There is much debate (as well as many misconceptions) about IT Act, 2000 duly amended by IT (Amendment) Act, 2008 audit and compliance. In actuality, this is a fact finding technique or a GAP analysis technique that is used to find out loop holes in existing process, policy, procedures and systems. Here are three steps that will help you address these concerns as well as draft a GAP analysis checklist for IT (Amendment) Act, 2008.
Step 1 - Security policy GAP analysis
This step reviews security systems against security policies and procedures. It looks for system weaknesses as well as vulnerabilities, and provides a comprehensive report on the current information security, network security, and preparedness status of your organization.
Two types of GAP analysis can be conducted as part of this step. These are:
Onsite GAP analysis: It is important that your organization has
the desired level of protection from intrusions, internal threats and misuse of technology
by employees. So an onsite GAP analysis should be conducted once or twice a year depending on your
nature of business.
Offsite GAP analysis: An off-site GAP analysis checklist can protect the institution from unforeseen and unexpected risks, especially external risks, external threats, or from rival companies. This should be biannual in frequency. Companies can conduct two types of offsite GAP analysis— either a security analysis or a policy analysis.
(i) Security analysis: This provides an independent review of security systems and looks for weaknesses against industry best practices. Some of the best practices that can be included in this GAP analysis checklist are:
• Schedule II of Information Technology Act, 2000 duly amended by IT (Amendment) Act, 2008
• Standard operating procedures (SOPs) released by Information Security Forum
• ISO 27001
• ISO/IEC 27005:2008 - information technology - security techniques - information security risk management
• DSCI – Data security framework (Pilot implemented by TCS BPO and Tech Mahindra)
(ii) Policy analysis: This part of your GAP analysis checklist tests against the organization's established security policy.
Checklist for security analysis
|Activities under policy analysis
Details of both the GAP analysis should be well documented as well as describe:
• Methodology adopted for the GAP analysis
• Summarized findings into priority (HIGH, MEDIUM, LOW) with respect to business functionality, goals and objectives
• Recommendations for corrective action in terms of priority
An advantage ofusing a GAP analysis checklist regularly with respect to new compliance, legal and regulatory requirements helps in knowing that information security programs and systems are Maintained, Implemented, Documented (MID) in its current state. This GAP analysis checklist also ensures that framed and drafted policies are in use.
Step 2: Risk assessment
The results of a GAP analysis can establish a baseline for security programs. The next course of
action in your GAP analysis
checklist should be a risk assessment (RA). This is sometimes clubbed with the GAP
An RA provides an overview of the computing and network environment, as well as the existing preparedness with respect to security. This process can:
- Identify threats to the organization's security
- Buffer impact of risks to the business
- Provide physical security, application security, network security and operational security for additional preparedness
Activities in risk assessment
• Conducting interviews with staff and concern person to better understand business
• Review previous incidents, breaches and business impacts if available
• Conduct a detailed site observation
• Perform analysis of aspects like IS architecture and configuration
• Documentation review
• Network connectivity review
• Implementation of access controls review
• Analyze existing security policies and procedures
Issues are addressed depending upon the scope of assessment. You can also refer to ISO 31000:2009 that provides principles and generic guidelines on risk management.
A good RA should address hardware and software configurations, access control, intrusion detection (and response), data security, current security policies/procedures and business continuity plans.
Step 3: Internal vulnerability assessments
A GAP analysis and RA address security at an enterprise level. Next in your GAP
analysis checklist is an internal vulnerability assessment (IVA) that helps you locate,
identify and ultimately mitigate the risks posed by inadequate security through internal corporate
This activity of the GAP analysis checklist progresses beyond routine work performed by standard scanners and other testing devices. It applies test results and recommendations to a company's specific environment and business goals.
The scope of IVA testing provides:
1. A high-level architectural review of a company's system
2. Review of a company's internal infrastructure
3. A detailed, hands-on, system-by-system evaluation of the company's security status
You can reduce or eliminate uncertainty and false alerts by supporting findings with concrete as well as empirical testing as part of your GAP analysis checklist. The goal is to identify known security issues with routers, servers, desktops, and network hardware.
Additional steps in your GAP analysis checklist include a physical infrastructure review and an analysis of policies and physical procedural controls. The main aim is to identify weakness that could result in a security breach or loss of service. This is not exhaustive, and attempts to do whatever is best with the existing system.
About the author: In his professional capacity, Vicky Shah provides consulting and advisory services for information security practices, information security awareness, research, corporate fraud investigations, incident handling and response, computer forensics services, cyber crime prevention methodology as well as training. He can be contacted on firstname.lastname@example.org.
You can follow our Twitter feed at @SearchSecIN
This was first published in August 2010