A primary task of any information security professional is to manage or perform an information security gap analysis to find potential security vulnerabilities and risks and to use the information to implement solutions to bridge the gaps. The goal: to continually improve and move closer to the desired security position, and to transition security from its current state to its future improved state. Several critical steps in the process must always be addressed when conducting a useful gap analysis. Let’s look at them!
Why a gap analysis is important
A gap analysis can be performed for various reasons. Generally, no matter the background, it is a tool used for improving the state of something — to raise the performance level of the particular area in question. As a general tool, it can be used at different levels. Also, it can be centered on different perspectives, such as organizational, business process, business direction, and technology perspectives.
An information security gap analysis is an excellent way for an organization to understand where to focus its security efforts for maximum security improvement. Additionally, it’s often a compliance requirement, to obtain and maintain compliance with a particular standard or regulation. However, this is not the only reason for performing one. A primary purpose is to help organizations uncover risks and vulnerabilities and to improve their information security posture ultimately.
For every gap analysis, the process should include describing the scope or the area to be analyzed, identifying the improvement areas, defining the targets, identifying the current state and devising a plan of action or steps to achieve the desired future state.
Step 1: Define the scope, choose a security standard or benchmark
This essential step in the process is important for many reasons. Most organizations encompass a multitude of processes, departments, and functions. So, it is crucial to define the scope or identify the area that needs investigation. This helps to maintain the focus of the investigation; it provides clarity to keep everyone aligned and on track and ultimately helps to encourage an efficient gap analysis investigation.
Depending on the organization, the available resources and its objective, the scope of the gap analysis can vary. One organization may choose to evaluate its entire security program from the get-go. Another may select a particular area to consider first. Or sometimes evaluating a particular segment initially, is a way to save on resources, cost and time (smaller businesses may consider this approach). By doing this, a section could be used to represent the overall security program, and the outcome of the gap analysis on that particular segment could describe the likely outcome of the rest of the security program in place. So, the result of this initial investigation will affect the investigations going forward. This is dependent on the organization, its processes, set up and the policies, frameworks and the security that is already implemented.
Once the scope has been identified, you need to look a little deeper. The key improvement areas within the scope must be determined. Once the key areas have been identified, targets need to be set for each one to realize the improvement that is required. Benchmarking, analysis, and investigations are essential to this.
So, the targets you set will depend on variables specific to your organization. Variables such as the resources and time available to dedicate to the process. The degree of preparation already done before the gap analysis is performed. If and to what degree the organization’s (or area in question) existing program (current state) is benchmarked to a particular standard or best practices. So, consideration needs to be made for what has already been achieved.
This is when benchmarking becomes important. It is necessary so that the organization can make better-informed decisions. Again, how you go about this depends on the organization, the resources available and the objectives. If the gap analysis is purely for internal reasons, for example, the organization wants to improve its security posture, or if it is a compliance or regulatory requirement, the type of benchmarking will differ. Usually, to obtain or maintain certification, performing a gap analysis against a particular security standard is required.
When comparing an organization’s existing security program with industry security best practices, industry standards or security frameworks help to do this. So, a key step in the process may be to choose a security standard to work with if you do not use one already.
However, other benchmarking may include looking at actions that other organizations have taken or use industry best practices. Considering the experience and knowledge of peers in the same space is also often used. Crowdsourcing experience and expertise are valuable and beneficial for smaller businesses, in particular, those with limited resources. By understanding how other businesses facing similar challenges control them, you accumulate data and knowledge that could be put to practice in your own business. With a broad view from multiple scenarios, the information gained can be assimilated and be very useful to a smaller business when uncovering and managing risk. Ultimately, the aim should be to benchmark the security program to key best practices or universally recognized security standards.
Standards have been developed from years of research into the risks, threats, and adequate controls to help address these. These standards are very beneficial to benchmark organization security controls against as they are proven effective if correctly implemented and followed.
Generally, the ISO/IEC 27002:2013 standard provides a good benchmark. It gives guidelines for organizational information security standards and information security management practices for selecting, implementing and managing controls while considering the information security risk environment of the organization. It’s a good choice for organizations using ISO/IEC 27001 Information Security Management System or organizations implementing universally accepted information security controls or those organizations that want to develop their own unique set of security management strategies. It offers this flexibility and covers the primary security areas that must be addressed as part of the process.
They work well together. The ISO 27000 family of standards encompasses information security best practices. ISO 27001 is great for designing and planning an information security management system implementation framework. However, ISO 27002 offers detailed advice on how to handle information security risks in line with the controls already implemented and guides how to implement further controls, highlighted in ISO 27001, to combat risk. Universally recognized security standards can provide a systematic approach to adopt best practice controls, quantify the risk and level that is acceptable and implement effective and appropriate measures to improve security.
Benchmarking against a standard like this helps to compare the organization’s processes, policies, and controls against others in a focused manner and helps to avoid overlooking essential aspects.
Whichever benchmarking approach is decided upon, the methodology, resources, standards, and best practices must be agreed before starting the investigation process.
Step 2: Choose the best resource for the job
This is a sticking point for some. Larger organizations tend to have security teams in-house, dedicated to all aspects of the business’s security. In this case, the resources are usually readily available for this type of task. However, smaller organizations typically have security as an add-on to a small IT team, no team dedicated to security. Some may not even have an IT team, but rather an IT person that does it all. Some may contract help when needed. No matter the organization’s size or circumstances, to improve security prospects, a gap analysis remains important.
It’s sometimes more difficult for smaller businesses with limited resources to effectively and continuously plan and strategize for the future because of their resource limitations. For smaller businesses getting outside help and advice is probably best. Always ensure the resources enlisted are experienced and reputable.
For organizations that do have the resources, a gap analysis can be done using internal people unless a regulatory requirement says otherwise. However, it’s recommended, and sometimes compulsory, to have an independent or unbiased resource conduct the gap analysis. A new and impartial set of eyes often sees things that internal people (working with the processes and with the security operations daily) will miss.
Whichever approach the organization chooses, results must be reported in a way to highlight risks, recommendations and compliance requirements in a neutral and all-encompassing way. Only then can a realistic view and understanding of the risk exposure and security control inadequacies be uncovered most accurately.
It’s important to get management’s uptake. After all, the results of the analysis will be used by execs and management to make vital decisions regarding the business and its security moving forward.
The quantity of your gap analyses is less important than the quality. Doing a poor job on a regular basis does not improve the outcome, but doing a thorough job less often (on an annual basis) will give you reliable results to work with for the year ahead. So, get the support of leadership, use the best people for the job, and make the effort count.
Step 3: Analyze, investigate, gather and collate
Part of the process is to evaluate people, process, and technology as all of these elements impact and effect information security within the organization. To asses these elements various methods can be used, but all involve gathering intelligence and data. It’s a learning exercise to determine the organization’s current security state relevant to these aspects and its functional (or not) existing security practices.
You will need to investigate existing security policies, controls, and processes, organizational charts and functioning, application and data inventories and interview employees, etc. Consider the following: hardware and software inventories, data classifications, access controls, system maintenance logs, software settings and back up procedures.
A lot of the time security risk involves people — human error. User behavior needs to be investigated and appropriately addressed. This is why interviewing employees is necessary. You need to gain an understanding of their knowledge and their effectiveness at securely following the processes in place. This needs to be demonstrated. In this instance, the process is a security control rather than technology.
Existing documentation needs to be reviewed. All of this evaluation is necessary to gauge the most accurate risk profile of the organization.
Through investigation and data gathering, the goal is to understand better how the existing security program functions. This gives you a clear view of the environment, the existing protection, and the effectiveness of the current security. By comparing the existing controls to best practice controls or those advised in the chosen standard, the gaps, weaknesses, and vulnerabilities become apparent. Also, missing security controls can be identified as well as any that are immature or incomplete.
Stay informed based on data collected and facts, rather than speculation. Look at people, processes and technology and how they fit together, work together and impact one another to reduce or increase security risk. Consider how technology and services work. How processes work and what is expected of them. Look at how they fit into the security program. What their impact on security is. Are they working appropriately? Are they incurring risk? Leave no stone unturned!
Evaluate and collate data. Prepare reports and documentation to demonstrate the current controls in place and the level of maturity for each. Additionally, show the potential impact if the improvement is not made. This step helps an organization to visualize the security state and prioritize the issues to remediate first.
Understand the current state of security. This is as important as understanding where you want to get to (future state). You can’t fully achieve the desired improved state without knowing the state you are starting at. To visualize progress and to design a realistic action plan, this is vital.
With a clear and concise view of the organization’s current security profile and the strengths and weaknesses and areas where improvement is needed, a suitable action plan can be developed.
Step 4: Devise the action plan
The plan of action you devise will be the steps necessary to close the gaps to realize the improved future state of security. It’s important to prioritize these and define a realistic time scale in which to achieve each. Depending on security maturity, this will be different for every organization and will take more or less time to fulfill.
There are various ways to approach it too, maybe prioritizing the most critical gaps first or tackling the ones that are most simple to close first. Again, this is unique to the organization and its circumstances and objectives for the short and long term. Be careful to not rush the “gap-closing” process either. It may be that some gaps are connected and are easier to remediate with a single control, but rushing the process could potentially put too much pressure on the organization and gaps may be poorly closed or, worse, not closed at all.
Prioritizing by having targets and time-scales for each is very important. Make sure to follow the plan that you agree and devise — routinely come back to it to make sure you keep on track.
The action plan should include risks, resources (staff and budget), and timeframes to achieve the targets to improve the security posture.
Gain acceptance and plan the way forward. This is why management uptake is so important. If you remember one of the first recommendations was to get management support and commitment from the start. This is essential to the success of any plan you decide upon.
Gap analysis: A strategic tool with multiple benefits
Although gap analyses are common assessments, like everything else, they should be carried out correctly to realize the full benefits and to obtain the best results. If performed successfully, this strategic tool can provide organizations with value in many ways. It can show the organization its current security state and reflects the key steps and direction to focus security efforts on when devising an action plan to achieve an improved future security state.
Featured image: Shutterstock