WGU D489 TASK 1 | CYBERSECURITY MANAGEMENT | 2026 UPDATE WITH COMPLETE SOLUTION
A. Summary of the gaps that currently exist in Sage’s “Independent Security Report.”
Sage’s “Independent Security Report” (hereafter the “ISR”) revealed considerable gaps in its cybersecurity framework. The gaps are discussed below.
1. Business Continuity Plan
Sage’s BCP lacks the detail needed to keep the business operating in the event of a natural disaster, and no recovery strategies are in place.
2. Inadequate Security Awareness Plan
Sage’s cybersecurity awareness plan is not compliant with the industry’s best practices
and standards in regard to NIST and PCI Requirement 12.6.
3. Inadequate Incident Response Plan
Sage’s IRP does not define roles and responsibilities of team members. The IRP also has
significant shortcomings regarding efficient incident handling and analysis.
https://www.stuvia.com/user/MBOFFIN
4. Inadequate Information Security Team
Sage’s information security team is poorly staffed and is lacking key team members
that are necessary to provide the company with effective security compliance and
regulatory efforts.
5. Noncompliance with PCI-DSS and GDPR
Sage currently does not have policies and procedures that would enable it to become
and maintain compliance with two very important global industry standards: PCI-DSS
and GDPR.
B. Mitigation strategies that were developed to address the gaps identified in Sage’s
“Independent Security Report,” ensuring compliance with PCI DSS and GDPR.
The gaps that were identified in Sage’s ISR were the lack of an adequate business
continuity plan, security awareness plan, incident response plan, and information
security team, leading to non-compliance with the security principles and standards of
GDPR and PCI-DSS. Compliance with these two important standards is essential for
international businesses.
The following sections will include mitigation strategies to be implemented to address
the gaps and achieve compliance with the industry’s standards.
1. Business Continuity Plan
The mitigation strategy developed to address Sage’s BCP and ensure compliance with GDPR and PCI DSS is a thorough, finely detailed recovery plan that addresses natural disasters. The strategy will be used to protect European personal data and cardholder data and to quickly recover the systems that store or process that data. The BCP mitigation strategy will include a risk assessment, a business impact assessment, an emergency response plan, a communication plan, and a backup and recovery plan. Updating the business continuity plan to include these details will help ensure that the business can withstand any disaster and is properly prepared for any unforeseen event that could disrupt its operations.
2. Inadequate Security Awareness Plan
Sage’s cybersecurity awareness plan will be revised to comply with industry best practices and standards, specifically NIST guidance and PCI DSS Requirement 12.6.
PCI DSS Requirement 12.6 and NIST require a mandatory security awareness program that must be followed by everyone who handles cardholder data. The mitigation strategy for closing the identified gaps in Sage’s security awareness plan is to properly make employees aware of the plan and its requirements. The strategy addressing Sage’s inadequate security awareness plan will commence with initial training for new hires and yearly refresher training. The training