Gap analysis

SECTION TWO

In this section we discuss gap analysis. A gap analysis is performed on an organization to determine the difference between the present state of its information security and the desired state, and to identify how to raise the performance of a specific area that faces a threat. Because gap analysis is a general tool, it can be applied from different perspectives depending on the functional area. It is a critical step in business continuity planning and can be classified as a form of risk assessment.

Gap analysis helps by diagnosing the system and indicating how to solve the problems identified. Because it supports long-term planning by setting goals and outlining changes to practices, its ultimate output is a prioritized list of activities that the organization can carry out to move closer to its target state.

For our case we use an information security gap analysis. This helps the organization understand where to focus its security efforts for the greatest improvement, uncover its risks and vulnerabilities, and ultimately improve its information security posture. The gap analysis process for the organization will include the following procedures:

  1. Stage a system break-in: engage a security consulting company to conduct an authorized penetration test, operating in the manner of an attacker and attempting to penetrate the organization's defenses. Where it succeeds, it shows the organization the vulnerabilities in its systems so that they can be eliminated.
  2. Secure senior management approval: top management endorses the analysis and uses its authority to make everyone in the organization comply with the resulting security measures.
  3. Establish the scope of the analysis by understanding the general objectives of the report.
  4. Determine whether to conduct the analysis in-house or to outsource it. Outsourcing has advantages and disadvantages. The benefits include more substantial and current security expertise, greater objectivity about the organization's security practices, and findings that are harder to dismiss as internal criticism. The disadvantage is the outsider's unfamiliarity with the organization's specific security practices and operations. If the analysis is done in-house, a team of gap analysts is assembled.
  5. Assemble a gap analysis team responsible for planning, implementation, analysis, and reporting.
  6. Identify the current security standards and protocols used by the organization.
  7. Review all information access controls and examine the system software settings.
  8. Evaluate existing security practices and compare them with the established organizational norms and security principles.
  9. Document all findings and recommendations; this record also serves as the baseline for a future analysis.
  10. Schedule the next gap analysis. Security planning is not a one-time event; organizations change constantly and new security threats arise daily. The next analysis should take place three to six months later if the organization can support it.

When adopting a security program, the organization must find a middle ground where it can manage the risk that comes with the technology it chooses to use. When adopting a security program anew, one should compare the following items. The access control policy outlines the access granted to information and data systems; it also covers user access and network access control. Comparing against this policy shows how the system is monitored, how unattended systems are secured, and how access is removed when an employee leaves the organization.

We also compare how change management is handled when new security software is adopted. Change management covers changes to security operations. A change management process increases understanding of the changes to be adopted and helps ensure they are carried out in a way that does not disrupt the organization's services.

Another factor to compare when adopting a security program is the information security policy, which requires the organization's employees to comply with stated rules and guidelines on who may use the organization's information.

How the organization responds to incidents, manages the event, and restores normal operations is also an item to consider in a gap analysis; a good incident response limits damage to the business and reduces the cost and time of recovery. The remote access policy should be considered as well, since it determines how employees may reach the organization's internal networks and information. This policy matters most for organizations with many systems that extend into untrusted networks.

The disaster recovery policy is another item to consider. It determines which systems to fall back on in case of a disaster and how to restore the hardware and data that are essential for business continuity.

For the system design to be deployed, we need to point out the shortfalls that must be dealt with. Addressing them reduces the system's exposure to vulnerabilities, and the issues will be taken up in the chapters ahead. The shortfalls include the following:

Not establishing gap analysis as a regular and an ongoing task for an organization

If an organization performs gap analysis routinely, it faces less risk of being overwhelmed by the results when it does one. Data System Solutions will provide regular gap analysis to the organization if the organization can support the activity.

Lack of an objective

It is difficult for a system administrator to analyze the security of their own system objectively, hence the need to involve an outsourced expert in the gap analysis.

Using a consultant without industry knowledge

It is best to choose a consulting company that understands the industry well and has worked with organizations like this one. Many consulting companies feel pressure to overstate what they can fix and to understate other essential items. Check the consultant's references before hiring; they should have a background of working in the applicable industry and with companies of similar size.

IT staff turnover

High turnover in the IT field has raised the risk of security breaches. Attacks on databases and networks are often carried out by disgruntled former or current employees, which is why prompt removal of access for leavers matters.

Security as a low priority

Many organizations focus more on building out infrastructure than on the safety of their information and data, on the assumption that security brings the least revenue to the organization.

Fear of bad news

Many organizations are reluctant to conduct a gap analysis for fear of what the results might be. The value of a gap analysis is that it brings out both the weaknesses and the strengths of the system, which lets the organization make the right decisions based on the results.

From the above, we conclude that a gap analysis is needed to guide the implementation of the plan for the design of the security program. The gap analysis uses a prioritization policy: close the most critical gaps first, or tackle the gaps that are simplest to close. The shortfalls named above will inform the design of the system so that the vulnerabilities may be addressed through the security program to be developed.
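The comparison of the current state against the desired state (steps 6 to 8 of the procedure above) and the two prioritization orders just described, as an added Python example that is not part of this document's own material. The baseline controls, their criticality and effort scores, the HR roster and the account list are all constructed for illustration; the one evidence-based check is for leaver accounts that are still enabled, which is the access-removal item from the access control policy.

```python
"""Added example: a minimal information-security gap analysis.

Compares an assessed current state against a baseline of required controls,
derives one control's status from evidence (HR roster vs. account list)
rather than from a questionnaire, and ranks the resulting gaps two ways:
most critical first, and quickest to close first.  All data is constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    cid: str
    description: str
    criticality: int  # 1 (low) .. 5 (high): impact if the control is absent
    effort: int       # 1 (trivial) .. 5 (major project): cost to close the gap


# Constructed baseline: the "desired state" the organization is measured against.
BASELINE = [
    Control("AC-1", "Access control policy documented and approved", 3, 1),
    Control("AC-2", "Leaver accounts disabled within one day of termination", 5, 2),
    Control("AC-3", "Unattended sessions lock after inactivity", 2, 1),
    Control("RA-1", "Remote access requires multi-factor authentication", 5, 4),
    Control("IR-1", "Incident response plan exercised annually", 4, 2),
    Control("DR-1", "Disaster recovery plan with tested restores", 4, 5),
    Control("CM-1", "Change management covers security configuration", 3, 2),
]

# Constructed evidence for AC-2: HR roster (None = still employed) and the
# directory's account list.  "dave" has a termination date in the future
# (notice given), so his account is legitimately still enabled.
AS_OF = date(2024, 6, 1)
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 1, 15),
    "carol": date(2024, 3, 2),
    "dave": date(2024, 7, 1),
}
ACCOUNTS = {
    "alice": {"enabled": True},
    "bob": {"enabled": True},          # left months ago, never disabled
    "carol": {"enabled": False},
    "dave": {"enabled": True},
    "svc-backup": {"enabled": True},   # no HR record: a service account
}


def orphaned_accounts(roster, accounts, as_of=AS_OF):
    """User accounts still enabled after the user's termination date."""
    return sorted(
        user for user, acct in accounts.items()
        if acct["enabled"]
        and roster.get(user) is not None
        and roster[user] < as_of
    )


def assess(as_of=AS_OF):
    """Current-state assessment: control id -> implemented?"""
    # Constructed self-reported findings for the questionnaire-based controls.
    status = {"AC-1": True, "AC-3": True, "RA-1": False,
              "IR-1": False, "DR-1": False, "CM-1": True}
    # AC-2 is judged from evidence: any orphaned account means the control fails.
    status["AC-2"] = not orphaned_accounts(HR_ROSTER, ACCOUNTS, as_of)
    return status


def gaps(baseline, status):
    """Controls in the baseline that the current state does not meet."""
    return [c for c in baseline if not status.get(c.cid, False)]


def critical_first(gap_list):
    """Most critical gaps first; ties broken by lower effort."""
    return [c.cid for c in sorted(gap_list, key=lambda c: (-c.criticality, c.effort))]


def quick_wins_first(gap_list):
    """Cheapest gaps first; ties broken by higher criticality."""
    return [c.cid for c in sorted(gap_list, key=lambda c: (c.effort, -c.criticality))]


if __name__ == "__main__":
    found = gaps(BASELINE, assess())
    print("Orphaned accounts:", orphaned_accounts(HR_ROSTER, ACCOUNTS))
    print("Critical first   :", critical_first(found))
    print("Quick wins first :", quick_wins_first(found))
```

Because AC-2 is scored from the roster and account list rather than from what the administrators say, the example shows why step 7 (reviewing the access controls themselves) is separate from step 8 (comparing stated practice against the norms): the stated practice may be "leavers are disabled within a day" while the evidence says otherwise. Keep the two orderings side by side in the report; the critical-first list is the remediation plan, the quick-wins list is what can be closed before the next scheduled analysis.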
