Gap Analysis in IT Security

Jun 12, 2024

Overview

  • Gap Analysis: Study of where we are vs. where we want to be
  • Purpose: To understand future security needs
  • Complexity: Involves detailed analysis, numerous participants, and extensive planning
  • Duration: Can take weeks, months, or years

Baseline

  • Importance: Provides a target for goals
  • Types of Baselines:
    • National Institute of Standards and Technology (NIST): Special Publication 800-171 Revision 2
    • International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC): ISO/IEC 27001
    • Custom baselines based on organizational needs

Analysis of People

  • Evaluate:
    • Formal experience in IT security
    • Training
    • Knowledge of security policies and procedures

Policy Evaluation

  • Importance: Ensuring adherence to IT security policies
  • Process:
    • Evaluate existing IT systems
    • Compare to formal security policies

Analysis Process

  • Steps:
    • Compare existing systems to identify weaknesses
    • Compare weaknesses to effective processes
  • Example:
    • NIST 800-171 Revision 2: Access Control
    • Breakdown of Access Control:
      • User registration and deregistration
      • User access provisioning management
      • Management of privileged access rights
      • Review of user access rights

Final Document

  • Contents:
    • Summary of findings across all processes and devices
    • Comparison of current state vs. desired state
    • Detailed baseline objectives
  • Path to Improvement:
    • Time, money, equipment, and change control needed

Gap Analysis Report

  • Documents:
    • Current state vs. desired state
    • Pathway to improvement
    • Recommendations
  • Example Table:
    • System Requirements labeled by site
    • Color-coded status (Green, Yellow, Red)
    • Details on improvement steps, colored status justification, and security controls

Prioritization

  • Impact:
    • Start with locations/requirements marked in red
    • Proceed to yellow, then green
    • Include detailed methodology and steps
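The following script is an added illustration, not part of the original notes, of how the analysis process, the color-coded report table and the red/yellow/green prioritization above can be carried out for a small set of baseline objectives. The four access-control items are the ones the notes list; the AC-1 to AC-4 labels, the two site names, the assessment data and the rule that maps assessment results to a color are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Desired state (the baseline). The AC-1..AC-4 labels are assumed for this
# example; they are not the numbering of any published standard.
BASELINE: Dict[str, str] = {
    "AC-1": "User registration and deregistration",
    "AC-2": "User access provisioning management",
    "AC-3": "Management of privileged access rights",
    "AC-4": "Review of user access rights",
}

# Current state, recorded per site. "implemented" says whether the control
# exists at all; "evidenced" whether its operation is documented (policy,
# tickets, review sign-offs). Constructed sample data.
CURRENT_STATE: Dict[str, Dict[str, Dict[str, bool]]] = {
    "HQ": {
        "AC-1": {"implemented": True, "evidenced": True},
        "AC-2": {"implemented": True, "evidenced": True},
        "AC-3": {"implemented": True, "evidenced": False},
        "AC-4": {"implemented": False, "evidenced": False},
    },
    "Branch": {
        "AC-1": {"implemented": True, "evidenced": False},
        "AC-2": {"implemented": False, "evidenced": False},
        "AC-3": {"implemented": False, "evidenced": False},
        # AC-4 was never assessed at this site: treated as a Red finding.
    },
}

# Sort order for prioritization: work Red first, then Yellow, then Green.
RANK = {"Red": 0, "Yellow": 1, "Green": 2}


@dataclass
class Finding:
    site: str
    requirement: str
    control: str
    status: str          # Green / Yellow / Red
    justification: str   # why this color was assigned
    improvement: str     # the step needed to close the gap


def classify(entry: Optional[Dict[str, bool]]) -> Tuple[str, str, str]:
    """Assumed color rule: missing or unimplemented -> Red; implemented but
    without evidence -> Yellow; implemented and evidenced -> Green."""
    if entry is None or not entry.get("implemented", False):
        return ("Red",
                "Control not in place or not assessed",
                "Design and deploy the control; assign an owner")
    if not entry.get("evidenced", False):
        return ("Yellow",
                "Control in place but operation is not evidenced",
                "Collect evidence: records, logs, review sign-offs")
    return ("Green",
            "Control in place with evidence of operation",
            "Maintain; re-verify at the next review")


def build_report(current=CURRENT_STATE, baseline=BASELINE) -> List[Finding]:
    """Compare the current state of every site against every baseline
    objective, producing one row per (site, requirement)."""
    rows: List[Finding] = []
    for site, state in current.items():
        for req_id, control in baseline.items():
            status, why, step = classify(state.get(req_id))
            rows.append(Finding(site, req_id, control, status, why, step))
    return rows


def prioritize(rows: List[Finding]) -> List[Finding]:
    """Order findings Red -> Yellow -> Green, then by site and requirement."""
    return sorted(rows, key=lambda f: (RANK[f.status], f.site, f.requirement))


def summarize(rows: List[Finding]) -> Dict[str, int]:
    """Count findings per color for the report's summary section."""
    counts = {"Red": 0, "Yellow": 0, "Green": 0}
    for f in rows:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    report = build_report()
    print(f"{'Status':7}{'Site':8}{'Req':6}Control / improvement step")
    for f in prioritize(report):
        print(f"{f.status:7}{f.site:8}{f.requirement:6}{f.control}: {f.improvement}")
    print("Summary:", summarize(report))
```

Each row of the report carries the three things the notes ask for: the color, the justification for that color, and the improvement step, so the same structure can be exported as the site-by-requirement table and used directly as the work queue for remediation.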