Check: https://www.redlegg.com/advisory-services/governance-based-gap-assessments
Gap Assessments are conducted for your benefit, to allow you to establish a baseline or understand how you would score in an audit against a specific governance framework. Upon completion, your organization will have an understanding of what aspects of the assessed framework are implemented and operating effectively, and what aspects require additional work.
Phase 1: examines relevant documentation to determine if aspects of the framework are currently in place. Analysis of the documentation allows the consultant to understand the maturity level of the program and identify areas to improve beyond compliance with the assessed framework. Documents may include, but are not limited to:
- IR and BCDR Plans
- Organizational Chart
- Employee Handbook
- Configurations
- Technical Control
- Network Diagrams
- Compliance Reports
- Application Assessment Reports
- Pen Testing Reports
- Vulnerability Scans
- Policies, Standards, Guidelines, Procedures
Phase 2: conducting interviews with key stakeholders at the organization. These stakeholders will answer questions relating to specific aspects of the framework as well as the overall security posture. Interviewees may include, but are not limited to:
- CISO/CIO
- Director of Security/Director of IT
- Security Architect
- Network Administrator/Engineer
- Server Administrator/Engineer
- Desktop Support
- Legal and Compliance
- SOC Team
- Development Team
- IT Operations Team
- Senior Leadership
- Human Resources
Phase 3: Clarify – After the interviews are complete, will review the notes and ask for any follow-up documentation. Additional interviews may be necessary based on clarifying documentation. will attempt to continue to clarify any findings to increase the accuracy of the report.
Phase 4: Reports – Upon completion of the assessment, will capture the results in a report, including:
- Executive Summary
- Assessment Findings
- Remediation Recommendations
- Remediation Roadmap
Phase 5: Debrief, Once the deliverable has been received, will schedule a debriefing meeting to discuss the results of the assessment. During this phase, will work with you to determine any necessary changes to the report. When changes are complete, will finalize the report and finish the project.
Deliverable: Basic – Receive a Gap Assessment Matrix and Findings List.
Once the deliverable has been received, will schedule a debriefing meeting to discuss the results of the assessment. During this phase, will work with you to determine any necessary changes to the report. When changes are complete, will finalize the report and finish the project.
Deliverable: Executive – Receive a Gap Assessment Matrix, Findings List, as well as an Executive Report.
Upon completion of your assessment, will capture the results in a report, including:
- Executive Summary
- Assessment Findings
- Remediation Recommendations
- Remediation Roadmap
Once the deliverable has been received, will schedule a debriefing meeting to discuss the results of the assessment. During this phase, will work with you to determine any necessary changes to the report. When changes are complete, will finalize the report and finish the project.
