If you have spent any time around information technology or people who work in information security, you have probably heard terms like “risk assessment”, “audit”, and “gap analysis”. Sometimes they are used almost interchangeably. However, each has a specific objective to help stakeholders understand their data environment.
While an audit is used to identify control effectiveness and a risk assessment can identify what controls can be implemented to reduce risk, the gap analysis is designed to do exactly what it states – to identify gaps between the current environment and the organization’s required or desired state. This may be a specific regulatory compliance objective, such as how the organization meets the requirements of the HIPAA Security and Privacy Rules or PCI-DSS. In many cases, an organization may want to be able to claim that they are compliant with an information security standard, such as ISO27001. In other instances, the organization may have developed a roadmap for where they plan to be in the future, and want to identify the current progress and next steps. A gap analysis can provide essential feedback for all three examples.
The gap analysis begins with understanding your objective.
You must clearly define the expectation and an appropriate timetable. If your organization falls under regulatory scrutiny, the expectation is usually defined by the regulatory body. For healthcare, it typically falls under the Office of Civil Rights (OCR) or Health and Human Services (HHS). The financial industry was not happy with one regulatory agency, so multiple regulatory agencies were created. Credit unions are typically monitored by the National Credit Union Administration (NCUA). The Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve oversee small and medium-sized banks. Each regulatory body has defined requirements for participating members. They also will define the timetable for members to comply, with financial and operational consequences for non-compliance.
Information security standards will also define the expectation. NIST, ISO, COBIT, and COSO all define the objectives for certification, but do not provide specific control requirements.
If an organization is looking to expand services or product offerings, a gap analysis provides a path to a defined target or objective. It is up to the organization to clearly define and consistently communicate the objective and timetable.
The gap analysis identifies your current position.
The organization has identified where they want to be. However, to understand the gap between the objective and current state, the organization needs to have an understanding of where they currently are positioned in order to identify the gap. If you have ever set a personal goal such as weight loss or preparing for a 5K or marathon, you know it is necessary to understand your current situation so that you can properly prepare and set realistic goals to meet the overall objective. The same scenario exists in the gap analysis. In some cases, you may find you are already meeting or exceeding the objectives while falling short in other areas.
The gap analysis identifies the distance between the organization’s current position and the objective.
Now that the organization has defined where they hope to be and understand where they are, we can identify the distance between the two points and possible roadblocks that are in place. Regulated entities can use the information to immediately move to the next step gap analysis, which is to create improvement plans to close the gaps. For instances where the organization wants to align to a specific security standard or expand into other services and product offerings, the gap identification is useful in two ways. First, the gap analysis can quantify the distance between the current state of the organization and the desired state. This can assist leadership in deciding if a security standard certification or expansion is worth the investment before the process begins. Second, the gap analysis can help identify areas that need the most attention and improvement so that resources can be directed to improve those areas. The gap analysis can provide meaningful insight to decision-makers on how to approach the objective, the amount of time that should be allotted to reach the objective, and the resources required to meet the objective.
The gap analysis can be used to create improvement plans or roadmaps to reduce or eliminate the gap.
The improvement plan should set realistic goals and timelines to complete projects based on the resources available. For regulated organizations, it may mean throwing all available resources at closing the gap for a regulator or negotiating with the regulating agency as to an appropriate timeline and milestones based on the available resources. Regardless if the organization is regulated or not, once an improvement plan has approved, deadlines and resources should be monitored to ensure that the gaps will be remediated in the timeframe and within the budget constraints as projected. Part of the improvement process should include an ongoing gap analysis of the plan or roadmap.