GAP analysis checklist for IT (Amendment) Act, 2008 compliance

Prepare your business for IT (Amendment) Act, 2008 compliance with these guidelines for designing a GAP analysis checklist.

There is much debate (as well as many misconceptions) about IT Act, 2000 duly amended by IT (Amendment) Act, 2008...

audit and compliance. In actuality, this is a fact finding technique or a GAP analysis technique that is used to find out loop holes in existing process, policy, procedures and systems. Here are three steps that will help you address these concerns as well as draft a GAP analysis checklist for IT (Amendment) Act, 2008.

Step 1 - Security policy GAP analysis

This step reviews security systems against security policies and procedures. It looks for system weaknesses as well as vulnerabilities, and provides a comprehensive report on the current information security, network security, and preparedness status of your organization.

Two types of GAP analysis can be conducted as part of this step. These are:

Onsite GAP analysis: It is important that your organization has

 the desired level of protection from intrusions, internal threats and misuse of technology by employees. So an onsite GAP analysis should be conducted once or twice a year depending on your nature of business.

Offsite GAP analysis: An off-site GAP analysis checklist can protect the institution from unforeseen and unexpected risks, especially external risks, external threats, or from rival companies. This should be biannual in frequency. Companies can conduct two types of offsite GAP analysis— either a security analysis or a policy analysis.

(i) Security analysis: This provides an independent review of security systems and looks for weaknesses against industry best practices. Some of the best practices that can be included in this GAP analysis checklist are:

•    Schedule II of Information Technology Act, 2000 duly amended by  IT (Amendment) Act, 2008
•    Standard operating procedures (SOPs) released by Information Security Forum
•    ISO 27001
•    COBIT
•    ISO/IEC 27005:2008 - information technology - security techniques - information security risk management
•    DSCI – Data security framework (Pilot implemented by TCS BPO and Tech Mahindra)

(ii) Policy analysis: This part of your GAP analysis checklist tests against the organization's established security policy.

Checklist for security analysis

Activities under policy analysis
  • Check the device configurations, versions and patches
  • Review security with respect to system documentation
  • Inspect firewalls and device rule sets for inconsistency and unnecessary loopholes
  • Review a sample log file for issues
  • Test the system from a "trusted' network to check system defects and lacunae against basic attacks
  • Review firewall rules and compare it with overall organizational policy
  • Review HTTP logs, web browsing, downloads, verify that restrictions and permissions match the policy's clauses
  • Review email controls, white lists, black lists, SPAM settings, etc
  • Review remote access, open ports, and verify whether authentication systems are being used according to the policy

Details of both the GAP analysis should be well documented as well as describe:

•    Methodology adopted for the GAP analysis
•    Summarized findings into priority (HIGH, MEDIUM, LOW) with respect to business functionality, goals and objectives
•    Recommendations for corrective action in terms of priority

An advantage ofusing a GAP analysis checklist regularly with respect to new compliance, legal and regulatory requirements helps in knowing that information security programs and systems are Maintained, Implemented, Documented (MID) in its current state. This GAP analysis checklist also ensures that framed and drafted policies are in use.

Step 2: Risk assessment

The results of a GAP analysis can establish a baseline for security programs. The next course of action in your GAP analysis checklist should be a risk assessment (RA). This is sometimes clubbed with the GAP analysis.

An RA provides an overview of the computing and network environment, as well as the existing preparedness with respect to security. This process can:

- Identify threats to the organization's security
- Buffer impact of risks to the business
- Provide physical security, application security, network security and operational security for additional preparedness

Activities in risk assessment
•    Conducting interviews with staff and concern person to better understand business
•    Review previous incidents, breaches and business impacts if available
•    Conduct a detailed site observation
•    Perform analysis of aspects like IS architecture and configuration
•    Documentation review
•    Network connectivity review
•    Implementation of access controls review
•    Analyze existing security policies and procedures

Issues are addressed depending upon the scope of assessment. You can also refer to ISO 31000:2009 that provides principles and generic guidelines on risk management.

A good RA should address hardware and software configurations, access control, intrusion detection (and response), data security, current security policies/procedures and business continuity plans.

Step 3: Internal vulnerability assessments

A GAP analysis and RA address security at an enterprise level. Next in your GAP analysis checklist is an internal vulnerability assessment (IVA) that helps you locate, identify and ultimately mitigate the risks posed by inadequate security through internal corporate networks.

This activity of the GAP analysis checklist progresses beyond routine work performed by standard scanners and other testing devices. It applies test results and recommendations to a company's specific environment and business goals.

The scope of IVA testing provides:
1.     A high-level architectural review of a company's system
2.     Review of a company's internal infrastructure
3.     A detailed, hands-on, system-by-system evaluation of the company's security status

You can reduce or eliminate uncertainty and false alerts by supporting findings with concrete as well as empirical testing as part of your GAP analysis checklist. The goal is to identify known security issues with routers, servers, desktops, and network hardware.

Additional steps in your GAP analysis checklist include a physical infrastructure review and an analysis of policies and physical procedural controls. The main aim is to identify weakness that could result in a security breach or loss of service. This is not exhaustive, and attempts to do whatever is best with the existing system.

About the author: In his professional capacity, Vicky Shah provides consulting and advisory services for information security practices, information security awareness, research, corporate fraud investigations, incident handling and response, computer forensics services, cyber crime prevention methodology as well as training. He can be contacted on [email protected]

You can follow our Twitter feed at @SearchSecIN

Read more on Regulatory compliance and standard requirements