Star Toys Cyber Audit – AUTOMASEC

Star Toys Cyber Audit

Client / Organization
Star Toys
Scope
The scope of this audit is defined as the entire security program at Botium Toys. This includes their assets like employee equipment and devices, their internal network, and their systems. You will need to review the assets Botium Toys has and the controls and compliance practices they have in place.
Objectives
Assess existing assets and complete the controls and compliance checklist to determine which controls and compliance best practices need to be implemented to improve Botium Toys’ security posture.
Assets

Assets managed by the IT Department include: 

  • On-premises equipment for in-office business needs 

  • Employee equipment: end-user devices (desktops/laptops, smartphones), remote workstations, headsets, cables, keyboards, mice, docking stations, surveillance cameras, etc.

  • Storefront products available for retail sale on site and online; stored in the company’s adjoining warehouse

  • Management of systems, software, and services: accounting, telecommunication, database, security, ecommerce, and inventory management

  • Internet access

  • Internal network

  • Data retention and storage

  • Legacy system maintenance: end-of-life systems that require human monitoring

Asset Management
Are all business-critical assets classified according to their sensitivity and impact on business continuity?
Does the organization maintain an up-to-date inventory of all IT assets (hardware, software, data, and network components)?
Physical Safety / Continuity
Are fire detection and prevention systems (alarms, sprinklers, extinguishers) installed and regularly tested?
Legacy Systems
Are legacy systems monitored and maintained according to a documented schedule, with clear intervention procedures?
Physical Security
Are physical access controls (locks) implemented for offices, storefront, and warehouses?
Is CCTV surveillance in place and functioning to monitor critical physical areas?
Privacy Management
Are privacy policies, procedures, and processes documented and enforced for handling personal data?
Backup and Recovery
Are regular backups performed for critical systems and data, and are restoration tests conducted?
PCI DSS
Can only authorized users access customers’ credit card information?
Is credit card information stored, processed, and transmitted in a secure environment that complies with PCI DSS requirements?
Network Security
Is an intrusion detection or intrusion prevention system (IDS/IPS) deployed and monitored?
Is there an up-to-date firewall deployed to protect internal networks, with rules reviewed periodically?
Endpoint Security
Is antivirus or endpoint protection software installed, updated, and centrally monitored on all relevant devices?
Data Protection
Is encryption used to protect sensitive data at rest and in transit (e.g., customer payment data, PII)?
GDPR
Is EU customer data kept private and secure according to GDPR principles?
Access Control
Is separation of duties implemented for critical business and IT processes?
Is the principle of least privilege enforced for all user accounts and system access?
Password Management
Is there a centralized password or credential management system in place?
Is there a formal password policy that aligns with current best practices (length, complexity, reuse, MFA, etc.)?
PCI DSS / Password Management
Is there a documented and enforced secure password management policy for systems that handle payment card data?
Business Continuity / DRP
Is there a documented and tested disaster recovery plan (DRP) in place?
GDPR – Incident Response
Is there a documented process to notify EU customers within 72 hours in case of a data breach affecting their personal data?
Powered by Cyber Audit Manager