SAGE Books is a retail bookseller that provides customers with a one-stop-shopping experience for books, magazines, and multimedia (music, DVDs, and Blu-ray). During a recent board meeting, the discussion centered on how the company can improve its operations and secure its information and information systems. Board members focused on enhancing SAGEs e-commerce website, keeping cybersecurity at the forefront of its new website design and marketing plan. As a result of this meeting, the board decided to have an independent assessment of the cybersecurity posture of the company. The assessment was completed by Secure Tech Solutions. This organization uncovered a number of issues with SAGE Books's security program and sent a security report detailing what was found. (See the Independent Security Report supporting document.) As SAGE Books's chief information security officer (CISO), you act as the leader of the cybersecurity department. You are required to review the report and write SAGE Books's response to the proposed security improvements. You must determine the appropriate actions to take, resulting in a plan for fixing the revealed issues. Your response must be provided in a written report outlining the ways SAGE Books will improve security. This report will be given to the board of directors and upper management, including the chief executive officer (CEO).

A. Summarize the gaps that exist currently in the companys security framework as described in the attached Independent Security Report.

B. Develop mitigation strategies to address the gaps identified in the Independent Security Report, ensuring compliance with PCI DSS and GDPR.

C. Identify three critical security staff positions and the responsibilities for each position, which must be hired to meet compliance, risk, and governance requirements using the NICE Framework discussed in the Independent Security Report.

D. Describe at least three physical vulnerabilities and/or threats and at least three logical vulnerabilities and/or threats and how each impacts the security posture of the company based on the attached Company Overview document and Independent Security Report.

E. Develop a cybersecurity awareness training program in alignment with NIST standards, including the following:

annual training requirements

specialized training requirements

continued awareness

F. Summarize the standards required for securing organizational assets regarding policies for acceptable use, mobile devices, passwords, and personally identifiable information (PII), using regulatory or contractual sources to support your claims.

G. Develop an incident response plan for the company in alignment with the attached Independent Security Report, following the four incident handling phases according to NIST standards.

H. Develop a business continuity plan (BCP) to address potential natural disasters as described in the Independent Security Report, including the following phases:

project scope and planning

business impact analysis

continuity planning

plan approval and implementation

Company Overview

SAGE Books is a retail bookseller that provides customers with a one-stop-shopping experience for books, magazines, and multimedia (music, DVDs, and Blu-ray). Established in 2011 by a group of college graduates, SAGE Books has grown from a local book chain in Utah into a national destination for book lovers in just 12 years.

SAGE Books's latest effort focuses on enhancing its e-commerce website to transform SAGE Books into the #1 bookshop on the internet. The current strategy is a two-phase approach. The first phase implements measures to optimize the companys distribution network to reduce shipping costs and delays for the customer. Phase two will see the opening of a trusted third-party seller marketplace within the current e-commerce website while adhering to PCI DSS and GDPR regulations. The enhancements of both phases will allow the company to better compete with similar retailers while offering customers better prices and the opportunity to find unique items, such as out-of-print copies or signed books.

At present, SAGE Books operates 400 retail locations in all 50 states and Puerto Rico, and has three distribution centers operating in California, Texas, and Florida. The company employs approximately 12,000 people across retail, in-house cafs, and distribution centers. Annual sales have steadily increased year over year since 2014, and annual sales in 2022 amounted to nearly $900 million.

Independent Security Report for SAGE Books

ATTN:

Chief Information Security Officer

SAGE Books

Dear SAGE Books,

On behalf of Secure Tech Solutions, I would like to thank you for the opportunity to provide an Independent Security Assessment on behalf of SAGE Books. We have finalized our preliminary reporting and are disseminating our findings below for your review.

Our key findings indicate there are several issues surrounding SAGE Bookss implementation of a strong cybersecurity posture. We also identified concerns involving SAGE Books's security enforcement projects and programs.

Some of our specific findings are listed below:

1. SAGE Bookss security program is not adequately aligned with security best practices and industry standards. The companys security program covers information security processes for its corporate headquarters, retail stores/e-commerce website, and distribution center. However, the security program lacks a comprehensive approach that covers

(i) securing and protecting organizational assets,

(ii) security of payment card dataalso known as cardholder data, and

(iii) the privacy protection for customers located within the European Union

Therefore, we recommend that SAGE Books develop a set of policies and procedures that align with the Payment Card Industry Data Security Standards (PCI DSS) and the requirements outlined in the General Data Protection Regulation (GDPR).

1. Securing and Protecting Organizational Assets: SAGE Books information security has failed to include policy elements that outline acceptable use, mobile device policy, secure passwords, and protecting personally identifiable information contained on organizational assets. It is recommended to develop those policy sections using regulatory (i.e., the National Institute of Standards and Technology) and/or security best practices outlined in the PCI DSS.
2. PCI DSS: SAGE Books uses several financial procedures to collect payment for its goods and services. In many cases, the customer can use either a personal or a company-controlled payment card (credit or debit) to pay for these goods or services physically at self-checkout lanes in the storefront or online on the e-commerce site. In so doing, SAGE Books needs to follow the requirements proscribed by the PCI DSS. Failure to do so may subject SAGE Books to penalty or sanction as outlined in the standard. Currently, a policy document or standardized procedure or other guidance is lacking to outline how SAGE Books accepts these payments in accordance with PCI DSS.
3. GDPR: This regulation, enforceable as law, carries several significant financial penalties for noncompliance. All companies that collect information on any citizen of the European Union must comply with several requirements when collecting, storing, manipulating, or using the PII of a citizen. At the time of this independent security report, Secure Tech Solutions consultants were unable to find any specific measures existing at SAGE Books to protect the collection, storage, or use of the data. To start, it is recommended that SAGE Books implement privacy protection as outlined in GDPR Ch.3 Rights of the Data Subject.

1. SAGE Books's information security team is lacking appropriate expertise to implement the companys security strategies and projects as it relates to regulatory compliance. The current structure of SAGE Bookss information security team is as follows:

• chief information security officer
• information security manager
• information security engineer (2)
• information security analyst (2)

From an operational security standpoint, the team is meeting security objectives. However, security compliance and regulatory efforts are lacking. Using the National Initiative for Cybersecurity Education (NICE) Cybersecurity Framework as a guide, it is recommended that SAGE Books hire three additional employees to implement, deploy, and maintain the organization's governance, risk, and compliance (GRC) program. As these three additional staff are critical to the GRC programs success, it is especially important that each role is identified along with applicable knowledge, skills, abilities, and tasks associated with the role.

1. SAGE Books's cybersecurity awareness program is not adequately aligned with security best practices and industry standards. When assessing the companys cybersecurity awareness, it was discovered that training is performed ad hoc. Through interviews, only a quarter of new hires had training, and only 10 percent of current employees took training. Furthermore, the content of the cybersecurity training did not fully meet requirements outlined in best practices (for example, the National Institute of Standards and Technology (NIST)) or standards (for example, the PCI DSS). It is recommended that SAGE Books develop a cybersecurity awareness training program that aligns with NIST standards and PCI Requirement 12.6.

1. SAGE Books's incident response plan (IRP) does not comprehensively cover the incident response process. Our assessment of the current IRP identified several areas where it deviates from recognized best practices, including a lack of defined roles and responsibilities for incident response team members and inadequate procedures for incident handling and analysis. To address these shortcomings, we recommend that SAGE Books align the IRP with NIST Special Publication (SP) 800-61 Revision 2 (R2). By adopting the NIST SP 800-61 R2 framework, the company can improve its incident response capabilities and better protect its information assets from security threats. To start, ensure the IRP establishes the following:
   1. clear roles and responsibilities for incident response team members
   2. clear and detailed procedures for incident handling and analysis, including steps for the preparation, detection and analysis, containment, eradication and recovery, and post-incident activity phases.

1. SAGE Books's business continuity plan (BCP) does not adequately address natural disasters. Currently, SAGE Bookss distribution centers are operating in the following cities:

• San Joaquin, CA
• Keene, TX
• Cape Coral, FL

These locations were purchased as they are strategically located across the United States. In reviewing SAGE Books's operating documentation, it became evident that the distribution centers are in higher risk areas for natural disasters. This is of concern as SAGE Bookss current BCP is rudimentary in design and scope. Specifically, the BCP doesnt include recovery strategies in the event of a natural disaster, such as earthquakes, tornados, and/or flooding. The report needs to include the following sections as it relates to natural disasters (and other incidents deemed critical):

• project scope and planning
• business impact analysis
• continuity planning
• plan approval and implementation efforts

Many organizations fail to recognize the need for a continuity plan that outlines how the organization will come back to an operational capability as quickly as possible to avoid loss of customer revenue. Having a quality BCP will ensure recovery efforts are seamless and efficient.

We appreciate the time SAGE Books employees spent with us to help us compile this report. If you have any questions, please feel free to consult Secure Tech Solutions at any time.

Regards,

Head Consultant, Secure Tech Solutions