Perform a gap analysis of your organization's security

By Michael Mullins CCNA, MCP, September 22, 2005, 7:00am PDT

Every company should perform an annual gap analysis of its systems' security and use the results to adjust security levels to meet new regulations or growth of the network. Completing a gap analysis means determining the difference between the level of security in place on your network and the level of security that should be in place on your network.

Before you begin a gap analysis, you must first establish an existing set of standards that you can use to judge your network operations. These standards can include any applicable federal or state regulations, standards from the International Organization for Standardization (ISO), recommendations from

Policies and procedures


Every job starts with paperwork, and networks are no different. You must maintain policies and procedures to document every activity on your network. Most important, include a periodic review of each document. A policy isn't going to do you much good if it's obsolete. If no one's taken the time to update it, it's doubtful anyone is bothering to actually follow it. After you've buried yourself in paperwork, the fun really begins.

Operations
Now it's time to look under the hood and determine whether your network is performing to the standards by which you've chosen to judge your operations. For example, all of your security devices should be running the latest version of software with applicable patches, or you must have a documented migration strategy that incorporates any audits and intrusion detection system (IDS) in place and you're logging all of your security information to secure servers, you should also have a wealth of information about the actual performance and operational characteristics of your network. You can use this information to make modifications to your security devices to create a rock-solid perimeter, which also provides pertinent information you can use during security incidents.

Final thoughts
Defining the scope of your gap analysis is typically the hardest part. If necessary, break up your analysis into different phases, and perform each section as your time and budget allow.

It really doesn't matter who performs the gap analysis. Whether you perform it in-house or outsource it, what matters is that the person performs it properly. Your ultimate goal is to use the results to define actionable items for correction and/or possible rewards for the people who protect and defend your network on a daily basis.
