Task 1
Cybersecurity Management - D489
Western Governors University
Flex Vaughn
11/11/2024
A. Summarize the gaps that exist currently in the company’s security framework as
described in the attached “Independent Security Report.”
The gaps that currently exist in the company’s security framework are as follows:
Lack of alignment with security best practices and industry standards:
The company’s security program lacks an approach that covers securing and protecting
organizational assets, the security of payment card data, and privacy protection for customers
located in the European Union. SAGE Books lacks policy elements that outline acceptable use,
a mobile device policy, secure passwords, etc. The company also processes card payments and
should be abiding by the PCI DSS requirements, but SAGE Books does not have any
documentation stating that it follows these standards or accepts these payments in
accordance with PCI DSS. Finally, SAGE does not currently have any specific measures to
protect the collection, storage, and use of the data of its customers in the European Union as
outlined in the GDPR.
Understaffed security team:
SAGE Books currently has a security team that meets operational security goals, but it
does not have a sufficient Governance, Risk, and Compliance (GRC) team. This could lead to a lapse in
compliance with regulations such as GDPR, FISMA, or PCI DSS, which could then lead to lawsuits
and sanctions.
Inadequate cybersecurity awareness program:
The current cybersecurity awareness training is ad hoc, meaning it is delivered only on an as-needed
basis. Furthermore, only a quarter of new hires and only 10% of current employees took the
training. The training content also does not meet the requirements outlined in best practices or
standards.
Incomplete incident response plan (IRP):
SAGE’s IRP deviates from best practices: it lacks clear roles and responsibilities for
incident response team members and has inadequate procedures for incident handling and
analysis. With this deviation, SAGE puts its information assets at risk and leaves the company
exposed to prolonged security threats and attacks.
Absence of a Business Continuity Plan (BCP):
The report highlights the critical need for a BCP that outlines recovery procedures for
restoring operational capability in the event of a disruption. Given the location of SAGE Books’
distribution centers, the company is at a higher risk of interruptions from natural disasters.
B. Develop mitigation strategies to address the gaps identified in the “Independent
Security Report,” ensuring compliance with PCI DSS and GDPR.
To address the security gaps identified in the "Independent Security Report" and ensure
compliance with PCI DSS and GDPR, SAGE Books should implement the following mitigation
strategies:
Enhance Security Policies and Procedures
1.) Create policies to fill gaps in securing and protecting organizational assets:
Create formal policies for acceptable use, mobile device security, secure password
creation and management, and protecting personally identifiable information (PII)
contained on organizational assets. SAGE Books should base these policies on
regulatory guidelines from NIST and the security best practices outlined in the PCI DSS.
2.) Align existing policies with industry standards and best practices: Update the
cybersecurity awareness training program to meet NIST standards and PCI DSS
Requirement 12.6. SAGE should also align the incident response plan (IRP) with NIST
Special Publication (SP) 800-61 Revision 2 to enhance incident response capabilities.
Strengthen the Information Security Team
1.) Hire additional GRC staff: It was stated that SAGE needed three new employees to
specialize in governance, risk, and compliance (GRC). Their roles should be well defined,
and each member should be well versed in the compliance obligations and regulations
surrounding standards such as PCI DSS and GDPR.
Implement a Robust Cybersecurity Awareness Training Program
1.) Develop a comprehensive program: Create a cybersecurity awareness training
program that covers topics such as acceptable use, password security, mobile device
security, phishing attacks, and social engineering. The program should be aligned with
NIST standards and PCI DSS Requirement 12.6.
2.) Mandatory training for all employees: Make cybersecurity awareness training
mandatory for all new hires and existing employees, with periodic refreshers to ensure
an improved security posture.
Enhance the Incident Response Plan (IRP)
1.) Define clear roles and responsibilities: Establish a dedicated incident response team
with well-defined roles and responsibilities for each member. Document these roles