22 July, 2014

Policy Gap Analysis: Filling the Gaps

Author: Secure Ideas

When starting a new job, the company policies are often handed to you for review, along with a form to sign confirming that you have received and understand them.  You are held to these standards, but because you may only see the policies once a year, you have probably forgotten every little detail.  It is worth being very familiar with your company's policies.  Many of them are similar across organizations, but some may be very specific to that company.

As a security consulting firm, Secure Ideas spends a fair amount of time reviewing company policies, providing feedback and performing gap analysis.  It is worth having someone who specializes in the topic review the policies to identify items that simply don't work, or that are missing altogether.  For example, if your password policy still requires only 8 characters with upper-case, lower-case, special-character and number requirements, it is probably time to update it to a more secure standard.

Performing a gap analysis is important because it makes you aware of the policies you need but are missing.  I haven't been to a company yet that didn't have at least one policy in place.  Often the policy effort starts off slowly and then, if no one is assigned to own it, drops off.  Technology changes rapidly, and the policies have to evolve with it.  Without that evolution, the organization ends up missing policies it needs, or failing to update existing ones to account for the changing environment.

For example, the proliferation of mobile devices requires policies that define how those devices may be used within the enterprise and with its data.  The release of Google Glass and other wearables adds new twists to the question of mobile data and video-camera capabilities.  Social media has become so mainstream that many employees need access to it from company computers.  How they present themselves and how much time they spend on it matters to the business.  Without a policy stating that time spent on social media is limited, can an employee assume it is fine to skip work and play on the computer all day?  It is up for interpretation.

When creating policies, you want them to be clear in their meaning.  I know that in the legal world vague language is preferred because it covers more, but at the same time that makes it harder to show that an actual violation occurred.  You don't want to leave it up to the judges.  Think through everything an employee needs to be told about the DON'Ts of using a company computer or being on company property, and write it down.  Then educate employees on what the policies mean and how they are enforced.

All too often we see companies whose policies are simply assumed and never written down.  This is a bad idea.  Policies should be formalized and distributed so that employees understand their rules of engagement with the business.

If you are not sure about the status of your policies, Secure Ideas can perform a gap analysis of your existing policies and recommend what could be added to make them more robust.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware on Twitter, or visit the Secure Ideas – Professionally Evil site for services provided.
