Project Part 2: Gap Analysis Plan and Risk Assessment Methodology
Scenario
After the productive team meeting, Fullsoft’s chief technology officer (CTO) wants further analysis performed and a high-level plan created to mitigate future risks, threats, and vulnerabilities. As part of this request, you and your team members will create a plan for performing a gap analysis, and then research and select an appropriate risk assessment methodology to be used for future reviews of the Fullsoft IT environment.
An IT gap analysis may be a formal investigation or an informal survey of an organization's overall IT security. The first step of a gap analysis is to compose clear objectives and goals concerning an organization's IT security. For each objective or goal, the person performing the analysis must gather information about the environment, determine the present status, and identify what must be changed to achieve goals. The analysis most often reveals gaps in security between "where you are" and "where you want to be."
Tasks:
Gap Analysis Plan:
A gap analysis is a process that compares actual performance or results with what was expected or desired. In my view, the "CCC" rule (Consistency, Correctness, and Completeness) is very important when doing the research for the analysis, and the proposed plan should follow it to be efficient. The timeline also plays a very critical role in a gap analysis: for an organization, merely periodic monitoring of security threats will not be sufficient to cover the overall information risk it may face.
So, the following strategies can be followed to prevent security threats that may arise in the future:
1. Frame the overall goals/objectives to prevent data exposure.
2. Introduce new strategic shifts into the regular routine (as a surprise, not announced in advance).
3. Conduct events in which participants are challenged to breach the system (everyone will see the problem from a different dimension, which leads to future patches to the system).
4. Periodic assessment is also required.
Risk assessment includes the identification, analysis, and evaluation of uncertainties affecting an organization's objectives and outcomes.
Review of NIST & OCTAVE:
As per the NIST guidelines, the steps involved in the risk assessment process are preparing for the assessment, conducting the assessment, communicating the results of the assessment, and maintaining the assessment. OCTAVE, by contrast, comprises an eight-step process. The steps involved are:
1. Establish Risk Measurement Criteria
2. Develop an Information Asset Profile
3. Identify Information Asset Containers
4. Identify Areas of Concern
5. Identify Threat Scenarios
6. Identify Risks
7. Analyze Risks
8. Select Mitigation Approach
By reviewing both NIST and OCTAVE, we can infer that when an organization has the capital and is ready to invest money in the evaluation process, it is better to go for OCTAVE, since it gives a predicted outcome score.
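To show what the "predicted outcome score" above amounts to, here is an added Python example (not part of this assignment or of the OCTAVE material) that carries steps 1, 5, 7 and 8 through for a few constructed Fullsoft scenarios. The scoring formula is OCTAVE Allegro's relative risk score (impact-area priority rank times impact value, summed); the impact-area ranking, the sample scenarios and the mitigate/defer/accept thresholds are assumptions.

```python
from dataclasses import dataclass

# Step 1 (Establish Risk Measurement Criteria): impact areas ranked by priority,
# 5 = most important. This ranking is a constructed assumption, not from the page.
IMPACT_AREA_PRIORITY = {"reputation": 5, "financial": 4, "productivity": 3,
                        "fines_legal": 2, "safety_health": 1}
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}  # OCTAVE Allegro impact values
MITIGATE_AT, DEFER_AT = 35, 25  # Step 8 thresholds (assumed); scores run 15..45

@dataclass
class ThreatScenario:  # Step 5 output: one threat scenario against one asset
    asset: str
    threat: str
    impacts: dict  # impact area -> "low" | "medium" | "high"

def relative_risk_score(scenario):
    """Step 7: sum of (priority rank x impact value) over all impact areas."""
    score = 0
    for area, priority in IMPACT_AREA_PRIORITY.items():
        level = scenario.impacts.get(area, "low")  # unrated area counts as low
        score += priority * IMPACT_VALUE[level]
    return score

def mitigation_approach(score):
    """Step 8: pick an approach from the score using the assumed thresholds."""
    if score >= MITIGATE_AT:
        return "mitigate"
    if score >= DEFER_AT:
        return "defer"
    return "accept"

def rank_scenarios(scenarios):
    """Return (asset, threat, score, approach) tuples, highest risk first."""
    rows = []
    for s in scenarios:
        score = relative_risk_score(s)
        rows.append((s.asset, s.threat, score, mitigation_approach(score)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample scenarios (not from the assignment).
SAMPLE_SCENARIOS = [
    ThreatScenario("customer database", "credential theft exposes records",
                   {"reputation": "high", "financial": "high",
                    "productivity": "medium", "fines_legal": "high"}),
    ThreatScenario("build server", "ransomware halts releases",
                   {"reputation": "medium", "financial": "medium", "productivity": "high"}),
    ThreatScenario("internal wiki", "outage during maintenance", {"productivity": "high"}),
]
```

Calling rank_scenarios(SAMPLE_SCENARIOS) gives the comparable ranking the text refers to: the customer database scores 40 (mitigate), the build server 30 (defer) and the wiki 21 (accept).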