Enterprise Security Gap Analysis Methodology

Pre-Planning

After contractual arrangements and NDAs are finalized, the following is a typical order of operations:

  1. Send organization chart
  2. Schedule a planning meeting
    • Review org chart
    • Create sheet of interview candidates and time needed
    • Pick a date not intrusive to holiday / vacation / team schedules
    • Work with company representative to coordinate the scheduling of meetings
    • Cloud Security Labs sends a draft of the communications to be sent to executives and management
  3. Three days before start
    • Ensure company email, Slack, and Confluence access is provisioned

Kick Off Meeting With Executives

Typically scheduled on a Monday, we start off with a brief project Kickoff meeting with executive staff in the room. This allows executives to meet us, where we present our methodology, approach, and set expectations for the Gap Analysis. It also provides a great opportunity to answer any questions or highlight areas of concern.

Our experience has taught us that approachability of security staff is essential in building bridges of communication and fostering progress. We make sure to highlight that the Gap Analysis will not be a painful experience and no one will be penalized for issues found, but instead we will create a collaborative environment.

Gap Analysis Interviews

The heart of the Gap Analysis is interview-based. Having the right people in the room ensures we are able to assess all the information needed.

1:1 Executives

Cloud Security Labs will meet 1:1 with executives to discuss their business function, processes, tools used, and data managed. These meetings are typically 30 minutes long, but 45 minutes for technical/risk focused positions.

Executive             Time Needed
CEO                   30 mins
CFO                   30 mins
CPO / Head of HR      45 mins
CTO / CIO             1 hr
GC / Legal            45 mins

System/Data Owners, SMEs, Managers

Based on your organization’s structure, we will then meet with various teams and SMEs to dig deeper into their processes, systems, and data. Employees will be expected to log in to systems and walk us through their systems and data flows. We will ask to look at data storage locations, sharing permissions, and other relevant information. These meetings are typically 45 minutes long, but longer if we have 3 or more employees attending. Employees will be asked to take screenshots and send information to us via company Slack or email.

Areas Covered:

  • Identity and Access Management
  • Data Storage, Transmission, and Handling
  • Data classification

Technical Team Deep Dive

Depending on the size of the team we will conduct deep dive discussions with engineering teams delving into the technical aspects of their applications and infrastructure. This will involve, but is not limited to, the following:

  • Cursory Source Code Review
  • Customer Authentication and Authorization
  • Administrative Authentication and Authorization (Admin Panel)
  • Password Hygiene
    • Password reset flow
    • Complexity Requirements
    • Hashing and Encryption
  • Data Storage, Handling, and Encryption
  • Logging

The Gap Analysis is not a penetration test or a full source code review. However, it will give you a sense of whether and when you should schedule a penetration test.

Reporting

After interviews are completed the reporting process begins. Compiling a report may take up to 5 business days to complete.

Report Structure

  • Executive Summary
  • Graphs and Charts
  • Gaps
  • Conclusion

You can see a sample report here.

Gap Analysis Report Presentation

After the report is completed, we present executives with a walkthrough of the report. It is essential that executives be available and present for the presentation as the report will cover vulnerabilities discovered throughout the business. This also provides an excellent opportunity to ask questions and assign responsible parties for remediation.