Gap Analysis in IT Security--Lesson 1.2

CompTIA Security + Flashcards

What is the purpose of a gap analysis in IT security?

To compare current security posture with desired future state and identify weaknesses.

What is a baseline in gap analysis?

A standard or goal used to measure current security status, often based on NIST 800-171 or ISO/IEC 27001.

What are the three main areas evaluated in a gap analysis?

People, processes, and technology.

What personnel factors are assessed in gap analysis?

Training, experience, and familiarity with security policies.

How are processes and systems evaluated?

By reviewing policies, infrastructure, and identifying vulnerabilities.

Why is breaking down broad security categories important?

It allows for detailed evaluation and targeted remediation.

What does a gap analysis report include?

Current status vs. baseline, remediation steps, resources, and timelines.

What do green, yellow, and red indicators in a gap report mean?

Green = compliant, Yellow = moderate gaps, Red = significant deficiencies.

Why is a gap analysis considered iterative and complex?

It involves detailed data collection, multiple stakeholders, and extended timelines.

What is the benefit of using established baselines like NIST or ISO?

They provide expert-developed frameworks aligned with best practices and regulations.

Why are human factors critical in gap analysis?

Even strong technical controls fail without proper user knowledge and policy adherence.

What does task-level analysis enable?

Pinpointing specific weaknesses for effective remediation.

How does multi-location operation affect gap analysis?

It adds complexity but helps prioritize remediation using visual tools.

What does closing gaps typically require?

Strategic planning, investment, training, and change management.

Why is documentation important in gap analysis?

It drives accountability and supports continuous improvement.