Management Task 1
Cybersecurity Management - D489
Western Governors University
Flex Vaughn
11/11/2024
A. Summarize the gaps that exist currently in the company’s security framework as
described in the attached “Independent Security Report.”
The gaps that currently exist in the company's security framework are as follows:
Lack of alignment with security best practices and industry standards:
The company's security program lacks an approach that covers securing and protecting
organizational assets, security of payment card data, and privacy protection for customers
located in the European Union. SAGE Books lacks policy elements that outline acceptable use,
mobile device policy, secure passwords, etc. The company also processes card payments and
should be abiding by the PCI DSS requirements, but SAGE Books does not have any
documentation stating that it follows these standards or accepts these payments in
accordance with PCI DSS. Finally, SAGE does not currently have any specific measures to
protect the collection, storage, and use of data of its customers in the European Union as
outlined in the GDPR.
Understaffed security team:
SAGE Books currently has a security team that meets operational security goals, but it
does not have a sufficient Governance, Risk, and Compliance (GRC) team. This could lead to a lapse in
compliance with regulations such as GDPR, FISMA, or PCI DSS, which could then lead to lawsuits
and sanctions.
Inadequate cybersecurity awareness program:
The current cybersecurity awareness training is ad hoc, meaning it is delivered on an as-needed
basis. Furthermore, only a quarter of new hires and only 10% of current employees took the
training. The training content also does not meet the requirements outlined in best practices or
standards.
Incomplete incident response plan (IRP):
SAGE's IRP deviates from best practices by lacking clear roles and responsibilities for
incident response team members and by having inadequate procedures for incident handling and
analysis. With this deviation, SAGE puts its information assets at risk and leaves the company
exposed to prolonged security threats and attacks.
Absence of a Business Continuity Plan (BCP):
The report highlights the critical need for a BCP that outlines recovery procedures for
restoring operational capability in the event of a disruption. Given the location of SAGE Books'
distribution centers, the company is at a higher risk of natural-disaster interruptions.
B. Develop mitigation strategies to address the gaps identified in the “Independent
Security Report,” ensuring compliance with PCI DSS and GDPR.
To address the security gaps identified in the "Independent Security Report" and ensure
compliance with PCI DSS and GDPR, SAGE Books should implement the following mitigation
strategies:
Enhance Security Policies and Procedures
1.) Create policies to fill gaps in securing and protecting organizational assets: Create formal
policies for acceptable use, mobile device security, secure password creation and management,
and protecting personally identifiable information (PII) contained on organizational assets. SAGE
Books should base these policies on regulatory guidelines from NIST and security best practices
outlined in the PCI DSS.
2.) Align existing policies with industry standards and best practices: Update the
cybersecurity awareness training program to meet NIST standards and PCI DSS
Requirement 12.6. SAGE should also align the incident response plan (IRP) with
NIST Special Publication (SP) 800-61 Revision 2 to enhance incident response
capabilities.
Strengthen the Information Security Team
1.) Hire additional GRC staff: It was stated that SAGE needed three new employees to
specialize in governance, risk, and compliance (GRC). Their roles should be well
defined, and each member should be well versed in compliance and the
regulations surrounding technology standards such as PCI DSS and GDPR.
Implement a Robust Cybersecurity Awareness Training Program
1.) Develop a comprehensive program: Create a cybersecurity awareness training
program that covers topics such as acceptable use, password security, mobile
device security, phishing attacks, and social engineering. The program should be
aligned with NIST standards and PCI DSS Requirement 12.6.
2.) Mandatory training for all employees: Make cybersecurity awareness training
mandatory for all new hires and existing employees, with periodic refreshers to
ensure an improved security posture.
Enhance the Incident Response Plan (IRP)
1.) Define clear roles and responsibilities: Establish a dedicated incident response team with
well-defined roles and responsibilities for each member. Document these roles
within the IRP and provide training to team members on their specific duties.
2.) Develop detailed incident handling and analysis procedures: Enhance the IRP