No one is perfect ; not even the Almighty!!
And definitely any implemented management system is bound to have certain gaps. A gap can be defined as “a difference between the defined procedure, a policy requirement, legal or statutory requirements or a standard requirement vis a vis the practice being followed and/or implemented.”
Technically we can say :
1. Gap exists when their is a failure to identify the risk, evaluate the risk or mitigate the risk properly.
2. Gap exists when any control required to mitigate a risk has failed and there has been no action taken to reassess the risk or control effectiveness. For example there was a malware breakout and organization did not analyze why anti-virus failed.
3. Gap can exist due to ineffective practice or process. For example multiple password cracking attempts were made and finally hackers were able to break a password. Post investigation of breach it was found that the hackers started the attack some time back before they were finally able to crack the password. A failure of monitoring process to analyze access denials lead the breach.
4. Gap can also exist due to lack of training or knowledge upgradation. If new employees are not informed about the security policies of organizations, they may leak the data unintentionally e.g loss of a USB disk with organization data.
Some of the other common reasons for existence of security gaps can also be attributed to lack of vision, No GRC board, poor management involvement, lack of segregation of duties or insufficient manpower etc. Leaving aside all reasons lets try to go understand the gaps at various levels to ensure these can be patched.
Please note information provided on this portal is based on my personal experience. Users/visitors are advised to refer to other sites and sources for making a conscious decision of their own. I shall not be responsible for any of the risks that may arise while adopting/implementing any of the practices mentioned anywhere on this portal.
- Understanding Firesafe Cabinets
- Firewall Audit – Common issues
- Domain Controller Audit – What is not controlled