
| Firewall | ✅ Yes |
| Intrusion Detection System (IDS) | ❌ No |
| Backups | ❌ No |
| Antivirus Software | ✅ Yes |
| Legacy System Maintenance | |
| Encryption | ❌ No |
| Password Management System | ❌ No |
| Physical Locks | ✅ Yes |
| CCTV Surveillance | ✅ Yes |
| Fire Detection | ✅ Yes |
| Best Practice | Status |
|---|---|
| Authorized Access Only | ❌ No |
| Secure Storage/Transmission | ❌ No |
| Data Encryption | ❌ No |
| Secure Password Policies | ❌ No |
| Best Practice | Status |
|---|---|
| E.U. Data Privacy | ❌ No |
| 72h Breach Notification | ✅ Yes |
| Data Classification | ❌ No |
| Privacy Policies | ✅ Yes |
| Best Practice | Status |
|---|---|
| User Access Policies | ❌ No |
| Sensitive Data Confidentiality | ❌ No |
| Data Integrity | ✅ Yes |
| Data Availability | ✅ Yes |
Based on the audit findings, the following controls must be prioritized to reduce risk:
- Implement Access Controls: Enforce Least Privilege and Separation of Duties to restrict access to sensitive data (PCI DSS requirement).
- Deploy Encryption: Implement encryption for customer credit card data and PII to ensure confidentiality (PCI DSS & GDPR requirement).
- Disaster Recovery & Backups: Create a plan and regular backup schedule to ensure business continuity.
- Password Management: Adopt a centralized password management system and enforce strong password complexity rules.
- IDS Implementation: Install an Intrusion Detection System to monitor for malicious activity.