Ask the Expert

Gap analysis methodology for IT security and compliance

I have to do a gap analysis of an existing architecture against a set of established requirements. The goal of this is to find the gaps, fix them and bring the infrastructure up to Interim Final Report (meaningful use by CMS) standards. Can you help me with this process; what would be the best first step(s)?


The first question I have is: What are the established requirements you mention? Are they PCI DSS requirements? HIPAA? NERC CIP? Or even ISO 27001/2?

Once you know the requirements you need to meet, then you can usually fall back onto a simple checklist approach for the gap analysis methodology. There are several ways to build or obtain a checklist for your architecture review.

For instance, the Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire can serve as a starting point. For HIPAA compliance, there are checklists available online from a variety of organizations, such as NIST. For NERC CIP, I have personally found that the standards themselves -- in conjunction with the Reliability Standard Audit Worksheets (RSAWs) -- can be used as a pretty decent checklist, provided you go clause-by-clause and not paragraph-by-paragraph.

If I haven't listed the standard with which your organization needs to comply, search the Internet for checklists, or you can build your own based on the standards of concern (more detail on that below).

Using the checklists, I then suggest a group approach: Bring together the internal experts on the subject -- in your case, network architecture personnel -- to go over the standards and try to determine the following:

  1. Does the current architecture comply with the requirements?

  2. Can you document this compliance?

  3. If not, what actions need to be taken to become compliant?

The best approach for this initial checklist/standard review would be to use a collaboration tool like SharePoint. As the group reviews each requirement, you can track compliance assessments, collect and post documentation that proves compliance, as well as post action items, including responsibilities and due dates.

Lastly, one question that may linger is: "What if I don't have any checklists available?" In this case you need to do the hard work of creating your own by reading the standards and dissecting the expectations to satisfy each requirement. I've had to do this in the past and, essentially, I've taken the auditor's approach: I use a requirement mandated by a particular standard to build a list of questions to ask both myself and the internal team that helps me to determine whether I am compliant. It can be a bit slow initially, but the outcome is that you totally understand the details of the standard.

This was first published in April 2010
