Fill in the Gaps!

Information technology systems are typically complex solutions that include various technologies and products, implemented over time with components added as new needs arise.  In order to identify security weaknesses and vulnerabilities, Secure Ideas recommends performing a foundational gap analysis to obtain a more thorough understanding of the environment.  Unlike a penetration test, which is adversarial and invasive, a gap analysis is a cooperative exercise in which Secure Ideas works with clients to review each component of the environment, evaluating the architectural design and controls that encompass the overall security posture. 


Improve your Posture!

A gap analysis can benefit an organization of any size that is looking to improve its security posture.  Whether you are doing an initial assessment, experiencing employee turnover, or worried that a security breach is imminent, a gap analysis will help identify weaknesses and vulnerabilities, allowing the organization to address these concerns more effectively and manage its security program.

Review Areas

A foundational security gap analysis allows Secure Ideas to work with clients to evaluate the security controls placed on systems and procedures in scope. Through scheduled interviews with relevant client personnel, Secure Ideas will thoroughly review the specified control framework or compliance standard against the currently deployed IT system, evaluating the architectural design and controls that encompass the overall security posture.  During the foundational security gap analysis, Secure Ideas will review the following areas, as applicable to each client:

NIST 800-53

NIST 800-53 is a set of security and privacy controls published by the National Institute of Standards and Technology (NIST). These controls are designed to help organizations protect their information systems and the sensitive information they contain.

An assessment of a company's controls against NIST 800-53 involves evaluating the company's existing security controls to see how well they align with the controls outlined in NIST 800-53.

NIST SP 800-171

NIST SP 800-171 is a set of security controls published by the National Institute of Standards and Technology (NIST). These controls are specifically designed to protect sensitive unclassified information that is handled by non-federal organizations.

An assessment of a company's controls against NIST SP 800-171 involves evaluating the company's existing security controls to see how well they align with the controls outlined in NIST SP 800-171.

NIST CSF

The NIST Cybersecurity Framework (CSF) is a set of industry-standard guidelines and best practices for managing cybersecurity risks. The framework provides a common language and approach for organizations to use when designing and implementing their cybersecurity programs.

An assessment of a company's controls against the NIST CSF involves evaluating the company's existing security controls to see how well they align with the controls and recommendations outlined in the NIST CSF.

CIS Critical Controls

The CIS Critical Security Controls (CSC) are a set of security controls developed by the Center for Internet Security (CIS). These controls are based on the consensus of cybersecurity experts from around the world, and are designed to help organizations protect their information systems and the sensitive data they contain.
 

An assessment of a company's controls against the CIS Critical Security Controls involves evaluating the company's existing security controls to see how well they align with the controls and recommendations outlined in the CSC.

CMMC Level 1 Pre-Assessment

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to assess the cybersecurity practices of contractors who work with the DoD. The CMMC has five levels, with Level 1 being the lowest and Level 5 being the highest.

A pre-assessment of a company's controls against CMMC Level 1 involves evaluating the company's existing security controls to see how well they align with the controls and recommendations outlined in CMMC Level 1, in preparation for the official certification.

What will I need before the call?

Before a security assessment, it is important to gather a number of different pieces of information. This could include:

  • The scope of the assessment and an understanding of what systems are to be assessed
  • The goals and objectives of the assessment, such as identifying specific vulnerabilities or ensuring compliance with industry standards
  • Any relevant background information about the systems and networks being assessed, such as their architecture and configuration
  • Any existing security policies and procedures that are in place, as well as any relevant regulations or compliance requirements
  • Any relevant documentation, such as network diagrams and system specifications


Having this information available before the assessment begins can help the assessor to plan and conduct the assessment more effectively, and can provide valuable context for interpreting the results of the assessment.


Scoping

The Foundational Gap Analysis service is scoped by conducting an in-depth conversation to determine which control framework is best to compare against.  This is done by gaining insight into the client’s goals and expectations for this type of engagement, where they currently stand, and where they want to end up. 

Secure Ideas’ pricing for this service is a one-time fee based on the specific control framework that an organization is comparing its systems against.   

 

Type                                | Price Estimate
NIST 800-171                        | $6,000
CIS 18 Critical Security Controls   | $3,000
CMMC Level 1 Pre-Assessment         | $4,000
