This project outlines key cybersecurity controls categorized into Administrative, Technical, and Physical domains, with associated Control Types (Preventative, Detective, Corrective, Deterrent). It also features a detailed compliance assessment for a fictional company, Botium Toys, based on standards such as PCI DSS, GDPR, and SOC 1 & 2.
## Control Categories

| Category | Purpose |
|---|---|
| Administrative | Policy-driven controls to manage data, employee access, and operations. |
| Technical | Systems and software such as firewalls, IDS/IPS, antivirus, and encryption. |
| Physical | Locks, CCTV, fire prevention: anything that restricts physical access. |

## Control Types

| Type | Function |
|---|---|
| Preventative | Stop incidents before they occur. |
| Corrective | Restore systems after an incident. |
| Detective | Identify if/when an incident has occurred. |
| Deterrent | Discourage potential threats from happening. |

## Administrative Controls

| Control | Type | Status | Notes |
|---|---|---|---|
| Least Privilege | Preventative | ❌ | All employees have full access to customer data. |
| Disaster Recovery Plans | Corrective | ❌ | No plan in place yet. |
| Password Policies | Preventative | ❌ | Current password strength is minimal. |
| Separation of Duties | Preventative | ❌ | CEO manages too many critical functions. |

## Technical Controls

| Control | Type | Status | Notes |
|---|---|---|---|
| Firewall | Preventative | ✅ | Rules are well-defined. |
| Intrusion Detection System | Detective | ❌ | Needs implementation. |
| Encryption | Deterrent | ❌ | No encryption used for sensitive data. |
| Antivirus Software | Corrective | ✅ | Installed and regularly updated. |
| Backups | Corrective | ❌ | No regular backups for critical data. |
| Password Management System | Preventative | ❌ | Not implemented yet. |
| Legacy System Monitoring | Preventative | | Monitoring exists but is not regularly scheduled. |

## Physical Controls

| Control | Type | Status | Notes |
|---|---|---|---|
| Locks (office/store/warehouse) | Deterrent/Preventative | ✅ | All locations are properly secured. |
| CCTV | Preventative/Detective | ✅ | Fully functional surveillance in place. |
| Fire Detection/Prevention | Detective/Preventative | ✅ | Proper alarms and sprinklers are installed. |

## Compliance Assessment

### PCI DSS

- ❌ Encryption and password management lacking
- ❌ All employees have full access to credit card data

### GDPR

- ❌ Sensitive EU customer data not encrypted
- ✅ Breach notification plan exists
- ❌ Data not properly classified

### SOC 1 & 2

- ❌ Least privilege and separation of duties missing
- ❌ Sensitive data not encrypted
- ✅ Data integrity ensured
- ❌ Access control needs enforcement

## Recommendations

- Implement Least Privilege, Disaster Recovery, IDS, Encryption, and Password Management
- Classify assets to better identify and apply relevant controls
- Enforce secure access controls and update compliance procedures

Note: This project is for educational and demonstration purposes based on a fictional company.