GRC GAP ASSESSMENT

WHAT IS A GRC GAP ASSESSMENT?

The purpose of a GRC (governance, risk, and compliance) Gap Assessment is to identify missing elements of a security program as compared to a specific framework. Gap Assessments are typically conducted to compare the implemented administrative, physical, and technical controls of an organization with the standards depicted in an established framework.  

Gap Assessments allow a company to establish a baseline or to understand how it would score in an evaluation against a specific governance framework. Upon completion, an organization will know what aspects of the assessed framework are implemented and operating effectively and what aspects require additional work.   

NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) was first published by the National Institute of Standards and Technology, an agency of the US Department of Commerce, in 2014. It provides a taxonomy and a methodology for proactively managing and reducing risk to an organization's cybersecurity infrastructure. Organizations use this framework in tandem with an assessment of the specific threats and security challenges they face. While compliance with the framework is voluntary, some organizations require that their vendors comply, and regulators, including the Federal Financial Institutions Examination Council (FFIEC), are calling for compliance.

Implementation Categories

The NIST CSF focuses on the business drivers that guide cybersecurity efficacy and treats cybersecurity risk as part of an organization's management processes. It is organized into three components: Core, Profiles, and Implementation Tiers:

  • Core – Consists of five (5) main functions: Identify, Protect, Detect, Respond, and Recover, each with multiple subcategories addressing cybersecurity outcomes and controls.
  • Profile – Typically split into Current and Target Profiles; defines an organization's baseline security and the required final configuration and outcomes, based on assessment and tailoring of critical infrastructure and processes.
  • Tiers – Aid in clarifying and communicating the level of cybersecurity implementation across an organization.

(Source:  https://www.nist.gov/document-3764: 01/11/2018.)

23 NYCRR 500

  • Enterprise Security Assessment – A multi-phased approach designed to provide a holistic evaluation of security posture and risk, including review of regulatory compliance, security controls, internal and external vulnerabilities, secure code, and social engineering vulnerability.
  • vCISO – A Digital Strategic Security Program (virtual CISO) that enables small and medium-sized businesses (SMBs) to leverage the expertise of an experienced cybersecurity team while minimizing time and resource investments.
  • Policy Framework Development – A document development methodology focusing on standards, guidelines, policies, and procedures that inform users of their responsibilities, define the security protection program, and implement appropriate protection initiatives.
  • Penetration Testing – A determination of exposure to risk and vulnerabilities as well as the identification, definition, and creation of a specific, actionable remediation plan, including internal testing (threats to and vulnerabilities of your internal resources) and external testing (vulnerabilities in your systems exposed to actors outside your security perimeter).

The following table lists the RedLegg solutions that address the NYDFS:

Solution / 23 NYCRR 500 Section Coverage (Sections 01 through 20)

  • Enterprise
  • vCISO
  • Policies
  • Applications
  • Secure Code
  • Pen Testing

(The per-section coverage marks for each solution are not reproduced in this text version of the table.)

FFIEC

The Federal Financial Institutions Examination Council (FFIEC) is a federal interagency body, composed of five (5) regulatory agencies plus a state liaison committee, that provides government oversight of US financial institutions. FFIEC prescribes cybersecurity standards to reduce vulnerability in the financial industry, including at third-party service providers. Compliance with the guidelines requires comprehensive internal assessment and solution implementation, including ongoing risk assessments, to identify security weaknesses and address threats.

Cybersecurity Assessment Tool

The FFIEC Cybersecurity and Critical Infrastructure Working Group has created a Cybersecurity Assessment Tool that “provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time”.  The assessment tool maps to the NIST Cybersecurity Framework and consists of two (2) parts: Inherent Risk Profile and Cybersecurity Maturity.

Inherent Risk Profile

The Inherent Risk Profile enables financial institution managers to identify inherent organizational risk (least, minimal, moderate, significant, or most), absent implemented controls.  The profile assesses five (5) main categories, with the number of items assessed for each:

  • Technologies and Connection Types (14)
  • Delivery Channels (3)
  • Online/Mobile Products and Technology Services (14)
  • Organizational Characteristics (7)
  • External Threats (1)

Cybersecurity Maturity

The Cybersecurity Maturity portion of the assessment covers “domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices”.  Institution managers evaluate organizational maturity level (baseline, evolving, intermediate, advanced, and innovative) across each of five (5) major domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

GDPR

Go deeper into our GDPR-related services here!

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions, and to protect cardholders against misuse of their personal information.

The PCI Security Standards Council is a global organization that maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe.  The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa, Inc.  They share equally in governance and execution of the Council's work.

The following table lists the high-level requirements used in PCI gap assessments:

GOAL: Build and Maintain a Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

GOAL: Protect Cardholder Data
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

GOAL: Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.

GOAL: Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know.
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data.

GOAL: Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

GOAL: Maintain an Information Security Policy
  • Maintain a policy that addresses information security for employees and contractors.

(Source:  PCI DSS Requirements and Security Assessment Procedures, v3.2 April 2016: p.5.)

 

BENEFITS

Benefits of a GRC Gap Assessment performed by RedLegg include:

INSIGHT:

Gain insight into many of the current risks within your enterprise by identifying shortcomings in your existing security program.

EFFICACY:

Prioritize the biggest threats to the organization and strategically plan a roadmap to better safeguard your organization.

PROACTIVITY:

Reduce the likelihood and impact of a successful breach and data exfiltration by testing and securing your organization.

COMPLIANCE:

Show customers and stakeholders your commitment to securing and protecting the most valuable assets against various threat actors.

GRC GAP ASSESSMENT METHODOLOGY

The RedLegg methodology for conducting GRC Gap Assessments is based on a proven track record of examining an organization’s security program through interviews and analyzing relevant documentation and materials. RedLegg has developed a robust assessment methodology that maximizes the ability of the consultant to identify security gaps in the organization’s environment.  During the assessment, we provide consulting to meet compliance with a specific GRC framework while improving the overall security posture of your organization.

RedLegg approaches a gap assessment by assuming your organization meets none of the requirements and requires proof to change that assessment.  RedLegg takes the following steps to obtain proof of compliance, while further analyzing controls to identify other areas for improvement to the overall security posture.

PHASE 1:
EXAMINE

RedLegg examines relevant documentation to determine if aspects of the framework are currently in place. Analysis of the documentation allows the consultant to understand the maturity level of the program and identify areas to improve beyond compliance with the assessed framework. Documents may include, but are not limited to:

  • Policies, Standards, Guidelines, Procedures
  • Vulnerability Scans
  • Pen Testing Reports
  • Application Assessment Reports
  • Compliance Reports
  • Network Diagrams
  • Technical Control Configurations
  • Employee Handbook
  • Organizational Chart
  • IR and BCDR Plans

PHASE 2:
INTERVIEW

RedLegg continues by conducting interviews with key stakeholders at the organization.  These stakeholders will answer questions relating to specific aspects of the framework as well as the overall security posture.  Interviewees may include, but are not limited to:

  • CISO/CIO
  • Director of Security/Director of IT
  • Security Architect
  • Network Administrator/Engineer
  • Server Administrator/Engineer
  • Desktop Support
  • Legal and Compliance
  • SOC Team
  • Development Team
  • IT Operations Team
  • Senior Leadership
  • Human Resources

PHASE 3:
CLARIFY

After the interviews are complete, RedLegg will review the notes and ask for any follow-up documentation. Additional interviews may be necessary based on the clarifying documentation. RedLegg will continue to clarify findings to increase the accuracy of the report.

PHASE 4:
DELIVER REPORTS

Upon completion of the assessment, RedLegg will capture the results in a report, including:

  • Executive Summary
  • Assessment Findings
  • Remediation Recommendations
  • Remediation Roadmap

PHASE 5:
DEBRIEF

Once the deliverable has been received, RedLegg will schedule a debriefing meeting to discuss the results of the assessment. During this phase, RedLegg will work with you to determine any necessary changes to the report. When changes are complete, RedLegg will finalize the report and finish the project.


DELIVERABLES

RedLegg is a Global Partner for Managed and Cyber Security Services. RedLegg delivers Enterprise Data Governance Consulting Services and Solutions through its Advisory Services practice. RedLegg’s approach to consultancy is based on a solid risk management foundation and strong track record of successful engagements.

Our technical scoping will help determine what information and deliverable items your organization needs.


BASIC

Receive a Gap Assessment Matrix and Findings List.

Once the deliverable has been received, RedLegg will schedule a debriefing meeting to discuss the results of the assessment.  During this phase, RedLegg will work with you to document any necessary changes to the report.  When changes are complete, RedLegg will finalize the report and finish the project.

EXECUTIVE

Receive a Gap Assessment Matrix, Findings List, as well as an Executive Report.

Upon completion of your assessment, RedLegg will capture the results in a report, including:

  • Executive Summary
  • Assessment Findings
  • Remediation Recommendations
  • Remediation Roadmap

Once the deliverable has been received, RedLegg will schedule a debriefing meeting to discuss the results of the assessment.  During this phase, RedLegg will work with you to determine any necessary changes to the report.  When changes are complete, RedLegg will finalize the report and finish the project.

Gap Assessments are conducted to establish a baseline or to understand how you would score in an audit against a specific governance framework.

OUR APPROACH

RedLegg is an innovative, global security firm that delivers managed cybersecurity solutions and peace of mind to its clients.

RedLegg’s approach to information security protects the confidentiality, integrity, and availability of critical data based on a sound risk management framework. This approach allows organizations to engage business owners in defining acceptable levels of risk and to participate in the process for evaluating threats.

RedLegg’s ARMEE (Assess, Remediate, Monitor, Educate, Enforce) methodology institutes a lifecycle that allows for an ongoing process to continuously improve the security posture of the organization. This methodology is designed to be portable to all business, legal, regulatory, and security requirements of the organization. It is flexible enough to account for the constant flux in the marketplace, attack vectors, and protection mechanisms.
