Problem solve Get help with specific problems with your technologies, process and projects.

Gap analysis procedures

In this Ask the Expert Q&A, Shon Harris, SearchSecurity's security management expert advises what should be done before a gap analysis is performed, and, provides six common steps of a gap analysis, so organizations will know what to expect before they begin this program.

I have to do a gap analysis of an existing architecture against a set of established requirements. The goal of this is to find the security gaps, fix them and bring the infrastructure up to corporate standards. Can you help me with this process?

Before you begin a gap analysis, you should perform an in-depth vulnerability and risk assessment to examine: 

  • The existence of policies, procedures, standards and supporting documentation
  • Access control and user provisioning processes and tools
  • Change control and configuration management processes
  • Asset identification processes
  • Vulnerability management processes
  • Risk management processes
  • Incident handling processes
  • Business continuity documentation and readiness
  • Software development lifecycle processes
  • Perimeter defense strength
  • Test the configurations of firewalls, remote access servers, IDS, antivirus, etc.
  • Patching processes
  • Physical security processes
  • Personnel security processes

Once the vulnerability and risk assessment is complete, perform a gap analysis within each sector and include strategic steps regarding how to bring each area "up to corporate standards." A gap analysis compares what is currently there to what is required. The requirements are derived from federal and state laws, government regulations, industry standards and corporate governance requirements. The following are the common steps of a gap analysis:

  1. Define a scope as it pertains to each previously listed item
  2. Collect all current documentation within the environment (policies, procedures, configuration standards, etc.)
  3. Identify all hardware and software assets with the scope that was established in step 2. (This can be done manually or through automated tools.)
  4. Interview individuals and document how the processes listed previously are carried out.
  5. Compare the current security practices, configurations and processes to the goals identified in step 1.
  6. Prioritize the gaps that were identified and create implementation steps to get each area to the right level of compliance.

It's important to note, it can take years to successfully complete a gap analysis, because it takes time to identify all of the laws, regulations and business drivers that will set your corporate security requirements and derive security goals from them.

Let's review a step, to show you how a gap analysis would be carried out and remediation steps taken. If your corporate standards state that each network device, server and workstation must provide a certain level of protection, then the first thing you need to do is establish the configuration standards for each system. This means every router, firewall, server, workstation, and network device must have detail-oriented, written configuration standards stating exactly how to configure each system. After testing these configurations, roll them out to a production environment. To ensure the configurations were created properly, use a product like Symantec's Enterprise Security Manager (ESM). It compares the policy you created (which is the same as the configuration standard you created) to the current settings on each system. It will then show you the configurations that do not meet your policy, which you must then properly configure so they meet your configuration standard.

Remember, this is just one way to detect if the infrastructure is not meeting corporate requirements.

This was last published in April 2006

Dig Deeper on Risk assessments, metrics and frameworks