Perform a gap analysis of your organization's security

All companies should perform a gap analysis of their systems' security on a yearly basis, and they should use the results to adjust their security strategies accordingly. Not sure where to start? Mike Mullins suggests some areas to focus on when conducting a security gap analysis.

Every company should perform an annual gap analysis of its systems' security and use the results to adjust security levels to meet new regulations or growth of the network. Completing a gap analysis means determining the difference between the level of security in place on your network and the level of security that should be in place on your network.

Before you begin a gap analysis, you must first establish an existing set of standards that you can use to judge your network operations. These standards can include any applicable federal or state regulations, standards from the International Organization for Standardization (ISO), recommendations from Control Objectives for Information and related Technology (COBIT), standards from the National Institute of Standards and Technology (NIST), or any other documented best business practices.

It can be difficult to internally assess security due to the size and complexity of your network or the lack of time and spare talent to do so. In such situations, outsourcing this analysis is always a possibility.

However, whether you decide to outsource the gap analysis or plan on doing it in-house, there are key areas you should focus on. By concentrating on the following areas, you can improve your organization's security strategy and make sure your company meets any existing legal requirements.

Policies and procedures

Every job starts with paperwork, and networks are no different. You must maintain accurate documentation on the physical makeup of your network in some form. These drawings can be elaborate, electronic renditions or pencil and paper sketches. The important thing is that you have them because they're necessary if you ever face a legal audit.

User policies are also an absolute necessity. You must specify in writing what the organization considers both acceptable and unacceptable activity on the network. Without this written policy, you have no legal justification to stop activity that's potentially harmful to your organization's network. For example, if you don't want users loading games and running their own file-sharing servers, spell it out in writing.

And don't stop with your users. You also need to define expectations and boundaries of the employees who administer your network—in writing, of course.

Remember: Performance standards and standards of conduct pertain to everyone in the company. Establish guidelines that define the business purpose and responsibilities of everyone involved in your network—from the CEO to the lowest position on your network staff. In addition, create policies and procedures to document every activity on your network.

Most important, include a periodic review of each document. A policy isn't going to do you much good if it's obsolete. If no one's taken the time to update it, it's doubtful anyone is bothering to actually follow it.

After you've buried yourself in paperwork, the fun really begins.


Now it's time to look under the hood and determine whether your network is performing to the standards by which you've chosen to judge your operations. For example, all of your security devices should be running the latest version of software with applicable patches, or you must have a documented migration strategy that incorporates any budgetary constraints or training constraints that hamper your efforts to modernize.

In addition, document the settings of all of these devices. That includes every hole you've poked in the firewall and every allow statement in your routers.

When you've finished documenting, you'll have an application traceability matrix. From this point forward, when someone asks why you allow port X and deny port Y, you can easily demonstrate the business reason for the rules you maintain.
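As an added illustration (not code from the column), the script below reconciles a firewall's live allow rules against the application traceability matrix described above and reports three kinds of gap: open ports with no documented business reason, documented allows that no longer exist in the firewall, and justifications overdue for the periodic review the column calls for. The rule format, matrix rows, owners, dates and the one-year review period are all constructed assumptions.

```python
"""Added example: reconcile live firewall allow rules with a traceability
matrix.  Rule syntax, matrix rows, names and dates are constructed."""
from datetime import date, timedelta

# Constructed firewall allow-list, one rule per line: allow <proto> <port> <label>
FIREWALL_RULES = """\
allow tcp 443 dmz-web
allow tcp 22 mgmt-jump
allow udp 53 dns-resolver
allow tcp 8080 legacy-app
"""

# Constructed traceability matrix: (proto, port, business owner, justification, last review)
TRACE_MATRIX = [
    ("tcp", 443, "e-commerce", "public web storefront", date(2024, 3, 1)),
    ("tcp", 22, "netops", "admin access via jump host", date(2022, 1, 15)),
    ("udp", 53, "netops", "internal DNS resolution", date(2024, 3, 1)),
    ("tcp", 25, "mail team", "decommissioned SMTP relay", date(2023, 6, 1)),
]

TODAY = date(2024, 6, 1)  # constructed assessment date

def parse_rules(text):
    """Return {(proto, port): label} for every well-formed 'allow' line."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "allow":
            rules[(parts[1], int(parts[2]))] = parts[3]
    return rules

def gap_report(rules, matrix, today, max_age_days=365):
    """Compare live rules with documented justifications.
    undocumented: open ports with no business reason on file.
    stale_docs:   documented allows that no longer exist in the firewall.
    overdue:      live, documented allows not reviewed within max_age_days."""
    documented = {(p, port): (owner, why, reviewed) for p, port, owner, why, reviewed in matrix}
    undocumented = sorted(k for k in rules if k not in documented)
    stale_docs = sorted(k for k in documented if k not in rules)
    overdue = sorted(k for k, (_, _, reviewed) in documented.items()
                     if k in rules and today - reviewed > timedelta(days=max_age_days))
    return {"undocumented": undocumented, "stale_docs": stale_docs, "overdue": overdue}

if __name__ == "__main__":
    for finding, items in gap_report(parse_rules(FIREWALL_RULES), TRACE_MATRIX, TODAY).items():
        print(f"{finding}: {items}")
```

Each finding maps directly to an action item: justify or close the undocumented port, retire the stale matrix entry, and re-review the overdue rule.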

After you've scoped out your network operations on paper, it's time to test your security with audits and penetration tests. The results from these tests should verify that your devices are performing as you've configured them and that your protection is solid according to your overall security plan.

If your network has an intrusion detection system (IDS) in place and you're logging all of your security information to secure servers, you should also have a wealth of information about the actual performance and operational characteristics of your network. You can use this information to tune your security devices toward a rock-solid perimeter, and the same logs provide pertinent information during security incidents.

Final thoughts

Defining the scope of your gap analysis is typically the hardest part. If necessary, break up your analysis into different phases, and perform each section as your time and budget allow.

It really doesn't matter who performs the gap analysis. Whether you perform it in-house or outsource it, what matters is that whoever performs it does so properly. Your ultimate goal is to use the results to define actionable items for correction and/or possible rewards for the people who protect and defend your network on a daily basis.


Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
