Audit Scope and Goals Risk Assessment

Summary: The internal audit needs to align current business practices with industry
standards and best practices. The audit is meant to provide mitigation Current assets
recommendations for vulnerabilities found that are classified as “high risk,” and present
an overall strategy to improve the security posture of the organization. The audit team Assets managed by the IT Department include:
needs to document their findings, provide remediation plans and efforts, and ●​ Employee equipment: end-user devices (desktops/laptops, smartphones),
communicate with stakeholders. remote workstations, headsets, cables, keyboards, mice, docking stations,
surveillance cameras, etc.
Scope: The internal IT audit will assess the following: ●​ Internal network: protected storage of customer, vendor, organizational data
●​ Assess user permissions
●​ Identify existing controls, procedures, and system protocols Risk description
●​ Account for technology currently in use
Currently, there is inadequate management of assets. Additionally, proper controls are
not in place and the organization may not be compliant with U.S. and international
Goals: The goals for the internal IT audit are:
compliance regulations and standards.
●​ Adhere to the NIST Cybersecurity Framework (CSF)
●​ Establish policies and procedures to ensure compliance with regulations
●​ Fortify system controls Control best practices
The organization will need to dedicate resources to managing assets. Additionally, they
will need to determine the impact of the loss of existing assets, including systems, on
business continuity.

Risk score
On a scale of 1-10, the risk score is 8, which is fairly high. This is due to a lack of controls
and adherence to necessary compliance regulations and standards.

Additional comments
The likelihood of a lost asset or fines from governing bodies is high because the
organization does not have all of the necessary controls in place and is not adhering to
required regulations and standards related to keeping PII data private.
Controls Assessment investigation

Locks Preventative; physical and X High

digital assets are more secure
Administrative Controls

Control name Control type and Needs to be Priority

explanation implemented
(X)

Password policies Preventative; establish X High

password strength rules to
improve security/reduce
likelihood of account
compromise through brute
force or dictionary attack
techniques

Technical Controls

Control Name Control type and Needs to be Priority

explanation implemented
(X)

Intrusion Detection Detective; allows IT team to X HIgh

System (IDS) identify possible intrusions
(i.e., anomalous traffic) quickly

Encryption Deterrent; makes confidential X High/

information/data more secure Medium
(i.e., website payment
transactions)

Physical Controls

Control Name Control type and Needs to be Priority

explanation implemented
(X)

Closed-circuit Preventative/detective; can X High/

television (CCTV) reduce risk of certain events; Medium
surveillance can be used after event for
 Course # 2
Module # 2

Compliance Checklist
OWASP principles and security audits

​ General Data Protection Regulation (GDPR)

Security audits
GDPR is a European Union (EU) general data regulation that protects the
A security audit is a review of an organization's security controls, policies, and
processing of EU citizens’ data and their right to privacy in and out of EU
procedures against a set of expectations. Audits are independent reviews that evaluate
territory. Additionally, if a breach occurs and a EU citizen’s data is compromised, whether an organization is meeting internal and external criteria. Internal criteria include
outlined policies, procedures, and best practices. External criteria include regulatory
they must be informed within 72 hours of the incident.
compliance, laws, and federal regulations.
Explanation: The organization needs to adhere to GDPR because we conduct Additionally, a security audit can be used to assess an organization's established
business and collect personal information from people in the EU. security controls. As a reminder, security controls are safeguards designed to reduce
specific security risks.
​ Payment Card Industry Data Security Standard (PCI DSS)
Audits help ensure that security checks are made (i.e., daily monitoring of security
information and event management dashboards), to identify threats, risks, and
PCI DSS is an international security standard meant to ensure that organizations
vulnerabilities. This helps maintain an organization’s security posture. And, if there are
storing, accepting, processing, and transmitting credit card information do so in security issues, a remediation process must be in place.
a secure environment.
Goals and objectives of an audit
Explanation: The organization needs to adhere to PCI DSS because we store,
The goal of an audit is to ensure an organization's information technology (IT) practices
accept, process, and transmit credit card information in person and online.
are meeting industry and organizational standards. The objective is to identify and
address areas of remediation and growth. Audits provide direction and clarity by
identifying what the current failures are and developing a plan to correct them.

Security audits must be performed to safeguard data and avoid penalties and fines from
governmental agencies. The frequency of audits is dependent on local laws and federal
compliance regulations.

Factors that affect audits

Factors that determine the types of audits an organization implements include:
●​ Industry type
●​ Organization size
●​ Ties to the applicable government regulations
●​ A business’s geographical location
●​ A business decision to adhere to a specific regulatory compliance
Course # 2 Course # 2
Module # 2 Module # 2

To review common compliance regulations that different organizations need to adhere ●​ When conducting an internal audit, you will assess the security of the identified
to, refer to the reading about controls, frameworks, and compliance. assets listed in the audit scope.

Create a mitigation plan

The role of frameworks and controls in audits ●​ A mitigation plan is a strategy established to lower the level of risk and potential
costs, penalties, or other issues that can negatively affect the organization’s
Along with compliance, it’s important to mention the role of frameworks and controls in
security posture.
security audits. Frameworks such as the National Institute of Standards and Technology
Cybersecurity Framework (NIST CSF) and the international standard for information Communicate results to stakeholders
security (ISO 27000) series are designed to help organizations prepare for regulatory ●​ The end result of this process is providing a detailed report of findings, suggested
compliance security audits. By adhering to these and other relevant frameworks, improvements needed to lower the organization's level of risk, and compliance
organizations can save time when conducting external and internal audits. Additionally, regulations and standards the organization needs to adhere to.
frameworks, when used alongside controls, can support organizations’ ability to align
with regulatory compliance requirements and standards.
Key takeaways
There are three main categories of controls to review during an audit, which are
administrative and/or managerial, technical, and physical controls. To learn more about In this reading you learned more about security audits, including what they are; why
specific controls related to each category, click the following link and select “Use they’re conducted; and the role of frameworks, controls, and compliance in audits.
Template.”
Although there is much more to learn about security audits, this introduction is meant to
support your ability to complete an audit of your own for a self-reflection portfolio activity
later in this course.
Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is
generally made up of the following areas of focus:

Identify the scope of the audit

●​ The audit should:
○​ List assets that will be assessed (e.g., firewalls are configured correctly,
PII is secure, physical assets are locked, etc.)
○​ Note how the audit will help the organization achieve its desired goals
○​ Indicate how often an audit should be performed
○​ Include an evaluation of organizational policies, protocols, and procedures
to make sure they are working as intended and being implemented by
employees

Complete a risk assessment

●​ A risk assessment is used to evaluate identified organizational risks related to
budget, controls, internal processes, and external standards (i.e., regulations).

Conduct the audit

Course # 2 Course # 2
Module # 2 Module # 2

Review the following scenario. Then complete the step-by-step instructions. Controls, frameworks, and compliance
Previously, you were introduced to security frameworks and how they provide a
This scenario is based on a fictional company:
structured approach to implementing a security lifecycle. As a reminder, a security
Botium Toys is a small U.S. business that develops and sells toys. The business has a lifecycle is a constantly evolving set of policies and standards. In this reading, you will
single physical location, which serves as their main office, a storefront, and warehouse learn more about how security frameworks, controls, and compliance regulations—or
for their products. However, Botium Toy’s online presence has grown, attracting laws—are used together to manage security and make sure everyone does their part to
customers in the U.S. and abroad. As a result, their information technology (IT) minimize risk.
department is under increasing pressure to support their online market worldwide.

The manager of the IT department has decided that an internal IT audit needs to be
How controls, frameworks, and compliance are related
conducted. She's worried about maintaining compliance and business operations as the The confidentiality, integrity, and availability (CIA) triad is a model that helps inform how
company grows without a clear plan. She believes an internal audit can help better organizations consider risk when setting up systems and security policies.
secure the company’s infrastructure and help them identify and mitigate potential risks,
threats, or vulnerabilities to critical assets. The manager is also interested in ensuring
that they comply with regulations related to internally processing and accepting online
payments and conducting business in the European Union (E.U.).

The IT manager starts by implementing the National Institute of Standards and

Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and
goals, listing assets currently managed by the IT department, and completing a risk
assessment. The goal of the audit is to provide an overview of the risks and/or fines that
the company might experience due to the current state of their security posture.

Your task is to review the IT manager’s scope, goals, and risk assessment report. Then,
perform an internal audit by completing a controls and compliance checklist.

CIA are the three foundational principles used by cybersecurity professionals to

establish appropriate controls that mitigate threats, risks, and vulnerabilities.

As you may recall, security controls are safeguards designed to reduce specific security
risks. So they are used alongside frameworks to ensure that security goals and
processes are implemented correctly and that organizations meet regulatory
compliance requirements.
Course # 2 Course # 2
Module # 2 Module # 2

Security frameworks are guidelines used for building plans to help mitigate risks and offerings. Its purpose is to provide consistency across the government sector and
threats to data and privacy. They have four core components: third-party cloud providers.
1.​ Identifying and documenting security goals
2.​ Setting guidelines to achieve security goals Center for Internet Security (CIS®)
3.​ Implementing strong security processes
4.​ Monitoring and communicating results CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can
be used to safeguard systems and networks against attacks. Its purpose is to help
Compliance is the process of adhering to internal standards and external regulations. organizations establish a better plan of defense. CIS also provides actionable controls
that security professionals may follow if a security incident occurs.
Specific controls, frameworks, and compliance General Data Protection Regulation (GDPR)
The National Institute of Standards and Technology (NIST) is a U.S.-based agency that
GDPR is a European Union (E.U.) general data regulation that protects the processing
develops multiple voluntary compliance frameworks that organizations worldwide can
of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example,
use to help manage risk. The more aligned an organization is with compliance, the
if an organization is not being transparent about the data they are holding about an E.U.
lower the risk.
citizen and why they are holding that data, this is an infringement that can result in a
Examples of frameworks include the NIST Cybersecurity Framework (CSF) and the fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is
NIST Risk Management Framework (RMF). compromised, they must be informed. The affected organization has 72 hours to notify
the E.U. citizen about the breach.
Note: Specifications and guidelines can change depending on the type of organization
you work for. Payment Card Industry Data Security Standard (PCI DSS)

In addition to the NIST CSF and NIST RMF, there are several other controls, PCI DSS is an international security standard meant to ensure that organizations
frameworks, and compliance standards that are important for security professionals to storing, accepting, processing, and transmitting credit card information do so in a secure
be familiar with to help keep organizations and the people they serve safe. environment. The objective of this compliance standard is to reduce credit card fraud.

The Federal Energy Regulatory Commission - North American Electric The Health Insurance Portability and Accountability Act (HIPAA)
Reliability Corporation (FERC-NERC)
HIPAA is a U.S. federal law established in 1996 to protect patients' health information.
FERC-NERC is a regulation that applies to organizations that work with electricity or This law prohibits patient information from being shared without their consent. It is
that are involved with the U.S. and North American power grid. These types of governed by three rules:
organizations have an obligation to prepare for, mitigate, and report any potential 1.​ Privacy
security incident that can negatively affect the power grid. They are also legally required 2.​ Security
to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by 3.​ Breach notification
the FERC.
Organizations that store patient data have a legal obligation to inform patients of a
breach because if patients' Protected Health Information (PHI) is exposed, it can lead to
The Federal Risk and Authorization Management Program
identity theft and insurance fraud. PHI relates to the past, present, or future physical or
(FedRAMP®) mental health or condition of an individual, whether it’s a plan of care or payments for
care. Along with understanding HIPAA as a law, security professionals also need to be
FedRAMP is a U.S. federal government program that standardizes security
assessment, authorization, monitoring, and handling of cloud services and product
Course # 2 Course # 2
Module # 2 Module # 2

familiar with the Health Information Trust Alliance (HITRUST®), which is a security In this reading you learned more about controls, frameworks, and compliance. You also
framework and assurance program that helps institutions meet HIPAA compliance. learned how they work together to help organizations maintain a low level of risk.

International Organization for Standardization (ISO) As a security analyst, it’s important to stay up-to-date on common frameworks, controls,
and compliance regulations and be aware of changes to the cybersecurity landscape to
ISO was created to establish international standards related to technology, help ensure the safety of both organizations and people.
manufacturing, and management across borders. It helps organizations improve their
processes and procedures for staff retention, planning, waste, and services.

System and Organizations Controls (SOC type 1, SOC type 2)

The American Institute of Certified Public Accountants® (AICPA) auditing standards

board developed this standard. The SOC1 and SOC2 are a series of reports that focus
on an organization's user access policies at different organizational levels such as:
●​ Associate
●​ Supervisor
●​ Manager
●​ Executive
●​ Vendor
●​ Others

They are used to assess an organization’s financial compliance and levels of risk. They
also cover confidentiality, privacy, integrity, availability, security, and overall data safety.
Control failures in these areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are
encouraged to keep up-to-date with changes and explore more frameworks, controls,
and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the
Sarbanes-Oxley Act.

United States Presidential Executive Order 14028

On May 12, 2021, President Joe Biden released an executive order related to improving
the nation’s cybersecurity to remediate the increase in threat actor activity. Remediation
efforts are directed toward federal agencies and third parties with ties to U.S. critical
infrastructure. For additional information, review the Executive Order on Improving the
Nation’s Cybersecurity.

Key takeaways
Course # 2 Course # 2
Module # 2 Module # 2

Open Web Application Security Project/Open Worldwide Application Security

Glossary terms from module 2 Project (OWASP): A non-profit organization focused on improving software security

Protect: A NIST core function used to protect an organization through the

implementation of policies, procedures, training, and tools that help mitigate
Terms and definitions from Course 2, Module 2 cybersecurity threats

Asset: An item perceived as having value to an organization Recover: A NIST core function related to returning affected systems back to normal
operation
Attack vectors: The pathways attackers use to penetrate security defenses
Respond: A NIST core function related to making sure that the proper procedures are
Authentication: The process of verifying who someone is
used to contain, neutralize, and analyze security incidents, and implement
Authorization: The concept of granting access to specific resources in a system improvements to the security process

Availability: The idea that data is accessible to those who are authorized to access it Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

Biometrics: The unique physical characteristics that can be used to verify a person’s Security audit: A review of an organization's security controls, policies, and procedures
identity against a set of expectations

Confidentiality: The idea that only authorized users can access specific assets or data Security controls: Safeguards designed to reduce specific security risks

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how Security frameworks: Guidelines used for building plans to help mitigate risk and
organizations consider risk when setting up systems and security policies threats to data and privacy

Detect: A NIST core function related to identifying potential security incidents and Security posture: An organization’s ability to manage its defense of critical assets and
improving monitoring capabilities to increase the speed and efficiency of detections data and react to change

Encryption: The process of converting data from a readable format to an encoded Threat: Any circumstance or event that can negatively impact assets
format

Identify: A NIST core function related to management of cybersecurity risk and its effect
on an organization’s people and assets

Integrity: The idea that the data is correct, authentic, and reliable

National Institute of Standards and Technology (NIST) Cybersecurity Framework

(CSF): A voluntary framework that consists of standards, guidelines, and best practices
to manage cybersecurity risk

National Institute of Standards and Technology (NIST) Special Publication (S.P.)

800-53: A unified framework for protecting the security of information systems within the
U.S. federal government
 Risk assessment
Botium Toys: Scope, goals, and risk assessment
Risk description
report Currently, there is inadequate management of assets. Additionally, Botium Toys does
not have all of the proper controls in place and may not be fully compliant with U.S. and
international regulations and standards.

Scope and goals of the audit

Control best practices
Scope: The scope of this audit is defined as the entire security program at Botium Toys.
The first of the five functions of the NIST CSF is Identify. Botium Toys will need to
This includes their assets like employee equipment and devices, their internal network,
dedicate resources to identify assets so they can appropriately manage them.
and their systems. You will need to review the assets Botium Toys has and the controls
Additionally, they will need to classify existing assets and determine the impact of the
and compliance practices they have in place.
loss of existing assets, including systems, on business continuity.

Goals: Assess existing assets and complete the controls and compliance checklist to
Risk score
determine which controls and compliance best practices that need to be implemented
to improve Botium Toys’ security posture. On a scale of 1 to 10, the risk score is 8, which is fairly high. This is due to a lack of
controls and adherence to compliance best practices.

Current assets
Additional comments
Assets managed by the IT Department include:
The potential impact from the loss of an asset is rated as medium, because the IT
●​ On-premises equipment for in-office business needs
department does not know which assets would be at risk. The risk to assets or fines
●​ Employee equipment: end-user devices (desktops/laptops, smartphones),
from governing bodies is high because Botium Toys does not have all of the necessary
remote workstations, headsets, cables, keyboards, mice, docking stations,
controls in place and is not fully adhering to best practices related to compliance
surveillance cameras, etc.
regulations that keep critical data private/secure. Review the following bullet points for
●​ Storefront products available for retail sale on site and online; stored in the
specific details:
company’s adjoining warehouse
●​ Management of systems, software, and services: accounting,
●​ Currently, all Botium Toys employees have access to internally stored data and
telecommunication, database, security, ecommerce, and inventory management may be able to access cardholder data and customers’ PII/SPII.
●​ Internet access ●​ Encryption is not currently used to ensure confidentiality of customers’ credit
●​ Internal network card information that is accepted, processed, transmitted, and stored locally in
●​ Data retention and storage the company’s internal database.
●​ Legacy system maintenance: end-of-life systems that require human monitoring ●​ Access controls pertaining to least privilege and separation of duties have not
been implemented.
●​ The IT department has ensured availability and integrated controls to ensure
data integrity.
●​ The IT department has a firewall that blocks traffic based on an appropriately
defined set of security rules.
●​ Antivirus software is installed and monitored regularly by the IT department.
●​ The IT department has not installed an intrusion detection system (IDS).
●​ There are no disaster recovery plans currently in place, and the company does
not have backups of critical data. Control categories
●​ The IT department has established a plan to notify E.U. customers within 72
hours if there is a security breach. Additionally, privacy policies, procedures, and
processes have been developed and are enforced among IT department
members/other employees, to properly document and maintain data. Control categories
●​ Although a password policy exists, its requirements are nominal and not in line
with current minimum password complexity requirements (e.g., at least eight Controls within cybersecurity are grouped into three main categories:
characters, a combination of letters and at least one number; special
characters). ●​ Administrative/Managerial controls
●​ There is no centralized password management system that enforces the ●​ Technical controls
password policy’s minimum requirements, which sometimes affects productivity
●​ Physical/Operational controls
when employees/vendors submit a ticket to the IT department to recover or
reset a password.
●​ While legacy systems are monitored and maintained, there is no regular Administrative/Managerial controls address the human component of cybersecurity.
schedule in place for these tasks and intervention methods are unclear. These controls include policies and procedures that define how an organization
●​ The store’s physical location, which includes Botium Toys’ main offices, store manages data and clearly defines employee responsibilities, including their role in
front, and warehouse of products, has sufficient locks, up-to-date closed-circuit protecting the organization. While administrative controls are typically policy based,
television (CCTV) surveillance, as well as functioning fire detection and the enforcement of those policies may require the use of technical or physical controls.
prevention systems.

Technical controls consist of solutions such as firewalls, intrusion detection systems

(IDS), intrusion prevention systems (IPS), antivirus (AV) products, encryption, etc.
Technical controls can be used in a number of ways to meet organizational goals and
objectives.

Physical/Operational controls include door locks, cabinet locks, surveillance cameras,

badge readers, etc. They are used to limit physical access to physical assets by
unauthorized personnel.

Control types
Control types include, but are not limited to:​
1.​ Preventative
2.​ Corrective
3.​ Detective
4.​ Deterrent
These controls work together to provide defense in depth and protect assets.
Preventative controls are designed to prevent an incident from occurring in the first
place. Corrective controls are used to restore an asset after an incident. Detective
controls are implemented to determine whether an incident has occurred or is in Technical Controls
progress. Deterrent controls are designed to discourage attacks.
Control Name Control Type Control Purpose
Review the following charts for specific details about each type of control and its
Firewall Preventative To filter unwanted or
purpose. malicious traffic from
entering the network
Administrative/Managerial Controls IDS/IPS Detective To detect and prevent
anomalous traffic that
Control Name Control Type Control Purpose
matches a signature or
Least Privilege Preventative Reduce risk and overall rule
impact of malicious insider
Encryption Deterrent Provide confidentiality to
or compromised accounts
sensitive information
Disaster recovery plans Corrective Provide business
Backups Corrective Restore/recover from an
continuity
event
Password policies Preventative Reduce likelihood of
Password management Preventative Reduce password fatigue
account compromise
through brute force or Antivirus (AV) software Preventative Scans to detect and
dictionary attack quarantine known threats
techniques
Manual monitoring, Preventative Necessary to identify and
Access control policies Preventative Bolster confidentiality and maintenance, and manage threats, risks, or
integrity by defining which intervention vulnerabilities to
groups can access or out-of-date systems
modify data

Account management Preventative Managing account

policies lifecycle, reducing attack
surface, and limiting
overall impact from
disgruntled former Physical/Operational Controls
employees and default
account usage Control Name Control Type Control Purpose

Separation of duties Preventative Reduce risk and overall Time-controlled safe Deterrent Reduce attack surface and
impact of malicious insider overall impact from
or compromised accounts physical threats
Adequate lighting Deterrent Deter threats by limiting
“hiding” places
Controls and compliance checklist
Closed-circuit television Preventative/Detective Closed circuit television is
(CCTV) both a preventative and
detective control because To complete the controls assessment checklist, refer to the information provided in the
it’s presence can reduce scope, goals, and risk assessment report. For more details about each control,
risk of certain types of including the type and purpose, refer to the control categories document.
events from occurring, and
can be used after an event Then, select “yes” or “no” to answer the question: Does Botium Toys currently have this
to inform on event control in place?
conditions

Locking cabinets (for Preventative Bolster integrity by

network gear) preventing unauthorized Controls assessment checklist
personnel and other
individuals from physically
Yes No Control
accessing or modifying
network infrastructure ​ ​ Least Privilege
gear
​ ​ Disaster recovery plans
Signage indicating alarm Deterrent Deter certain types of
service provider threats by making the ​ ​ Password policies
likelihood of a successful
attack seem low ​ ​ Separation of duties

Locks Deterrent/Preventative Bolster integrity by ​ ​ Firewall

deterring and preventing
unauthorized personnel, ​ ​ Intrusion detection system (IDS)
individuals from physically
accessing assets ​ ​ Backups

Fire detection and Detective/Preventative Detect fire in physical ​ ​ Antivirus software

prevention (fire alarm, location and prevent
sprinkler system, etc.) damage to physical assets ​ ​ Manual monitoring, maintenance, and intervention for legacy
such as inventory, servers, systems
etc. Encryption
​ ​

​ ​ Password management system

​ ​ Locks (offices, storefront, warehouse)

​ ​ Closed-circuit television (CCTV) surveillance

 ​ ​ Fire detection/prevention (fire alarm, sprinkler system, etc.) ​ ​ Enforce privacy policies, procedures, and processes to properly
document and maintain data.

To complete the compliance checklist, refer to the information provided in the scope, System and Organizations Controls (SOC type 1, SOC type 2)
goals, and risk assessment report. For more details about each compliance regulation,
review the controls, frameworks, and compliance reading. Yes No Best practice

​ ​ User access policies are established.

Then, select “yes” or “no” to answer the question: Does Botium Toys currently adhere
to this compliance best practice? ​ ​ Sensitive data (PII/SPII) is confidential/private.

Compliance checklist ​ ​ Data integrity ensures the data is consistent, complete, accurate,
and has been validated.
Payment Card Industry Data Security Standard (PCI DSS) ​ ​ Data is available to individuals authorized to access it.

Yes No Best practice

​ ​ Only authorized users have access to customers’ credit card

information.
This section is optional and can be used to provide a summary of recommendations to
​ ​ Credit card information is stored, accepted, processed, and the IT manager regarding which controls and/or compliance best practices Botium Toys
transmitted internally, in a secure environment.
needs to implement, based on the risk posed if not implemented in a timely manner.
​ ​ Implement data encryption procedures to better secure credit card
transaction touchpoints and data. Recommendations (optional): In this section, provide recommendations, related to

​ ​ Adopt secure password management policies. controls and/or compliance needs, that your IT manager could communicate to
stakeholders to reduce risks to assets and improve Botium Toys’ security posture.

General Data Protection Regulation (GDPR)

Yes No Best practice

​ ​ E.U. customers’ data is kept private/secured.

​ ​ There is a plan in place to notify E.U. customers within 72 hours if

their data is compromised/there is a breach.

​ ​ Ensure data is properly classified and inventoried.