Standards to Support Gap Analysis
Introduction
A standards-to-support gap analysis is the process of comparing the present state of IT technology
with the desired state and then creating a strategy for how the gap will be closed. The "what" and
"when" of IT technologies, networks, and architecture are only the beginning of a gap analysis.
Having a clear understanding of the "why" and "how" of the benefit of updating technology is
essential. Technology tends to evolve more quickly than any other aspect of a company's
operations. As a result, every institution is under ever more pressure to keep up with the constantly
changing technological landscape. In order to secure your company and consumer data, you must
also fulfill safety requirements and obligations. It is difficult for most IT teams to take a step
back from their day-to-day work to thoroughly evaluate existing tooling and system capabilities
and to analyze future needs. However, if you want to construct a digital strategy that keeps
moving the business forward, this is a critical step. Setting goals for the future requires a clear
understanding of where you are now and where you want to go (Turskis et al., 2019). An effective
gap analysis lets you minimize development time, iterate more quickly as an organization, and
better fulfill user and business goals. The objective is to find small ways to enhance
IT tools and procedures. Improved corporate performance, team productivity, and customer
satisfaction are all possible outcomes of these changes.
Gap Analysis Matrix
| Information Security Requirement | Critical Level of the Requirement | Level of Compliance | Responsible Organization | Findings | Recommendations |
|---|---|---|---|---|---|
| Confidentiality | Essential | Level one compliance | NIST | The organization was compliant | Maintaining or increasing the level of confidentiality |
| Integrity | Essential | Level one compliance | NIST | Organization had data integrity | Maintaining the level of integrity |
| Availability | Very essential | Level one compliance | ISO | Compliant | Maintaining the level of availability |
| Authenticity | Very essential | Level two compliance | ISO | Compliant | Maintaining the level of authenticity |
| Encryption | Essential | Level two compliance | GDPR | Compliant | Strengthening security measures |
| Non-repudiation | Less essential | Level two compliance | NIST | Non-compliant | Non-repudiation required |
| Information security risk management | Less critical | Level one compliance | ISO | Non-compliant | Risk management required |
| Vulnerability management | More critical | Level three compliance | ISO | Non-compliant | Vulnerability management required |
| Secure coding | More critical | Level three compliance | NIST | Non-compliant | Extra measures required |
| Third party vendor security compliance | Critical | Level three compliance | NIST | Non-compliant | Third party vendor compliance required |
Recommendations for the Non-Compliant Requirements
For the non-compliant requirements, it is important to continually perform system
hardening and patching to ensure that all information security requirements are kept up to
date. Missing patches are one of the things that IT auditors' assessments detect. Patch management
is, however, only one component of the comprehensive strategy that a company must put in place.
Your patch management program should include policies and processes for releasing updates,
the frequency with which systems will be evaluated, the time requirements for releasing a critical
patch, and testing needs and techniques. Tools for identifying missing patches or vulnerabilities
should be included, as should training on anti-virus, file integrity monitoring (FIM), and log
examination, among other things (Haji, Tan, & Costa, 2019). Vulnerability detection is an
effective way to keep your systems secure and meet regulatory requirements. Your
approach should include monitoring numerous sources for security flaws, reviewing vendor sites
for updates and patches, risk-grading detected vulnerabilities according to their relevance to your
company, and researching methods for spotting zero-day attacks.
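The patch management program described above has a few concrete pieces: a tool that identifies missing patches, a time requirement for deploying a patch of a given severity, and a risk grade that relates each vulnerability to the company's own environment. The following script is an added illustration of those pieces working together; it is not part of the paper and not from any of the cited standards. The inventory, advisory identifiers (ADV-0001 and so on), SLA day counts, and scoring weights are all constructed assumptions chosen for the example.

```python
"""Minimal patch-status check: which hosts are missing which fixes, how
urgent each one is for this organization, and whether the policy deadline
for deploying the fix has already passed. All data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Policy (assumed): maximum days between advisory publication and deployment.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Risk grading inputs (assumed): vendor severity weighted by host exposure,
# so the same flaw on an internet-facing host outranks it on an internal one.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_FACTOR = {"internet-facing": 2, "internal": 1}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real CVE
    package: str
    fixed_version: str    # first version containing the fix
    severity: str
    published: date


@dataclass(frozen=True)
class InstalledPackage:
    host: str
    exposure: str
    package: str
    version: str


def parse_version(text: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def is_missing_patch(pkg: InstalledPackage, adv: Advisory) -> bool:
    """A package is unpatched if it is the affected package and older than the fix."""
    return (pkg.package == adv.package
            and parse_version(pkg.version) < parse_version(adv.fixed_version))


def risk_grade(adv: Advisory, pkg: InstalledPackage) -> int:
    """Company-specific grade: vendor severity scaled by the host's exposure."""
    return SEVERITY_SCORE[adv.severity] * EXPOSURE_FACTOR[pkg.exposure]


def evaluate_patch_status(inventory, advisories, today: date) -> list:
    """Return one finding per (host, missing advisory), most urgent first."""
    findings = []
    for pkg in inventory:
        for adv in advisories:
            if not is_missing_patch(pkg, adv):
                continue
            deadline = adv.published + timedelta(days=PATCH_SLA_DAYS[adv.severity])
            findings.append({
                "host": pkg.host, "package": pkg.package, "installed": pkg.version,
                "advisory": adv.advisory_id, "fixed_version": adv.fixed_version,
                "severity": adv.severity, "risk_grade": risk_grade(adv, pkg),
                "deadline": deadline, "overdue": today > deadline,
            })
    # Highest grade first; among equal grades, the earliest deadline first.
    findings.sort(key=lambda f: (-f["risk_grade"], f["deadline"]))
    return findings


# Constructed sample data: three advisories and two hosts.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.1.1", "critical", date(2019, 3, 1)),
    Advisory("ADV-0002", "nginx", "1.16.0", "high", date(2019, 3, 20)),
    Advisory("ADV-0003", "curl", "7.64.0", "medium", date(2019, 2, 1)),
]
SAMPLE_INVENTORY = [
    InstalledPackage("web01", "internet-facing", "openssl", "1.1.0"),
    InstalledPackage("web01", "internet-facing", "nginx", "1.16.0"),
    InstalledPackage("db01", "internal", "openssl", "1.1.1"),
    InstalledPackage("db01", "internal", "curl", "7.60.0"),
]
ASSESSMENT_DATE = date(2019, 4, 1)


def sample_report() -> list:
    """Run the check over the constructed sample set."""
    return evaluate_patch_status(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, ASSESSMENT_DATE)


if __name__ == "__main__":
    for f in sample_report():
        status = "OVERDUE" if f["overdue"] else "within SLA"
        print(f"{f['host']:6} {f['package']:8} {f['installed']} -> {f['fixed_version']}  "
              f"{f['advisory']} {f['severity']:8} grade={f['risk_grade']} "
              f"due {f['deadline']} {status}")
```

On the sample data the openssl gap on the internet-facing host comes out first with an overdue deadline, while the medium-severity curl gap on the internal host is still within its window; in a real program the inventory would come from the asset management or vulnerability scanning tool and the advisories from the vendor and advisory feeds the text recommends monitoring.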
Conclusion
In summary, a risk assessment helps companies assess and manage circumstances
that breach data security as part of information risk management. In this procedure, a company looks for
vulnerabilities that an attacker may exploit. IT auditors determine the kind of threats these pose and
how they can be prevented from occurring, in order to make sure that the ISMS is performing as
intended. ISO 27001 mandates that security requirements be reviewed, updated, and improved
on a regular basis. A yearly re-evaluation is required to keep up with the ever-changing nature of
the threat environment and the operations of your organization. It is also a good time to look for
ways to strengthen a company's Information Security Management System (ISMS). This
might be done by implementing a new risk control or by moving to a new risk treatment
alternative.
References
Haji, S., Tan, Q., & Costa, R. S. (2019). A hybrid model for information security risk
assessment. Int. J. Adv. Trends Comput. Sci. Eng., (ART-2019-111611).
Turskis, Z., Goranin, N., Nurusheva, A., & Boranbayev, S. (2019). Information security risk
assessment in critical infrastructure: a hybrid MCDM approach. Informatica, 30(1), 187-211.