Conducting an Information Security Gap Analysis



by James G. Barr

Docid: 00018422

Publication Date: 1907

Publication Type: IMPLEMENTATION


Every enterprise has gaps in
its information security infrastructure. Closing these gaps can
only be accomplished by following a clear strategy based on careful
evaluation and analysis. While a gap analysis sounds simple – find the
gaps and close them – it is an ongoing process as networks are constantly
changing. Hackers know this and continue to
probe networks even after being rebuffed a number of times. The results
of not doing a gap analysis can be disastrous.


Executive Summary


Enterprise information systems
are under constant attack by viruses, worms, Trojan horses, and other network
– and non-network – threats. These attacks can result in:

  • Loss of revenue
  • Loss of customers
  • Loss of investor confidence
  • Loss of market share
  • Civil litigation
  • Regulatory sanctions
  • A diminished reputation

To help identify information system vulnerabilities
BEFORE they are exploited by hackers, many enterprises
conduct regular information security gap analyses. 


An information security gap analysis is
a form of risk analysis designed to
determine the differences between the present state of information security
within an enterprise and its ideal state. One of the preferred methods of performing
an information security gap analysis is to ask a series of probing questions in the manner of
a security audit. For example, if one of the objectives of the
Enterprise Information Security Plan is to limit access to central servers and
other IT infrastructure components, critical queries may include:

  • Are all enterprise servers housed in a restricted area, like a computer room?
  • Is access to the computer room limited to essential personnel?
  • Are biometric
    access controls employed to govern entry?
  • Is the computer
    room monitored by video surveillance cameras?
  • How many attempts at unauthorized access
    are routinely recorded and how are these incidents investigated?

The purpose of these questions is not to
play "gotcha," but to determine what level of security control
is being exercised, what "gaps" are present, and what additional
security measures can be applied (within the limit of reason and
finances). The process should not be adversarial; in fact, both
parties – the analyst and the security team – should view the experience as an opportunity to improve security,
not score political points.

The Gap Analyst

While it may seem counterintuitive, the
individual conducting an information security gap analysis should not be a
security "expert." Experts tend to focus narrowly on one
aspect of security, say network security, while ignoring other aspects,
like laptop security. Also, experts are inclined to concentrate on
technical details rather than examining the "big

It’s Not Just Network

While there’s a natural tendency to focus on network security –
ensuring proper protection from viruses, worms, and other forms of malware
that propagate over the Internet – an information security gap analysis is not
complete without considering other common, but often overlooked, exposures
such as laptop security, physical security, business continuity, and
personnel security.

Laptop Security

In one of the more infamous security breaches on record, in 2006 a US Department
of Veterans Affairs employee placed the personal records of some 26.5 million
veterans at risk when a laptop containing the data was stolen from his home.
Since then, a number of high-profile incidents involving laptops have raised
public alarm and undermined public confidence in the ability of companies and
agencies to protect sensitive, confidential, and proprietary data. In virtually
all cases, an information security gap analysis would have

  • The failure to password-protect files.
  • The failure to encrypt sensitive data.
  • The failure to store laptops in a secure

Physical Security

Although physical security and information security are considered,
by many, separate
disciplines, they actually overlap. In particular, when performing
an information security gap analysis, an examiner should determine:

  • Who has physical access to IT
    infrastructure components, like servers and routers?
  • What environmental safeguards exist,
    e.g., temperature and humidity controls?
  • What provisions have been made to protect equipment against fire and
    water damage?

Business Continuity

Along with physical security, business continuity is a critical factor
in evaluating information security. In the course of an information
security gap analysis, an examiner should determine:

  • What happens in the event of a disaster
    affecting the IT infrastructure?
  • How will the security of information and
    information systems be maintained?
  • Does the recovery plan provide for recovery site security?

Personnel Security

Most experts agree that the majority of security incidents – either
inadvertent or intentional – are committed (or enabled) by employees or other
insiders. An information security gap analysis should explore the

  • How are security and IT personnel vetted?
  • Are there security awareness programs that
    discourage insider attacks?
  • What action (or actions) should be taken against individuals who
    deliberately and maliciously violate information security?

The Cloud Gap

In recent years, enterprise information and
information systems have been steadily moving to "the cloud," essentially,
third-party IT providers that service enterprise clients across the Internet. Since a gap analysis is designed to examine conventional, i.e., "on-premise,"
information systems for security vulnerabilities, the process does little to
inform enterprise officials of the state of cloud provider security. Nonetheless, a good gap analysis will include efforts to assess the security
commitment of each cloud provider by inquiring about the provider’s security and
business continuity plans. While a provider may be
understandably reluctant to share specific plan details, the provider should be willing
to describe at least in general terms how client data is protected and how the
provider itself conducts information security gap analyses.



When conducting an information security gap analysis, experts suggest a
methodical approach, stressing pre-analysis preparation.

  1. Adopt an information security standard (if one does not already exist).
    Consider ISO/IEC 27001 for information security alone, or COBIT for broader
    IT governance that includes security.
  2. Define the scope of the analysis. In a large enterprise, it may be prudent – or even necessary – to
    conduct multiple analyses, evaluating, for example, one location at a
    time, or assessing network security separate from mobile and wireless
  3. Assemble all relevant documents. This includes all information security standards, policies, plans, protocols,
    procedures, and guidelines.
  4. Gain senior management approval. If necessary, the chief security officer (CSO) should "run
    interference" for the analyst, persuading business and technical
    managers to cooperate in identifying – and filling – security gaps.
  5. Create a comprehensive information security questionnaire. Use the
    questionnaire to elicit information
    about current information security practices, and expand the questionnaire as
    new avenues of inquiry appear. Suppose, for example, a
    preliminary question reveals the use of two different types of
    physical access controls. A follow-up question might reveal how
    each type is utilized, setting the stage for a new enterprise
    standard. In addition to improving efficiency,
    the use of
    a standardized questionnaire permits a year-over-year comparison of
    gap analysis results, revealing how security performance varies over
  6. Look for gaps from a total systems
    management perspective.
     Information security exists within the realm
    of multiple systems management disciplines, including incident and
    problem management, change and release management, configuration
    management, service level management, and IT service continuity management. Ensure that information security is consistent across the
    full range of these functional areas.
  7. Publish a preliminary Information Security Gap
    Analysis report.
     Before documenting any deficiencies for
    senior management consumption, offer security personnel an opportunity
    to review and challenge any findings. Where gaps are discovered,
    offer these same personnel the opportunity to close or reduce the gaps
    before a final report is issued. In this way, analysts can earn
    the trust and confidence necessary to perform an in-depth analysis.
  8. Develop a remediation plan. Working in concert with the
    CSO, develop a plan to eliminate – or, at least, reduce – any
    information security gaps.1
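The scoring in item 5 and the prioritization in item 8 can be made concrete. The following Python is an added example, not code from the Faulkner report: it encodes a questionnaire as controls with a target maturity level and a weight, scores one year's answers against the target, orders the remaining gaps for the remediation plan, and diffs two years' results so the year-over-year comparison item 5 asks for falls out of the same data. The control identifiers follow the Annex A numbering of ISO/IEC 27001:2013, but the questions, weights, maturity scale and answers are constructed for illustration.

```python
"""Questionnaire-driven gap scoring with year-over-year comparison.

Added example (not from the Faulkner report). Control identifiers follow the
Annex A numbering of ISO/IEC 27001:2013; the questions, weights, maturity
scale and answers below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed four-level maturity scale for each answer
MATURITY = {"none": 0, "partial": 1, "defined": 2, "managed": 3}


@dataclass(frozen=True)
class Control:
    control_id: str
    question: str
    weight: int                 # 1 = low impact if absent, 3 = high impact
    target: str = "managed"     # ideal state the gap is measured against


# Constructed questionnaire (illustrative questions, not the standard's text)
QUESTIONNAIRE = [
    Control("A.11.1.2", "Is computer-room entry limited to essential personnel?", 3),
    Control("A.9.2.6", "Are accounts of leavers disabled on departure?", 3),
    Control("A.12.3.1", "Are backups taken, stored off-site and restore-tested?", 3),
    Control("A.12.6.1", "Are vendor security patches applied within the SLA?", 2),
    Control("A.12.2.1", "Do all PCs run anti-malware with current signatures?", 2),
    Control("A.7.2.2", "Is security awareness training delivered and tracked?", 1),
]


def assess(answers):
    """Return {control_id: (gap_levels, weighted_gap)} for one year's answers.

    An unanswered question is scored as 'none': silence is itself a gap."""
    result = {}
    for c in QUESTIONNAIRE:
        current = MATURITY[answers.get(c.control_id, "none")]
        gap = MATURITY[c.target] - current
        result[c.control_id] = (gap, gap * c.weight)
    return result


def prioritize(assessment):
    """Controls with an open gap, largest weighted gap first (stable on ties)."""
    ranked = sorted(assessment.items(), key=lambda kv: -kv[1][1])
    return [cid for cid, (_, weighted) in ranked if weighted > 0]


def coverage(assessment):
    """Fraction of the weighted target maturity achieved, 0.0 to 1.0."""
    max_points = sum(MATURITY[c.target] * c.weight for c in QUESTIONNAIRE)
    return 1 - sum(w for _, w in assessment.values()) / max_points


def year_over_year(previous, current):
    """Per-control change in weighted gap; negative means the gap closed."""
    return {cid: current[cid][1] - previous[cid][1] for cid in current}


# Constructed answers from two consecutive analyses (A.7.2.2 unanswered in year 1)
YEAR1 = {"A.11.1.2": "partial", "A.9.2.6": "none", "A.12.3.1": "defined",
         "A.12.6.1": "partial", "A.12.2.1": "managed"}
YEAR2 = {"A.11.1.2": "managed", "A.9.2.6": "defined", "A.12.3.1": "defined",
         "A.12.6.1": "partial", "A.12.2.1": "managed", "A.7.2.2": "partial"}

if __name__ == "__main__":
    a1, a2 = assess(YEAR1), assess(YEAR2)
    print("Year 1 coverage: %.0f%%" % (100 * coverage(a1)))
    print("Year 2 coverage: %.0f%%" % (100 * coverage(a2)))
    print("Remediation order (year 2):", prioritize(a2))
    for cid, delta in year_over_year(a1, a2).items():
        if delta:
            print(cid, "weighted gap change:", delta)
```

Because the questionnaire, weights and scale are fixed between runs, the `year_over_year` output is meaningful; if the questionnaire is expanded (as item 5 recommends), keep the old control IDs stable and only append, or the comparison silently breaks.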

ISO 27001 Gap Analysis

Owing to its universality, an essential trait in this era of globalization,
many enterprises adopt the ISO 27001 standard or, more officially,
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management
systems – Requirements. Administered by the International Organization for Standardization, ISO/IEC 27001:2013
"specifies the requirements for establishing, implementing,
maintaining and continually improving an information security management system
(ISMS)." Germane to the discussion of gap analyses, ISO 27001 "includes
requirements for the assessment and treatment of information security risks."

While an ISO 27001 gap analysis can be conducted in-house, analyst Camden Woollven
recommends enlisting the aid of an experienced security consultancy.

"Consultancy-led gap analyses typically consist of two key phases.

an ISO 27001 specialist will assess your existing information security
arrangements and documentation. These will be compared against the requirements
of ISO 27001 to identify any opportunities for improvement in the existing
arrangements, address shortfalls against the Standard’s requirements and
mitigate the risk of data breaches.

"Second, following the assessment, you will receive a gap analysis report
collating the findings. It will likely detail:

  • "The overall state and maturity of your information security
  • "The specific gaps between these arrangements and the requirements of ISO
  • "Options for the scope of an ISMS, and how they help to meet your
    business and strategic objectives; and
  • "An outline action plan and indications of the level of internal
    management effort required to implement an ISO 27001 ISMS."2

This third-party approach is equally applicable to other information security
standards, and should be considered a viable alternative to do-it-yourself
analyses, especially when security and IT staffs are new to risk management.



Not Establishing Gap Analysis as A Regular,
Ongoing Function

Unless an enterprise regularly performs a gap analysis, it may be
overwhelmed by the number of gaps it finds when it eventually does conduct one.
Prioritize the "leaks," patch the ones that present the greatest threat,
then schedule the next round of fixes.

Lack of Objectivity

It is difficult for internal systems administrators to objectively analyze an
enterprise's security controls. While it may be prudent to engage outside
experts, a company's or agency's IT department should be involved in all phases
of a gap analysis, including the preparation, the conduct, and, most important,
the development of plans designed to eliminate any security exposures. The
reason is twofold. First, the IT staff is a valuable source of operational
information; and second, the IT staff will almost certainly be involved in
implementing – and maintaining – any security fixes. In short, the IT staff
definitely needs to be "on-board" with any proposed changes.

Using Consultants Who Do Not Have
Industry Knowledge

Whether intentional or not, consultants may feel pressure to overstate elements
that they can fix and understate other elements. Boilerplate analyses and
remedies are also hazards. Choose a consultant that knows the applicable
industry and has a business orientation that is consistent with that of the

Check a consultant's references. Regulatory mandates like HIPAA have been a
boon to the security industry, creating a large crop of information security
firms. Not all are equally capable.

IT Staff Turnover

High turnover in the IT field has also laid the groundwork for an increased
threat of security breaches. Attacks by disgruntled current or former employees
represent a high percentage of database and network

Security Not Being Seen as A Priority

Large enterprises are so focused on rolling out new infrastructure
and products that they frequently lose sight of security.

Fear of Bad News

Many firms are reluctant to conduct a gap analysis for fear of what it might
reveal. The good news is that a gap analysis highlights both weaknesses and
strengths. This dual perspective can help empower an enterprise by acknowledging
what it does right while at the same time encouraging that enterprise to change
what it does wrong.

Conflicting Business Priorities

Despite good intentions, an information security gap analysis may be
postponed to accommodate other previously-scheduled or time-sensitive projects.
Reflecting on his personal experience, analyst Gary Hayslip warns, "I have seen assessments fall apart despite having the
best methodology, tools and people, because the assessor never put together a
plan that accounted for current business operations. So when the assessors came
on site to start, they found that what they wanted to do for the assessment
impacted the business units and the whole process quickly ground to a halt.
Remember, the purpose of the gap analysis is to identify risk hazards, not
create them."3

Before committing to an information security gap analysis, ensure that
required resources are available, and the schedule is clear.



While there is no standard methodology for conducting a gap analysis,
there is a basic approach which can be followed by all enterprises.

Before beginning a gap analysis, enterprises should define current and
future business requirements, as this creates a better understanding of
which portions of the business are most critical in the event of a
disaster. The next step is to identify information security gaps within the
enterprise, which fall into three major categories: people, processes, and
technology. Finally, enterprises should develop an information security
roadmap to be used to drive the gap analysis.

A gap analysis cannot succeed without organizational support. To gain
the attention of senior management, engage a consulting firm to test
enterprise defenses – a process called "penetration testing" or "ethical
hacking." In most cases, the firm will be able to access sensitive systems
using the same techniques hackers employ. This will convince skeptics that a
more formal gap analysis is

The next step is to decide whether to outsource the analysis or conduct it
in house. While doing it yourself is usually less expensive, security
consultants offer greater expertise, especially in the latest hacking
techniques.

Finally, if the analysis is conducted in-house, develop
a comprehensive plan
designed to test security systems and procedures. Most importantly,
involve the
entire enterprise, not just the IT department.

The following is a representative gap analysis process.

Step 1: Stage a Systems Break-In

Engage a security consulting company to conduct a systems break-in. Ask the
company to operate in the manner of a hacker or cyber-terrorist and pierce
enterprise defenses. If they are successful (and they usually are), their
simulated attack will offer two major benefits:

  • For anyone who still needs to be convinced that
    security is a major issue, it will elevate the level of concern beyond
    the realm of perceived risk to one of real risk.
  • The attack will probably target the same
    vulnerabilities that real-world cyber-criminals would exploit, allowing
    the most serious exposures to be identified and eliminated.

Step 2: Secure Senior Management Approval

Much like business continuity planning, conducting a gap
analysis requires
cross-organizational cooperation. In many enterprises, achieving such
cooperation is only possible through the eager endorsement of senior
The time to gain organizational cooperation is early on as it is
important to
get everyone on board when it comes to gap analysis.

Step 3: Establish the Scope of the Analysis

Establish the extent of the gap
analysis as well as its general
objectives. This can be accomplished by asking the following key

  • Will the analysis include physical as well as digital security?
  • Will the investigation focus on the headquarters
    location, or will it also encompass branch office and remote sites?
  • Will the analysis concentrate only on "customer-facing" applications or will it include
    all IT systems?
  • What resources will be available to conduct the
    analysis? Budget? Personnel? Facilities?
  • What is the timetable? When will management expect to
    see concrete results?
  • What regulatory mandates must be adhered to? Are
    there any mandated procedures that must be used to meet them?
  • Have all of the project parameters been established?
    In particular, have all of the issues been identified? If there are
    outstanding issues, when will they be resolved?

Step 4: Determine Whether to Outsource or Conduct the Analysis In-house

After receiving permission to conduct a gap analysis, the big question is
whether or not to outsource. Table 1 summarizes some of the
advantages and disadvantages of an outsourced analysis.

Table 1. Outsourced Gap Analysis

Advantages:

  • In general, greater and more current security expertise.
  • Experience in gap analysis.
  • Objectivity relative to enterprise security practices.
  • Less reluctance to criticize enterprise security practices.

Disadvantages:

  • Unfamiliarity with specific enterprise systems and operations.
  • Ironically, the potential for exposure of critical or sensitive
    information to third parties.
  • In general, higher costs.
  • Resentment from in-house security personnel, who may feel threatened.

Both outsourcing and
"in-sourcing" are viable options. If outsourcing is
selected, the process must be closely supervised by management to
ensure the cooperation of all personnel. In addition, in-house security
staffers can learn a great deal from their outsourcer colleagues. If
in-house development is selected, proceed with Step 5.

Step 5: Assemble a Gap Analysis Team

Assemble a gap analysis team to coordinate all activities related to the gap
analysis, including planning, implementation, analysis, and reporting. This
multi-disciplinary team should include:

  • In-house security experts.
  • Members of the IT department.
  • Customers, both internal and external.
  • Trusted business partner personnel, particularly any
    analysts who are wrestling with the same or similar security problems
    within their own enterprises.

Step 6: Resolve Any “Jurisdictional” Issues

Closely related to the previous item, determine which
organizations might claim jurisdiction or authority over all or part of the
analysis process. Consult with groups such as:

  • Finance
  • Corporate auditing
  • Business continuity
  • Security
  • The Project Management Office (PMO)
  • The Risk Management Office

Ask these organizations to appoint individuals to participate as members of
the gap analysis team, to contribute their own expertise and experience, and
to function as liaisons to their respective groups.

Step 7: Identify Current Security Standards

Determine all relevant security standards and protocols. This includes the
enterprise security policy, the enterprise "acceptable use" policy, any
statement of enterprise security standards, and, depending on factors such as
industry and geography, any relevant governmental regulations such as HIPAA,
Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), and the European Union (EU)
General Data Protection Regulation (GDPR).

The GDPR entered into force in May 2016 and applies from May 25, 2018. It
replaces the EU Data Protection Directive of 1995, which aimed to protect the
fundamental rights and freedoms of natural persons, focusing on their right to
privacy with regard to the processing of their personal data.

The GDPR not only applies to organizations located within the EU but it will
also apply to organizations located outside of the EU if they offer goods or
services to, or monitor the behavior of, EU data subjects. It applies to all
companies processing and holding the personal data of data subjects residing in
the European Union, regardless of the company’s location.

As, arguably, the world's most stringent regulation affecting data security
and privacy, the GDPR is a sensible baseline: IT project teams would be wise
to adhere to its requirements, since GDPR compliance will likely satisfy most
other security and privacy rules as well.

Step 8: Collect All Relevant Security Documents

In concert with the previous item, collect all
pertinent documentation relating to security standards such as
policies, protocols, plans, and procedures, plus any pre-existing
analyses of the enterprise’s security infrastructure. It is also
important to gather all documentation relating to the deployment and
use of enterprise hardware and software.

Step 9: Create a Gap Analysis Checklist

Just like any project, a gap analysis should
proceed according to a specific
plan or checklist. The checklist is important because it will:

  • Ensure the analysis is complete and
    comprehensive by allowing others to review it prior to implementation.
  • Provide a structure for recording (and later
    reporting) the results of the analysis.
  • Provide a baseline for future gap analyses.

Step 10: Conduct a Hardware and Software Inventory

Conducting a hardware and software inventory is
vital because it will help determine whether or not the
enterprise’s hardware and software systems are configured
according to enterprise asset management plans.

The inventory also offers an opportunity to discover any shadow IT
applications. Shadow IT is a relatively recent phenomenon in which employees
adopt public cloud services like Dropbox without the approval – or even
knowledge – of enterprise IT, effectively expanding the enterprise software
portfolio with unsanctioned – and potentially insecure – third-party software.

Step 11: Review All Information Security Classifications

Because not all information assets are critical, it is
important to ensure
that security efforts are commensurate with the value of the
information being
protected. In some cases, enterprises categorize their information
according to relative asset value and sensitivity, by applying such
terms as:

  • Unclassified
  • Classified
  • Confidential
  • Restricted use
  • Limited availability
  • Secret
  • Top secret

For enterprises that use such categorization schemes,
answer the following

  • Is the classification scheme employed on an
    enterprise-wide basis? If not, why not?
  • Is critical information properly classified? Check
    some common information types, such as financial data, personnel
    records, customer information, and research and development data.
  • Are critical information assets marked as critical?
    In other words, are terms such as ‘classified’ or
    ‘confidential’ attached to each critical asset?
  • Are secured information assets consistent with their
  • Are the graduated security controls adequate to
    protect the most sensitive assets?

Step 12: Review All Information Access Controls

By one estimate, over 80 percent of all security breaches are initiated by
individuals inside the enterprise, or by persons who have left the enterprise
under unhappy circumstances. Some employees have grievances, even if they have
not left the enterprise, and many also have access to critical systems. When
the two converge, the effects can be severe.

The best way to mitigate the risk is to ensure that
employee access to
critical or sensitive information is strictly controlled. To help
evaluate such
safeguards, determine the following:

  • Are access privileges granted on a ‘need to
    know’ basis? If not, how are they allocated?
  • Are employees required to sign non-disclosure
  • Are passwords and other logical access controls
    routinely changed?
  • Are the user accounts of terminated employees
  • Are inactive or dormant accounts suspended?
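The questions about leavers and dormant accounts are the ones most easily answered from data rather than interviews. The Python below is an added example, not code from the Faulkner report: it joins a constructed HR roster to a constructed directory export and reports leavers whose accounts are still enabled, accounts with no HR owner at all (service and orphan accounts, which no one reviews), and accounts dormant beyond an assumed 90-day threshold, listing privileged accounts first. Usernames, dates and the threshold are all constructed.

```python
"""Access-control review over an HR roster and a directory export.

Added example, not code from the Faulkner report. Both data sets below are
constructed; a real review would export them from the HR system and the
directory service (Active Directory, LDAP, an IdP) and run the same logic.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)            # assumed policy threshold
REVIEW_DATE = date(2018, 4, 10)               # constructed analysis date
SEVERITY = {"terminated-enabled": 0, "orphan": 1, "dormant": 2}

# Constructed HR roster: username -> (employment status, termination date)
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("terminated", date(2018, 1, 15)),
    "cwong":  ("active", None),
    "dlee":   ("terminated", date(2018, 3, 2)),
}

# Constructed directory export: username -> (enabled, last logon, privileged)
ACCOUNTS = {
    "asmith":     (True,  date(2018, 4, 9),   False),
    "bjones":     (True,  date(2018, 2, 1),   True),   # leaver, still enabled, admin
    "cwong":      (True,  date(2017, 11, 20), False),  # no logon for > 90 days
    "dlee":       (False, date(2018, 2, 28),  False),  # leaver, correctly disabled
    "svc_backup": (True,  date(2018, 4, 8),   True),   # no HR record at all
}


def review_access(roster, accounts, today):
    """Return (user, finding, detail) tuples, privileged accounts first."""
    findings = []
    for user, (enabled, last_logon, privileged) in accounts.items():
        if user not in roster:
            # Without an owner in HR the account is never reviewed or revoked
            findings.append((user, "orphan", "no HR record"))
            continue
        status, term_date = roster[user]
        if status == "terminated" and enabled:
            lag = (today - term_date).days
            findings.append((user, "terminated-enabled",
                             f"still enabled {lag} days after termination"))
        if enabled and today - last_logon > DORMANT_AFTER:
            findings.append((user, "dormant", f"no logon since {last_logon}"))
    # Privileged accounts first, then by finding severity
    findings.sort(key=lambda f: (not accounts[f[0]][2], SEVERITY[f[1]]))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{finding:20} {user:12} {detail}")
```

The join is deliberately driven from the directory side, not the HR side: an account that exists only in the directory is exactly the one an HR-driven review never sees.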

Step 13: Examine the System Maintenance Logs

Determine if vendor security patches are being applied in a timely fashion.
Consider, for example, that the Code Red worm of July 2001 exploited a buffer
overflow in the Index Server ISAPI extension of Microsoft's Internet
Information Server (IIS), a vulnerability for which Microsoft had published a
patch (security bulletin MS01-033) about a month before the worm struck. Had
network administrators installed that patch when it was released, the Code
Red worm would probably never have taken hold. The measure to extract from
the logs is the lag between a vendor's release of a patch and its
installation on every affected system, compared against the interval the
enterprise has committed to.
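The check behind the Code Red lesson is patch lag. The following Python is an added example, not code from the Faulkner report: it parses constructed maintenance-log lines in a hypothetical "date event patch-id host-or-severity" format, compares each install against the vendor release date and an assumed per-severity SLA, and also flags hosts from the inventory that have no install record at all, which reading the log alone would never reveal. The MS01-033 release date (18 June 2001) is historical; the host names, the KB-1234 entry and the SLA values are constructed.

```python
"""Patch-lag check over a system maintenance log.

Added example, not code from the Faulkner report. Log format, SLA values,
the KB-1234 entry and the host list are constructed; MS01-033's release
date, 18 June 2001, is the historical value.
"""
from datetime import date

SLA_DAYS = {"critical": 14, "important": 30, "moderate": 90}   # assumed policy
TODAY = date(2001, 7, 31)                                        # analysis date
HOSTS = {"web01", "web02", "web03"}                              # from the Step 10 inventory

# Constructed log: "<date> RELEASE <patch> <severity>" or "<date> INSTALL <patch> <host>"
LOG = """\
2001-06-18 RELEASE MS01-033 critical
2001-06-26 INSTALL MS01-033 web01
2001-07-25 INSTALL MS01-033 web02
2001-05-01 RELEASE KB-1234 important
2001-05-20 INSTALL KB-1234 web01
2001-05-20 INSTALL KB-1234 web02
"""


def parse_log(text):
    """Return ({patch: (release_date, severity)}, {patch: {host: install_date}})."""
    releases, installs = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, event, patch, extra = line.split()
        when = date.fromisoformat(day)
        if event == "RELEASE":
            releases[patch] = (when, extra)
        elif event == "INSTALL":
            installs.setdefault(patch, {})[extra] = when
        else:
            raise ValueError(f"unknown event in log line: {line!r}")
    return releases, installs


def patch_gaps(releases, installs, hosts, today):
    """(patch, host, status, days) for every host/patch pair outside the SLA.

    'late'    = installed after the SLA window closed
    'missing' = no install record and the SLA window has already closed;
                a host absent from the log is a gap, not a clean host
    """
    gaps = []
    for patch, (released, severity) in releases.items():
        sla = SLA_DAYS[severity]
        for host in sorted(hosts):
            installed = installs.get(patch, {}).get(host)
            if installed is None:
                days = (today - released).days
                if days > sla:
                    gaps.append((patch, host, "missing", days))
            else:
                days = (installed - released).days
                if days > sla:
                    gaps.append((patch, host, "late", days))
    return gaps


def sla_compliance(releases, installs, hosts, today):
    """Fraction of host/patch pairs that were patched within the SLA."""
    pairs = len(releases) * len(hosts)
    return 1 - len(patch_gaps(releases, installs, hosts, today)) / pairs


if __name__ == "__main__":
    rel, ins = parse_log(LOG)
    for gap in patch_gaps(rel, ins, HOSTS, TODAY):
        print("%-9s %-6s %-8s %3d days" % gap)
    print("SLA compliance: %.0f%%" % (100 * sla_compliance(rel, ins, HOSTS, TODAY)))
```

Feeding the host list from the inventory rather than from the log is the point: a log can only report work that was done, and the hosts nobody patched are the ones that never appear in it.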

Step 14: Verify the System Backup Procedures

While normally discussed within the context of business continuity,
there is no process more fundamental to the interests of information
security than backup and recovery. If information is lost or destroyed
as the result of a security breach, all or part of that information can
be restored from off-site media. As a function of the gap analysis,
enterprises should determine the

  • Is digital data being backed up on a regular basis?
  • Is the backup data being stored in a secure offsite
  • Importantly, considering that offsite data can
    deteriorate over time, what controls are in place to ensure its
    continued viability?
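The third question, media deterioration, is answered by recording a digest of every file at backup time and re-verifying on a schedule, so that a corrupted or missing file is found at the next check rather than during a restore. The Python below is an added example, not code from the Faulkner report: it builds a manifest of SHA-256 digests, authenticates the manifest with an HMAC (so that altering the media and rewriting the checksums together is still detected, provided the key is kept off the media), and classifies each file on re-read as ok, corrupt, missing, or unexpected. The key and the in-memory backup set are constructed.

```python
"""Backup-set integrity manifest with an authenticated file list.

Added example, not code from the Faulkner report. The backup set is an
in-memory dict so the example runs offline; the key is a constructed demo
value and would in practice be held separately from the media.
"""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"   # assumption: stored off the media


def build_manifest(backup_set, key):
    """Hash every file in the set and authenticate the list with an HMAC.

    A plain checksum file stored beside the media lets whoever alters the
    media also rewrite the checksums; the HMAC closes that hole."""
    files = {p: hashlib.sha256(b).hexdigest() for p, b in sorted(backup_set.items())}
    body = json.dumps({"algorithm": "sha256", "files": files}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def manifest_authentic(manifest, key):
    """True if the manifest body still matches its HMAC under this key."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_manifest(manifest, backup_set, key):
    """Return {path: "ok" | "corrupt" | "missing" | "unexpected"}."""
    if not manifest_authentic(manifest, key):
        raise ValueError("manifest tag mismatch; do not trust its contents")
    files = json.loads(manifest["body"])["files"]
    report = {}
    for path, digest in files.items():
        data = backup_set.get(path)
        if data is None:
            report[path] = "missing"
        else:
            report[path] = "ok" if hashlib.sha256(data).hexdigest() == digest else "corrupt"
    for path in backup_set:
        if path not in files:
            report[path] = "unexpected"     # something was added after the manifest
    return report


def restore_ready(report):
    """A backup set is usable only if every manifested file verifies."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed backup set as written, and the same media re-read later with
# one bit-flipped file, one file gone and one stray file
ORIGINAL = {"db/customers.dump": b"id,name\n1,Alice\n2,Bob\n",
            "etc/config.tar": b"config-v1"}
REREAD = {"db/customers.dump": b"id,name\n1,Alixe\n2,Bob\n",
          "logs/stray.log": b"x"}
MANIFEST = build_manifest(ORIGINAL, KEY)

if __name__ == "__main__":
    print("as written:", verify_manifest(MANIFEST, ORIGINAL, KEY))
    print("re-read:   ", verify_manifest(MANIFEST, REREAD, KEY))
```

Verifying the manifest on a schedule catches media decay; actually restoring from it, at least periodically, is still the only test that the recovery procedure itself works.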

Step 15: Interview Employees and Other “Security Users”

Despite an enterprise's best laid plans, there is often a wide gap between a
system's intended use and its actual use. To measure the level of compliance
with access and other security controls, interview the users on a confidential
basis to ensure cooperation and candor, and then try to determine the
following:

  • Has the importance and need for security been
    explained to employees?
  • Are employees aware of the latest security policies,
    practices, protocols, and procedures?
  • Do employees feel these procedures interfere with
    their work?
  • Do employees attempt to circumvent any of these
    inconvenient procedures? Are they successful in doing so?
  • Which procedures, if any, would employees retain, and
    which procedures, if any, would they eliminate?
  • What would employees do if they had the
    responsibility for administering security?

Step 16: Evaluate Current Security Practices

Determine the efficacy of current security
practices by comparing the conduct
of those practices against established enterprise norms and
security principles. For example, most enterprises require that
corporate PCs be
equipped with anti-virus software. To assess compliance with this
practice, ask
the following:

  • Do all PCs have anti-virus protection?
  • Are these anti-virus packages updated as soon as
    vendor maintenance patches are released?

Importantly, extend the evaluation beyond on-premise equipment to
encompass laptops and smartphones. Operating with the owner’s
consent and cooperation, examine a representative cross-section of
mobile devices to ascertain their security worthiness. Determine
whether enterprise employees are as conscientious about maintaining
security as enterprise IT and security personnel. Leverage the
findings to enhance security awareness training.

Step 17: Document All Findings and Recommendations

At the conclusion of the gap analysis, it is vital
to document (in detail) all findings and recommendations.

Step 18: Develop a Remediation Plan

While not technically a part of the gap analysis,
it is a good practice to develop a plan to plug the holes the gap
analysis discovered. In developing a plan, schedule activities
according to the severity of the exposures, with high-risk items
earning first attention.

Step 19: Schedule the Next Gap Analysis

Security planning is not a one-time-only event. Because
the enterprise
environment is subject to constant change, and new security threats
arise on a
daily basis, the shelf life of a security gap analysis is relatively
short. A
new gap analysis should be conducted every three to six months or more
frequently if enterprise resources can support it.

Step 20: Create an EU- and Asia/Pacific-Version of the Gap Analysis Process

Most large enterprises – and some small – boast a global computing
infrastructure. It may be necessary – and probably prudent – to
conduct multiple geographically-based gap analyses – at minimum, one
targeting systems serving the European Union and another aimed at
Asia/Pacific operations. At the very least, different
jurisdictions means different regulations. At best, a US- or North
American-based gap analysis would have to be tweaked to identify EU and
Asia/Pacific vulnerabilities. A one-size-fits-all approach to
conducting an information security gap analysis will not work.

Step 21: Conduct a Physical Security Gap Analysis

An information security gap analysis should be supplemented by a physical
security gap analysis. Engage a security consulting company to develop and
execute a physical penetration test. During the exercise, one or more physical
pen testers may attempt the following:

  1. Penetrate a building perimeter by
    scaling a surrounding fence and eluding video detection (most video
    surveillance systems have "blind spots").
  2. Persuade an employee or business
    partner to grant access
    to an enterprise facility through cajolery or other verbal means.
  3. Determine the willingness of employees
    or business partners
    to tolerate "tailgating" and, in the process, determine the
    willingness of employees to ignore well-established security protocols.
  4. Enter a facility using
    counterfeit credentials – credentials that experienced security
    guards should recognize as false even under casual scrutiny.
  5. Carry contraband into a facility
    despite a physical inspection of one’s person and property by a
    security guard.
  6. Similarly, remove an object like a
    laptop from a facility (again, by avoiding detection by a security
  7. Deposit a suspicious package within a
    facility and measure the time it takes for someone to discover and
    report the finding to security; also, the number of individuals who
    ignore the package.
  8. Collect confidential information from
    employee desktops (or other areas in plain view).
  9. Engage in "dumpster diving" to measure
    compliance with document disposal policies.
  10. Openly photograph enterprise personnel
    and assets (in clear violation of enterprise policy).
  11. Deploy and activate a hardware tool,
    like a special-purpose wireless access point or wireless router,
    that a true practitioner of industrial espionage might employ to
    gather enterprise intelligence.4
  12. Perform a second-level incursion by penetrating a computer room,
    laboratory, or other sensitive space. Even in facilities
    featuring multiple perimeters, there can be a bias in favor of
    someone who has already negotiated entry to the outer perimeter. Once inside a facility, even a stranger can assume the
    characteristics of an employee or other "insider." Consultants, for example, often achieve such status.

As with information security penetration tests, use the physical security
penetration test to identify and plug any physical security exposures.



About the Author


James G. Barr is a leading business continuity analyst and business writer
with more than 30 years’ IT experience. A member of "Who’s Who in Finance and
Industry," Mr. Barr has designed, developed, and deployed business continuity
plans for a number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member of Faulkner’s
Advisory Panel, and a senior editor for Faulkner’s Security Management
Practices. Mr. Barr can be reached via e-mail at
