Security Gap Analysis
Copyright 2019, Faulkner Information Services. All Rights Reserved.
Publication Date: 1907
Publication Type: IMPLEMENTATION
Every enterprise has gaps in
its information security infrastructure. Closing these gaps can
only be accomplished by following a clear strategy based on careful
evaluation and analysis. While a gap analysis sounds simple – find the
gaps and close them – it is an ongoing process as networks are constantly
changing. Hackers know this and continue to
probe networks even after being rebuffed a number of times. The results
of not doing a gap analysis can be disastrous.
- Executive Summary
- Possible Pitfalls
- Step-by-Step Implementation
- Web Links
- Related Reports
Executive Summary
Enterprise information systems
are under constant attack by viruses, worms, Trojan horses, and other network
– and non-network – threats. These attacks can result in:
- Loss of revenue
- Loss of customers
- Loss of investor confidence
- Loss of market share
- Civil litigation
- Regulatory sanctions
- A diminished reputation
To help identify information system vulnerabilities
BEFORE they are exploited by hackers, many enterprises
conduct regular information security gap analyses.
An information security gap analysis is
a form of risk analysis designed to
determine the differences between the present state of information security
within an enterprise and its ideal state. One of the preferred methods of performing
an information security gap analysis is to ask a series of probing questions in the manner of
a security audit. For example, if one of the objectives of the
Enterprise Information Security Plan is to limit access to central servers and
other IT infrastructure components, critical queries may include:
- Are all enterprise servers housed in a restricted area, like a computer room?
- Is access to the computer room limited to essential personnel?
- Are biometric
access controls employed to govern entry?
- Is the computer
room monitored by video surveillance cameras?
- How many attempts at unauthorized access
are routinely recorded and how are these incidents investigated?
The purpose of these questions is not to
play "gotcha," but to determine what level of security control
is being exercised, what "gaps" are present, and what additional
security measures can be applied (within the limit of reason and
finances). The process should not be adversarial; in fact, both
parties – the analyst and the security team – should view the experience as an opportunity to improve security,
not score political points.
The Gap Analyst
While it may seem counterintuitive, the
individual conducting an information security gap analysis should not be a
security "expert." Experts tend to focus narrowly on one
aspect of security, say network security, while ignoring other aspects,
like laptop security. Also, experts are inclined to concentrate on
technical details rather than examining the "big picture."
It’s Not Just Network Security
While there’s a natural tendency to focus on network security –
ensuring proper protection from viruses, worms, and other forms of malware
that propagate over the Internet – an information security gap analysis is not
complete without considering other common, but often overlooked, exposures
such as laptop security, physical security, business continuity, and insider threats.
In one of the more infamous security
breaches on record, a Veterans Administration employee placed the
personal records of 26 million veterans at risk when a laptop containing
the data was stolen from his home. Since then, a number of
high-profile incidents involving laptops has raised public alarm and
undermined public confidence in the ability of companies and agencies to
protect sensitive, confidential, and proprietary data. In virtually all cases, an
information security gap analysis would have revealed:
- The failure to password-protect files.
- The failure to encrypt sensitive data (a file password alone does not protect data read directly from a stolen disk; disk encryption does).
- The failure to store laptops in a secure location.
Although physical security and information security are considered,
by many, separate
disciplines, they actually overlap. In particular, when performing
an information security gap analysis, an examiner should determine:
- Who has physical access to IT
infrastructure components, like servers and routers?
- What environmental safeguards exist,
i.e., temperature and humidity controls?
- What provisions have been made to protect equipment against fire and
Along with physical security, business continuity is a critical factor
in evaluating information security. In the course of an information
security gap analysis, an examiner should determine:
- What happens in the event of a disaster affecting the IT infrastructure?
- How will the security of information and information systems be maintained?
- Does the recovery plan provide for recovery site security?
Most experts agree that the majority of security incidents – either
inadvertent or intentional – are committed (or enabled) by employees or other
insiders. An information security gap analysis should explore the following:
- How are security and IT personnel vetted?
- Are there security awareness programs that discourage insider attacks?
- What action (or actions) should be taken against individuals who
deliberately and maliciously violate information security?
The Cloud Gap
In recent years, enterprise information and
information systems have been steadily moving to "the cloud," essentially,
third-party IT providers that service enterprise clients across the Internet. Since a gap analysis is designed to examine conventional, i.e., "on-premise,"
information systems for security vulnerabilities, the process does little to
inform enterprise officials of the state of cloud provider security. Nonetheless, a good gap analysis will include efforts to assess the security
commitment of each cloud provider by inquiring about the provider’s security and
business continuity plans. While a provider may be
understandably reluctant to share specific plan details, the provider should be willing
to describe at least in general terms how client data is protected and how the
provider itself conducts information security gap analyses. Independent attestations,
such as an ISO 27001 certificate whose scope covers the services actually in use, stand in
for the detail a provider will not disclose; check the scope statement, not just the certificate.
When conducting an information security gap analysis, experts suggest a
methodical approach, stressing pre-analysis preparation.
- Adopt an information security standard (if one
does not already exist). Consider ISO 27001 for security-only coverage, or COBIT for IT/security governance.
- Define the scope of the analysis. In a large enterprise, it may be prudent – or even necessary – to
conduct multiple analyses, evaluating, for example, one location at a
time, or assessing network security separately from mobile and wireless security.
- Assemble all relevant documents. This includes all information security standards, policies, plans, protocols,
procedures, and guidelines.
- Gain senior management approval. If necessary, the chief security officer (CSO) should "run
interference" for the analyst, persuading business and technical
managers to cooperate in identifying – and filling – security gaps.
- Create a comprehensive information security
questionnaire. Use the questionnaire to elicit information
about current information security practices, and expand the questionnaire as
new avenues of inquiry appear. Suppose, for example, a
preliminary question reveals the use of two different types of
physical access controls. A follow-up question might reveal how
each type is utilized, setting the stage for a new enterprise
standard. In addition to improving efficiency,
the use of
a standardized questionnaire permits a year-over-year comparison of
gap analysis results, revealing how security performance varies over time.
- Look for gaps from a total systems
management perspective. Information security exists within the realm
of multiple systems management disciplines, including incident and
problem management, change and release management, configuration
management, service level management, and IT service continuity management. Ensure that information security is consistent across the
full range of these functional areas.
- Publish a preliminary Information Security Gap
Analysis report. Before documenting any deficiencies for
senior management consumption, offer security personnel an opportunity
to review and challenge any findings. Where gaps are discovered,
offer these same personnel the opportunity to close or reduce the gaps
before a final report is issued. In this way, analysts can earn
the trust and confidence necessary to perform an in-depth analysis.
- Develop a remediation plan. Working in concert with the
CSO, develop a plan to eliminate – or, at least, reduce – any
information security gaps.1
ISO 27001 Gap Analysis
Owing to its universality, an essential trait in this era of globalization,
many enterprises adopt the ISO 27001 standard or, more officially,
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management
systems – Requirements. Published jointly by ISO and the International Electrotechnical Commission (IEC), ISO/IEC 27001:2013
"specifies the requirements for establishing, implementing,
maintaining and continually improving an information security management system
(ISMS)." Germane to the discussion of gap analyses, ISO 27001 "includes
requirements for the assessment and treatment of information security risks."
While an ISO 27001 gap analysis can be conducted in-house, analyst Camden Woollven
recommends enlisting the aid of an experienced security consultancy.
"Consultancy-led gap analyses typically consist of two key phases.
First, an ISO 27001 specialist will assess your existing information security
arrangements and documentation. These will be compared against the requirements
of ISO 27001 to identify any opportunities for improvement in the existing
arrangements, address shortfalls against the Standard’s requirements and
mitigate the risk of data breaches.
"Second, following the assessment, you will receive a gap analysis report
collating the findings. It will likely detail:
- "The overall state and maturity of your information security arrangements;
- "The specific gaps between these arrangements and the requirements of ISO 27001;
- "Options for the scope of an ISMS, and how they help to meet your
business and strategic objectives; and
- "An outline action plan and indications of the level of internal
management effort required to implement an ISO 27001 ISMS."2
This third-party approach is equally applicable to other information security
standards, and should be considered a viable alternative to do-it-yourself
analyses, especially when security and IT staffs are new to risk management.
Possible Pitfalls
Not Establishing Gap Analysis as a Regular Practice
Unless an enterprise regularly performs a gap analysis, it may be
overwhelmed by the number of gaps it finds when it eventually does conduct one.
Prioritize the "leaks," patch the ones that present the greatest threat,
then schedule the
next round of fixes.
Lack of Objectivity
It is difficult for internal systems administrators to
objectively analyze an enterprise’s security controls.
While it may be prudent to engage outside experts, a company’s or agency’s IT
department should be involved in all phases of a gap analysis, including the
preparation, the conduct, and, most important, the development of plans
designed to eliminate any security exposures. The reason is twofold.
First, the IT staff is a valuable source of operational information; and second,
the IT staff will almost certainly be involved in implementing – and
maintaining – any security fixes. In short, the IT staff definitely needs to be
"on-board" with any proposed changes.
Using Consultants Who Do Not Have Relevant Industry Experience
Whether intentional or not, consultants may feel pressure to overstate elements
that they can fix and understate other elements. Boilerplate analyses and
remedies are also hazards. Choose a consultant that knows the applicable
industry and has a business orientation that is consistent with that of the enterprise.
Check a consultant’s references. Regulatory mandates like HIPAA have been a
boon to the security industry, creating a large crop of information security firms.
Not all are equally capable.
IT Staff Turnover
High turnover in the IT field has also laid the groundwork for an increased
threat of security breaches. Attacks by disgruntled current and former employees represent a high percentage of database and network breaches.
Security Not Being Seen as A Priority
Large enterprises are so focused on rolling out new infrastructure
and products that they frequently lose sight of security.
Fear of Bad News
Many firms are reluctant to conduct a gap analysis for fear of what it might
reveal. The good news is that a gap analysis highlights both weaknesses and
strengths. This dual perspective can help empower an enterprise by acknowledging
what it does right while at the same time encouraging that enterprise to change what it does wrong.
Conflicting Business Priorities
Despite good intentions, an information security gap analysis may be
postponed to accommodate other previously-scheduled or time-sensitive projects.
Reflecting on his personal experience, analyst Gary Hayslip warns, "I have seen assessments fall apart despite having the
best methodology, tools and people, because the assessor never put together a
plan that accounted for current business operations. So when the assessors came
on site to start, they found that what they wanted to do for the assessment
impacted the business units and the whole process quickly ground to a halt.
Remember, the purpose of the gap analysis is to identify risk hazards, not
Before committing to an information security gap analysis, ensure that
required resources are available, and the schedule is clear.
Step-by-Step Implementation
While there is no standard methodology for conducting a gap analysis,
there is a basic approach which can be followed by all enterprises.
Before beginning a gap analysis, enterprises should define current and
future business requirements, as this creates a better understanding of
what portions of the business are most critical in the event of a
disaster. The next step is to identify information security gaps within the
enterprise; these fall into three major categories: people, processes, and technology.
Finally, enterprises should develop an information security roadmap
to be used to drive the gap analysis.
A gap analysis cannot succeed without organizational support. To gain
the attention of senior management, engage a consulting firm to test
enterprise defenses – a process called "penetration testing" or "ethical hacking". In most
cases, the firm will be able to access sensitive systems using the same techniques
hackers employ. This will convince skeptics that a more formal gap analysis is warranted.
The next step is to decide whether to outsource the analysis or conduct it in
house. While doing it yourself is usually less expensive, security consultants
offer greater expertise, especially in the latest hacking techniques.
Finally, if the analysis is conducted in-house, develop a comprehensive plan
designed to test security systems and procedures. Most importantly, the plan should cover the
entire enterprise, not just the IT department.
The following is a representative gap analysis process.
Step 1: Stage a Systems Break-In
Engage a security consulting company to conduct a
systems break-in. Ask the company to operate in the manner of a hacker or
cyber-terrorist and pierce enterprise defenses. Agree the scope, the rules of
engagement, and written authorization before the test begins, so that the exercise
can be told apart from a real attack and stopped if it threatens production. If they
are successful (and, unfortunately, they will be), their simulated attack will offer
two major benefits:
- For anyone who still needs to be convinced that
security is a major issue, it will elevate the level of concern beyond
the realm of perceived risk to one of real risk.
- The attack will probably target the same
vulnerabilities that real-world cyber-criminals would exploit, allowing
the most serious exposures to be identified and eliminated.
Step 2: Secure Senior Management Approval
Much like business continuity planning, conducting a gap analysis requires
cross-organizational cooperation. In many enterprises, achieving such
cooperation is only possible through the eager endorsement of senior management.
The time to gain organizational cooperation is early on, as it is difficult to
get everyone on board when it comes to gap analysis.
Step 3: Establish the Scope of the Analysis
Establish the extent of the gap analysis as well as its general
objectives. This can be accomplished by asking the following key questions:
- Will the analysis include physical as well as digital security?
- Will the investigation focus on the headquarters
location, or will it also encompass branch office and remote sites?
- Will the analysis concentrate only on "customer-facing" applications or will it include
all IT systems?
- What resources will be available to conduct the
analysis? Budget? Personnel? Facilities?
- What is the timetable? When will management expect to
see concrete results?
- What regulatory mandates must be adhered to? Are
there any mandated procedures that must be used to meet them?
- Have all of the project parameters been established?
In particular, have all of the issues been identified? If there are
outstanding issues, when will they be resolved?
Step 4: Determine Whether to Outsource or Conduct the Analysis In-house
After receiving permission to conduct a gap analysis, the big question is
whether or not to outsource. Table 1 summarizes some of the
advantages and disadvantages of an outsourced analysis.
Table 1. Outsourced Gap Analysis: Advantages and Disadvantages
Advantages | Disadvantages
In general, greater and more current security expertise. | Unfamiliarity with specific
Ironically, the potential for | In general, higher costs.
 | Resentment from in-house staff.
Both outsourcing and
"in-sourcing" are viable options. If outsourcing is
selected, the process must be closely supervised by management to
ensure the cooperation of all personnel. In addition, in-house security
staffers can learn a great deal from their outsourcer colleagues. If
in-house development is selected, proceed with Step 5.
Step 5: Assemble a Gap Analysis Team
Coordinate all activities related to the gap analysis, including planning,
implementation, analysis, and reporting, and assemble a gap analysis team. This
multi-disciplinary team should include:
- In-house security experts.
- Members of the IT department.
- Customers, both internal and external.
- Trusted business partner personnel, particularly any
analysts who are wrestling with the same or similar security problems
within their own enterprises.
Step 6: Resolve Any “Jurisdictional” Issues
Closely related to the previous item, determine which
organizations might claim jurisdiction or authority over all or part of the
analysis process. Consult with groups such as:
- Corporate auditing
- Business continuity
- The Project Management Office (PMO)
- The Risk Management Office
Ask these organizations to appoint individuals to participate as members of
the gap analysis team, to contribute their own expertise and experience, and to
function as liaisons to their respective groups.
Step 7: Identify Current Security Standards
Determine all relevant security standards and
protocols. This includes the enterprise security policy, enterprise "acceptable use" policy, any statement
of enterprise security standards, and, depending on factors such as industry and
geography, any relevant governmental regulations such as HIPAA,
Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), and the
European Union (EU) General Data Protection Regulation (GDPR).
The GDPR has applied since May 25, 2018. It builds on the EU
Data Protection Directive of 1995, which aimed to protect the fundamental rights
and freedoms of natural persons, focusing on their right to privacy with regard
to the processing of their personal data.
The GDPR applies not only to organizations located within the EU but
also to organizations located outside of the EU if they offer goods or
services to, or monitor the behavior of, EU data subjects. It applies to all
companies processing and holding the personal data of data subjects residing in
the European Union, regardless of the company’s location.
As, arguably, the world’s most stringent regulation affecting data security
and privacy, GDPR is a sensible baseline for IT project teams: meeting its
requirements covers much, though not all, of what other security and privacy
rules demand.
Step 8: Collect All Relevant Security Documents
In concert with the previous item, collect all
pertinent documentation relating to security standards such as
policies, protocols, plans, and procedures, plus any pre-existing
analyses of the enterprise’s security infrastructure. It is also
important to gather all documentation relating to the deployment and
use of enterprise hardware and software.
Step 9: Create a Gap Analysis Checklist
Just like any project, a gap analysis should
proceed according to a specific
plan or checklist. The checklist is important because it will:
- Ensure the analysis is complete and
comprehensive by allowing others to review it prior to implementation.
- Provide a structure for recording (and later
reporting) the results of the analysis.
- Provide a baseline for future gap analyses.
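The checklist described in Step 9, and the standardized questionnaire recommended in the preparation steps earlier in this report, are easiest to keep comparable from one analysis to the next when the items are held in structured form. The Python below is an added example and is not code from the report or from Faulkner; the control identifiers, questions, severities and both rounds of answers are constructed for illustration and do not come from any standard. The functions return the open gaps, a severity-ordered list for the remediation plan, and the gaps closed, newly opened and persisting between two rounds.

```python
"""Gap-analysis checklist scoring (added example, not from the report).

Checklist items, severities and both rounds of answers below are
constructed for illustration; the control identifiers are hypothetical.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Item:
    control_id: str   # hypothetical identifier, not from any standard
    question: str
    expected: bool    # the answer that means "no gap"
    severity: str     # drives remediation order


CHECKLIST = [
    Item("PHY-01", "Are all servers housed in a restricted computer room?", True, "high"),
    Item("PHY-02", "Is computer-room entry governed by badge or biometric controls?", True, "medium"),
    Item("ACC-01", "Are accounts of terminated employees disabled promptly?", True, "high"),
    Item("ACC-02", "Are dormant accounts suspended?", True, "medium"),
    Item("MOB-01", "Are laptop disks encrypted?", True, "high"),
    Item("BCP-01", "Does the recovery plan cover recovery-site security?", True, "low"),
]

# Constructed answers for two assessment rounds: control_id -> observed answer.
ROUND_2018 = {"PHY-01": True, "PHY-02": False, "ACC-01": False,
              "ACC-02": False, "MOB-01": False, "BCP-01": False}
ROUND_2019 = {"PHY-01": True, "PHY-02": True, "ACC-01": False,
              "ACC-02": True, "MOB-01": True}          # BCP-01 left unanswered


def find_gaps(checklist, answers):
    """Control ids whose observed answer differs from the expected one.
    An unanswered item counts as a gap: unverified is not the same as met."""
    return [i.control_id for i in checklist
            if answers.get(i.control_id) != i.expected]


def remediation_order(checklist, answers):
    """Open gaps ordered for the remediation plan: highest severity first,
    then by control id so the output is stable between runs."""
    open_ids = set(find_gaps(checklist, answers))
    open_items = [i for i in checklist if i.control_id in open_ids]
    open_items.sort(key=lambda i: (SEVERITY_RANK[i.severity], i.control_id))
    return [i.control_id for i in open_items]


def year_over_year(checklist, previous, current):
    """Compare two rounds answered against the same checklist."""
    before = set(find_gaps(checklist, previous))
    after = set(find_gaps(checklist, current))
    return {"closed": sorted(before - after),
            "new": sorted(after - before),
            "persistent": sorted(before & after)}


def coverage(checklist, answers):
    """Fraction of checklist items met, for the summary line of the report."""
    return 1 - len(find_gaps(checklist, answers)) / len(checklist)


if __name__ == "__main__":
    print("2019 remediation order:", remediation_order(CHECKLIST, ROUND_2019))
    print("change since 2018:", year_over_year(CHECKLIST, ROUND_2018, ROUND_2019))
    print(f"2019 coverage: {coverage(CHECKLIST, ROUND_2019):.0%}")
```

Treating an unanswered item as a gap is deliberate: a question nobody answered is an item nobody verified, and the year-over-year view then shows it as persistent rather than silently closed.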
Step 10: Conduct a Hardware and Software Inventory
Conducting a hardware and software inventory is
vital because it will help determine whether or not the
enterprise’s hardware and software systems are configured
according to enterprise asset management plans.
The inventory also offers an opportunity to discover any
shadow IT applications. Shadow IT is a
relatively recent phenomenon in which employees invoke public cloud programs
like Dropbox without the approval – or even knowledge – of enterprise IT –
effectively expanding the enterprise software portfolio with unsanctioned – and
potentially insecure – third-party software.
Step 11: Review All Information Security Classifications
Because not all information assets are critical, it is important to ensure
that security efforts are commensurate with the value of the assets being
protected. In some cases, enterprises categorize their information
according to relative asset value and sensitivity, by applying such labels as:
- Restricted use
- Limited availability
- Top secret
For enterprises that use such categorization schemes,
answer the following questions:
- Is the classification scheme employed on an
enterprise-wide basis? If not, why not?
- Is critical information properly classified? Check
some common information types, such as financial data, personnel
records, customer information, and research and development data.
- Are critical information assets marked as critical?
In other words, are terms such as ‘classified’ or
‘confidential’ attached to each critical asset?
- Are secured information assets consistent with their classification?
- Are the graduated security controls adequate to
protect the most sensitive assets?
Step 12: Review All Information Access Controls
By one estimate, over 80 percent of all security
breaches are initiated by
individuals inside the enterprise, or by persons who have left the enterprise
under unhappy circumstances. Some employees have grievances, even if they have
not left the enterprise, and many also have access to critical systems. When the
two converge, the effects can be deadly.
The best way to mitigate the risk is to ensure that employee access to
critical or sensitive information is strictly controlled. To help evaluate these
safeguards, determine the following:
- Are access privileges granted on a ‘need to know’ basis? If not, how are they allocated?
- Are employees required to sign non-disclosure agreements?
- Are passwords and other logical access controls enforced?
- Are the user accounts of terminated employees disabled promptly?
- Are inactive or dormant accounts suspended?
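The last three questions above are better answered from data than from interviews: a directory export joined against the HR roster shows directly which departed employees still have enabled accounts, which accounts are dormant, and which privileged memberships have no recorded approval. The Python below is an added example and not code from the report; the account export, the HR roster, the privileged group names, the 90-day dormancy threshold and the review date are all constructed and assumed for illustration.

```python
"""Access-control review over a constructed account export (added example).

The CSV export, HR roster, privileged group names, the 90-day dormancy
threshold and the review date are all assumed for illustration.
"""
import csv
import io
from datetime import date

# Constructed directory export: one row per account (not real data).
ACCOUNTS_CSV = """\
username,enabled,last_login,groups,approval_ticket
alice,true,2019-06-30,domain-users;db-admins,CHG-1042
bob,true,2019-01-15,domain-users,
carol,false,2018-11-02,domain-users;backup-operators,
dave,true,2019-07-01,domain-users;db-admins,
erin,true,2019-06-28,domain-users,
svc-backup,true,2019-07-02,backup-operators,CHG-0991
"""

# Constructed HR roster: username -> employment status.
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "terminated",
             "dave": "active", "erin": "active"}

PRIVILEGED_GROUPS = {"db-admins", "backup-operators"}   # assumed group names
DORMANT_DAYS = 90                                        # assumed policy threshold
AS_OF = date(2019, 7, 5)                                 # assumed review date


def parse_accounts(text):
    """Turn the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_login": date.fromisoformat(row["last_login"]),
            "groups": set(filter(None, row["groups"].split(";"))),
            "approval_ticket": row["approval_ticket"].strip(),
        })
    return accounts


def terminated_but_enabled(accounts, roster):
    """Departed staff whose accounts were never disabled."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and roster.get(a["username"]) == "terminated")


def dormant(accounts, as_of, days=DORMANT_DAYS):
    """Enabled accounts with no login in more than `days` days."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and (as_of - a["last_login"]).days > days)


def privileged_without_approval(accounts, privileged=PRIVILEGED_GROUPS):
    """Privileged membership with no recorded need-to-know approval."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["groups"] & privileged
                  and not a["approval_ticket"])


def no_hr_owner(accounts, roster):
    """Enabled accounts absent from HR: service or orphaned accounts that
    need a named owner before the next review."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["username"] not in roster)


def review(text, roster, as_of):
    """Run all four checks and return the findings keyed by check name."""
    accounts = parse_accounts(text)
    return {
        "terminated_but_enabled": terminated_but_enabled(accounts, roster),
        "dormant": dormant(accounts, as_of),
        "privileged_without_approval": privileged_without_approval(accounts),
        "no_hr_owner": no_hr_owner(accounts, roster),
    }


if __name__ == "__main__":
    for finding, names in review(ACCOUNTS_CSV, HR_ROSTER, AS_OF).items():
        print(f"{finding}: {names or 'none'}")
```

Disabled accounts are excluded from every check on purpose: the review measures exposure, and a disabled account of a former employee is the control working, not a gap. Accounts with no HR owner are reported separately because they are usually service accounts, which need an owner and an approval record just as people do.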
Step 13: Examine the System Maintenance Logs
Determine if vendor security patches are being
applied in a timely fashion. Consider, for example, that the Code Red
worm exploited an exposure in Microsoft’s Internet Information Server;
an exposure that was publicized at least a month before the worm
struck. Had network administrators installed the patches provided by
Microsoft when the vulnerability was first discovered, the Code Red
worm would probably never have taken hold.
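A maintenance log only answers the timeliness question once someone computes, for every host and every advisory, the lag between publication and installation. The Python below is an added example and not code from the report; the log format, the advisory identifiers, the host list, the per-severity deadlines and the review date are all constructed for illustration. It reports late installs and, separately, hosts for which no install was ever logged, since an unlogged patch cannot be distinguished from a missing one.

```python
"""Patch-lag check over constructed maintenance-log lines (added example).

Log format, advisory ids, hosts, per-severity deadlines and the review
date are assumed for illustration; they are not any vendor's real format.
"""
import re
from datetime import date

MAINTENANCE_LOG = """\
2019-06-11 ADVISORY id=ADV-2019-06 severity=critical
2019-06-11 ADVISORY id=ADV-2019-07 severity=moderate
2019-06-14 PATCHED host=web01 id=ADV-2019-06
2019-06-30 PATCHED host=web02 id=ADV-2019-06
2019-06-20 PATCHED host=web01 id=ADV-2019-07
"""
HOSTS = {"web01", "web02", "db01"}                          # assumed asset inventory
DEADLINE_DAYS = {"critical": 7, "moderate": 30, "low": 90}  # assumed patch policy
AS_OF = date(2019, 7, 5)                                    # assumed review date

ADVISORY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) ADVISORY id=(\S+) severity=(\S+)$")
PATCHED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) PATCHED host=(\S+) id=(\S+)$")


def parse_log(text):
    """Return ({advisory_id: (published, severity)},
               {(host, advisory_id): installed})."""
    advisories, installs = {}, {}
    for line in text.splitlines():
        m = ADVISORY_RE.match(line)
        if m:
            advisories[m.group(2)] = (date.fromisoformat(m.group(1)), m.group(3))
            continue
        m = PATCHED_RE.match(line)
        if m:
            installs[(m.group(2), m.group(3))] = date.fromisoformat(m.group(1))
    return advisories, installs


def patch_lag_findings(text, hosts, as_of, deadlines=DEADLINE_DAYS):
    """Hosts that missed the deadline for an advisory.

    Each finding is (host, advisory_id, status, days): "late" with the
    actual lag, or "missing" with the days elapsed so far. Hosts still
    inside the deadline, patched or not, produce no finding.
    """
    advisories, installs = parse_log(text)
    findings = []
    for adv_id, (published, severity) in advisories.items():
        limit = deadlines[severity]
        for host in sorted(hosts):
            installed = installs.get((host, adv_id))
            if installed is None:
                elapsed = (as_of - published).days
                if elapsed > limit:
                    findings.append((host, adv_id, "missing", elapsed))
            elif (installed - published).days > limit:
                findings.append((host, adv_id, "late", (installed - published).days))
    return findings


if __name__ == "__main__":
    for host, adv_id, status, days in patch_lag_findings(MAINTENANCE_LOG, HOSTS, AS_OF):
        print(f"{host}: {adv_id} {status} ({days} days)")
```

The host list comes from the inventory built in Step 10 rather than from the log itself, which is the point: a host that never appears in the patch log is the one most likely to be running the vulnerable version.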
Step 14: Verify the System Backup Procedures
While normally discussed within the context of business continuity,
there is no process more fundamental to the interests of information
security than backup and recovery. If information is lost or destroyed
as the result of a security breach, all or part of that information can
be restored from off-site media. As a function of the gap analysis,
enterprises should determine the following:
- Is digital data being backed up on a regular basis?
- Is the backup data being stored in a secure offsite location?
- Importantly, considering that offsite data can deteriorate over time, what controls are in place to ensure its integrity? Are restores tested periodically to confirm that the media remain readable and complete?
Step 15: Interview Employees and Other “Security Users”
Despite an enterprise’s best laid plans, there is often
a wide gap between a
system’s intended use and its actual use. To measure the level of compliance
with access and other security controls, interview the users on a confidential basis to ensure cooperation and candor and
to determine the following:
- Has the importance and need for security been
explained to employees?
- Are employees aware of the latest security policies,
practices, protocols, and procedures?
- Do employees feel these procedures interfere with their work?
- Do employees attempt to circumvent any of these
inconvenient procedures? Are they successful in doing so?
- Which procedures, if any, would employees retain, and
which procedures, if any, would they eliminate?
- What would employees do if they had the
responsibility for administering security?
Step 16: Evaluate Current Security Practices
Determine the efficacy of current security practices by comparing the conduct
of those practices against established enterprise norms and
security principles. For example, most enterprises require that
corporate PCs be equipped with anti-virus software. To assess compliance with this
requirement, determine:
- Do all PCs have anti-virus protection?
- Are these anti-virus packages updated as soon as
vendor maintenance patches are released?
Importantly, extend the evaluation beyond on-premise equipment to
encompass laptops and smartphones. Operating with the owner’s
consent and cooperation, examine a representative cross-section of
mobile devices to ascertain their security worthiness. Determine
whether enterprise employees are as conscientious about maintaining
security as enterprise IT and security personnel. Leverage the
findings to enhance security awareness training.
Step 17: Document All Findings and Recommendations
At the conclusion of the gap analysis, it is vital
to document (in detail) all findings and recommendations.
Step 18: Develop a Remediation Plan
While not technically a part of the gap analysis,
it is a good practice to develop a plan to plug the holes the gap
analysis discovered. In developing a plan, schedule activities
according to the severity of the exposures, with high-risk items
earning first attention.
Step 19: Schedule the Next Gap Analysis
Security planning is not a one-time-only event. Because the
environment is subject to constant change, and new security threats
arise on a daily basis, the shelf life of a security gap analysis is relatively
short. A new gap analysis should be conducted every three to six months, or more
frequently if enterprise resources can support it.
Step 20: Create an EU- and Asia/Pacific-Version of the Gap Analysis
Most large enterprises – and some small – boast a global computing
infrastructure. It may be necessary – and probably prudent – to
conduct multiple geographically-based gap analyses – at minimum, one
targeting systems serving the European Union and another aimed at
Asia/Pacific operations. At the very least, different
jurisdictions means different regulations. At best, a US- or North
American-based gap analysis would have to be tweaked to identify EU and
Asia/Pacific vulnerabilities. A one-size-fits-all approach to
conducting an information security gap analysis will not work.
Step 21: Conduct a Physical Security Gap Analysis
An information security gap analysis should be supplemented by a physical
security gap analysis. Engage a
security consulting company to develop and execute a physical penetration
test. During the exercise, one or more physical pen testers may attempt to:
- Penetrate a building perimeter by
scaling a surrounding fence and eluding video detection (most video
surveillance systems have "blind spots").
- Persuade an employee or business
partner to grant access
to an enterprise facility through cajolery or other verbal means.
- Determine the willingness of employees
or business partners
to tolerate "tailgating" and, in the process, determine the
willingness of employees to ignore well-established security protocols.
- Enter a facility using
counterfeit credentials – credentials that experienced security
guards should recognize as false even under casual scrutiny.
- Carry contraband into a facility
despite a physical inspection of one’s person and property by a
security guard.
- Similarly, remove an object like a
laptop from a facility (again, by avoiding detection by a security
guard).
facility and measure the time it takes for someone to discover and
report the finding to security; also, the number of individuals who
ignore the package.
- Collect confidential information from
employee desktops (or other areas in plain view).
- Engage in "dumpster diving" to measure
compliance with document disposal policies.
- Openly photograph enterprise personnel
and assets (in clear violation of enterprise policy).
- Deploy and activate a hardware tool,
like a special-purpose wireless access point or wireless router,
that a true practitioner of industrial espionage might employ to
gather enterprise intelligence.4
- Perform a second-level incursion by penetrating a computer room,
laboratory, or other sensitive space. Even in facilities
featuring multiple perimeters, there can be a bias in favor of
someone who has already negotiated entry to the outer perimeter. Once inside a facility, even a stranger can assume the
characteristics of an employee or other "insider." Consultants, for example, often achieve such status.
As with information security penetration
tests, use the physical security penetration test to identify and plug
any physical security exposures.
About the Author
James G. Barr is a leading business continuity analyst and
business writer with more than 30 years’ IT experience. A member of
"Who’s Who in Finance and Industry," Mr. Barr has designed,
developed, and deployed business continuity plans for a number of Fortune
500 firms. He is the author of several books, including How to
Succeed in Business BY Really Trying, a member of Faulkner’s Advisory
Panel, and a senior editor for Faulkner’s Security Management
Practices. Mr. Barr can be reached via e-mail at firstname.lastname@example.org.