Independent Security Report for SAGE Books
Performed by Secure Tech Solutions
Summarized by Chief Information Security Officer at SAGE Books
Thomas Doherty
Gaps in the company's security framework
At a recent board meeting, the focus was on improving the operations and securing the
company's information systems. The board members stressed upgrading SAGE's e-commerce
website while prioritizing cybersecurity in the new website design and marketing plan. As a
result, the board commissioned an independent assessment of the company's cybersecurity
posture, which Secure Tech Solutions conducted. The security report provided by Secure Tech
Solutions highlighted issues in SAGE Books' security program. The report revealed that the
current security program falls short of security best practices and industry standards.
Although our current program covers information security processes for the corporate
headquarters, retail stores/e-commerce websites, and distribution centers, it still lacks a
comprehensive approach to securing and protecting organizational assets and payment
card data. It provides adequate privacy protection for customers in the European Union.
Furthermore, Secure Tech Solutions' key findings indicate several issues surrounding SAGE
Books' implementation of a strong cybersecurity posture. We also identified concerns about
SAGE Books' security enforcement projects and programs.
This report identifies the security shortcomings and provides actionable solutions to align
with Secure Tech Solutions' recommendations.
Mitigation strategies
SAGE Books has various financial procedures to collect payments for goods and
services. Customers can use personal or company-controlled payment cards to pay for these
goods or services physically at self-checkout lanes in the storefront or online on the e-commerce
site. To adhere to the requirements set by the PCI DSS, SAGE Books must follow specific
regulations. Failure to comply with these regulations might lead to penalties or sanctions as
outlined in the standard. SAGE Books lacks any policy document, standardized procedure, or
other guidance to outline the process of accepting these payments in compliance with PCI DSS.
The information security policy of SAGE Books is missing crucial elements such as
acceptable use, mobile device policy, secure passwords, and protection of personally identifiable
information stored on organizational assets. Developing these policy sections using regulatory
guidelines such as those provided by the National Institute of Standards and Technology and
security best practices outlined in the PCI DSS is highly recommended.
Establish dual control: no single user can make critical changes to the production
environment or secure servers. Do not store encryption keys in a single location; split the keys
and store the parts at several secure locations. Use AES and PGP encryption. It is crucial
to update our software regularly, because software updates help protect us from incidents. When
service providers release software updates, they often include critical bug fixes and
improvements that strengthen the application's ability to prevent security breaches. Sensitive
cardholder data should only be accessible to those in the organization whose roles require it.
Access to physical locations must be restricted to authorized personnel. Monitoring devices,
RFID for entry, USB-free zones, and shredding paper records containing cardholder data
immediately after use are recommended. Documentation is a crucial requirement for PCI security.
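The recommendation above to split encryption keys across several secure locations, together with dual control, can be implemented with threshold secret sharing. The following is an added example (not code from the original report or from Secure Tech Solutions) of Shamir's k-of-n secret sharing over GF(2^8), written for this summary: a master key is split into n shares so that any k of them rebuild it, while k-1 shares reveal nothing. It uses only the Python standard library; the 32-byte key, the 3-of-5 threshold and the custodian roles in `demo()` are constructed for illustration and are not values from SAGE Books' environment.

```python
"""Split a master key into shares so that no single location holds it (Shamir k-of-n)."""
import secrets


# GF(2^8) arithmetic with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).
def _gf_mul(a, b):
    """Multiply two field elements (0..255) in GF(2^8)."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _gf_inv(a):
    """Multiplicative inverse via a^(2^8 - 2); a must be non-zero."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        exp >>= 1
    return result


def split_secret(secret, k, n):
    """Split `secret` (bytes) into n shares; any k of them reconstruct it.

    Each share is (x, ys): x is the share index 1..n and ys holds, per secret
    byte, the value at x of a random degree-(k-1) polynomial whose constant
    term is that secret byte.
    """
    if not (1 < k <= n < 256):
        raise ValueError("need 1 < k <= n < 256")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for secret_byte in secret:
        # a0 is the secret byte; a1..a_{k-1} are fresh random coefficients
        coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, ys in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner evaluation in GF(2^8)
                y = _gf_mul(y, x) ^ c
            ys.append(y)
    return [(x, bytes(ys)) for x, ys in shares.items()]


def recover_secret(shares):
    """Lagrange-interpolate each byte's polynomial at x = 0 from k or more shares.

    With fewer than k shares the result is unrelated to the key, which is the
    property that makes any single location (or custodian) useless on its own.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = _gf_mul(num, xm)       # (0 - x_m) equals x_m in characteristic 2
                    den = _gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo():
    """Constructed scenario: a 32-byte AES-256 key held as 3-of-5 shares."""
    key = secrets.token_bytes(32)            # stand-in for the real master key
    shares = split_secret(key, k=3, n=5)     # e.g. HQ safe, two data centres, two custodians
    enough = recover_secret([shares[0], shares[2], shares[4]]) == key
    too_few = recover_secret(shares[:2]) == key   # two custodians alone cannot rebuild it
    return enough, too_few


if __name__ == "__main__":
    print(demo())  # expected (True, False)
```

The threshold is the dual-control knob: with k=2 no single person can reconstruct the key, and choosing n larger than k means a lost or destroyed share (a burned-out HSM, a departed custodian) does not lock the organization out of its own data. The shares themselves should be stored and transported with the same care as the key, since k of them are equivalent to it.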
By documenting our processing activities, we ensure PCI compliance and equip ourselves
with a roadmap to quickly identify the source of a breach and take the necessary steps to fix it. In
other words, our incident response mechanism becomes more efficient and effective.
Furthermore, the General Data Protection Regulation (GDPR) is a regulation that carries
significant financial penalties for noncompliance and is enforceable by law. Companies that
collect information on any citizen of the European Union must comply with several requirements