The first question I have is: What are the established requirements you mention? Are they PCI DSS requirements? HIPAA? NERC CIP? Or even ISO 27001/2?
Once you know the requirements you need to meet, then you can usually fall back onto a simple checklist approach for the gap analysis methodology. There are several ways to build or obtain a checklist for your architecture review.
For instance, the Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire can serve as a starting point. For HIPAA compliance, there are checklists available online from a variety of organizations, such as NIST. For NERC CIP, I have personally found that the standards themselves -- in conjunction with the Reliability Standard Audit Worksheets (RSAWs) -- can be used as a pretty decent checklist, provided you go clause-by-clause and not paragraph-by-paragraph.
If I haven't listed the standard with which your organization needs to comply, search the Internet for checklists, or you can build your own based on the standards of concern (more detail on that below).
Using the checklists, I then suggest a group approach: Bring together the internal experts on the subject -- in your case, network architecture personnel -- to go over the standards and try to determine the following:
- Does the current architecture comply with the requirements?
- Can you document this compliance?
- If not, what actions need to be taken to become compliant?
The best approach for this initial checklist/standard review would be to use a collaboration tool like SharePoint. As the group reviews each requirement, you can track the compliance assessment for that requirement, collect and post the documentation that proves compliance, and post the resulting action items, including responsibilities and due dates.
Lastly, one question that may linger is: "What if I don't have any checklists available?" In this case you need to do the hard work of creating your own by reading the standards and dissecting the expectations to satisfy each requirement. I've had to do this in the past and, essentially, I've taken the auditor's approach: I use a requirement mandated by a particular standard to build a list of questions to ask both myself and the internal team that helps me to determine whether I am compliant. It can be a bit slow initially, but the outcome is that you totally understand the details of the standard.
This was first published in April 2010