Compliance Solutions Gap Analysis
A Gap Analysis can be a standalone project or in most cases combined with a Road Map Strategy development. It identifies the gaps in current practices and best practices. Many organizations have never quantified and identified the weakness in their security processes and where they should be according to best practices. This is a critical step in reducing future threats to the organization. If a Gap Analysis has been done, typically it is only focused on security tools, not the business processes used or the business function required. A complete Gap Analysis has to focus on people, process and technology.

Solution

Our solution uses quantitative and qualitative methods to define your current state and future state of your security environment. We determine how your organization maps to best practices and the steps needed to get to the next level of security and maintain a robust security environment as change occurs. A Gap Analysis identifies deficiencies and correlated them to practical solutions. A baseline for your future security architecture will be developed after the analysis is complete. The Gap Analysis will develop best practices unique to your environment that can be used to implement controls over the following areas:

  • Regulatory compliance requirements (ISO, 201 CMR 18.00, CoBIT, HIPAA, SOX and PCI SAQ)
  • Existing policies, procedures and standards
  • Software security development life cycle processes
  • Access controls and user provisioning processes
  • Change control and configuration management
  • Business continuity related to security
  • Vulnerability management processes
  • Asset identification processes
  • Risk management processes
  • Incident handling processes
  • Endpoint architecture
  • Remediation processes
  • Physical security processes

How the Process Works

First we analyze the current security processes and gain an understanding of current practices. Gaps between existing processes and targeted best practices are determines and solutions proposed. Identifying business risks associated with current practices is as important as identifying technology gaps. Through interview process and review of documentation around practices, we provide a phased approach to closing the gaps and providing steps to ensure those gaps do not occur again.