Chapter 5 Β· Helper 1

Glossary of Terms

Key vocabulary for Gap Analysis.

Gap Analysis
A structured assessment comparing an organization's current security posture (current state) against a defined target (desired state/baseline) to identify areas where security falls short and plan remediation.
Current State
The actual security posture of an organization at the time of the assessment β€” what controls, processes, and capabilities exist today.
Desired State
The target security posture defined by the chosen baseline framework (NIST, ISO, custom). What the organization aims to achieve.
Baseline
The reference framework or standard used as the target for the gap analysis. Common baselines: NIST SP 800-171, ISO/IEC 27001, or organization-specific requirements.
NIST SP 800-171
National Institute of Standards and Technology Special Publication 800-171, Revision 2. Title: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." A common baseline for gap analyses involving CUI.
ISO/IEC 27001
International Organization for Standardization / International Electrotechnical Commission standard for Information Security Management Systems (ISMS). Widely used globally as a baseline for gap analyses.
Controlled Unclassified Information (CUI)
Information the US government creates or possesses that requires safeguarding but is not classified. Organizations handling CUI must comply with NIST SP 800-171.
Access Control Requirements
One of the major security categories in NIST 800-171. Requires limiting system access to authorized users, processes, and devices. Broken down into sub-requirements including user registration, access provisioning, privileged access management, and access reviews.
User Access Provisioning
The process of creating and assigning access rights to users when they join an organization or change roles. A sub-requirement evaluated in gap analyses.
Privileged Access Management
Controls governing administrative or elevated access rights. A key sub-requirement in gap analyses β€” organizations must track who has privileged access and justify it.
Change Control
A formal process for approving, documenting, and implementing changes to IT systems. Required during gap analysis remediation to avoid unintended disruptions when applying security improvements.
Gap Analysis Report
The final document produced by a gap analysis. Contains: current state vs. desired state comparison, identified gaps, color-coded matrix, and a remediation roadmap with costs, timeline, and change control requirements.
Risk Posture
The overall level of risk an organization faces based on its current security controls and vulnerabilities. Gap analysis helps quantify and communicate the risk posture.
Remediation Roadmap
The plan within the gap analysis report that outlines HOW to close identified gaps β€” what actions to take, estimated costs, resource requirements, and implementation timeline.
Security Maturity
A measure of how sophisticated and consistent an organization's security practices are. Gap analyses often reveal maturity levels from ad-hoc (low) to optimized (high).
Traffic Light (Red/Yellow/Green)
Color coding used in gap analysis reports to indicate compliance level: Green = close to baseline, Yellow = partial compliance, Red = significant gaps requiring urgent attention.