Fill in the Gaps!
Information technology systems are typically complex solutions that include various technologies and products, implemented over time with components added as new needs arise. In order to identify security weaknesses and vulnerabilities, Secure Ideas recommends performing a foundational gap analysis to obtain a more thorough understanding of the environment. Unlike a penetration test, which is adversarial and invasive, a gap analysis is a cooperative exercise in which Secure Ideas works with clients to review each component of the environment, evaluating the architectural design and controls that encompass the overall security posture.
Review Areas
NIST 800-53
NIST 800-53 is a set of security and privacy controls published by the National Institute of Standards and Technology (NIST). These controls are designed to help organizations protect their information systems and the sensitive information they contain.
An assessment of a company's controls to NIST 800-53 involves evaluating the company's existing security controls to see how well they align with the controls outlined in NIST 800-53.
NIST SP 800-171
NIST SP 800-171 is a set of security controls published by the National Institute of Standards and Technology (NIST). These controls are specifically designed to protect sensitive unclassified information that is handled by non-federal organizations.
An assessment of a company's controls to NIST SP 800-171 involves evaluating the company's existing security controls to see how well they align with the controls outlined in NIST SP 800-171.
NIST CSF
The NIST Cybersecurity Framework (CSF) is a set of industry-standard guidelines and best practices for managing cybersecurity risks. The framework provides a common language and approach for organizations to use when designing and implementing their cybersecurity programs.
An assessment of a company's controls to the NIST CSF involves evaluating the company's existing security controls to see how well they align with the controls and recommendations outlined in the NIST CSF.
CIS Critical Controls
An assessment of a company's controls to the CIS Critical Security Controls involves evaluating the company's existing security controls to see how well they align with the controls and recommendations outlined in the CSC.
CMMC Level 1 Pre-Assessment
The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to assess the cybersecurity practices of contractors who work with the DoD. The CMMC has five levels, with Level 1 being the lowest and Level 5 being the highest.
An pre-assessment of a company's controls to CMMC Level 1 involves evaluating the company's existing security controls to see how well they align with the controls and recommendations outlined in CMMC Level 1, preparing for the official certification.
What will I need before the call?
Before a security assessment, it is important to gather a number of different pieces of information. This could include:
- The scope of the assessment and an understanding of what systems are to be assessed
- The goals and objectives of the assessment, such as identifying specific vulnerabilities or ensuring compliance with industry standards
- Any relevant background information about the systems and networks being assessed, such as their architecture and configuration
- Any existing security policies and procedures that are in place, as well as any relevant regulations or compliance requirements
- Any relevant documentation, such as network diagrams and system specifications
Having this information available before the assessment begins can help the assessor to plan and conduct the assessment more effectively, and can provide valuable context for interpreting the results of the assessment.
Our Process
