How-to

Perform a Gap Analysis for Information Security

Departments or units that support IT resources, and individuals who manage their own IT resources, need to identify and manage information security risks by analyzing the gaps between their current practices and the required security controls defined in the information security standards. Individuals can work with their collegiate or unit IT partners to complete the process.

Process

The gap analysis process includes:

  • identify the security classification of the data
  • identify the security level of the IT resources or IT service
  • review the required controls for that security level
  • document current practices compared to the required security controls
    • an optional spreadsheet tool for tracking and documenting gaps is available on the right of this page
  • document plans to meet the security control requirements (this documentation is for internal unit planning)

If the unit cannot complete the implementation of the required controls within 6 months of the publication date of the information security standard, the unit must request an exception to the information security standard.