The document is a controls and compliance checklist for Botium Toys that assesses whether various security controls and best practices are currently implemented. It finds that Botium Toys lacks controls like least privilege, disaster recovery plans, strong password policies, separation of duties, and others. It also does not comply with standards like PCI DSS, GDPR, and SOC in areas such as encryption, access management, and privacy policies. The recommendations section suggests communicating to stakeholders the need to implement multiple new controls to improve security and protect sensitive data.
Controls and compliance checklist exemplar
Select “yes” or “no” to answer the question: Does Botium Toys currently have this control in place?
Controls assessment checklist
Yes/No | Control | Explanation
No | Least Privilege | Currently, all employees have access to customer data; privileges need to be limited to reduce the risk of a breach.
No | Disaster recovery plans | There are no disaster recovery plans in place. These need to be implemented to ensure business continuity.
No | Password policies | Employee password requirements are minimal, which could allow a threat actor to more easily access secure data/other assets via employee work equipment/the internal network.
No | Separation of duties | Needs to be implemented to reduce the possibility of fraud/access to critical data, since the company CEO currently runs day-to-day operations and manages the payroll.
Yes | Firewall | The existing firewall blocks traffic based on an appropriately defined set of security rules.
No | Intrusion detection system (IDS) | The IT department needs an IDS in place to help identify possible intrusions by threat actors.
No | Backups | The IT department needs to have backups of critical data, in the case of a breach, to ensure business continuity.
Yes | Antivirus software | Antivirus software is installed and monitored regularly by the IT department.
No | Manual monitoring, maintenance, and intervention for legacy systems | The list of assets notes the use of legacy systems. The risk assessment indicates that these systems are monitored and maintained, but there is not a regular schedule in place for this task and procedures/policies related to intervention are unclear, which could place these systems at risk of a breach.
No | Encryption | Encryption is not currently used; implementing it would provide greater confidentiality of sensitive information.
No | Password management system | There is no password management system currently in place; implementing this control would improve IT department/other employee productivity in the case of password issues.
Yes | Locks (offices, storefront, warehouse) | The store’s physical location, which includes the company’s main offices, store front, and warehouse of products, has sufficient locks.
Yes | Closed-circuit television (CCTV) surveillance | CCTV is installed/functioning at the store’s physical location.
Yes | Fire detection/prevention (fire alarm, sprinkler system, etc.) | Botium Toys’ physical location has a functioning fire detection and prevention system.
Compliance checklist
Select “yes” or “no” to answer the question: Does Botium Toys currently adhere to this compliance best practice?
Payment Card Industry Data Security Standard (PCI DSS)
Yes/No | Best practice | Explanation
No | Only authorized users have access to customers’ credit card information. | Currently, all employees have access to the company’s internal data.
No | Credit card information is accepted, processed, transmitted, and stored internally, in a secure environment. | Credit card information is not encrypted and all employees currently have access to internal data, including customers’ credit card information.
No | Implement data encryption procedures to better secure credit card transaction touchpoints and data. | The company does not currently use encryption to better ensure the confidentiality of customers’ financial information.
No | Adopt secure password management policies. | Password policies are nominal and no password management system is currently in place.
General Data Protection Regulation (GDPR)
Yes/No | Best practice | Explanation
No | E.U. customers’ data is kept private/secured. | The company does not currently use encryption to better ensure the confidentiality of customers’ financial information.
Yes | There is a plan in place to notify E.U. customers within 72 hours if their data is compromised/there is a breach. | There is a plan to notify E.U. customers within 72 hours of a data breach.
No | Ensure data is properly classified and inventoried. | Current assets have been inventoried/listed, but not classified.
Yes | Enforce privacy policies, procedures, and processes to properly document and maintain data. | Privacy policies, procedures, and processes have been developed and enforced among IT team members and other employees, as needed.
System and Organization Controls (SOC type 1, SOC type 2)
Yes/No | Best practice | Explanation
No | User access policies are established. | Controls of Least Privilege and separation of duties are not currently in place; all employees have access to internally stored data.
No | Sensitive data (PII/SPII) is confidential/private. | Encryption is not currently used to better ensure the confidentiality of PII/SPII.
Yes | Data integrity ensures the data is consistent, complete, accurate, and has been validated. | Data integrity is in place.
No | Data is available to individuals authorized to access it. | While data is available to all employees, authorization needs to be limited to only the individuals who need access to it to do their jobs.
Recommendations (optional): In this section, provide recommendations, related to controls and/or compliance needs, that your IT manager could communicate to stakeholders to reduce risks to assets and improve Botium Toys’ security posture.

Multiple controls need to be implemented to improve Botium Toys’ security posture and better ensure the confidentiality of sensitive information, including: Least Privilege, disaster recovery plans, password policies, separation of duties, an IDS, ongoing legacy system management, encryption, and a password management system.

To address gaps in compliance, Botium Toys needs to implement controls such as Least Privilege, separation of duties, and encryption. The company also needs to properly classify assets, to identify additional controls that may need to be implemented to improve their security posture and better protect sensitive information.