A Gap analysis can be a standalone project or, in most cases, combined with Roadmap Strategy development.
It identifies the gaps between current security practices and best practices.
Most organizations have never quantified and identified the weaknesses in their security processes and where they should be according to industry best practices.
This is a critical step in reducing future threats to the organization.
If a Gap analysis has previously been done, typically it is only focused on security tools, not the business processes used or the business function required.
A complete Gap analysis has to focus on people, process and technology.
Our solution uses quantitative and qualitative methods to define the current state and future state of your security environment. We determine how your organization maps to best practices and the steps needed to get to the next level of security and maintain a robust security environment as changes occur. We will identify deficiencies and correlate them to practical solutions.
A baseline for your future security architecture will be developed after the analysis is complete.
Gap closure requirements are derived from governmental laws, industry regulations and corporate governance and best practices. Common steps of a gap analysis include:
- Define the scope of each process and function being reviewed
- Gather all current documentation (policies, procedures, configuration standards, best practices used, etc.)
- Identify all hardware and software assets
- Interview individuals and document how the processes of the business function
- Regulatory compliance requirements (ISO, CoBIT, HIPAA, SOX and PCI)
- Existing policies, procedures and standards
- Software security development lifecycle processes
- Access controls and user provisioning processes
- Change control and configuration management
- Business continuity related to security
- Vulnerability management processes
- Asset identification processes
- Risk management processes
- Incident handling processes
- Endpoint architecture
- Remediation processes
- Physical security processes
- Compare security practices to best practices
- Prioritize the gaps and create a remediation plan
First we analyze the current security processes and gain an understanding of your current practices.
We identify gaps between existing processes and targeted best practices and determine what solutions are needed. Identifying business risks associated with current practices is as important as identifying technology gaps. Through the interview process and a review of documentation around practices, we provide a phased approach to closing the gaps and steps to ensure those gaps do not occur again.
The results are directly correlated to the Risk and Compliance measures most companies need to address. By solving the strategic weaknesses, the tactical weaknesses identified in a Compliance Risk Assessment are more easily resolved.