Gap Analysis - CompTIA Security+ SY0-701 - 1.2

00:01

As the name implies, a gap analysis

00:04

is a study of where we are versus

00:07

where we would like to be.

00:08

And in the world of IT security, we

00:11

are constantly performing gap analyses

00:13

to be able to understand exactly what security is going

00:16

to be needed in the future.

00:18

Although this is very simple to explain,

00:20

it's a relatively complex process

00:22

to perform the analysis of what's actually

00:25

going on in your environment and putting together

00:27

a plan of how to get from where you are to where you're going.

00:31

As you might imagine, trying to understand every aspect of IT

00:35

security and how it applies to your organization

00:38

can be a very involved process.

00:40

And this is something that commonly

00:42

takes a number of weeks, months, or even years to compile.

00:46

As you can imagine, this might involve

00:48

a number of different people in your organization.

00:50

And there is an extensive project plan

00:52

with emails and data gathering and anything else

00:56

that's needed to compile the information about what's

00:58

happening with security in your environment.

01:01

Before starting the gap analysis,

01:03

it's useful to have a baseline.

01:05

This gives you something to work towards

01:07

and an idea of where the goals should

01:09

be for your organization.

01:10

There are a number of different baselines to choose from,

01:13

and some of these baselines have been specifically created

01:16

for certain organizations.

01:17

For example, your organization may

01:19

be following a set of baselines from the National Institute

01:22

of Standards and Technologies.

01:24

They publish a document called the Special Publication 800-171

01:29

Revision 2.

01:30

And the title of that document is Protecting Controlled

01:33

Unclassified Information in Nonfederal Systems

01:36

and Organizations.

01:38

You might also use a baseline that

01:39

was created by the International Organization

01:42

for Standardization and the International Electrotechnical

01:45

Commission.

01:46

This is the ISO/IEC 27001, or the information security

01:52

management systems.

01:53

And of course, you can create your own baselines

01:56

based on your specific needs as an organization.

02:00

These baselines will commonly involve

02:02

an analysis of the people in your organization

02:05

and the processes you use for security.

02:08

When evaluating people, you might

02:09

want to get a better understanding

02:11

of their formal experience in information technology

02:14

security.

02:14

You might want to understand what kind of training

02:16

they've received.

02:17

And you might want to see if they

02:19

have a knowledge of specific security policies

02:21

and procedures that you can use in your organization.

02:25

Even with the right people in place,

02:26

you'll still want to be sure that you're

02:28

following the correct policies for IT security.

02:31

This might start with an evaluation of the existing IT

02:34

systems and how they relate to your formal policies that

02:37

have been created in your central security policy

02:40

documentation.

02:41

The analysis portion of the gap analysis

02:44

will begin with a comparison of the existing systems

02:47

that you have running in your environment

02:49

and to identify any weaknesses that those systems might have.

02:53

You can also compare these weaknesses

02:55

with the most effective processes

02:57

for understanding how to compensate

02:59

for those weaknesses.

03:01

Ultimately, you'll create a detailed analysis

03:04

where you'll look at very broad categories of security

03:07

and then break down those broad securities

03:09

into individual smaller segments.

03:12

Here's a good example of how you might

03:14

start with broad understanding of a process

03:16

and then breaking it down into individual pieces.

03:19

This is the document 800-171 Revision 2,

03:23

which is Protecting Controlled Unclassified Information.

03:26

And this is a table that maps the access control requirements

03:29

to the security controls that are in place.

03:32

For example, this page shows access control

03:34

where you would want to limit system

03:36

access to unauthorized users, processes

03:38

acting on behalf of authorized users, and devices.

03:42

This account management covers a number

03:44

of different individual security controls.

03:46

So when we start to break this down,

03:48

we can look at user registration and deregistration.

03:51

We need to understand how user access provisioning is handled,

03:55

understand the management of privileged access rights,

03:58

a review of the user access rights, and so on.

04:02

By looking at these broad areas, we

04:04

can now break down individual security tasks

04:07

to see how well we're handling the processes

04:09

and procedures for each of these individual steps.

04:13

Once we've gathered all of this information

04:16

for all of our processes, all of our devices

04:19

across all of our different locations,

04:21

we need to create a final document that

04:23

summarizes everything that we've discovered.

04:26

We can start with a comparison that

04:28

looks at the detailed baseline objectives

04:30

and gives a perspective of where we are today

04:33

versus where we would like to be with each

04:35

one of these objectives.

04:37

Perhaps the more difficult question to answer

04:39

is how you get from where you are to where you'd like to be.

04:42

This path to get from where we are

04:44

to where we'd like to be commonly

04:46

takes time, it takes money, there may be equipment

04:49

that we need to purchase, and, obviously,

04:51

there's change control so that you can implement these changes

04:54

in your environment.

04:55

Once we have all of this information compiled

04:58

and the plan of how we can get from where

05:00

we are to where we'd like to be, we

05:02

can create a final gap analysis report.

05:05

This report not only includes the information

05:07

about where we are today, but it also provides that pathway

05:11

so that we can understand what it's really

05:13

going to take to move forward into the future.

05:16

All of the recommendations you have

05:17

about meeting this baseline will be documented

05:20

in this gap analysis report.

05:22

Here's an example of one of the tables

05:24

that you might include in your gap analysis report.

05:27

On the left side, I have a series of system requirements.

05:30

And all of those system requirements

05:31

were broken into smaller pieces in the detailed part

05:35

of the report.

05:36

But we might want to get a much broader understanding

05:38

about all of our different remote sites

05:40

and how they are compared to the ultimate baseline

05:44

that we would like to reach.

05:45

For example, our organization might

05:47

have seven different locations, and we've

05:49

performed a gap analysis across all

05:51

of these system requirements for all seven of those locations.

05:55

The locations that are relatively

05:57

close to meeting the baseline we can mark with a green color.

06:00

Anything that might be in the midpoint we can mark as yellow.

06:04

And locations that need a lot of work

06:06

to be able to meet our standardized baselines we'll

06:09

mark with red.

06:10

So if we wanted to have the biggest impact on improving

06:13

our security, we may want to start with the locations

06:16

and security requirements marked in red,

06:18

and then move to the ones marked in yellow,

06:20

and then finally the green.

06:22

The report obviously will include extensive details

06:25

about why these colors were used and provide

06:28

a summary of how we can implement

06:30

security controls to better meet the goals of these baselines.