Step 1: Use a standard security framework
One of the most widely used frameworks is ISO/IEC 27002. The ISO standard provides a good benchmark against which you can compare your security policies and network controls. If you have a capable security team, you may be able to conduct the gap analysis yourself.
However, even if you do have a capable security team, having an independent person, someone with no connection to the network architecture, evaluate your security plan is recommended. In fact, some industry compliance standards (e.g., HIPAA or PCI DSS) may require an outside assessor to provide an extra set of eyes and confirm that security measures comply with the applicable regulations and contractual requirements. The reason is simple: an outside consultant can often catch gaps that people who work with the network day in and day out have stopped noticing.
Step 2: Evaluate both people and processes
I gather data on your IT environment, application inventory, organizational charts, policies and processes, and other relevant details. This may mean sitting down with your IT staff and your leadership to learn more about the organization's key objectives. It definitely means learning which security policies are already in place, where your organization's leaders are taking the firm in the next three to five years, and what security risks will come with that direction.
Many of the risks that company networks face are caused by people: an employee innocently clicking a link in a phishing email, insufficient training, or a disgruntled employee who deliberately sabotages the network. We need to address human behavior if we want to reduce threats to data as much as possible.
The more we know about the people accessing your network and the controls that are already in place, the easier it is for us to help you create the right security analysis.
Step 3: Data Gathering and Technology Review
Through data gathering, my goal is to understand how well the current security program operates within the technical architecture. As part of this step, I compare best-practice controls (e.g., ISO/IEC 27002 or NIST SP 800-53) or relevant regulatory requirements against your organizational controls; take a sample of network devices, servers, and applications to validate gaps and weaknesses; review automated security controls; and review incident response processes, communications protocols, and log files. Sampling matters here: a policy that says patches are applied within 30 days is only a control if the sampled hosts actually show it. With data gathering, I gain a clear picture of your technical environment, the protections in place, and your overall security effectiveness.
As we go through the data gathering process in the security gap analysis, I benchmark your organization's security program against key industry best practices. These standards were developed over years of observation and evaluation of which controls are most effective and where security shortcomings typically arise. That accumulated knowledge lets me see how your security processes measure up against controls that have proven successful, especially at other companies within your specific industry.
Step 4: Analysis
After the phases above, I perform an in-depth analysis of your security program. To do this, I correlate the findings and results across all factors to create a clear and concise picture of your IT security profile, including areas of strength and areas where improvement is most needed. With that information in hand, I can recommend a security plan that is right for your company. That security road map considers risks, staffing, and budget requirements, as well as time frames for completing the various security improvements, so that the highest-risk gaps are closed first.
Conducting a full information security gap analysis is a detailed, in-depth process that requires not only a thorough knowledge of security best practices but also extensive knowledge of security risks, controls, and operational issues. I may uncover risks that can be remediated quickly by installing a security patch, or I may recommend that an outdated communications protocol be replaced with a more robust solution.
A security gap analysis cannot guarantee 100% security, but it goes a long way toward ensuring that your network, staff, and security controls are robust, effective, and cost efficient. When you conduct a thorough information security gap analysis, you can tell your customers that you are providing the best security you reasonably can. In turn, the better you secure the information they have entrusted to you, the better your business will thrive.
Click here to contact me and schedule a Security Gap Analysis for your company.