11/04/18 | News
Two questions our customers often have when talking to us about their cyber security needs are: ‘Why should my business do a gap analysis?’ and ‘What does a gap analysis involve?’.
To answer these questions, we asked Barry Brailey, Principal Virtual Security Officer (VSO) at Aura Information Security, to offer an inside perspective on what’s involved with a gap analysis; and what you should expect to get out of it.
Barry has conducted security assessments for a wide range of government and business clients throughout his 15-year career in information security and in his view, a gap analysis is something every business should consider – particularly if they want to be sure they aren’t leaving any unnecessary gaps in their security armour.
Why do a Gap Analysis?
An Aura Gap Analysis allows your business to take a look under the hood and get a better understanding of the workings within, and of what potential issues may lie ahead, with minimal impact on existing resources such as your CIO or IT department.
Whether or not your business decides to invest in a gap analysis may depend on how ‘at risk’ you think you are. But, when you consider the fact that more than half of New Zealand businesses state they’ve been targeted by phishing, ransomware and malware over the past year*, and with the number of cyber-attacks on businesses expected to rise drastically in the coming year, perhaps the better question is – can you afford not to?
What does a gap analysis involve?
Typically, an Aura Gap Analysis focuses on pragmatic mitigation strategies and critical controls and takes approximately one week (five working days) to complete. Two of those five days involve a VSO being on site; the remainder of the assessment is carried out remotely.
Here’s what those five days will involve:
- Initial meetings: The first thing we’ll do is set up a time to come to your offices, meet you and the wider team, and get a better view of what your work environment is like. During these meetings we’ll ask a range of questions designed to give us a full understanding of your business’ existing approach to information security.
- Review of existing policies: Once the initial meetings and information gathering are complete, we’ll get to work reviewing any existing policy documentation you have. The key aim is to establish whether or not those policies are robust enough and appropriate for your business.
- Assessment of existing approach to risk: Our VSOs will examine your business’ current approach to risk, looking for evidence of security risk management and risk-based decision making, and providing advice where it is missing.
- Aura Top 10 review: We will look at each item on the Aura Top 10 list of mitigation strategies and compare, or benchmark, your business against each (where applicable). The aim here is to identify areas for remediation in order of priority.
- Reporting: Taking what was discovered during the above into account, we will then carry out an independent assessment to benchmark how mature your business’ current security practices are; and make recommendations as to what actions need to be taken. All this will be presented to you in a formal report (approximately two weeks after the project start date) and we will also include a ‘remediation roadmap’, providing your team with a useful overview of what needs to happen, by when, and the level of urgency.
If you’d like to find out more about our VSO or gap analysis services get in touch with us online.
*According to research conducted by Kordia, September 2017