Cybersecurity Management - D489 Task 1 passed first submission
Cybersecurity Management - D489
Western Governors University Flex
Vaughn
A. Summarize the gaps that exist currently in the company’s security framework
as described in the attached “Independent Security Report.”
The gaps that currently exist in the company’s security framework are as follows:
Lack of alignment with security best practices and industry standards:
The company’s security program lacks an approach that covers securing and
protecting organizational assets, security of payment card data, and privacy
protection for customers located in the European Union. SAGE Books lacks policy
elements that outline acceptable use, mobile device policy, secure passwords, etc.
The company also processes card payments and should be abiding by the PCI DSS
requirements, but SAGE Books does not have any documentation stating
that it follows these standards or accepts these payments in accordance
with PCI DSS. Finally, SAGE does not currently have any specific measures to protect
the collection, storage and use of the data of its customers in the European Union as
outlined in the GDPR.
Understaffed security team:
SAGE Books currently has a security team that meets operational security
goals, but it does not have a sufficient Governance, Risk and Compliance (GRC) team. This
could lead to a lapse in compliance with regulations such as GDPR, FISMA or PCI DSS,
which could then lead to lawsuits and sanctions.
Inadequate cybersecurity awareness program:
The current cybersecurity awareness training is ad hoc, meaning it is delivered only
on an as-needed basis. Furthermore, only a quarter of new hires and only 10% of current
employees took the training. The training content also does not meet the
requirements outlined in best practices or standards.
Incomplete incident response plan (IRP):
SAGE’s IRP deviates from best practices by lacking clear roles and
responsibilities for incident response team members and by having inadequate procedures
for incident handling and analysis. With this deviation, SAGE puts its information
assets at risk and leaves the company exposed to prolonged security threats and
attacks.
Absence of a Business Continuity Plan (BCP):
The report highlights the critical need for a BCP that outlines recovery
procedures for restoring operational capability in the event of a disruption. Given
the locations of SAGE Books’ distribution centers, the company is at a higher risk of
interruptions from natural disasters.
B. Develop mitigation strategies to address the gaps identified in the “Independent
Security Report,” ensuring compliance with PCI DSS and GDPR.
To address the security gaps identified in the "Independent Security Report" and
ensure compliance with PCI DSS and GDPR, SAGE Books should implement the
following mitigation strategies:
Enhance Security Policies and Procedures
1.) Create policies to fill gaps in securing and protecting organizational assets:
Create formal policies for acceptable use, mobile device security, secure
password creation and management, and protecting personally
identifiable information (PII) contained on organizational assets. SAGE
Books should base these policies on regulatory guidelines from NIST and
security best practices outlined in the PCI DSS.
2.) Align existing policies with industry standards and best practices: Update the
cybersecurity awareness training program to meet NIST standards and PCI
DSS Requirement 12.6. SAGE should also align the incident response plan
(IRP) with NIST Special Publication (SP) 800-61 Revision 2 to enhance
incident response capabilities.