Gap Analysis in IT Security

Jun 12, 2024

Introduction

  • Definition: Study of current state vs desired state in IT security.
  • Purpose: To understand future security needs and how to get from current state to desired state.
  • Time and Complexity: Typically takes weeks, months, or years involving many people, emails, and data gathering.

Setting a Baseline

  • Importance: Essential to have something to work towards and to set organizational goals.
  • Sources of Baselines:
    • National Institute of Standards and Technology (NIST): Special Publication 800-171 Revision 2
    • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC): ISO/IEC 27001
    • Custom baselines tailored to specific organizational needs.

Components of Gap Analysis

People

  • Evaluate formal experience in IT security.
  • Assess training received.
  • Check knowledge on specific security policies and procedures.

Policies

  • Evaluate Existing Policies: Compare current IT systems to the central security policy documentation.
  • Document Example: NIST Special Publication 800-171 Revision 2
    • Access Control Requirements: Limiting system access, user registration, deregistration, privileged access rights, etc.

Systems

  • Assessment: Compare existing systems and identify weaknesses.
  • Analysis: Break down broad security categories into smaller segments.

Creating the Gap Analysis Report

  • Final Document: Summarizes current state, goals, and pathway to achieve goals.
  • Content: Detailed Baseline Objectives and comparison of current vs desired state.
  • Steps to Reach Goals: Consider time, money, equipment, and change control.
  • Recommendations: Documented in the final report.

Example Structure

  • Tables: For visual comparison across multiple locations.
    • Color Coding: Green (close to meeting baseline), Yellow (midpoint), Red (needs work).
    • Detailed Breakdown: Inclusive of all processes, devices, and locations.
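As an added example (not part of the original notes), the following Python script builds the comparison table described above: baseline objectives are broken into smaller segments, each location's current state is scored against them, and the result is colour-coded Green/Yellow/Red. The objectives are drawn from the People and Access Control items listed earlier; the location data and the percentage thresholds are constructed assumptions for this example.

```python
# Constructed baseline objectives, drawn from the components listed above:
# the People checks and the NIST SP 800-171 Rev. 2 access-control items.
BASELINE = {
    "People": [
        "formal IT security experience",
        "security training received",
        "knows security policies and procedures",
    ],
    "Access Control": [
        "limit system access to authorised users",
        "user registration and deregistration process",
        "privileged access rights restricted",
    ],
}

# Thresholds are an assumption for this example, not from the source:
# >= 80% of objectives met is Green, >= 50% Yellow, otherwise Red.
THRESHOLDS = ((0.8, "Green"), (0.5, "Yellow"), (0.0, "Red"))

def colour(score):
    """Map a 0..1 coverage score to the report's traffic-light rating."""
    return next(name for floor, name in THRESHOLDS if score >= floor)

def score_location(met, baseline=BASELINE):
    """met: {category: set of objectives this location satisfies}.
    Returns {category: (score, colour, unmet)}; unmet feeds 'steps to reach goals'."""
    result = {}
    for category, objectives in baseline.items():
        unmet = [o for o in objectives if o not in met.get(category, set())]
        score = 1 - len(unmet) / len(objectives)
        result[category] = (round(score, 2), colour(score), unmet)
    return result

def gap_table(current_state, baseline=BASELINE):
    """current_state: {location: {category: set of met objectives}}."""
    return {loc: score_location(met, baseline) for loc, met in current_state.items()}

# Constructed assessment data for two locations (not real findings).
CURRENT_STATE = {
    "HQ": {"People": set(BASELINE["People"]),
           "Access Control": {"limit system access to authorised users",
                              "user registration and deregistration process"}},
    "Branch": {"People": {"security training received"}, "Access Control": set()},
}

if __name__ == "__main__":
    for loc, cats in gap_table(CURRENT_STATE).items():
        for cat, (score, rating, unmet) in cats.items():
            print(f"{loc:7} {cat:15} {score:>5} {rating:7} unmet={len(unmet)}")
```

The unmet list per category is what the final report turns into recommendations, with time, money, equipment and change-control cost attached to each item.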

Summary

  • Gap analysis is crucial for understanding and improving IT security.
  • Involves extensive planning, evaluation, and documentation.
  • Helps in making informed decisions about where to allocate resources for maximum security improvement.