0 / 16 flipped
Gap Analysis
Tap to reveal
Compares current security posture (where we are) to a desired baseline (where we want to be). Identifies gaps and creates a remediation roadmap.
Baseline
Tap to reveal
The target security standard used in a gap analysis. Examples: NIST SP 800-171, ISO/IEC 27001, or a custom organizational framework.
NIST SP 800-171
Tap to reveal
"Protecting Controlled Unclassified Information in Nonfederal Systems." US government baseline for organizations handling CUI. Revision 2 is commonly referenced.
ISO/IEC 27001
Tap to reveal
International standard for Information Security Management Systems (ISMS). Used globally as a gap analysis baseline for any type of organization.
People Evaluation
Tap to reveal
Assessing IT security staff: formal security experience, training received, knowledge of security policies. People gaps are as important as technology gaps.
Process Evaluation
Tap to reveal
Comparing existing IT systems and security procedures against baseline requirements. Identifies where documented processes are missing or insufficient.
Gap Analysis Report
Tap to reveal
The final output. Contains: current vs. desired state comparison, color-coded matrix, identified gaps, and a remediation roadmap with costs and timeline.
Traffic Light (Red/Yellow/Green)
Tap to reveal
Color coding for gap analysis results. π΄ Red = significant gaps, urgent. π‘ Yellow = partial compliance. π’ Green = close to baseline. Start remediation with Red.
Change Control
Tap to reveal
Formal process for approving and implementing changes. Required during gap remediation to prevent disruptions when applying security improvements to production systems.
Remediation Roadmap
Tap to reveal
The plan for closing identified gaps. Specifies: what actions to take, estimated costs, required equipment, timeline, and change control requirements.
CUI
Tap to reveal
Controlled Unclassified Information. Government-related information requiring protection but not classified. Organizations handling CUI must comply with NIST SP 800-171.
How long does a gap analysis take?
Tap to reveal
Commonly weeks, months, or even years for large organizations. Involves extensive data gathering, interviews, and documentation across all departments and locations.
What does gap analysis compare?
Tap to reveal
Current state (what we have today) vs. Desired state (what the baseline requires). The difference = the gap that needs to be closed.
First Step of Gap Analysis
Tap to reveal
Define the baseline. You cannot measure any gap without first establishing the desired target state.
Gap Analysis vs. Penetration Test
Tap to reveal
Gap analysis = compare processes/controls to a baseline standard (documentary, no active attacks). Penetration test = actively attempt to exploit vulnerabilities (technical attack simulation).
Privileged Access Management
Tap to reveal
Controls for admin/elevated access. A key sub-requirement evaluated in gap analyses β who has privileged access and is it justified?