One of the most critical tasks I have as an information security consultant is conducting a security gap analysis. This analysis provides a comparison of your security program versus overall security best practices.
By comparing your actual practices against industry best practices, you can identify areas where vulnerabilities and risks are lurking and determine any gaps. But, more than that, a security gap analysis shows you what you should be doing by giving you the right structure and controls.
But it’s not enough to merely conduct a security gap analysis – you need to be sure it’s being done correctly. Here are four steps that are critical for every information security gap analysis.
Step 1: Select an industry standard security framework
This framework will give you the baseline best practices by which you can measure your own security program.
One of the most common frameworks is the ISO/IEC 27002 standard. This standard covers best practices for key security areas such as risk assessment, access control, change management, physical security and others.
If you have a good security team, you may be able to conduct the gap analysis yourself. However, even with a good security team, it may be in your best interest to have an independent third party evaluate your security plan. An outside consultant can often catch gaps that may be overlooked by people who work with the network day in and day out.
Some industry compliance standards (e.g., HIPAA, PCI) may require an outside consultant to provide an extra set of eyes to ensure that security measures comply with state and federal regulations.
Step 2: Evaluate people and processes
Once you’ve chosen a framework and decided how the assessment will be run, start compiling information about your systems and conducting interviews to learn more about the organization’s key objectives.
Security analysts should conduct in-depth interviews with your company’s key stakeholders and specific departments like HR and legal. This usually includes the leadership team, IT staff, security administrators (if you have a dedicated security team in house) and anyone who works with the network, servers or workstations.
The goal is to learn as much as possible about your IT environment, application inventory, organizational charts, policies and processes, and other relevant details.
All of this helps you discover which security policies are already in place, where your organization’s leaders are taking your firm in the next three to five years and any security risks associated with either.
Many of the risks that company networks face are caused by humans – an employee innocently clicks a link in a phishing email, leadership offers insufficient training or an angry employee purposely sabotages the network. Addressing human behavior is vital to decreasing threats to data.
Key staff members can provide details on how the various controls are implemented. For example:
- How is access for new hires and terminations handled?
- Is there a standard role-based policy in place that helps ensure that the correct access is provided to each job position?
- How are changes implemented in your environment?
- Are there standard procedures and approvals that are required before a change is made?
- Is there a back-out procedure in case there is a problem?
- Is staff training provided to keep your company abreast of evolving security risks?
The more you know about the people accessing your network and the controls that are already in place, the easier it will be to create the right security analysis.
Step 3: Data gathering
Data gathering has a clear objective: to understand how well the current security program operates within the technical architecture.
As part of this step, compare best practice standards (e.g., ISO/IEC 27002 or NIST SP 800-53) and relevant requirements against your organizational controls. Take a sample of network devices, servers and applications to validate gaps and weaknesses. Review automated security controls. Assess incident response processes, communications protocols and log files.
Gathering this data will help give you a clear picture of your technical environment, the protections in place and your overall security effectiveness.
Step 4: Analysis
The final step is to perform an in-depth analysis of your security program.
If you hire a third party to perform the gap analysis, your partner should benchmark your organization’s security program against its best practices throughout the data gathering process. When we analyze customers’ environments, our in-depth security knowledge, developed over years of observations and evaluations, allows us to see how your security processes match up to other processes and controls that have proven successful for other companies within your specific industry.
We do this by correlating the findings and results from the gap analysis across all factors, creating a clear and concise picture of your IT security profile. This includes areas of strength and areas where improvement is most needed. The results come with a score – graded zero to four – that, in non-technical terms, assesses your organization’s security program.
With this information, we can help you devise a plan that is right for your company. That security roadmap considers risks, staffing and budget requirements, as well as timeframes to complete the recommended security improvements.
Peace of mind
Conducting a full information security gap analysis is a detailed, in-depth process that requires a thorough knowledge of security best practices and an extensive understanding of security risks, controls and operational issues.
You may uncover risks that can be remediated quickly with the installation of a security patch, or vulnerabilities that require a more robust solution.
A security gap analysis can’t guarantee 100% security. However, performing one will offer you peace of mind and go a long way toward ensuring that your network, staff and security controls are robust, effective and cost efficient.