Gap analysis procedures

BROWSE BY TAG Security Management,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   Information Security Policies, Procedures and Guidelines,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Management How to prepare for a FERPA audit Why doesn't the CISSP cover information assurance and DIACAP? Data breach notification legislation: What info must be released? Risk management strategy for an information technology solution provider Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations How to write technology outsourcing contracts The requirements for being a PCI DSS-compliant service provider The requirements needed to make an external penetration test legal Enterprise Risk Management: Metrics and Assessments How to detect and respond to money laundering How to justify information security spending on cloud computing Layoffs prompt insider threat fears, cybersecurity survey finds How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC Enterprise Risk Management: Metrics and Assessments Research Information Security Policies, Procedures and Guidelines How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Before you begin a gap analysis, you should perform an in-depth vulnerability and risk assessment to examine:

• The existence of policies, procedures, standards and supporting documentation
• Access control and user provisioning processes and tools
• Change control and configuration management processes
• Asset identification processes
• Vulnerability management processes
• Risk management processes
• Incident handling processes
• Business continuity documentation and readiness
• Software development lifecycle processes
• Perimeter defense strength
• Test the configurations of firewalls, remote access servers, IDS, antivirus, etc.
• Patching processes
• Physical security processes
• Personnel security processes

Once the vulnerability and risk assessment is complete, perform a gap analysis within each sector and include strategic steps regarding how to bring each area "up to corporate standards." A gap analysis compares what is currently there to what is required. The requirements are derived from federal and state laws, government regulations, industry standards and corporate governance requirements. The following are the common steps of a gap analysis:

1. Define a scope as it pertains to each previously listed item
2. Collect all current documentation within the environment (policies, procedures, configuration standards, etc.)
3. Identify all hardware and software assets with the scope that was established in step 2. (This can be done manually or through automated tools.)
4. Interview individuals and document how the processes listed previously are carried out.
5. Compare the current security practices, configurations and processes to the goals identified in step 1.
6. Prioritize the gaps that were identified and create implementation steps to get each area to the right level of compliance.

It's important to note, it can take years to successfully complete a gap analysis, because it takes time to identify all of the laws, regulations and business drivers that will set your corporate security requirements and derive security goals from them.

Let's review a step, to show you how a gap analysis would be carried out and remediation steps taken. If your corporate standards state that each network device, server and workstation must provide a certain level of protection, then the first thing you need to do is establish the configuration standards for each system. This means every router, firewall, server, workstation, and network device must have detail-oriented, written configuration standards stating exactly how to configure each system. After testing these configurations, roll them out to a production environment. To ensure the configurations were created properly, use a product like Symantec's Enterprise Security Manager (ESM). It compares the policy you created (which is the same as the configuration standard you created) to the current settings on each system. It will then show you the configurations that do not meet your policy, which you must then properly configure so they meet your configuration standard.

Remember, this is just one way to detect if the infrastructure is not meeting corporate requirements. To learn more about this, these sites review how others have attacked this gap analysis task:
http://www.state.nd.us/ea/teams/dt/st/gap.html#gaa
http://www.ttuhsc.edu/sop/ContinuingEd/hipaa/Gen_GapAnalysis_Remediation.doc