Gap Analysis – CompTIA Security+ SY0-701 – 1.2

There’s always room to improve your security posture. In this video, you’ll learn how a security gap analysis can be used to make your network even more secure.


As the name implies, a gap analysis is a study of where we are versus where we would like to be. And in the world of IT security, we are constantly performing gap analyses to be able to understand exactly what security is going to be needed in the future. Although this is very simple to explain, it’s a relatively complex process to perform the analysis of what’s actually going on in your environment and putting together a plan of how to get from where you are to where you’re going.

As you might imagine, trying to understand every aspect of IT security and how it applies to your organization can be a very involved process. And this is something that commonly takes a number of weeks, months, or even years to compile. As you can imagine, this might involve a number of different people in your organization. And there is an extensive project plan with emails and data gathering and anything else that’s needed to compile the information about what’s happening with security in your environment.

Before starting the gap analysis, it’s useful to have a baseline. This gives you something to work towards and an idea of where the goals should be for your organization. There are a number of different baselines to choose from, and some of these baselines have been specifically created for certain organizations.

For example, your organization may be following a set of baselines from the National Institute of Standards and Technology (NIST). They publish a document called Special Publication 800-171 Revision 2, and the title of that document is Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

You might also use a baseline that was created by the International Organization for Standardization and the International Electrotechnical Commission. This is ISO/IEC 27001, the standard for information security management systems. And of course, you can create your own baselines based on your specific needs as an organization.

These baselines will commonly involve an analysis of the people in your organization and the processes you use for security. When evaluating people, you might want to get a better understanding of their formal experience in information technology security. You might want to understand what kind of training they’ve received. And you might want to see if they have a knowledge of specific security policies and procedures that you can use in your organization.

Even with the right people in place, you’ll still want to be sure that you’re following the correct policies for IT security. This might start with an evaluation of the existing IT systems and how they relate to your formal policies that have been created in your central security policy documentation.

The analysis portion of the gap analysis will begin with a comparison of the existing systems that you have running in your environment against that baseline, to identify any weaknesses those systems might have. You can then compare those weaknesses against the most effective processes for compensating for them. Ultimately, you’ll create a detailed analysis where you look at very broad categories of security and then break those broad categories down into individual, smaller segments.

Here’s a good example of how you might start with a broad understanding of a process and then break it down into individual pieces. This is the document 800-171 Revision 2, Protecting Controlled Unclassified Information, and this is a table that maps each access control requirement to the corresponding security controls (in that document’s mapping tables, the relevant NIST SP 800-53 and ISO/IEC 27001 controls). For example, this page shows the access control requirement to limit system access to authorized users, processes acting on behalf of authorized users, and devices.

This account management area covers a number of different individual security controls (in the mapping, the ISO/IEC 27001 user access management controls). So when we start to break this down, we can look at user registration and deregistration. We need to understand how user access provisioning is handled, the management of privileged access rights, the review of user access rights, and so on. By looking at these broad areas, we can now break down individual security tasks to see how well we’re handling the processes and procedures for each of these individual steps.

Once we’ve gathered all of this information for all of our processes, all of our devices across all of our different locations, we need to create a final document that summarizes everything that we’ve discovered. We can start with a comparison that looks at the detailed baseline objectives and gives a perspective of where we are today versus where we would like to be with each one of these objectives.

Perhaps the more difficult question to answer is how you get from where you are to where you’d like to be. This path to get from where we are to where we’d like to be commonly takes time, it takes money, there may be equipment that we need to purchase, and, obviously, there’s change control so that you can implement these changes in your environment.

Once we have all of this information compiled and the plan of how we can get from where we are to where we’d like to be, we can create a final gap analysis report. This report not only includes the information about where we are today, but it also provides that pathway so that we can understand what it’s really going to take to move forward into the future. All of the recommendations you have about meeting this baseline will be documented in this gap analysis report.

Here’s an example of one of the tables that you might include in your gap analysis report. On the left side, I have a series of system requirements. And all of those system requirements were broken into smaller pieces in the detailed part of the report. But we might want to get a much broader understanding about all of our different remote sites and how they are compared to the ultimate baseline that we would like to reach.

For example, our organization might have seven different locations, and we’ve performed a gap analysis across all of these system requirements for all seven of those locations. The locations that are relatively close to meeting the baseline we can mark with a green color. Anything that might be in the midpoint we can mark as yellow. And locations that need a lot of work to be able to meet our standardized baselines we’ll mark with red.

So if we wanted to have the biggest impact on improving our security, we may want to start with the locations and security requirements marked in red, and then move to the ones marked in yellow, and then finally the green. The report obviously will include extensive details about why these colors were used and provide a summary of how we can implement security controls to better meet the goals of these baselines.
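As an added example (not from the original transcript), here is a small Python scorer that does the breakdown and the traffic-light summary just described: each broad requirement is split into individual controls, every site’s findings are scored as the fraction of those controls in place, the score is mapped to green, yellow or red, and the rows are ordered red first so the report’s remediation priority falls out directly. The requirement and control names (AC-1 follows the account-management controls named above; AC-2 is made up), the site names, the thresholds and the findings are all assumptions for illustration.

```python
# Added example (not from the original transcript): a small gap-analysis
# scorer. Requirement and control names, site names, thresholds and the
# findings below are constructed for illustration.
from __future__ import annotations

from enum import Enum


class Status(Enum):
    """Assessed state of one individual control at one location."""
    IMPLEMENTED = 1.0
    PARTIAL = 0.5
    NOT_IMPLEMENTED = 0.0


# Each broad requirement broken down into the individual controls to check.
# The AC-1 breakdown follows the account-management controls named in the
# transcript; AC-2 and its controls are hypothetical.
REQUIREMENTS: dict[str, list[str]] = {
    "AC-1 Limit system access to authorized users": [
        "user registration and deregistration",
        "user access provisioning",
        "management of privileged access rights",
        "review of user access rights",
    ],
    "AC-2 Limit access to permitted transactions and functions": [
        "least-privilege role definitions",
        "separation of duties",
    ],
}

GREEN_AT = 0.8   # assumed thresholds on the fraction of controls in place:
YELLOW_AT = 0.5  # >= 0.8 green, >= 0.5 yellow, otherwise red


def requirement_score(findings: dict[str, Status], controls: list[str]) -> float:
    """Fraction (0.0 to 1.0) of a requirement's controls in place at one site.

    A control with no recorded finding counts as not implemented, so a control
    an assessor skipped can never raise the score.
    """
    if not controls:
        raise ValueError("a requirement must be broken down into at least one control")
    total = sum(findings.get(c, Status.NOT_IMPLEMENTED).value for c in controls)
    return total / len(controls)


def rating(score: float) -> str:
    """Map a score onto the report's traffic-light colours."""
    if score >= GREEN_AT:
        return "green"
    if score >= YELLOW_AT:
        return "yellow"
    return "red"


def score_sites(assessments: dict[str, dict[str, Status]],
                requirements: dict[str, list[str]] = REQUIREMENTS):
    """Return {site: {requirement: (score, colour)}}: the summary table's cells."""
    scored = {}
    for site, findings in assessments.items():
        scored[site] = {}
        for req, controls in requirements.items():
            s = requirement_score(findings, controls)
            scored[site][req] = (s, rating(s))
    return scored


def prioritize(scored):
    """Order (site, requirement, score, colour) rows worst-first: red, then
    yellow, then green, and lowest score first within each colour."""
    order = {"red": 0, "yellow": 1, "green": 2}
    rows = [(site, req, score, colour)
            for site, reqs in scored.items()
            for req, (score, colour) in reqs.items()]
    return sorted(rows, key=lambda r: (order[r[3]], r[2], r[0], r[1]))


# Constructed findings for three sites. HQ has every control in place.
ASSESSMENTS: dict[str, dict[str, Status]] = {
    "HQ": {c: Status.IMPLEMENTED for cs in REQUIREMENTS.values() for c in cs},
    "Branch-A": {
        "user registration and deregistration": Status.IMPLEMENTED,
        "user access provisioning": Status.IMPLEMENTED,
        "management of privileged access rights": Status.PARTIAL,
        "review of user access rights": Status.NOT_IMPLEMENTED,
        "least-privilege role definitions": Status.PARTIAL,
        "separation of duties": Status.NOT_IMPLEMENTED,
    },
    "Branch-B": {  # only one AC-1 control was assessed; the rest default to not implemented
        "user registration and deregistration": Status.PARTIAL,
        "least-privilege role definitions": Status.IMPLEMENTED,
        "separation of duties": Status.PARTIAL,
    },
}

if __name__ == "__main__":
    for site, req, score, colour in prioritize(score_sites(ASSESSMENTS)):
        print(f"{colour:6} {score:.3f}  {site:9} {req}")
```

Two choices worth keeping in a real tool: a control with no recorded finding scores as not implemented rather than being skipped, so an incomplete assessment cannot make a site look greener than it is, and the thresholds are explicit constants so the report can state exactly why each cell got its colour, which the report has to explain anyway.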