The Information Security Program ‘Gap Analysis’ is designed to assist your organization in obtaining full compliance with the appropriate regulations, guidelines and/or best practice standards. The resulting report will summarize your organization’s current level of compliance and provide the details for developing appropriate corrective action.
Fundamentally, the gap analysis comprises a series of questions for each section of the requirements document and seeks to discover whether a documented process is in place that adequately addresses the intent of each requirement. Each question is answered ‘Yes’, ‘Partly’ or ‘No’; ‘Yes’ and ‘Partly’ responses include a justification for the answer, and ‘No’ responses include the planned mitigation actions. The identified gaps give management insight into the areas of the information security program that need to be improved.
The gap analysis process involves determining, documenting and obtaining management’s recognition of the variance between the requirements set forth in the regulation, guideline and/or best practice standard and the organization’s current information security program. Once the gaps are identified a Security Improvement Plan can be developed that provides a foundation for setting priorities, assigning ownership, allocating investments of time, money and human resources and for measuring and improving compliance with the guidelines.
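The questionnaire method described above (one question per requirement, answered ‘Yes’, ‘Partly’ or ‘No’, with a justification for ‘Yes’/‘Partly’ and a mitigation action for ‘No’, rolled up into a compliance level and a list of gaps for the Security Improvement Plan) is easy to lose track of in a spreadsheet. The following is an added example, not Risk Based Security’s own tooling or report format: it validates that every response carries the evidence the method requires, scores each section, and orders the gaps so that uncovered (‘No’) requirements come first. The section names, questions and weights (Yes = 1.0, Partly = 0.5, No = 0.0) are constructed sample data and assumptions of this example.

```python
"""Gap-analysis questionnaire scoring (added illustration, constructed data).

Each requirement section holds questions answered 'Yes', 'Partly' or 'No'.
'Yes' and 'Partly' must carry a justification; 'No' must carry a planned
mitigation action. The summary gives the compliance level per section and
the list of gaps that feeds a Security Improvement Plan.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed weighting for the compliance percentage (not from the page).
ANSWER_WEIGHT = {"Yes": 1.0, "Partly": 0.5, "No": 0.0}


@dataclass
class Response:
    section: str            # section of the requirements document
    question: str
    answer: str             # 'Yes', 'Partly' or 'No'
    justification: str = ""  # required for Yes / Partly
    mitigation: str = ""     # required for No
    owner: str = ""          # who owns the corrective action (optional)


def validate(r: Response) -> List[str]:
    """Return a list of problems; empty means the response is complete."""
    problems: List[str] = []
    if r.answer not in ANSWER_WEIGHT:
        problems.append(f"{r.section}/{r.question}: answer must be Yes, Partly or No")
        return problems
    if r.answer in ("Yes", "Partly") and not r.justification.strip():
        problems.append(f"{r.section}/{r.question}: '{r.answer}' needs a justification")
    if r.answer == "No" and not r.mitigation.strip():
        problems.append(f"{r.section}/{r.question}: 'No' needs a planned mitigation action")
    return problems


def compliance_by_section(responses: List[Response]) -> Dict[str, float]:
    """Percentage compliance per section: mean of the answer weights."""
    totals: Dict[str, List[float]] = {}
    for r in responses:
        totals.setdefault(r.section, []).append(ANSWER_WEIGHT[r.answer])
    return {s: round(100 * sum(w) / len(w), 1) for s, w in totals.items()}


def gaps(responses: List[Response]) -> List[Response]:
    """Every Partly/No response is a gap; 'No' items come first because the
    requirement currently has no coverage at all."""
    order = {"No": 0, "Partly": 1}
    return sorted((r for r in responses if r.answer != "Yes"),
                  key=lambda r: (order[r.answer], r.section))


# Constructed sample questionnaire; these are not real findings.
SAMPLE = [
    Response("Access Control", "Is there a documented process for user access reviews?",
             "Yes", justification="Quarterly access review procedure, last reviewed this year"),
    Response("Access Control", "Are privileged accounts reviewed more frequently?",
             "Partly", justification="Admin accounts are reviewed annually only"),
    Response("Incident Response", "Is there a documented incident response plan?",
             "No", mitigation="Draft and approve an IR plan by end of Q3", owner="CISO"),
    Response("Incident Response", "Are security incidents reported to management?",
             "Yes", justification="Escalation matrix defined in the IR policy"),
]


def run(responses: List[Response] = SAMPLE):
    """Validate all responses, then return (scores per section, ordered gaps)."""
    problems = [p for r in responses for p in validate(r)]
    if problems:
        raise ValueError("\n".join(problems))
    return compliance_by_section(responses), gaps(responses)


if __name__ == "__main__":
    scores, open_gaps = run()
    for section, pct in scores.items():
        print(f"{section}: {pct}% compliant")
    for g in open_gaps:
        action = g.mitigation or g.justification
        print(f"[{g.answer}] {g.section}: {g.question} -> {action} ({g.owner or 'unassigned'})")
```

Running the script with the sample data reports Access Control at 75% and Incident Response at 50%, and lists the missing incident response plan ahead of the partial privileged-account review. Refusing to score a questionnaire that has an unjustified ‘Yes’ or an unmitigated ‘No’ is the point of the validation step: a gap report that management signs off on should never contain an answer without the evidence behind it.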
Although Risk Based Security has performed Gap Analysis engagements against numerous regulations, guidelines and best practice standards, the following requirement documents have been the most popular:
- NCUA – Rules and Regulations, Part 748, Appendix A; Interagency Guidelines Establishing Information Security Standards
- ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
- Massachusetts’ 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
- Federal Information Security Management Act (FISMA)
To Start Your Gap Analysis… Contact Us at firstname.lastname@example.org