IT Security Controls and Countermeasure Gap Analysis

A gap analysis means comparing and contrasting the “as is” to the “to be.” For security controls, this involves comparing the present state of controls with a desired state of controls. Well-known frameworks help organizations set up a desired state. This process also helps better manage operational risk. This includes adherence to regulatory and industry requirements to protect sensitive systems and information as well as privacy data.

At a minimum, common baseline security controls should be in place. Any gaps to the following types of controls should be clearly documented:

  • Information security policies—This provides direction for the entire organization regarding goals, risks, and applicable laws and regulations.

  • Information security responsibilities—This defines how staff will execute the policies, assign responsibilities, and promote accountability.

  • Information security awareness, education, and training—This defines the program to provide initial and ongoing security education across the organization.

  • Correct processing in applications—This prevents errors and unauthorized misuse of applications.

  • Vulnerability management—This reduces the risk of known vulnerabilities being exploited.

  • Business continuity management—This provides methods to continue critical operations in spite of business interruptions.

  • Security incident management—This ensures security-related events are communicated and acted upon to allow corrective action to be taken by security staff.

The report should clearly identify any major gaps. It should also provide supporting documentation on the overall implementation of controls, including a note of any gaps. A simple approach could include, for example, a spreadsheet with a list of controls and columns to identify whether a control is in place, partially in place, or not in place. Another common method is to use a percentage. Table 7-7 provides an example of identifying gaps for security incident management controls based on ISO/IEC 27002.

TABLE 7-7 Sample gap analysis of security incident management controls.

Control                                                        Completion Status
Report information security events as quickly as possible.     100%
Report security weaknesses in systems and services.            50%
Establish incident response responsibilities and procedures.   100%
Learn from your information security incidents.                0%
Collect evidence to support your actions.                      25%
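As an added illustration of the spreadsheet approach (example code, not from the text or from ISO/IEC 27002), the following Python scores each control's "as is" completion against its "to be" target, classifies it as in place, partially in place, or not in place, and lists the major gaps for the report. The 50-point "major gap" threshold and the 100% default target are assumptions; the sample data are the Table 7-7 controls.

```python
"""Added example: gap-analysis calculator for a control baseline (not from the text)."""
from dataclasses import dataclass

MAJOR_GAP_THRESHOLD = 50  # assumption: a gap of 50 points or more is "major"

@dataclass(frozen=True)
class Control:
    name: str
    completion: int    # "as is", percent complete
    target: int = 100  # "to be", percent; 100 unless the framework says otherwise

    @property
    def gap(self) -> int:
        """Distance from the desired state, never negative."""
        return max(self.target - self.completion, 0)

    @property
    def status(self) -> str:
        """Three-way status used in the spreadsheet method: in place / partial / not."""
        if self.completion >= self.target:
            return "in place"
        return "partially in place" if self.completion > 0 else "not in place"

# Constructed sample data: the incident management controls from Table 7-7.
INCIDENT_MGMT_CONTROLS = [
    Control("Report information security events as quickly as possible.", 100),
    Control("Report security weaknesses in systems and services.", 50),
    Control("Establish incident response responsibilities and procedures.", 100),
    Control("Learn from your information security incidents.", 0),
    Control("Collect evidence to support your actions.", 25),
]

def overall_completion(controls) -> int:
    """Family-level completion: mean of the control percentages, rounded."""
    return round(sum(c.completion for c in controls) / len(controls))

def status_counts(controls) -> dict:
    """How many controls fall into each status bucket."""
    counts = {"in place": 0, "partially in place": 0, "not in place": 0}
    for c in controls:
        counts[c.status] += 1
    return counts

def major_gaps(controls, threshold=MAJOR_GAP_THRESHOLD) -> list:
    """Controls whose gap meets the threshold, largest gap first, for the report."""
    return sorted((c for c in controls if c.gap >= threshold),
                  key=lambda c: c.gap, reverse=True)
```

For the Table 7-7 data this reports 55% overall completion and flags three major gaps, led by the "learn from incidents" control at 0%.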

Compliance Requirement

Proper security controls are essential to maintaining and safeguarding the IT environment, which exists to help drive the organization’s goals. You can group compliance broadly into two categories: compliance with internal policies and standards and compliance with regulatory and industry requirements. Controls explicit to compliance should be included as part of a policy to ensure adherence with applicable legislation and internal governance.

At a minimum, organizations should have a program to manage compliance with internal policies and standards. Specifically, this includes identifying areas of noncompliance and methods for correction. Additionally, technical controls should be in place to ensure systems are compliant with standards. This would also include a program for penetration testing and vulnerability assessments. In addition, the organization should have a documented control program in place. This program should manage the audit requirements of information systems.

The final report should identify how the report and the associated audit and assessment activities fit into the organization’s overall control program. Next, it should describe the current state of compliance with legal requirements and compare this with where the organization needs to be.

Has the organization identified all legal, regulatory, and industry-specific requirements? Without these key controls, it will be difficult for the organization to implement and enforce further controls. Additionally, the organization should document the gaps for the following requirements:

  • Respecting intellectual property rights (IPRs)—Organizations, regardless of size, depend on proprietary software and other intangible assets. Examples of intellectual property include those items protected by copyrights, trademarks, patents, and trade secrets. Intellectual property rights (IPRs) are the exclusive privilege to intangible assets.

  • Protecting and retaining organizational records—Laws and regulations set time periods for which organizations must hold and protect specific types of data.

  • Protecting personal information—Numerous laws have been enacted to protect the collection, processing, and storage of personal information.

  • Preventing users from using systems for unauthorized purposes—Because legislation provides protection against computer misuse, organizations are required to meet requirements for security monitoring and access notification.

  • Managing the proper use and import or export of cryptographic controls—Although laws have been relaxed in recent years, there are legal restrictions on the export of cryptographic technology to rogue states or terrorist organizations. In fact, strong cryptography for many years was considered munitions and was part of a list that included items such as firearms, tanks, chemical agents, and nuclear weapons.
