Gap Analysis in IT Security

  • Definition of Gap Analysis

    • A gap analysis is a study that examines the disparity between the current state and the desired future state.

    • In IT security, it helps organizations understand the security measures needed to close that gap.

  • Complexity of Process

    • Although the concept is simple, the execution involves a complex analysis of the current environment and planning of the path forward.

    • The process often takes substantial time: weeks to months, or even years for a large organization.

    • It involves collaboration from personnel across the organization, along with extensive project management activities such as:

      • Email communication

      • Data gathering

      • Compilation of security information

  • Importance of Establishing a Baseline

    • A baseline serves as a reference point and outlines the specific goals the organization is measuring itself against.

    • Different baselines may be used:

      • NIST SP 800-171 Revision 2:

        • Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

        • Specifies the minimum security requirements for protecting controlled unclassified information (CUI) in systems outside the federal government.

      • ISO/IEC 27001:

        • International standard specifying the requirements for an information security management system (ISMS).

    • Organizations may also develop custom baselines to fit specific security needs.

  • Key Elements in Analysis

    • The analysis includes evaluating:

      • People:

        • Formal experience in IT security

        • Training received

        • Familiarity with the organization's specific security policies and procedures

      • Policies:

        • Verification that the correct policies, aligned with IT security best practices, are in place.

      • Existing IT systems:

        • Review of how well existing systems conform to the organization's formal policies.

  • Gap Analysis Procedure

    • The initial phase often includes:

      • Comparison of current systems with the desired security standard.

      • Identification of system weaknesses.

      • Exploration of effective processes to mitigate those weaknesses.

    • The analysis culminates in a detailed examination, generally organized as:

      • Broad security categories

      • Dissection of those categories into smaller, manageable segments.

  • Example of Mapping

    • Reference to SP 800-171 Revision 2

    • Access control requirements are mapped to security controls:

      • Access Control: Protect against unauthorized access by users, processes, and devices.

      • Account Management:

        • Evaluate tasks such as user registration/deregistration, user access provisioning, managing privileged access rights, and reviewing user access rights.

  • Compiling the Final Document

    • After gathering information from all processes and devices, a final document summarizing the findings is created.

    • This documentation includes:

      • A comparison table listing each baseline objective in detail against current performance.

      • Strategies outlining how to transition from the current state to the desired outcomes, focusing on:

        • Time

        • Financial resources

        • Equipment acquisition

        • Change control measures necessary for implementation.

  • Final Report Creation

    • The final gap analysis report encompasses:

      • A review of the current security status

      • Action plans for future improvements.

    • Example of a system requirement table included in the report:

      • Assessment across multiple locations (e.g., 7 different sites):

        • Color-coded marking system:

          • Green: close to meeting the baseline

          • Yellow: moderate progress toward the baseline

          • Red: significant improvement needed

    • The report also explains the rationale behind the color coding and summarizes the measures needed to bring security controls into compliance with the baseline goals.
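The following is an added example, not part of the original notes, showing how the comparison table and the color-coded site summary described in the last two sections can be produced from per-site findings. The baseline slice (the Access Control objectives are the account-management tasks named in the mapping example; the training family is made up), the three constructed sites, the 0/1/2 scoring scale and the Green/Yellow/Red thresholds are all assumptions; the notes define no thresholds, so adjust them to the organization's own reporting rules.

```python
"""Gap-analysis comparison table with red/yellow/green site scoring (added example)."""

# Hypothetical baseline: requirement families and the objectives assessed under each.
BASELINE = {
    "Access Control": [
        "user registration and deregistration",
        "user access provisioning",
        "management of privileged access rights",
        "review of user access rights",
    ],
    "Awareness and Training": [
        "security awareness training delivered",
        "role-based training for privileged users",
    ],
}

# Assumed scoring scale per objective: fully in place, partially, or absent.
FULL, PARTIAL, ABSENT = 2, 1, 0

# Constructed findings for three sites; an objective with no entry counts as ABSENT.
OBSERVATIONS = {
    "Site A": {
        ("Access Control", "user registration and deregistration"): FULL,
        ("Access Control", "user access provisioning"): FULL,
        ("Access Control", "management of privileged access rights"): PARTIAL,
        ("Access Control", "review of user access rights"): FULL,
        ("Awareness and Training", "security awareness training delivered"): FULL,
        ("Awareness and Training", "role-based training for privileged users"): FULL,
    },
    "Site B": {
        ("Access Control", "user registration and deregistration"): FULL,
        ("Access Control", "user access provisioning"): PARTIAL,
        ("Access Control", "management of privileged access rights"): ABSENT,
        ("Access Control", "review of user access rights"): PARTIAL,
        ("Awareness and Training", "security awareness training delivered"): PARTIAL,
    },
    "Site C": {
        ("Access Control", "user registration and deregistration"): PARTIAL,
    },
}

# Assumed thresholds on the fraction of available points achieved.
GREEN_AT, YELLOW_AT = 0.80, 0.50


def rag(ratio):
    """Map a 0..1 coverage ratio to the report's color band."""
    if ratio >= GREEN_AT:
        return "Green"
    if ratio >= YELLOW_AT:
        return "Yellow"
    return "Red"


def score_family(findings, family):
    """Return (points achieved, points available) for one family at one site."""
    objectives = BASELINE[family]
    achieved = sum(findings.get((family, obj), ABSENT) for obj in objectives)
    return achieved, FULL * len(objectives)


def assess_site(findings):
    """Per-family and overall (ratio, color) for one site."""
    result = {}
    total_achieved = total_available = 0
    for family in BASELINE:
        achieved, available = score_family(findings, family)
        total_achieved += achieved
        total_available += available
        ratio = achieved / available
        result[family] = (round(ratio, 2), rag(ratio))
    overall = total_achieved / total_available
    result["Overall"] = (round(overall, 2), rag(overall))
    return result


def gap_items(findings):
    """Objectives not fully met at a site: the input to the remediation strategy."""
    gaps = []
    for family, objectives in BASELINE.items():
        for obj in objectives:
            score = findings.get((family, obj), ABSENT)
            if score < FULL:
                gaps.append((family, obj, "partial" if score == PARTIAL else "missing"))
    return gaps


def comparison_table(observations):
    """Rows of (site, family, ratio, color) for every site and family, plus overall."""
    rows = []
    for site, findings in observations.items():
        for family, (ratio, color) in assess_site(findings).items():
            rows.append((site, family, ratio, color))
    return rows


if __name__ == "__main__":
    for site, family, ratio, color in comparison_table(OBSERVATIONS):
        print(f"{site:8} {family:24} {ratio:5.2f}  {color}")
    for site, findings in OBSERVATIONS.items():
        for family, obj, state in gap_items(findings):
            print(f"GAP  {site}: {family} / {obj} ({state})")
```

The per-objective rows from `gap_items` are what the strategy section of the final document is built from (each one needs a time, cost, equipment and change-control estimate), while `comparison_table` gives the site-by-family grid that the color coding summarizes. Keeping the scoring scale and thresholds as named constants makes the "rationale behind the color coding" a one-line statement in the report rather than something reconstructed per site.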