During my free time, I decided to take cybersecurity coursework through Coursera. I had the opportunity to simulate an internal IT audit for a fictional company called Botium Toys. This exercise was designed to apply real-world audit skills using the NIST Cybersecurity Framework (CSF) and provided insight into how businesses can proactively manage cyber risks while maintaining regulatory compliance.
Botium Toys is a small U.S.-based toy business with a single physical location that also functions as a warehouse and storefront. Due to growing online sales, including international customers in the E.U., their IT department is under pressure to secure infrastructure and comply with relevant laws and standards—especially around online payments and data protection.
To address these concerns, the IT manager initiated an internal IT audit with the following goals:
Improve infrastructure security posture
Identify risks and vulnerabilities to critical assets
Ensure compliance with E.U. and U.S. regulations (such as GDPR and PCI DSS)
Align with the NIST Cybersecurity Framework
I performed a security audit by evaluating Botium’s environment against standard security controls and compliance best practices. Here's a summary of the assessment:
No formal patch management process exists; I recommend establishing one.
MFA is missing for admin accounts; recommend immediate deployment.
Current system lacks necessary encryption and logging controls.
Botium lacks clear data handling policies and user consent protocols.
Recommendation for the IT Manager
To support Botium’s growth and compliance needs, I recommend the following:
Implement a robust patch management system to reduce software vulnerabilities.
Deploy multi-factor authentication, especially for privileged accounts and remote access.
Update incident response and disaster recovery plans and conduct tabletop exercises.
Ensure PCI DSS and GDPR compliance by consulting with legal and security professionals, especially around secure payment processing and customer data protection.
To validate my internal audit report, I reviewed my work using the course-provided checklist.
This audit project is now part of my cybersecurity portfolio. Feel free to connect with me if you’d like to collaborate or chat about NIST CSF, compliance, or internal audits!