How Robust is your IT Security Control?
Businesses are more likely to succeed if they set clear objectives to be achieved over a specified period. These could include earning profit for growth and development, providing quality goods to customers, protecting the environment, and so on. Protecting the information that drives those business objectives is an equally important aspect that businesses must focus on in order to stay competitive and relevant. In the increasingly interconnected environment in which businesses operate, data is exposed to a growing number and wider variety of risks. It is vital that business leaders ensure that information security is well enforced and permeates their organization.
Fundamentally, information security is the application of administrative, physical, and technical controls to protect the confidentiality, integrity, and/or availability of information. With information flowing through a wide variety of channels, the risk of exposure is very high. Threats such as malicious code, ransomware, computer hacking and denial-of-service attacks have become more common, ambitious and sophisticated, making implementing, maintaining and updating information security in an organisation a real challenge. Poor supervision of staff and lack of proper authorization procedures are frequently highlighted as the main causes of security incidents. To prevent security breaches, companies put various controls into place, including some draconian and overarching measures which make routine tasks difficult and cumbersome. At the other extreme are companies that exercise little or no control over access to data, thereby exposing that data to a high degree of risk.
Implementing information security in an organisation can protect the technology and information assets it uses by preventing, detecting and responding to threats, both internal and external.
How To Conduct An Information Security Gap Analysis?
Step 1: Select an industry standard security framework
Many frameworks are available to undertake a security assessment and benchmark an organisation’s security policies and network controls. A commonly used framework is ISO/IEC 27002:2013. This standard provides best practice recommendations on various aspects of information security management. It covers key security areas such as risk assessment, access control, change management, physical security, and others.
Step 2: Evaluate People and Processes
This stage involves obtaining information about the IT infrastructure, IT applications, organizational charts, IT policies and processes, and other relevant details. A good starting point is to involve IT staff, security administrators, anyone who works with the network, servers or workstations, and the leadership, to learn more about the organization’s key objectives.
This stage also involves reviewing and assessing the current security policies, the associated risks, and the direction in which the leadership envisages taking the organization over the short to medium term of 3-5 years.
It is equally important to address staff access rights if the threat to data is to be minimised. The organization needs to re-examine how access for new hires and terminations is handled, how backups are taken and secured, and whether staff are trained in data security. Many of the risks that company networks face are caused by human action: an employee innocently clicking on a link in a phishing email, insufficient training, or an angry employee who purposely sabotages the network.
Step 3: Data Gathering
This involves understanding how well the current security program operates within the overall technical architecture. To that end, compare best practice controls against organizational controls; take a sample of network devices, servers, and applications to validate gaps and weaknesses; review automated security controls; and review incident response processes, communications protocols and log files.
Data gathering gives a clear picture of the technical environment, the protections in place, and overall security effectiveness. This in-depth knowledge allows one to see how the organization’s security processes match up against processes and controls that have proven successful elsewhere, especially when compared with other companies and security controls within the same industry.
Step 4: In-depth analysis of security program
Correlate the findings and results across all factors to create a clear and concise picture of the IT security profile, including areas of strength and areas where improvement is most needed. With that information in hand, make recommendations for moving forward with a security plan that is appropriate for the company. That security roadmap considers risks, staffing, and budget requirements, as well as timeframes to complete the various security improvements.
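A small, added illustration of Steps 3 and 4 (not from the article): each control area reviewed in the assessment is recorded with its observed maturity, the maturity the organisation requires, and a risk weight, and the script ranks gaps, lists strengths and reports overall coverage. The control areas, maturity scale and sample values are constructed assumptions, not prescribed by ISO/IEC 27002.

```python
# Added example (not from the article): a minimal gap-analysis scorer.
# Control domains, the 0..5 maturity scale and the sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ControlAssessment:
    domain: str          # a control area, e.g. an ISO/IEC 27002 topic
    current: int         # observed maturity, 0 (absent) .. 5 (optimised)
    target: int          # maturity the organisation's risk appetite requires
    risk_weight: int     # 1 (low) .. 5 (critical) impact if the control fails

def gap_score(a: ControlAssessment) -> int:
    """Risk-weighted distance between target and current maturity (0 = no gap)."""
    if not (0 <= a.current <= 5 and 0 <= a.target <= 5 and 1 <= a.risk_weight <= 5):
        raise ValueError(f"out-of-range assessment for {a.domain}")
    return max(a.target - a.current, 0) * a.risk_weight

def prioritise(assessments):
    """Return (domain, score) for every domain with a gap, largest score first."""
    scored = [(a.domain, gap_score(a)) for a in assessments]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: (-s[1], s[0]))

def strengths(assessments):
    """Domains that already meet or exceed their target maturity."""
    return sorted(a.domain for a in assessments if a.current >= a.target)

def coverage(assessments) -> float:
    """Share of required (risk-weighted) maturity already achieved, 0.0..1.0."""
    achieved = sum(min(a.current, a.target) * a.risk_weight for a in assessments)
    required = sum(a.target * a.risk_weight for a in assessments)
    return round(achieved / required, 3) if required else 1.0

# Constructed sample: one entry per control area reviewed in Steps 2 and 3.
SAMPLE = [
    ControlAssessment("Access control (joiners/leavers)", 2, 4, 5),
    ControlAssessment("Backup and recovery", 3, 4, 4),
    ControlAssessment("Security awareness training", 1, 3, 3),
    ControlAssessment("Change management", 4, 4, 3),
    ControlAssessment("Physical security", 4, 3, 2),
    ControlAssessment("Incident response and logging", 2, 4, 4),
]

if __name__ == "__main__":
    for domain, score in prioritise(SAMPLE):
        print(f"{score:>3}  {domain}")          # roadmap order for Step 4
    print("strengths:", strengths(SAMPLE))
    print("coverage:", coverage(SAMPLE))        # 0.646 for the sample
```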
Needless to say, given the dynamic way in which organisations are exposed to security threats, an IT security assessment will not provide 100% assurance; nonetheless, it will give a first-hand view of how robust and effective the network, staff and security controls that an organisation relies on to safeguard its vital data really are. If an in-house IT security team is available, an organisation may be able to conduct the security gap analysis internally. Alternatively, an independent third party may bring a fresh perspective and domain knowledge to deliver effective policies, procedures and controls that safeguard data from misuse, improper access, and external and internal threats.
(This article is compiled by Shajan Abraham, Partner, based in Dubai)