If you want to improve information security management or just want to find out how you currently measure up security-wise, there is no better place to start than with an information security gap analysis. There are many ways to carry out a security gap analysis but the most efficient method, we find, is to compare your information Security Management System (ISMS) with best practice, as defined in an industry standard. Using this comparison approach, you will quickly identify where your management structure, policies, processes and controls are not up to scratch and need to be improved or rethought.
We have been carrying out security reviews for many years, and whilst they can be different depending on the type and size of organisation, there are common steps that should be included for every information security gap analysis.
Identify an appropriate security framework. If your focus is payment card security, it is likely that you will want to use the PCI DSS standard to measure the adequacy of your security controls. If you are more concerned with Data Protection you will need to assess your policies and procedures against the GDPR.
The most common security framework we use is the ISO 27001 standard and its corresponding code of practice ISO 27002. Together these standards provide recommendations for information security management in all kinds of organisations. They cover best practice across all key security areas including risk assessment, access control, change management and policy requirements. The ISO 27001 standard provides an excellent yardstick against which you can compare your physical, technical and policy controls.
Security Management Structure
Evaluate how security management is organised and how the people in the organisation interact with the security management system. Identify the management structure from organisational charts, and high-level policies.
Interview both management and staff in all areas of the business including IT, HR, Facilities, Legal and Operational Units to establish what security management means to them. Most of the security risks your company faces have a human element to them, be they deliberate or unintended. Being caught out by a phishing email or a disgruntled employee who purposely steals confidential data are good examples. Including staff members in your information gathering can provide vital details on their understanding of security responsibilities, how effective security controls are or even how they are routinely bypassed.
Meet with the company’s leadership team and find out what the company’s key security objectives are and how they are communicated throughout the organisation. You should also try to understand what the short-term and long-term company objectives are and what new security risks may come to light as a result.
Processes and Procedures
Assess the organisations processes and procedures to see how they support security requirements. Review procedures to assess whether they are suitable and identify where procedures are required, if they are not already in place. Typical questions that will come up in this area are: –
- How often are security risk assessments carried out and who is responsible?
- What are the processes for new starters, movers and leavers with respect to pre-employment checks, job related access control and post-employment confidentiality?
- What are the processes for change control. Consider IT development, IT infrastructure changes and facilities changes. What are the levels of approval that are required before a change is made and is there back-out plan in case there is an unforeseen problem?
- Are security requirements considered within the organisation’s project management standards?
- How are staff trained to keep them aware of evolving security risks?
- How is the level of compliance with security policies assessed? Is there a security audit schedule?
- How often are security policies and procedures reviewed and who is responsible?
- Can information assets such as computer equipment, data and confidential documents be identified. Is there a designated owner for each type of asset?
- Are there rules for what is acceptable and what is not, in relation to the use of company assets?
- Is there a security incident management procedure in place?
If you are using ISO 27001 as the standard to assess security, Annex A of the standard provides a comprehensive checklist of all the areas that should be assessed.
Assess the suitability of the security controls that have been implemented within your technical environment including servers, desktops, networks, mobile devices, applications, cloud services and data. If one does not already exist, you should start by creating and inventory of each of these groups within your technical architecture.
In this phase of the gap analysis, you can compare best practice controls from your chosen standard, be it ISO 27002, PCI or the US standard NIST 800-53 against your implemented controls. From your inventory, select a sample of devices and applications to assess the controls and identify gaps and weaknesses. Be sure to assess preventive, detective and corrective controls in all areas. It is important to stop attacks in the first place, but it is equally important to be able to detect an issue and do something about it.
Recording Your Security Gap Analysis
It is helpful to detail your analysis in a table so that the assessment of each requirement or control area is recorded in a similar format. We would normally recommend recording the description of the asset or control area, details of the existing implemented controls, an assessment of whether the existing control can be considered adequate or deficient, details of the associated risks, a risk score (high, medium or low, for example) and a risk owner. You can also use the table to detail suggested actions or a risk treatment plan.
Conducting an information security gap analysis is an in-depth process that requires a detailed knowledge of security best practices and security risks, controls, and operational issues. Performing a security gap analysis cannot guarantee security, but it is the best way to check whether systems and security controls are robust and effective.
If your company would benefit from a security gap analysis and you would like to discuss the process further, please fell free to contact CIS.