Security Audit · Risk Assessment
Botium Toys
Conducted a full internal security audit for Botium Toys — assessing their assets, controls, and compliance posture across PCI DSS, GDPR, and SOC standards, producing a risk assessment and actionable recommendations.
Overview
Scope & Goals
The scope of this audit covered the entire security programme at Botium Toys — including all employee equipment and devices, the internal network, and all systems and services managed by the IT department.
The goal was to assess existing assets and complete a controls and compliance checklist, identifying which controls and best practices needed to be implemented to improve their overall security posture.
Controls Assessment
Controls Checklist
| Control | Status | Finding |
|---|---|---|
| Firewall | ✓ Pass | Existing firewall blocks traffic based on an appropriately defined set of security rules. |
| Antivirus Software | ✓ Pass | Installed and monitored regularly by the IT department. |
| Locks (offices, storefront, warehouse) | ✓ Pass | Physical locations have sufficient locks in place. |
| CCTV Surveillance | ✓ Pass | CCTV is installed and functioning at all physical locations. |
| Fire Detection/Prevention | ✓ Pass | Fire alarm and sprinkler system are operational. |
| Least Privilege | ✗ Fail | All employees currently have access to all internal data including customer PII and cardholder data. Privileges must be restricted. |
| Separation of Duties | ✗ Fail | The CEO currently manages both day-to-day operations and payroll, creating fraud risk. |
| Intrusion Detection System (IDS) | ✗ Fail | No IDS in place — the organisation cannot detect potential intrusions by threat actors. |
| Disaster Recovery Plans | ✗ Fail | No disaster recovery plans exist. Business continuity is at serious risk in the event of an incident. |
| Encryption | ✗ Fail | Credit card data is accepted, processed, and stored without encryption. Confidentiality of customer financial data is not assured. |
| Password Management System | ✗ Fail | No centralised password management system. Current password policy requirements are nominal and below minimum complexity standards. |
| Legacy System Maintenance | ✗ Fail | No regular maintenance schedule. Intervention procedures are unclear, leaving legacy systems at elevated risk. |
Compliance Assessment
Compliance Checklist
PCI DSS
| Requirement | Status | Finding |
|---|---|---|
| Only authorised users have access to customer credit card information | ✗ Fail | All employees currently have access to cardholder data. |
| Credit card information is accepted, processed, transmitted and stored in a secure environment | ✗ Fail | No encryption is in place at any point in the card-data flow. |
| Data encryption procedures are implemented | ✗ Fail | Not implemented. |
| Secure password management policies are adopted | ✗ Fail | Not in place; current password requirements are below minimum complexity standards. |
GDPR
| Requirement | Status | Finding |
|---|---|---|
| EU customer data is kept private and secured | ✗ Fail | Encryption is not used. |
| A plan exists to notify EU customers within 72 hours of a breach | ✓ Pass | A 72-hour breach notification plan for EU customers is in place. |
| Data is properly classified and inventoried | ✗ Fail | Assets are listed but not classified. |
| Privacy policies are enforced among IT staff and other employees | ✓ Pass | Privacy policies are developed and enforced. |
SOC Type 1 & 2
| Requirement | Status | Finding |
|---|---|---|
| User access policies are established | ✗ Fail | Least privilege and separation of duties are not implemented. |
| PII/SPII is kept confidential | ✗ Fail | Encryption is not in use. |
| Data integrity is ensured | ✓ Pass | Integrity controls are in place and maintained by IT. |
| Data is available only to authorised users | ✗ Fail | All employees have unrestricted access. |
Recommendations
Priority Controls to Implement
Implement Least Privilege — restrict employee access to only the data and systems needed for their role.
Establish Disaster Recovery Plans to ensure business continuity in the event of a breach or system failure.
Enforce a robust Password Policy with minimum complexity requirements and a centralised password management system.
Implement Separation of Duties — the CEO should not control both operations and payroll.
Deploy an Intrusion Detection System (IDS) to identify potential threat actor activity on the network.
Enable Encryption across all credit card data touchpoints — at rest and in transit.
Establish a Legacy System Maintenance Schedule with clear intervention procedures and responsible owners.
Classify existing assets by sensitivity and criticality to understand the business impact of their loss and identify any additional controls required.
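Of the controls above, encryption of cardholder data is the one most often implemented badly, so here is an added worked example of what "encryption at rest for credit card data" looks like in code. It is written for this page and is not part of the Botium Toys audit or any system the company runs; the names CardRecord, EncryptPAN, DecryptPAN and Masked, the customer IDs and the test card number are all illustrative assumptions. The example uses Go's standard-library AES-256-GCM, binds each ciphertext to the customer row it belongs to via associated data, rejects malformed card numbers before they are ever encrypted, and keeps only the last four digits in clear for staff who have no business need for the full number. It covers data at rest only; data in transit is a separate concern (TLS on every card-data connection) that this example does not address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is the only form in which a PAN reaches storage: ciphertext plus the last four digits.
type CardRecord struct {
	CustomerID string
	Last4      string
	PANCipher  string // base64(nonce || ciphertext || GCM tag)
}

var ErrBadPAN = errors.New("invalid primary account number")

// luhnValid rejects malformed input before encryption; it is a checksum, not proof the card exists.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN validates the PAN, encrypts it under key, and binds the customer ID in as
// associated data, so a ciphertext copied onto another customer's row fails to decrypt.
func EncryptPAN(key []byte, customerID, pan string) (CardRecord, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
		return CardRecord{}, ErrBadPAN
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(digits), []byte(customerID))
	return CardRecord{CustomerID: customerID, Last4: digits[len(digits)-4:],
		PANCipher: base64.StdEncoding.EncodeToString(sealed)}, nil
}

// DecryptPAN recovers the PAN; only the payment-processing path should hold the key to call it.
func DecryptPAN(key []byte, rec CardRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(rec.PANCipher)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.CustomerID))
	if err != nil {
		return "", err // wrong key, tampered ciphertext, or mismatched customer ID
	}
	return string(pt), nil
}

// Masked is what staff without a business need for the full number see.
func Masked(rec CardRecord) string { return "**** **** **** " + rec.Last4 }

func main() {
	key := make([]byte, 32) // constructed demo key; production keys live in a KMS/HSM, never in code
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := EncryptPAN(key, "cust-1001", "4111 1111 1111 1111") // constructed test PAN
	fmt.Println("stored:", rec.PANCipher, "display:", Masked(rec), err)
	pan, err := DecryptPAN(key, rec)
	fmt.Println("payment path:", pan, err)
}
```

The design choice worth noting is the associated data: because the customer ID is authenticated along with the ciphertext, an attacker with write access to the database cannot swap encrypted card numbers between accounts without the decrypt failing. Pairing this with a key that only the payment service can read is what turns the encryption control into the access control the PCI DSS and SOC findings above call for.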