Who Needs this Service
Security and privacy gap analyses are broadly applicable services that help companies with either immature security programs or evolving products and markets. Companies seeking these services have often been instructed by funders, customers, or partners to improve their security posture, or have become subject to additional privacy obligations because of new legislation or expansion into additional jurisdictions. Others are trying to win prospects, investors, or partners who insist on security or privacy programs that address the controls named in particular frameworks or legislation.
What are the Goals of the Service
Our objective in providing Security Gap Analysis and Privacy Impact Assessment services is to help our customers understand the threat and privacy landscapes in which they operate, and their readiness to respond to events that will impact their ability to deliver their product or service. The analyses are usually performed against a specific control framework or legislative act, but less formal approaches can also be used at the client’s direction.
What is the Service
When we begin a Security Gap Analysis or Privacy Impact Assessment we will provide an information request list (IRL) asking for a series of artifacts including network design, enterprise assets/applications, software architecture, deployment architecture, organization structure, customer service processes, etc. We will also request interview time to validate our understanding of the provided documents once we have reviewed them. From the information gathered, we will perform modeling and analysis and provide a series of recommendations to improve security and privacy posture and alignment with any chosen control framework or legislation.
The primary business outcome of the analyses is awareness of key weaknesses in the organization’s service resilience and privacy controls. The secondary outcome is a roadmap of initiatives, including concrete remediation guidance, that the customer can use to improve its security posture and privacy controls. Once implemented, the remediations can be used to demonstrate adoption of the chosen control frameworks to stakeholders.