by Asher de Metz
As an information security consultant, one of the most important jobs I do is to conduct an information security gap analysis. This analysis provides a comparison of your security program versus overall best security practices. By comparing these best practices to actual practices, we can shed light on areas where vulnerabilities and risks are lurking.
However, it’s not only important that a gap analysis be conducted; it’s also important that it be done correctly. Here are 4 steps that are critical for every information security gap analysis.
One of the most common frameworks is the ISO/EIC – 27002 standard. ISO/IEC 27002:2013 provides best practice recommendations on information security management. This standard covers best practices for such key security areas as risk assessment, access control, change management, physical security, and others.
The ISO standard provides a good benchmark that you can compare your security policies and network controls against. If you’ve got a good security team, you may be able to conduct the gap analysis yourself. However, even if you do have a good security team, having an independent person - someone without any connection to the network architecture - evaluate your security plan is recommended. In fact, some industry compliance standards (i.e., HIPAA or PCI) may require an outside consultant to provide an extra set of eyes to ensure that security measures are in compliance with state and federal regulations. The reason is simple: an outside consultant, such as Sungard Availability Services, can often catch gaps not found by people who work with the network day in and day out.
This is the data-gathering phase: data on your IT environment, application inventory, organizational charts, policies and processes, and other relevant details. This could mean sitting down with your IT staff and your leadership to learn more about the organization’s key objectives.
It definitely means learning which security policies are already in place and where your organization’s leaders are taking your firm in the next three to five years and what security risks will be associated with it.
It’s also important for the security analysts to conduct in-depth interviews with your company’s key stakeholders and specific departments like HR and legal. Usually this includes IT staff, security administrators (if you have a dedicated security team in house), and anyone who works with the network, servers or workstations. Good security practices involve everyone in the company.
Many of the risks that company networks face are caused by human intervention – an employee innocently clicking on a link in a phishing email, insufficient training, or an angry employee who purposely sabotages the network. We need to address human behavior if we want to do as much as possible to decrease threats to data.
Key staff members can provide details on how the various controls are implemented. For example:
The more we know about the people accessing your network and the controls that are already in place, the easier it is for us to help you create the right security analysis.
Through data gathering, our goal is to understand how well the current security program operates within the technical architecture. As part of this step, we compare best practice controls (i.e. ISO 27002 or NIST 800-53) or relevant requirements against your organizational controls; take a sample of network devices, servers, and applications to validate gaps and weaknesses; review automated security controls; and review incident response processes, communications protocols and log files. With data gathering, we gain a clear picture of your technical environment, the protections in place, and your overall security effectiveness.
As we go through the data gathering process in the security gap analysis, we benchmark your organization’s security program to our best practices. These standards were developed after years of observations and evaluations to gain insight as to which controls are the most effective and where security shortcomings typically arise. This in-depth security knowledge allows us to see how your security process matches up to other processes and controls that have proven successful, especially when compared to other companies and security controls within your specific industry.
After we get through the above phases, we perform an in-depth analysis of your security program. To do this, we correlate the findings and results across all factors to create a clear and concise picture of your IT security profile that includes areas of strength and areas where improvement is most needed. With that information in hand, we can make recommendations for moving forward with a security plan that is right for your company. That security roadmap considers risks, staffing, and budget requirements, as well as timeframes to complete the various security improvements.
As you’ve probably concluded by now, conducting a full information security gap analysis is a detailed, in-depth process that requires not only a thorough knowledge of security best practices but also an extensive knowledge of security risks, controls, and operational issues. We may uncover risks that can be remediated quickly with the installation of a security patch, or we may recommend that an outdated communications protocol be replaced with a more robust solution.
Performing a security gap analysis can’t guarantee 100% security, but it goes a long way to ensure that your network, staff, and security controls are robust, effective, and cost efficient. When we conduct a thorough information security gap analysis, you can let your customers know that you are providing the best security possible. In turn, the better you can secure the information they entrusted to you, the better your business will thrive.