I have to do a gap analysis of an existing architecture against a set of established requirements. The goal of...
this is to find the gaps, fix them and bring the infrastructure up to Interim Final Report (meaningful use by CMS) standards. Can you help me with this process; what would be the best first step(s)?
The first question I have is: What are the established requirements you mention? Are they PCI DSS requirements? HIPAA? NERC CIP? Or even ISO 27001/2?
Once you know the requirements you need to meet, then you can usually fall back onto a simple checklist approach for the gap analysis methodology. There are several ways to build or obtain a checklist for your architecture review.
For instance, the Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaire can serve as a starting point. For HIPAA compliance, there are checklists available online from a variety of organizations, such as NIST. For NERC CIP, I have personally found that the standards themselves -- in conjunction with the Reliability Standard Audit Worksheets (RSAWs) -- can be used as a pretty decent checklist, provided you go clause-by-clause and not paragraph-by-paragraph.
If I haven't listed the standard with which your organization needs to comply, search the Internet for checklists, or you can build your own based on the standards of concern (more detail on that below).
Using the checklists, I then suggest a group approach: Bring together the internal experts on the subject –- in your case, network architecture personnel –- to go over the standards and try to determine the following:
- Does the current architecture comply with the requirements?
- Can you document this compliance?
- If not, what actions need to be taken to become compliant?
The best approach for this initial checklist/standard review would be to use a collaboration tool like SharePoint. As the group reviews each requirement, you can track compliance assessments, collect and post documentation that proves compliance, as well as post action items, including responsibilities and due dates.
Lastly, one question that may linger is: "What if I don't have any checklists available?" In this case you need to do the hard work of creating your own by reading the standards and dissecting the expectations to satisfy each requirement. I've had to do this in the past and, essentially, I've taken the auditor's approach: I use a requirement mandated by a particular standard to build a list of questions to ask both myself and the internal team that helps me to determine whether I am compliant. It can be a bit slow initially, but the outcome is that you totally understand the details of the standard.
Dig Deeper on IT security audits and audit frameworks
Related Q&A from Ernie Hayden
Dealing with lawyers is often a challenge. Ernie Hayden offers advice for CISOs dealing with enterprise information security legal issues. Continue Reading
Which will be more likely to further your infosec career: A certification, or an advanced degree? Expert Ernie Hayden weighs in. Continue Reading
While employee termination may be necessary in cases of insecure conduct, most employees are more encouraged by the carrot than the stick when it ... Continue Reading