Conducting a Security Audit
Assignments: 1. Audit Overview, 2. Risk Assessment Report, 3. Controls Assessment,
4. Compliance Checklist, 5. Stakeholder Report.
BOTIUM TOYS SECURITY AUDIT OVERVIEW:
Botium Toys is a small U.S. business that develops and sells toys. The business has a single physical location, which serves as their main office, a storefront, and a warehouse for their products. However, Botium Toys’ online presence has grown, attracting customers in the U.S. and abroad. As a result, their information technology (IT) department is under increasing pressure to support their online market worldwide.
The manager of the IT department has decided that an internal IT audit needs to be conducted. She’s worried about maintaining compliance and business operations as the company grows without a clear plan. She believes an internal audit can help better secure the company’s infrastructure and help them identify and mitigate potential risks, threats, or vulnerabilities to critical assets. The manager is also interested in ensuring that they comply with regulations related to internally processing and accepting online payments and conducting business in the European Union (E.U.).
TASK: AUDIT BOTIUM TOYS:
The IT manager starts by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), establishing an audit scope and goals, listing assets currently managed by the IT department, and completing a risk assessment. The goal of the audit is to provide an overview of the risks and/or fines that the company might experience due to the current state of their security posture.
Your task is to review the IT manager’s scope, goals, and risk assessment report. Then, perform an internal audit by completing a controls and compliance checklist.
To initiate the audit, the IT manager began by implementing the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), defining the audit’s boundaries and objectives, and conducting a detailed risk assessment. The purpose of this audit was to gain a clear understanding of the risks the organization may face under its current security posture. The IT manager also planned to use the audit results to support a proposal for expanding the IT department.
My role involved reviewing the IT manager’s defined scope, objectives, and risk assessment, and then carrying out an internal audit to complete a comprehensive controls evaluation and compliance checklist. Working closely with the IT manager, I helped outline the essential components of the internal audit, including establishing the audit scope and goals, assessing organizational assets for risk, evaluating internal controls, reviewing compliance requirements, and preparing findings for stakeholder communication.
Audit Scope: The audit examined existing user permissions, implemented controls, operational procedures, and overall compliance posture.
Audit Goals: The goals included aligning with the NIST CSF, improving system processes to maintain compliance, strengthening controls, applying least‑privilege principles, establishing policies and procedures, and ensuring regulatory requirements were met.
Risk Assessment: This phase focused on identifying threats, vulnerabilities, and risks across the environment. It helped determine which security safeguards needed to be implemented or monitored to protect critical assets. Compliance obligations were also evaluated to ensure required standards were addressed.
Controls Assessment: We evaluated Botium’s assets and the risks associated with them to determine the effectiveness of current internal controls. This included reviewing administrative controls involving human behavior, technical controls such as IDS and IPS technologies, and physical controls designed to prevent unauthorized access to protected resources.
Compliance Checklist: Given Botium Toys’ global customer base and online payment processing, compliance was a major priority. I developed a checklist to assess adherence to GDPR and PCI DSS requirements, helping identify gaps and areas requiring corrective action.
Documentation and Reporting: In the final stage, I consolidated all findings into a clear and concise report. This report communicated Botium Toys’ current cybersecurity posture to senior leadership and highlighted areas needing improvement, serving as a roadmap for strengthening their overall security environment.
This project delivered value on two fronts: it enhanced Botium Toys’ security and compliance readiness while also supporting the strategic growth of the IT department. By aligning with the NIST Cybersecurity Framework, performing a thorough risk assessment, and providing actionable recommendations for controls and compliance, the project demonstrated the importance of proactive cybersecurity practices in safeguarding critical assets, maintaining operational continuity, and supporting global business expansion.
Botium Toys: Scope, Goals and Risk Assessment Report
Control Categories
Control and Compliance Checklist
Stakeholder Report
TO: IT Manager, Executive Stakeholders
FROM: Daniel Durgaprasad
DATE: February 12, 2026
SUBJECT: Internal IT Audit – Findings, Gaps, and Security Recommendations
Dear Colleagues,
Please review the following summary of the internal IT audit conducted for Botium Toys. This report outlines the audit scope, objectives, critical findings, and recommended actions required to strengthen our security posture and ensure regulatory compliance.
---
Scope:
The audit focused on the following systems and security components:
Accounting systems
Endpoint detection and response (EDR)
Firewalls
Intrusion Detection System (IDS)
Security Information and Event Management (SIEM)
Each system was evaluated for:
Current user permissions and access levels
Existing technical and administrative controls
Operational procedures and security protocols
Alignment with PCI DSS and GDPR compliance requirements
Inventory and validation of current hardware and system access
---
Goals:
The audit objectives were aligned with the NIST Cybersecurity Framework (CSF) and focused on:
Strengthening compliance processes and documentation
Enhancing system and data protection controls
Implementing least‑privilege and secure credential management practices
Establishing formal policies, procedures, and incident response playbooks
Ensuring regulatory requirements are met across all in‑scope systems
---
Critical Findings (Immediate Action Required):
Multiple high‑priority gaps were identified that must be addressed to meet compliance and security expectations:
Missing or Insufficient Controls:
Enforcement of Least Privilege and Separation of Duties
Documented Disaster Recovery (DR) and Business Continuity plans
Comprehensive password, access control, and account management policies
Deployment of a password management system
Encryption for secure website transactions
Fully implemented Intrusion Detection System (IDS)
Reliable backup processes
Updated antivirus/endpoint protection
CCTV coverage and physical access controls
Secure locks for sensitive areas
Manual monitoring and maintenance procedures for legacy systems
Fire detection and prevention systems
Compliance Gaps:
Policies required for PCI DSS and GDPR compliance are incomplete or missing
User access and data‑protection policies do not meet SOC 1 and SOC 2 expectations
---
Additional Findings (Address When Feasible):
The following controls are recommended to further enhance security but are not immediately critical:
Time‑controlled safe
Adequate exterior and interior lighting
Locking storage cabinets
Signage identifying the alarm service provider
---
Summary & Recommendations:
Botium Toys must prioritize remediation of the critical findings related to PCI DSS and GDPR, given the organization’s role in processing online payments for customers in both the U.S. and EU. Strengthening compliance in these areas is essential to reducing regulatory exposure and safeguarding customer data.
Adopting least‑privilege access, supported by SOC 1 and SOC 2 guidance, will help establish robust user access policies and improve overall data governance. Developing a formal disaster recovery plan and implementing reliable backup procedures are also essential to ensuring operational resilience.
From a security operations perspective, deploying an IDS, updating antivirus/EDR, and improving monitoring processes—especially for legacy systems—will significantly enhance threat detection and response capabilities. Physical security controls, including locks, CCTV, and fire‑prevention systems, should be strengthened to protect on‑site infrastructure.
While not immediately required, implementing additional measures such as encryption upgrades, improved lighting, locking cabinets, and alarm signage will further reinforce the organization’s long‑term security posture.