There is much debate (as well as many misconceptions) about audit and compliance under the IT Act, 2000 as amended by the IT (Amendment) Act, 2008. In actuality, it is a fact-finding or GAP analysis technique used to find loopholes in existing processes, policies, procedures and systems. Here are three steps that will help you address these concerns as well as draft a GAP analysis checklist for the IT (Amendment) Act, 2008.
Step 1 - Security policy GAP analysis
This step reviews security systems against security policies and procedures. It looks for system
weaknesses as well as vulnerabilities, and provides a comprehensive report on the current
information security, network security, and preparedness status of your organization.
Two types of GAP analysis can be conducted as part of this step. These are:
Onsite GAP analysis: It is important that your organization has the desired level of protection from intrusions, internal threats and misuse of technology by employees. An onsite GAP analysis should therefore be conducted once or twice a year, depending on the nature of your business.
Offsite GAP analysis: An off-site GAP
analysis checklist can protect the institution from unforeseen and unexpected risks, especially
external risks, external threats, or from rival companies. This should be biannual in frequency.
Companies can conduct two types of offsite GAP analysis— either a security analysis or a policy
analysis.
(i) Security analysis: This provides an independent review of security systems and looks for
weaknesses against industry best practices. Some of the best practices that can be included in this
GAP analysis checklist are:
• Schedule II of the Information Technology Act, 2000 as amended by the IT (Amendment) Act, 2008
• Standard operating procedures (SOPs) released by the Information Security Forum
• ISO 27001
• COBIT
• ISO/IEC 27005:2008 - Information technology - Security techniques - Information security risk management
• DSCI – Data security framework (pilot implemented by TCS BPO and Tech Mahindra)
(ii) Policy analysis: This part of your GAP analysis checklist tests against the
organization's established security policy.
[Table: "Checklist for security analysis" / "Activities under policy analysis"; table contents not present in this copy]
Details of both GAP analyses should be well documented and should describe:
• The methodology adopted for the GAP analysis
• Summarized findings ranked by priority (HIGH, MEDIUM, LOW) with respect to business functionality, goals and objectives
• Recommendations for corrective action, in order of priority
An advantage of using a GAP analysis checklist regularly, with respect to new compliance, legal and regulatory requirements, is that it lets you know whether information security programs and systems are Maintained, Implemented and Documented (MID) in their current state. This GAP analysis checklist also ensures that framed and drafted policies are actually in use.
Step 2: Risk assessment
The results of a GAP analysis can establish a baseline for security programs. The next course of
action in your GAP analysis
checklist should be a risk assessment (RA). This is sometimes clubbed with the GAP
analysis.
An RA provides an overview of the computing and network environment, as well as the existing
preparedness with respect to security. This process can:
- Identify threats to the organization's security
- Buffer impact of risks to the business
- Provide physical security, application security, network security and operational security for
additional preparedness
Activities in risk assessment
• Conduct interviews with staff and the concerned persons to better understand the business
• Review previous incidents, breaches and business impacts, if available
• Conduct a detailed site observation
• Analyze aspects such as IS architecture and configuration
• Review documentation
• Review network connectivity
• Review the implementation of access controls
• Analyze existing security policies and procedures
Issues are addressed depending upon the scope of the assessment. You can also refer to ISO 31000:2009, which provides principles and generic guidelines on risk management.
A good RA should address hardware and software configurations, access control, intrusion detection
(and response), data security, current security policies/procedures and business continuity
plans.
Step 3: Internal vulnerability assessments
A GAP analysis and RA address security at an enterprise level. Next in your GAP
analysis checklist is an internal vulnerability assessment (IVA) that helps you locate,
identify and ultimately mitigate the risks posed by inadequate security through internal corporate
networks.
This activity of the GAP analysis checklist progresses beyond routine work performed by standard
scanners and other testing devices. It applies test results and recommendations to a company's
specific environment and business goals.
The scope of IVA testing includes:
1. A high-level architectural review of a company's system
2. Review of a company's internal infrastructure
3. A detailed, hands-on, system-by-system evaluation of the company's security
status
You can reduce or eliminate uncertainty and false alerts by supporting findings with concrete as
well as empirical testing as part of your GAP analysis checklist. The goal is to identify known
security issues with routers, servers, desktops, and network hardware.
Additional steps in your GAP analysis checklist include a physical infrastructure review and an analysis of policies and physical procedural controls. The main aim is to identify weaknesses that could result in a security breach or loss of service. This is not exhaustive, and attempts to do whatever is best with the existing system.
About the author: In his professional capacity, Vicky Shah provides consulting and advisory services for information security practices, information security awareness, research, corporate fraud investigations, incident handling and response, computer forensics services, cyber crime prevention methodology as well as training. He can be contacted on vicky@cybercrimes.in.
This was first published in August 2010