IT Control Gap Analysis

When someone says they are getting ready to do a gap analysis of an IT systems, what’s the first thing that comes to mind? Compliance, SOX, HIPAA, log management, change control, identity management? While all of these are valid considerations, they should not be the first.  

The Importance of Processes 

Process should be the starting point for every review. Without a process, systems are worthless. For instance, if you have a log management system but no process that defines who reviews logs, what they should look for and what actions to take, the technology is useless. Priority should be placed on the maturity of the process. This includes policy, procedures and overall documentation. 

It happens time and time again. An outage occurs because a simple procedure was not followed. Perhaps the procedure wasn’t documented or wasn’t documented well. Maybe the procedure exists but nobody knows about it. These types of issues display a lack of maturity, which no amount of technology can fix. Organizations should begin to place more importance, and thus resources, on improving their process. 

Technology will only take you so far with security and compliance. In fact, at times technology will mask poor processes, which may complicate problems in the future. 

5 Questions to Ask During a Gap Analysis 

If you are a CIO, CTO, VP, Director or Manager of a technology group, I implore you to sit down as a leadership team and review the following 5 items. 

• Do we have a policy which dictates the design, implementation, management and review of our systems? 
• Do we have a repository of procedures and associated documentation to carry out this policy? 
• Are team members well educated in the existence, importance and location of this information? 
• Is someone responsible for managing this repository and performing periodic reviews as our technology and business process evolves? 
• Is there a system in place to identify and correct actions not in line with our process? 

If more of this activity were to take place, I’d venture to bet companies would spend less time trying to fit various security technologies into their organization and more time finding technology that complements their existing way of doing business.