What to ask in a gap assessment

A disarmingly simple question on the ISO27k Forum this morning set me thinking. "RP" asked:
"Does anybody have a generic [set of] high level questions for business departments other than IT, that can be asked during gap assessment?"
As is so often the way with newcomers to the Forum, RP evidently hasn't caught up with past Forum threads (e.g. we recently chatted about various forms of gap analysis, and the markedly different ways that people [including dentists!] use and interpret the term), paid scant attention to forum etiquette (e.g. he/she didn't tell us his/her name), and provided little to no context in which to address the question (e.g. what size and kind of organization is it? What industry/sector? Does it have a functional, certified and mature ISO27k ISMS already, is it working towards one, or is RP just idly thinking about it over coffee?).

Despite that, a couple of us responded as best we could, making assumptions about the context, the meaning and purpose of the 'gap assessment', and RP's situation. I suggested posing questions along these lines:
"What kinds of information do you use? Tell me more. Which is the most important information for your business activities, and why? What would happen if it was lost, damaged, out of date, inaccurate, incomplete, misleading, fraudulent, or disclosed e.g. on the Web?
Roughly how much of the information you handle is classified? How much is SECRET/TOP-SECRET? [You’d probably need to be security cleared, and have management support, to get a meaningful answer to that!]
What information do you generate? What happens to it? Where does it go? Who uses it, and for what? Would it matter to them if it stopped coming, or was late, or inaccurate, or incomplete, or was disclosed on the Web?
When was the last time you examined your information risks? What was the result? Show me! What changed as a result?
When was the last time you completed a business impact analysis and business continuity planning? Show me! When were your plans last exercised? I’d like to see the results and actions arising. How would you cope if something drastic happened that wiped out your IT systems and data? What about information and IT services, not least your ISPs and CSPs?
What are you doing to protect/secure information that matters to your department? How confident are you that it is adequately secured?
Tell me about your information security incidents. [If they say “We’ve had none”, you should be worried!] What happened? How long was it before you found out about them? How much damage was caused? What changed as a result?
Are there any laws, regulations, contracts or agreements relevant to information, security, privacy, governance etc. that apply to or concern your department? How do you ensure compliance?
When did you last:
  • Review system/network/app access rights for your department?
  • Check that your backups and archives are usable?
  • Consider what would happen if you unexpectedly lost one or more key people?
  • Confirm that all your IT systems and devices and services are patched, secured, monitored etc.? [If the answer is ‘Just before the end of 1999’, worry again!]
  • Participate in a risk workshop, awareness seminar, security-related training course, business continuity exercise, post-incident review, management review, or IT audit?
  • Speak to your colleagues about information risk and security matters?
  • Report an information security incident or near-miss?
  • Check for fraud?
On a percentage scale (where 0% means not at all and 100% means perfectly), how well would you say you understand:
  • Information risk and security, as a whole?
  • Privacy?
  • Business continuity?
  • Governance?
  • The corporate strategy on information risk and security?
  • Company policies and procedures in this area?
  • What I am doing and why I’m here?"
My friend Anton Aylward suggested a more elegant approach. He would simply start by asking:
"Do you have a set of policies? If so, show me."
Anton quite rightly pointed out that I had made several implicit assumptions in my questions. I also displayed my usual bias towards information risk (not just cyber), being overtly business-driven, and using metrics. I acknowledge all that. It's no secret. It's just how I am.

Anton's simple question and classic auditor request is a starting point. If it turns out they have no [information security-related] policies [and procedures and guidelines], he suggests no response other than perhaps hinting at 'Turn around, walk away, shaking head'! If they have policies, those policies should guide and determine what they ought to be doing, so examining the documentation would provide a basis for follow-up checks and questions (such as mine, or others: which questions are appropriate actually depends on the requirements stated in the documentation).

I should mention that greybeard Anton has done a lot of audit work. "Show me!" is the #1 audit mantra, backed with a subtle whisper of "Prove it!" leading to the chorus "Go ahead, make my day!"

Establishing requirements is a necessary first stage for many audits, particularly in the case of 'compliance audits' of course. But RP was asking about 'gap assessments', not 'compliance audits': I could be wrong, but I don't think a compliance audit is quite what RP meant.

Re-examining my response and Anton's, it occurred to me that I had made another implicit assumption based on the apparent naivete of RP's question. I assumed RP was new to the game, perhaps about to make his/her first ever foray from IT into The Business - a scary step beyond the comfort zone for most technologists. There be dragons.

Assuming that is indeed the situation, RP taking a genuine interest in what’s important to the business people would be a good foundation for future working relationships. Arguably, finding out about the business (particularly the associated information risks) and forging business relationships is an even more fundamental and valuable starting point than getting answers to generic or customized ‘gap assessment’ questions. Turning this on its head, someone asking business people seemingly inane, inappropriate and presumptive questions is likely to annoy them, potentially harming the prospects of ever forming a productive and open relationship between the business and RP plus the IT or Information Security function RP presumably represents. In my book, that's an information risk worth treating carefully.

If I remember, I'll extend that point another time. In some ways, security awareness is Information Security's business outreach program. Hmmm. By all means remind me about this later.