Gap Analysis Flashcards
Security+
What is gap analysis?
A process to compare the current state with the desired state to identify the “gap.”
What does gap analysis require?
Extensive research, which may involve data gathering and technical investigation.
How long can a gap analysis take?
It can take weeks or months, depending on the complexity of the study and the number of participants.
What is a key step when choosing a framework?
Work towards a known baseline, either from internal goals or formal standards.
What are two examples of frameworks to consider in gap analysis?
NIST SP 800-171 and ISO/IEC 27001.
What is NIST SP 800-171 focused on?
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
What should you evaluate regarding people in a gap analysis?
Employees’ formal experience, current training, and knowledge of security policies and procedures.
What should be examined regarding processes?
Existing IT systems and current security policies.
What is the purpose of comparing existing systems in a gap analysis?
To identify weaknesses and the most effective processes.
What should the final analysis include?
Detailed baseline objectives and a clear view of the current state.
What is needed to create a gap analysis report?
A formal description of the current state and recommendations for meeting baseline objectives.
What are common resources required to bridge the gap identified in the analysis?
Time, money, and change control.
Why is a detailed analysis important in gap analysis?
It helps to break broad security categories into smaller segments for better understanding and evaluation.
What is the first step in conducting a gap analysis?
Establishing a clear understanding of where you currently are versus where you want to be.