IT Security Nov 16, 2020

The IT security GAP analysis – Blessing or curse?

The digital transformation is presenting your business with great opportunities, but also increasing your IT landscape’s complexity and vulnerabilities. The aim of a GAP security analysis is to systematically comb through your network and security infrastructure. Structured IT security analyses leverage risk analysis and recommendations for action to show you the technically and economically best path to success.

Share article

Hans-Jürgen Martini
Team Leader Network & Security Engineers – CC-BISS

The purpose of an IT security GAP analysis.

The analysis provides a comparison of your IT security infrastructure versus best practices. The GAP analysis is a very useful tool when it comes to detecting vulnerabilities and gaps in an IT infrastructure. The aim is to filter out parts that require improvement and identify parts of the network that need attention.

A GAP analysis should determine needs and fields of action required to bring your IT landscape right up-to-date. By highlighting the status quo and taking your needs into account, we can create a suitable target architecture.

Benchmarking.

Best practices can often be aligned with guidelines published by the BSI and other important institutions, who develop their own guidelines based on statutory and industrial regulations such as the GDPR and Tisax. To carry out a GAP analysis, a business needs to benchmark its security infrastructure.

By doing this, the corporate environment can be compared against one or more standards and regulations for the company or industry. There are currently quite a lot of these guidelines, some of which are obligatory, such as the Payment Card Industry Data Security Standard (PCI DSS), and they give clear examples of how to implement standards and best practices. This includes the American National Institute of Standards and Technology (NIST) and the German BSI Baseline IT Security.

How a GAP analysis works.

As a general rule, a GAP analysis is carried out according to the business’s needs. The first step is a one or two-day workshop, which is set up like an interview during which we collect all important information about the customer’s situation and their existing IT security architecture and its requirements. Documents, drawings, lists, operating manuals and process descriptions form the basis of discussion and should be made available for the purposes of collecting data.

The result.

After analysing the data collected and taking in to account your requirements, you will receive a complete GAP analysis document, in which the results are presented in a traffic light style with the colours, red, amber and green representing the corresponding levels of urgency, with red signifying that an area has considerable vulnerabilities that must be tackled as a priority. The document is rounded off with a blueprint and an action plan, which include a list of priorities and a description of the necessary tasks.

Summary.

A GAP analysis can help you systematically detect vulnerabilities and design flaws and enables efficient IT security to be put in place, giving you a rough overview of the status quo that serves as the foundation for re-design or expansion. The analysis is an excellent management tool that helps IT decisions makers identify vulnerabilities and security gaps and defines a target to be worked towards using the catalogue of measures identified.

If you have any questions, simply get in touch with the experts at the BISS Competence Centre (Bechtle Internet Security und Services).