Enterprise Security Gap Analysis Methodology
Pre-Planning
After contractual arrangements and NDAs are finalized, the following is a typical order of operations:
- Send organization chart
- Schedule a planning meeting
- Review org chart
- Create sheet of interview candidates and time needed
- Pick a date not intrusive to holiday / vacation / team schedules
- Work with company representative to coordinate the scheduling of meetings
- Cloud Security Labs sends a draft of the communications to be sent to executives and management
- Three days before start: ensure company email, Slack, and Confluence access is provisioned
Kick Off Meeting With Executives
Typically scheduled on a Monday, the engagement starts with a brief project kickoff meeting with executive staff in the room. This allows executives to meet us while we present our methodology and approach and set expectations for the Gap Analysis. It also provides a great opportunity to answer any questions and highlight areas of concern.
Our experience has taught us that the approachability of security staff is essential to building bridges of communication and fostering progress. We make sure to highlight that the Gap Analysis will not be a painful experience and that no one will be penalized for issues found; instead, we create a collaborative environment.
Gap Analysis Interviews
The heart of the Gap Analysis is interview-based. Having the right people in the room ensures we are able to assess all the information needed.
1:1 Executives
Cloud Security Labs will meet 1:1 with executives to discuss their business function, processes, tools used, and data managed. These meetings are typically 30 minutes long, but 45 minutes for technical and risk-focused positions.
| Executive | Time Needed |
| --- | --- |
| CEO | 30 mins |
| CFO | 30 mins |
| CPO / Head of HR | 45 mins |
| CTO / CIO | 1 hr |
| GC / Legal | 45 mins |
System/Data Owners, SMEs, Managers
Based on your organization’s structure, we will then meet with various teams and SMEs to dig deeper into their processes, systems, and data. Employees will be expected to log in to systems and walk us through their systems and data flows. We will ask to look at data storage locations, sharing permissions, and other relevant information. These meetings are typically 45 minutes long, but longer if 3 or more employees are attending. Employees will be asked to take screenshots and send information to us via company Slack or email.
Areas Covered:
- Identity and Access Management
- Data Storage, Transmission, and Handling
- Data Classification
Technical Team Deep Dive
Depending on the size of the team, we will conduct deep dive discussions with engineering teams, delving into the technical aspects of their applications and infrastructure. This will involve, but is not limited to, the following:
- Cursory Source Code Review
- Customer Authentication and Authorization
- Administrative Authentication and Authorization (Admin Panel)
- Password Hygiene
  - Password reset flow
  - Complexity requirements
  - Hashing and encryption
- Data Storage, Handling, and Encryption
- Logging
The Gap Analysis is not a penetration test or a full source code review. However, it will give you a sense of whether and when you should schedule a penetration test.
Reporting
After the interviews are completed, the reporting process begins. Compiling the report may take up to 5 business days.
Report Structure
- Executive Summary
- Graphs and Charts
- Gaps
- Conclusion
You can see a sample report here.
Gap Analysis Report Presentation
After the report is completed, we walk executives through it in a presentation. It is essential that executives be available and present, as the report will cover vulnerabilities discovered throughout the business. The presentation also provides an excellent opportunity to ask questions and assign responsible parties for remediation.