Security Assessments (Gap Analysis) are conducted for your benefit, to allow you to establish a baseline or understand how you would score in an audit against a specific governance framework (NIST CSF, SOC 2, ISO 27001, etc.). Upon completion, your organization will have an understanding of what aspects of the assessed framework are implemented and operating effectively, and what aspects require additional work.
The process is organized in multiple phases:
Examine all relevant documentation to determine what aspects of the framework are currently in place. Analysis of the documentation allows the consultant to understand the maturity level of the program and identify areas to improve beyond compliance with the assessed framework. Documents may include, but are not limited to:
- Incident Response and Disaster Recovery (BCDR) Plans
- Organizational Chart
- Employee Handbook
- Technical Controls
- Network Diagrams
- Compliance Reports
- Application Assessment Reports
- Pen Testing Reports
- Vulnerability Scans
- Policies, Standards, Guidelines, Procedures
Conduct interviews with key stakeholders at the organization. These stakeholders will answer questions relating to specific aspects of the framework as well as the overall security posture. Interviewees may include, but are not limited to:
- Director of Security/Director of IT
- Security Architect
- Network Administrator/Engineer
- Server Administrator/Engineer
- Desktop Support
- Legal and Compliance
- SOC Team
- Development Team
- IT Operations Team
- Senior Leadership
- Human Resources
After the interviews are complete, the consultant will review the notes and ask for any follow-up documentation. Additional interviews may be necessary based on clarifying documentation. The consultant will attempt to continue clarifying any findings to increase the accuracy of the report.
Reports: upon completion of the assessment, the consultant will capture the results in a report, including:
- Executive Summary
- Assessment Findings
- Remediation Recommendations
- Remediation Roadmap
Debrief: once the deliverable has been received, the consultant will schedule a debriefing meeting to discuss the results of the assessment. During this phase, the consultant will work with you to determine any necessary changes to the report. When changes are complete, the consultant will finalize the report and finish the project.
The security assessment report can be used as an Audit Readiness report. You can use this report to determine how well you stack up against a particular compliance framework, and what actions need to be taken to achieve 100% compliance.
At Prodigy 13, the security assessment (gap analysis) is the first step of our process and is offered as a complimentary service to all of our current clients.