How to perform IT Gap Analysis & High-Level Risk Assessment
IT Gap Analysis Assessment
IT Gap Analysis is a powerful tool. It helps enterprises proactively identify weak areas (or open doors) and presents a rational approach to filling those gaps. These gaps can range from an end-user laptop/desktop to enterprise firewall systems. Therefore, identifying and addressing such gaps is essential for the company's progress. A typical IT Gap Analysis highlights the following:
- What is the gap about
- What is the risk associated with the gap
- What is the probability of exploiting the gap
- How can we fix the gap
IT Gap Analysis starts with brainstorming sessions involving team leaders, the CTO, CIOs, and other key personnel. Here are the basic steps to conduct the analysis.
1. Identify the Scope of assessment
Identify the technology area to be analyzed and outline the scope. It can be about:
- Achieving Zero Trust for your enterprise
- Enhancing the performance, availability, or security of the IT infrastructure systems
- Setting up a BCP & DR plan
2. Establish the Goals (Ideal Future State)
Listing the company's strategic IT goals is essential. Setting goals helps review current system capabilities, understand future needs, and build a roadmap for acquiring the resources to meet those needs. The goals should take a broader view than merely enhancing internal efficiency. Outlined goals should align with the expectations of stakeholders and consumers. These efforts streamline the company and push it in a forward direction.
3. Take note of the current state
A complete inventory assessment includes human resources – employees, age, experience, unique skillset, familiar tools, and others. In addition, highlighting benchmarks and performance metrics can come in handy. Finally, every team participating in the exercise should clearly understand procedures, techniques, and strategies for collecting and assessing data. It is critical to follow this approach, as these inputs affect the fate and fortune of the workforce, stakeholders, and the company.
4. Outlining the Gaps
After establishing goals and listing the inventory, it is easier to identify the gaps. For example, adopting a 'scoring system' for every procedure can surface its drawbacks. Likewise, a SWOT analysis of every product, a skillset review of every employee, and an understanding of the costs associated with product development can expose grey areas.
5. Rational Solutions
Finding a way to close the gaps requires a holistic approach, both technical and managerial. For instance, introducing a new toolkit involves spending upfront. Therefore, it is crucial to properly understand the trade-offs (redesign or replace) in such scenarios. In addition, proper planning of asset requirements can help meet the budget without falling short of security standards and compliance requirements.
It's a collaborative act:
While a small group might lead, an IT Gap Analysis is a collaborative exercise that involves every individual contributing to the company's revenue. Observations and recommendations from individuals outside the small group can reveal how well the proposed measures align with reality. In addition, group and one-on-one conversations between the teams can help identify gaps that otherwise might slip through.
High-Level Risk Assessment
IT systems across the board process and store highly sensitive data. Internet connectivity to these systems makes doing business a breeze. Unfortunately, this comes at high risk. Yes! Every IT infrastructure with an active internet connection is a target for cybercriminals. Moving troves of data in such a perilous environment is quite frightening. While a company can take a zillion steps to secure data, it is vital to understand the assessment and segregation of data and the Action Plan in place during a cyber-attack.
Broadly, we can break down the risk assessment into the following:
- Quantitative & Qualitative Assessment
- Threat Event Assessment
- Risk Management Action Plan
- Incident Response and Recovery Plan
Quantitative & Qualitative Assessment:
Systems that process and store sensitive data run on a quad-redundant setup, with multiple backups syncing in real time. Despite many industry-standard practices, systems still fail due to mechanical or software faults. In addition, cybercriminals are capable of bringing down the hardware infrastructure. In such scenarios, understanding the loss of valuable data and hardware, and the frequency of risk occurrence, is essential. Quantitative assessment includes the count of phishing emails received, data stolen/lost, and the number of cybersecurity incidents by time and year.
Primarily based on opinion, the qualitative assessment gives insights into categorizing the risk level for each event. This assessment helps the security team mitigate, accept, or transfer certain types of risks. It includes the strategy chosen by the enterprise to tackle cybersecurity threats, a risk management protocol, and an in-depth analysis of high-risk threats.
Risk Management Action Plan:
A Risk Management Action Plan includes several steps, each with specific pre-determined inputs and analyzable outputs. They are:
1. Threat identification
Sources like FedCIRC (Federal Computer Incident Response Center), OIG (Office of Inspector General, US, for cybersecurity), NIPC (National Infrastructure Protection Center), and mass media help greatly in threat identification. Keeping track of network interference, interception (of data), and impersonation (misuse of credentials) is the key to neutralizing or mitigating the risk.
2. Vulnerability identification
This step includes reviewing previous risk assessment reports, testing security installations and upgrading them, qualitative and quantitative likelihood determination (rare to highly likely), and risk determination. Drafting a list of possible vulnerabilities, understanding their security requirements, and analyzing test results assist in vulnerability identification.
3. Impact Analysis
Using a 'Risk Matrix' table to classify each risk by its occurrence and impact, together with the actual value of the assets, their sensitivity, the processes that depend on them, and each asset's objective, helps establish control measures. In addition, preparing a comprehensive BIA (Business Impact Analysis) can help determine the impact on integrity and confidentiality across the organization. Finally, an impact rating helps the non-technical workforce understand the company's security and risk assessment outlook.
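The following is an added example, not code from the original article, that puts steps 2 and 3 together: it maps the article's "rare to highly likely" likelihood scale and an impact scale onto a risk matrix, assigns each register entry a rating band and one of the treatment options the article names (mitigate, accept, transfer, avoid), and adds a quantitative figure using the standard Annualized Loss Expectancy formula (single loss expectancy times annual rate of occurrence), which the article does not name but which covers the "loss of valuable data, hardware, and frequency of risk occurrence" it asks for. The scale values, the band thresholds, the treatment mapping and the sample register are all constructed assumptions; real organisations set their own.

```python
"""Risk matrix scoring plus a simple quantitative estimate for a high-level risk assessment.

Added example; not code from the original article. The scales, thresholds,
treatment mapping and the sample risk register are all constructed.
"""
from dataclasses import dataclass

# Qualitative likelihood scale: the article's "rare to highly likely" range mapped to 1..5.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "highly likely": 5}
# Qualitative impact scale for the affected asset (1..5).
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk-matrix bands: (minimum score, band name). Thresholds are an assumption.
BANDS = ((15, "critical"), (8, "high"), (4, "medium"), (1, "low"))

# Treatment suggested per band (assumed mapping, using the options the article names).
TREATMENT = {
    "critical": "mitigate or avoid",
    "high": "mitigate",
    "medium": "mitigate or transfer",
    "low": "accept",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    asset_value: float       # replacement cost of the asset (constructed figure)
    exposure_factor: float   # fraction of asset value lost per event, 0..1
    annual_rate: float       # expected events per year (annual rate of occurrence)


def matrix_score(likelihood: str, impact: str) -> int:
    """Position in the risk matrix: likelihood x impact, giving 1..25."""
    return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]


def rating(score: int) -> str:
    """Map a matrix score onto a band name using the BANDS thresholds."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score out of range: {score}")


def annualized_loss(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """ALE = single loss expectancy (asset value x exposure factor) x annual rate of occurrence."""
    single_loss = asset_value * exposure_factor
    return single_loss * annual_rate


def assess(register: list[Risk]) -> list[dict]:
    """Score every register entry and return rows sorted highest-risk first."""
    rows = []
    for r in register:
        score = matrix_score(r.likelihood, r.impact)
        band = rating(score)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "score": score,
            "rating": band,
            "treatment": TREATMENT[band],
            "ale": round(annualized_loss(r.asset_value, r.exposure_factor, r.annual_rate), 2),
        })
    # Qualitative score first, quantitative ALE as tie-breaker.
    rows.sort(key=lambda row: (row["score"], row["ale"]), reverse=True)
    return rows


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    Risk("Customer database", "Credential misuse", "likely", "severe", 500_000, 0.6, 0.5),
    Risk("Payroll server", "Disk failure", "possible", "major", 40_000, 1.0, 0.2),
    Risk("Marketing website", "Defacement", "highly likely", "minor", 10_000, 0.3, 2.0),
    Risk("Printer fleet", "Firmware exploit", "rare", "negligible", 5_000, 0.1, 0.1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["rating"]:>8}  score={row["score"]:>2}  ALE={row["ale"]:>10,.2f}  '
              f'{row["asset"]}: {row["threat"]} -> {row["treatment"]}')
```

Running it prints the register with the customer database at the top (score 20, critical, ALE 150,000.00) and the printer fleet at the bottom (score 1, low, ALE 50.00). Keeping the qualitative band and the quantitative ALE side by side is the point: the band drives the treatment decision that non-technical staff can follow, while the ALE gives the number needed to argue that a control's cost is justified.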
Incident Response and Recovery Plan:
Assessment should include simulation of realistic situations, such as an attacker gaining partial access to the systems after a successful infiltration. Under these circumstances, mitigating is often the preferred option. However, if need be, an enterprise should avoid a particular procedure altogether because of its security posture. Similarly, enterprises can share risk with other entities by opting for insurance and other measures.
Understanding the system security architecture, network topology, current security controls, procedures, and information flow across devices is vital in a high-level risk assessment. In addition, documenting recovery and contingency plans and security procedures, and developing an incident response plan, are also part of the risk assessment plan.