Cyber Management Plan
Assessment Code and Task
Independent Security Report for SAGE Books
Performed by Secure Tech Solutions
ATTN:
Chief Information Security Officer
SAGE Books
Dear SAGE Books,
On behalf of Secure Tech Solutions, I would like to thank you for the opportunity to provide an Independent Security Assessment on behalf of SAGE Books. We have finalized our preliminary reporting and are disseminating our findings below for your review.
Our key findings indicate there are several issues surrounding SAGE Books's implementation of a strong cybersecurity posture. We also identified concerns involving SAGE Books's security enforcement projects and programs.
Some of our specific findings are listed below:
1. SAGE Books’s security program is not adequately aligned with security best practices and industry standards. The company’s security program covers information security processes for its corporate headquarters, retail stores/e-commerce website, and distribution center. However, the security program lacks a comprehensive approach that covers
(i) securing and protecting organizational assets,
(ii) security of payment card data—also known as cardholder data, and
(iii) the privacy protection for customers located within the European Union.
Therefore, we recommend that SAGE Books develop a set of policies and procedures that align with the Payment Card Industry Data Security Standards (PCI DSS) and the requirements outlined in the General Data Protection Regulation (GDPR).
a. Securing and Protecting Organizational Assets: SAGE Books's information security policy fails to include elements that outline acceptable use, mobile device policy, secure passwords, and protection of personally identifiable information contained on organizational assets. It is recommended to develop those policy sections using guidance from bodies such as the National Institute of Standards and Technology (NIST) and/or the security best practices outlined in the PCI DSS.
b. PCI DSS: SAGE Books uses several financial procedures to collect payment for its goods and services. In many cases, the customer can use either a personal or a company-controlled payment card (credit or debit) to pay for these goods or services physically at self-checkout lanes in the storefront or online on the e-commerce site. Accordingly, SAGE Books needs to follow the requirements prescribed by the PCI DSS. Failure to do so may subject SAGE Books to penalty or sanction as outlined in the standard. Currently, no policy document, standardized procedure, or other guidance exists to outline how SAGE Books accepts these payments in accordance with PCI DSS.
c. GDPR: This regulation, enforceable as law, carries several significant financial penalties for noncompliance. All companies that collect information on any citizen of the European Union must comply with several requirements when collecting, storing, manipulating, or using the PII of a citizen. At the time of this independent security report, Secure Tech Solutions consultants were unable to find any specific measures in place at SAGE Books to protect the collection, storage, or use of such data. To start, it is recommended that SAGE Books implement privacy protection as outlined in GDPR Chapter 3 (Rights of the Data Subject).
2. SAGE Books's information security team lacks the expertise needed to implement the company's security strategies and projects as they relate to regulatory compliance. The current structure of SAGE Books's information security team is as follows:
· chief information security officer
· information security manager
· information security engineer (2)
· information security analyst (2)
From an operational security standpoint, the team is meeting security objectives. However, security compliance and regulatory efforts are lacking. Using the National Initiative for Cybersecurity Education (NICE) Cybersecurity Framework as a guide, it is recommended that SAGE Books hire three additional employees to implement, deploy, and maintain the organization's governance, risk, and compliance (GRC) program. As these three additional staff are critical to the GRC program's success, it is especially important that each role is defined along with the knowledge, skills, and tasks associated with it.
3. SAGE Books's cybersecurity awareness program is not adequately aligned with security best practices and industry standards. When assessing the company's cybersecurity awareness, it was discovered that training is performed ad hoc. Interviews indicated that only a quarter of new hires had received training, and only 10 percent of current employees had taken it. Furthermore, the content of the cybersecurity training did not fully meet the requirements outlined in best practices (for example, those of the National Institute of Standards and Technology (NIST)) or standards (for example, the PCI DSS). It is recommended that SAGE Books develop a cybersecurity awareness training program that aligns with NIST guidance and PCI DSS Requirement 12.6.
4. SAGE Books's incident response plan (IRP) does not comprehensively cover the incident response process. Our assessment of the current IRP identified several areas where it deviates from recognized best practices, including a lack of defined roles and responsibilities for incident response team members and inadequate procedures for incident handling and analysis. To address these shortcomings, we recommend that SAGE Books align the IRP with NIST Special Publication (SP) 800-61 Revision 2 (R2). By adopting the NIST SP 800-61 R2 framework, the company can improve its incident response capabilities and better protect its information assets from security threats. To start, ensure the IRP establishes the following:
a. clear roles and responsibilities for incident response team members; and
b. clear and detailed procedures for incident handling and analysis, including steps for the preparation, detection and analysis, containment, eradication and recovery, and post-incident activity phases.
5. SAGE Books's business continuity plan (BCP) does not adequately address natural disasters. Currently, SAGE Books’s distribution centers are operating in the following cities:
· San Joaquin, CA
· Keene, TX
· Cape Coral, FL
These locations were purchased because they are strategically located across the United States. In reviewing SAGE Books's operating documentation, it became evident that the distribution centers are in higher-risk areas for natural disasters. This is of concern because SAGE Books's current BCP is rudimentary in design and scope. Specifically, the BCP does not include recovery strategies for natural disasters such as earthquakes, tornadoes, and/or flooding. The plan needs to include the following sections as they relate to natural disasters (and other incidents deemed critical):
· project scope and planning
· business impact analysis
· continuity planning
· plan approval and implementation efforts
Many organizations fail to recognize the need for a continuity plan that outlines how the organization will return to operational capability as quickly as possible to avoid loss of customer revenue. A quality BCP will ensure recovery efforts are seamless and efficient.
We appreciate the time SAGE Books employees spent with us to help us compile this report. If you have any questions, please feel free to consult Secure Tech Solutions at any time.
Regards,
Head Consultant, Secure Tech Solutions