IT Security Controls and Countermeasure Gap Analysis
IS 4680 Week 4
When deciding what security frameworks to use for your network, you first need to analyze the network to see what security controls are already in place. Any compliance laws that apply to the organization, in this case HIPAA and PCI DSS, also need to be addressed and adhered to. A baseline for network activity needs to be established so that abnormal behavior of network resources can be detected. Once the current state of the network is established, a thorough risk assessment needs to be done to decide which risks are acceptable and which need to be addressed and mitigated. A vulnerability assessment needs to be done to analyze which parts of the network are susceptible to external and internal threats. This vulnerability assessment needs to cover all parts of the IT infrastructure, including servers, databases, network traffic (onsite and remote from home/away), and users.
The gap analysis is done to determine how far the security controls are now from where we want them to be. HIPAA and PCI DSS compliance laws dictate certain policies and security controls that must be in place to maintain compliance. Using the baseline analysis of the network infrastructure, we can make the necessary changes to maintain compliance with these laws. Any company-wide security policies need to be examined as well. Acceptable Use Policies, training sessions, and any other policies, guidelines, or procedures need to be assessed to see if they are being followed properly by all employees and guest users. The gap analysis will verify what needs to be done to achieve this goal. Emergency procedures for the company need to be maintained and updated regularly. These include the Disaster Recovery Plan, the Business Continuity Plan, and the Incident Response Plan, to name a few. A gap analysis will gauge where these plans are and where they need to be to comply with the...