Perform a Gap Analysis for Information Security

The intent of the Gap Analysis process is for units that support IT resources, or individuals who manage their own IT resources, to proactively identify and manage information security risks on an ongoing basis by analyzing and documenting the gaps between their current practices and the required security controls defined in the University's information security standards.

Individuals can work with their collegiate or unit IT partners to complete the gap analysis process.

Process

Performing a gap analysis to the University's information security standards is a recurring activity for units or individuals supporting IT assets.

  1. The unit or individual submits an Asset Survey for the IT assets involved. The survey includes online help.
  2. University Information Security (UIS) reviews the survey and works with the submitter to clarify any details, then generates a controls spreadsheet listing required controls for the asset(s) included in the survey. The spreadsheet includes an instructions tab.
  3. The submitter completes the controls spreadsheet to document any gaps with the required controls, any dependencies on University or vendor IT resources, and an outline of plans to address the control gaps.

If a gap is identified and the unit can implement the required control within 6 months of the publication of the information security standard, no further documentation of the gap is required.

If the required control cannot be implemented within 6 months of the publication date of the information security standard, the unit must request an exception to an information security standard.

Gap Analysis: Frequently Asked Questions

Note: Please check the “Help” fields in the survey and the Instructions tab on the spreadsheet for additional guidance.

Q: Who should complete the gap analysis?

Usually a gap analysis is conducted by the IT staff who support the technology, unless the particular IT asset is unique or administered by non-IT staff, e.g. a lab device managed by faculty or researchers. The spreadsheet allows for assigning responses to multiple team members. If a team member changes role, please inform UIS to update our gap contacts.

Q: What is the expectation for completing the gap analysis?

Gap spreadsheets are envisioned as living documents during the gap analysis. For new assets, it is advisable to conduct a partial gap analysis of relevant controls in advance to develop requirements for the new technology or service, raise any questions before implementation, and avoid purchasing and implementing non-compliant solutions. For existing assets, OIT services are expected to complete their gap analysis (and request any Exceptions that are identified) by the effective date of new controls. Non-OIT units are strongly encouraged to complete their gap analysis (and request any Exceptions that are identified) by the effective date.

Q: What is the schedule for recurring gap analyses?

The expectation is that a completed gap analysis will be reviewed and updated at least annually. A new gap analysis may be initiated by changes to the IT environment or by revisions to the University’s information security standards. Typically, controls will be revised or new controls added when the Information Security policy is reviewed every 2 years, following the Policy Library review and input process. If the expectation to complete the gap analysis conflicts with other prioritized tasks, consult your supervisor and contact UIS as soon as possible.

Q: How do we scope the gap analysis?

It may be helpful to consider:

  • a functional approach of grouping similar assets into a common gap analysis, e.g. desktops and laptops could be grouped.
  • a vertical approach of grouping supporting technologies if they are managed by the service, e.g. administrative apps used to maintain a business app.
  • vendor-hosted assets as well as on-premise/locally hosted assets.
  • excluding assets planned for imminent decommission, where that is reasonable. If the decommissioning is subsequently extended, the asset should be included.

Use the free text fields in the survey or the Notes column in the spreadsheet to provide enough context for your unit and UIS to understand your rationale for scope.

Q: Who is the Risk Owner?

The Risk Owner(s) are usually both the University-designated Data Owner for the type of data involved and the Data Custodian, i.e. the person accountable for the asset’s operation. Data is considered to be accessed by a system or application if the data access is part of the asset’s primary function. This does not include ‘pass-through’ or tangential access to enterprise data that is not stored locally.

Q: What is the difference between multi-user and single-user assets?

Examples of multi-user assets include platforms, databases, networks or servers. Single-user assets are primarily used by a single person at a time, e.g. a lab or clinical laptop or tablet that is operated by different users sequentially.

Q: How much detail should be included?

Include enough detail that someone else in your group could take over the response, or that it will be clear enough to resume in 6 months, particularly if selecting 'N/A due to technology' or 'Vendor-supported'. Use the free text fields in the survey or the Notes column in the spreadsheet to provide enough context for UIS to recognize the type of asset, or to help clarify current controls for future gap analyses. There is also an optional Documentation column in the spreadsheet that can be used for reference.

Q: Can a gap sheet be shared with a vendor?

Units can create a blank copy of the spreadsheet for a vendor and indicate which controls they should address, e.g. for a vendor-hosted application, then review and copy the vendor responses into the unit’s spreadsheet. Do not share internal UMN information with vendors.

Q: How do we respond for other teams that share responsibility?

If another team has responsibility for and is currently managing a control, e.g. physical security of servers in the Data Center, enter the team name in the Party Responsible column and add a Note to explain the division of responsibilities.

If the responsible team is part of your organization, confirm the status with them and select Yes or No rather than Supported by Another Team. Only use the Supported by Another Team option if the team is external to your organization, belongs to a different department, or reports to a different Service Owner.

Q: How do we respond to controls for the SA. Information Security Awareness, Education and Training Standard?

The requirement to participate in Information Security Awareness training (SA.A) applies across the University. The requirement to manage delivery and track completion of training (SA.B) applies to any unit responsible for Information Security Awareness. For more information, see https://it.umn.edu/resources-it-staff-partners/information-security-standards-guidelines/information-security.

Q: When should I use ‘N/A due to Technology’?

Use this response when the technology of the asset will never be able to comply with the control, e.g. a microscope that does not have logging functionality. Do not use it when the asset has the capability to comply but the capability is not currently enabled, e.g. logging has not been configured. Include a reason in the Notes column to document your rationale.

Q: How do I write a Gap Closure Plan with a Targeted Gap Closure Date?

Include the Who, What, When, and Where of the initial steps to close the gap, e.g. ‘team will contact vendor regarding road map by X date’, or ‘team will develop document templates and draft procedures to be stored in Shared drive by X date’. Include the action items that can be addressed within 6 to 12 months in the Plan.

Use the Notes column to document your priorities or decisions, or add links to documents for your team’s reference.

Contact UIS via [email protected] for other questions.