Tactical security assessments are great, with a focused scope that produces specific output aimed at improving the security of one particular aspect of your organization, whether it be your e-commerce website, your network perimeter, or your employee’s security awareness. But sometimes, it’s helpful to figure out what your organization’s strategic security posture looks like, and that’s where a Gap Analysis comes in. A high-level overview of your entire security program can help to identify deep-rooted issues, help you document issues that you know already exist (to get the funding you need to fix them), and help prioritize your improvement efforts. Additionally, having a reputable third-party audit your security program using a published standard (such as the CIS Top 20, PCI DSS, HIPAA, NIST) can help meet a lot of security requirements levied on you by outside organizations. Let’s take a look at our gap analysis methodology and how we conduct these strategic assessments.
What Standards Do We Base Our Gap Analysis On?
As mentioned above, a strategic level review is best conducted by using a published security standard. Not only does this help add organization and rigor to your program, it also helps validate your efforts by pointing to a widely accepted best practice standard. Our best practice gap analysis methodology always uses the Center for Internet Security (CIS) Top 20 Security Controls, as this is one of the most robust and widely accepted standards across all industries. Obviously, some organizations may have more specific industry requirements, which would prompt the use of other standards, such as the Payment Card Industry Data Security Standard (PCI DSS) or the National Institute of Standards and Technology CyberSecurity Framework (NIST CSF). We discussed some of the standards that are out there and why you should choose on in particular here.
What’s the Process?
The primary goals of a Gap Analysis are to understand what holes there are in your security program and then develop a prioritized plan to remediate those holes. We do this by holistically assessing security in your organization, starting with your top-level documentation and network diagrams to gain context. By performing these architectural reviews, we can not only gain a deeper understanding of your network and where potential problems may lie, but we can also get more benefit from further interviews with your organizations resources. During these interview sessions, we’ll be diving into the nuts and bolts of your security program, including what processes you have in place, how your network architecture matches up to best practice, what tools have you implemented and how are you using them, etc.
1. Gather Information
After initiating the project, information will be collected from the client. In the case of a gap analysis, this information will include any applicable policies/procedures, network diagrams, etc. Additionally, during this introductory phase of the assessment we’ll look to get a rough schedule together for interviews.
2. Review Rules of Engagement
This process will involve a brief meeting with the client to review and acknowledge the Rules of Engagement (ROE) for the assessment, confirm project scope and testing timeline, identify specific testing objectives, document any testing limitations or restrictions, and answer any questions related to the project.
1. Documentation Review
Prior to meeting with client resources, it helps for us to have an idea of what policies/procedures are currently in place and being followed at an organization. This helps us ask more focused questions, begin identifying areas for improvement, ensure reality matches up with stated policy, and be more efficient with time-limited interview sessions. We’ll request all policies/procedures that you think are important, but some of the key ones we’re looking for include:
- System Hardening Guide
- Change Management Policy
- Authentication/Authorization Policies
- Security Awareness Training Programs
- Incident Response Plan
2. Architecture Review
In the same vein as the documentation review, it really increases the value of our conversations if we have a good understanding of your overall network architecture. Network diagrams, data flow diagrams, and segmentation diagrams can help us identify significant areas of concern in your overall architecture. All of this information also provides context to help us customize and focus our recommendations on your specific environment.
This phase is really the meat of the assessment. During this portion, we’ll schedule a series of interviews with the different organizational stakeholders that are involved in the different aspects of your security program. Generally, we’ll start with an introductory session with the person or group of people that have the most overall knowledge about the organization, their business processes, where the security program is at today, and understand the strategic vision. From there, interviews will continue to narrow in focus, with potential sessions including:
- Asset Management
- Network Design, Device/Firewall Management
- Application Security and Software Development Life Cycle
- Host/Server Hardening and Management
- Identity and Authentication Management
- Personnel Processes (e.g. Human Resources)
- Logging and Monitoring
- Incident Response
- Physical Security
- Security Awareness Training
After completing the assessment, Triaxiom will formally document the findings. The output provided will generally include an executive-level report and a technical findings report. The executive-level report is written for management consumption and includes a high-level overview of the assessment activities, scope, most critical/thematic issues discovered, overall risk scoring, and organizational security strengths. The technical findings report, on the other hand, will include all issues listed individually, details about the issues, an overview of the risk, recommended remediation actions, and helpful reference links.
2. Quality Assurance
All assessments go through a rigorous technical and editorial quality assurance phase. This may also include follow-ups with the client to confirm or deny details gathered during the assessment, as appropriate.
The final activity in any assessment will be a presentation of all documentation to the client. Triaxiom will walk the client through the information provided, make any updates needed, and address questions regarding the assessment output. Following this activity, we’ll provide new revisions of documentation, if applicable.
Hopefully this helps explain our gap analysis methodology. Of course, our approach is fluid for every assessment, and can differ based on your organization’s particular goals. Additionally, oftentimes during these assessments we’ll take particular care to focus on areas that cause the most concern or risk to your organization. Our goal is to provide you with a holistic view of your risk for your organization as a whole, and help you develop a strategic plan to continue to mature your information security program.