by Asher DeMetz
Ransomware is wreaking havoc. An attack against Maersk cost the shipping company hundreds of millions of dollars. HBO was told to pay up or hackers would spill stolen emails and episodes of some of HBO’s most popular shows.
Enormous companies aren’t the only targets. WannaCry attacked smaller organisations, locking down their data and demanding Bitcoin ransoms. And it’s not just ransomware. The Google Docs phishing attack, ever-larger DDoS attacks like the one that took out Dyn and most of the East Coast’s internet, and other threats loom over businesses.
You may think you’re not at risk, but when was the last time you put your systems to the test? How do your security measures compare to best practices? The distance between them can be an open door for malware, phishing and other cyberattacks that compromise data, waste time, sap resources and wreck reputations.
But you can identify those weaknesses by calling in an expert to conduct a security gap analysis. This is one of the most important jobs I do as an information security consultant. By comparing overall best practices to actual practices, we can shed light on areas where vulnerabilities and risks are lurking. However, it’s not enough that you conduct the analysis; it’s also important that it’s done correctly. To do a thorough job, here are four steps that are critical for every information security gap analysis.
Step 1: Select an industry standard security framework
One of the most common frameworks is the ISO/IEC 27002 standard. ISO/IEC 27002:2013 provides best practice recommendations on information security management. This standard covers best practices for such key security areas as risk assessment, access control, change management, physical security and others.
The ISO standard provides a good benchmark that you can compare your security policies and network controls against. If you have a good security team, you may be able to conduct the gap analysis yourself. However, even if you do have a good security team, having an independent third party – someone without any connection to the network architecture – evaluate your security plan is recommended. In fact, some industry compliance standards may recommend an outside consultant to provide an extra set of eyes to ensure that security measures are in compliance with state and federal regulations. The reason is simple: An outside consultant is independent and can also often catch gaps not found by people who work with the network day in and day out.
Step 2: Evaluate people and processes
This is the data-gathering phase: data on your IT environment, application inventory, organisational charts, policies and processes, and other relevant details. This could mean sitting down with your IT staff and your leadership to learn more about the organisation’s key objectives.
It definitely means learning which security policies are already in place and where your organisation’s leaders are taking your firm in the next three to five years and what security risks will be associated with that path.
It’s also important for the security analysts to conduct in-depth interviews with your company’s key stakeholders and specific departments like HR and legal. Usually this includes IT staff, security administrators (if you have a dedicated security team in house), and anyone who works with the network, servers or workstations. Good security practices involve everyone in the company.
Many of the risks that company networks face are caused by humans: an employee innocently clicking on a link in a phishing email, insufficient training or an angry employee who purposely sabotages the network. We need to address human behaviour if we want to do as much as possible to decrease threats to data.
Key staff members can provide details on how the various controls are implemented. For example:
- How is access for new hires and terminations handled?
- Is there a standard role-based policy in place that helps ensure that the correct access is provided to each job position?
- How are changes implemented in your environment?
- Are there standard procedures and approvals that are required before a change is made?
- Is there a back-out procedure in case there is a problem?
- Is staff training provided to keep your company abreast of evolving security risks?
The more we know about the people accessing your network and the controls that are already in place, the easier it is for us to help you create the right security analysis.
Step 3: Data gathering/technology
Through data gathering, our goal is to understand how well the current security programme operates within the technical architecture. As part of this step, we compare best practice controls (e.g., ISO 27002 or NIST 800-53) or other relevant requirements against your organisational controls; take a sample of network devices, servers and applications to validate gaps and weaknesses; and review automated security controls, communications protocols and log files. With data gathering, we gain a clear picture of your technical environment, the protections in place, and your overall security effectiveness.
As we go through the data gathering process in the security gap analysis, we benchmark your organisation’s security programme to our best practices. These standards were developed after years of observations and evaluations to gain insight as to which controls are the most effective and where security shortcomings typically arise. This in-depth security knowledge allows us to see how your security process matches up to other processes and controls that have proven successful, especially when compared to other companies and security controls within your specific industry.
Step 4: Analysis
After we get through the above phases, we perform an in-depth analysis of your security programme. To do this, we correlate the findings and results across all factors to create a clear and concise picture of your IT security profile that includes areas of strength, and areas where improvement is most needed. With that information in hand, we can make recommendations for moving forward with a security plan that is tailored for your company. That security roadmap considers risks, staffing and budget requirements, as well as timeframes to complete the various security improvements.
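As an added illustration, and not the author's or any consultancy's own tooling, the Python sketch below shows how the findings from steps 3 and 4 can be correlated into a prioritised gap register: a hypothetical control catalogue with assumed risk weights, constructed per-host sample evidence, coverage per control, a score that ranks open gaps for the roadmap, and a list of hosts whose sample left a control unassessed.

```python
from dataclasses import dataclass

# Hypothetical control catalogue. Names loosely follow the ISO/IEC 27002 areas
# named in the article; the ids and risk weights are assumed, not from the standard.
CONTROLS = {
    "AC-1": ("Role-based access for joiners and leavers", 5),
    "CM-1": ("Approved change with a back-out procedure", 4),
    "PS-1": ("Physical access to server rooms logged", 3),
    "LG-1": ("Security logs forwarded and retained", 4),
}

# Constructed sample evidence from the device/server sample (step 3).
# True = control observed in place, False = gap, missing key = not assessed.
SAMPLE = {
    "srv-01": {"AC-1": True, "CM-1": True, "PS-1": True, "LG-1": False},
    "srv-02": {"AC-1": False, "CM-1": True, "LG-1": False},
    "fw-01": {"AC-1": True, "CM-1": False, "PS-1": True, "LG-1": True},
}

@dataclass
class Gap:
    control: str
    name: str
    coverage: float   # fraction of assessed hosts where the control is in place
    assessed: int     # how many sampled hosts actually produced evidence
    score: float      # weight * (1 - coverage); higher means fix first

def coverage(control, sample):
    """Return (coverage ratio, hosts assessed) for one control, or (None, 0)."""
    obs = [host[control] for host in sample.values() if control in host]
    if not obs:
        return None, 0
    return sum(obs) / len(obs), len(obs)

def gap_register(controls, sample):
    """Correlate sample evidence with the catalogue and rank the open gaps."""
    gaps = []
    for cid, (name, weight) in controls.items():
        cov, n = coverage(cid, sample)
        if cov is None:
            cov = 0.0  # a control nobody could evidence is treated as fully open
        if cov < 1.0:
            gaps.append(Gap(cid, name, cov, n, round(weight * (1 - cov), 2)))
    return sorted(gaps, key=lambda g: g.score, reverse=True)

def unassessed(controls, sample):
    """(host, control) pairs the sample did not cover; candidates for re-sampling."""
    return [(h, c) for h in sample for c in controls if c not in sample[h]]

if __name__ == "__main__":
    for g in gap_register(CONTROLS, SAMPLE):
        print(f"{g.control} {g.name}: coverage {g.coverage:.2f} score {g.score}")
```

Unassessed pairs are reported separately rather than silently counted as compliant, so a thin sample cannot hide a gap.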
As you’ve probably concluded by now, conducting a full information security gap analysis is a detailed, in-depth process that requires not only a thorough knowledge of security best practices, but also an extensive knowledge of security risks, controls and operational issues. We may uncover risks that can be remediated quickly with the installation of a security patch, or we may recommend that an outdated communications protocol be replaced with a more robust solution.
Performing a security gap analysis can’t guarantee 100 percent security, but it goes a long way to ensure that your network, staff and security controls are robust, effective and cost efficient. When we conduct a thorough information security gap analysis, you can let your customers know that you are providing the best security possible. In turn, the better you can secure the information they entrusted to you, the more your business will thrive.