Security Audit · Risk Assessment

Security Audit
Botium Toys

Conducted a full internal security audit for Botium Toys — assessing their assets, controls, and compliance posture across PCI DSS, GDPR, and SOC standards, producing a risk assessment and actionable recommendations.

Risk Score: 8 / 10
Standards: PCI DSS · GDPR · SOC
Framework: NIST CSF

Scope & Goals

The scope of this audit covered the entire security programme at Botium Toys — including all employee equipment and devices, the internal network, and all systems and services managed by the IT department.

The goal was to assess existing assets and complete a controls and compliance checklist, identifying which controls and best practices needed to be implemented to improve their overall security posture.

Risk Score: 8 / 10
Rated fairly high due to a significant lack of security controls and non-adherence to compliance best practices. The potential for data loss, financial penalty, and reputational damage was assessed as substantial.

Controls Checklist

Control | Status | Finding
Firewall | ✓ Pass | Existing firewall blocks traffic based on an appropriately defined set of security rules.
Antivirus Software | ✓ Pass | Installed and monitored regularly by the IT department.
Locks (offices, storefront, warehouse) | ✓ Pass | Physical locations have sufficient locks in place.
CCTV Surveillance | ✓ Pass | CCTV is installed and functioning at all physical locations.
Fire Detection/Prevention | ✓ Pass | Fire alarm and sprinkler system are operational.
Least Privilege | ✗ Fail | All employees currently have access to all internal data, including customer PII and cardholder data. Privileges must be restricted to what each role needs.
Separation of Duties | ✗ Fail | The CEO currently manages both day-to-day operations and payroll, creating fraud risk.
Intrusion Detection System (IDS) | ✗ Fail | No IDS in place; the organisation cannot detect potential intrusions by threat actors.
Disaster Recovery Plans | ✗ Fail | No disaster recovery plans exist. Business continuity is at serious risk in the event of an incident.
Encryption | ✗ Fail | Credit card data is accepted, processed, and stored without encryption. Confidentiality of customer financial data is not assured.
Password Management System | ✗ Fail | No centralised password management system. Current password policy requirements are nominal and below minimum complexity standards.
Legacy System Maintenance | ✗ Fail | No regular maintenance schedule. Intervention procedures are unclear, leaving legacy systems at elevated risk.

Compliance Checklist

PCI DSS

✗ Authorised-only access to credit card data — all employees currently have access.
✗ Secure environment for card data — no encryption in place.
✗ Data encryption procedures — not implemented.
✗ Secure password management policies — not in place.

GDPR

✗ EU customer data kept private/secured — encryption not used.
✓ 72-hour breach notification plan — plan exists for EU customers.
✗ Data properly classified and inventoried — assets listed but not classified.
✓ Privacy policies enforced — developed and enforced across IT and staff.

SOC Type 1 & 2

✗ User access policies established — least privilege and separation of duties not implemented.
✗ PII/SPII kept confidential — encryption not in use.
✓ Data integrity — in place and maintained by IT.
✗ Data available only to authorised users — all employees have unrestricted access.

Priority Controls to Implement

Implement Least Privilege — restrict employee access to only the data and systems needed for their role.
Establish Disaster Recovery Plans to ensure business continuity in the event of a breach or system failure.
Enforce a robust Password Policy with minimum complexity requirements and a centralised password management system.
Implement Separation of Duties — the CEO should not control both operations and payroll.
Deploy an Intrusion Detection System (IDS) to identify potential threat actor activity on the network.
Enable Encryption across all credit card data touchpoints — at rest and in transit — and retain only the cardholder data the business actually needs.
Establish a Legacy System Maintenance Schedule with clear intervention procedures and responsible owners.
Classify existing assets to understand business impact of loss and identify additional controls required.
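The two access-control findings above (least privilege and separation of duties) can be checked mechanically once roles and permissions are written down. The following Python script is an added example, not part of the audit deliverable or of Botium Toys' systems: it audits a role/permission matrix for users who can read sensitive data without a documented business need, and for users holding conflicting duties. The roles, permissions, user names and the "business need" mapping are all constructed for the example; the "before" matrix mirrors the findings (one catch-all role, the CEO also approving payroll) and the "after" matrix shows role-scoped access.

```python
# Added example: access review for least privilege and separation of duties.
# All roles, permissions and users below are constructed; none are real data.

# Roles with a documented business need to read each sensitive data class.
# Assumed mapping for the example; a real review takes this from data owners.
BUSINESS_NEED = {
    "cardholder_data": {"payments"},
    "customer_pii": {"payments", "customer_service"},
    "payroll_records": {"finance"},
}

# Permission pairs that no single person may hold (separation of duties).
CONFLICTING_PAIRS = [("operations_admin", "payroll_approve")]

# "Before": one catch-all role grants every employee every data class, and the
# CEO role carries both operational admin and payroll approval.
ROLES_BEFORE = {
    "staff": {"read:cardholder_data", "read:customer_pii", "read:payroll_records"},
    "ceo": {"operations_admin", "payroll_approve"},
}
USERS_BEFORE = {
    "alice": {"staff"},          # warehouse
    "bob": {"staff"},            # customer service
    "carol": {"staff", "ceo"},   # CEO
}

# "After": permissions scoped to job function; payroll approval moved to finance.
ROLES_AFTER = {
    "warehouse": {"read:inventory"},
    "customer_service": {"read:customer_pii"},
    "payments": {"read:customer_pii", "read:cardholder_data"},
    "finance": {"read:payroll_records", "payroll_approve"},
    "ceo": {"operations_admin"},
}
USERS_AFTER = {
    "alice": {"warehouse"},
    "bob": {"customer_service"},
    "carol": {"ceo"},
    "dave": {"finance"},
    "erin": {"payments"},
}


def effective_permissions(user_roles, role_perms):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles:
        perms |= role_perms.get(role, set())
    return perms


def least_privilege_violations(users, role_perms):
    """Return (user, data_class) pairs where the user can read a sensitive data
    class without holding any role that has a business need for it."""
    violations = []
    for user, roles in sorted(users.items()):
        perms = effective_permissions(roles, role_perms)
        for data_class, needing_roles in BUSINESS_NEED.items():
            if f"read:{data_class}" in perms and not (roles & needing_roles):
                violations.append((user, data_class))
    return violations


def separation_of_duties_violations(users, role_perms):
    """Return (user, perm_a, perm_b) for every user holding a conflicting pair."""
    violations = []
    for user, roles in sorted(users.items()):
        perms = effective_permissions(roles, role_perms)
        for a, b in CONFLICTING_PAIRS:
            if a in perms and b in perms:
                violations.append((user, a, b))
    return violations


def audit(users, role_perms):
    """Run both checks and return the findings as a dict."""
    return {
        "least_privilege": least_privilege_violations(users, role_perms),
        "separation_of_duties": separation_of_duties_violations(users, role_perms),
    }


if __name__ == "__main__":
    for label, users, roles in (("before", USERS_BEFORE, ROLES_BEFORE),
                                ("after", USERS_AFTER, ROLES_AFTER)):
        print(label, audit(users, roles))
```

Running it reports nine least-privilege violations and one separation-of-duties violation for the "before" matrix and none for the "after" matrix. The useful property is that the check is deny-by-default: a read permission is only acceptable when the user holds a role that the data owner has explicitly listed as needing it, so a new catch-all role would be flagged immediately on the next review.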