User:Shawndouglas/sandbox/sublevel3
A gap analysis differs from a risk analysis in that the gap analysis is a high-level, narrowly scoped comparison of the technical, physical, and administrative safeguards currently in place against how well those safeguards actually hold up to a cyber attack. As such, the gap analysis can be thought of as an introduction to the potential vulnerabilities in a system, and it forms one part of an overall risk analysis; the risk analysis then goes further, estimating the likelihood and impact of the threats that exploit those gaps.[1] The gap analysis asks what the organization's cyber defense capabilities are, what the major threats are, and where the differences between the two lie. It is also worth considering, for each gap identified, what the potential impact would be if the corresponding threat were realized.[2]
The gap analysis can also be looked at as a measure of the safeguards currently in place versus the controls that industry best practice dictates. This may be done by choosing an industry-standard security control framework (this guide uses NIST SP 800-53, Rev. 4) and evaluating key stakeholder policies, responsibilities, and processes against that framework, control by control, to record which controls are fully implemented, partially implemented, or absent.[3]
References
- ↑ Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 23 July 2020.
- ↑ Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 23 July 2020.
- ↑ Sell, C. (28 January 2015). "How To Conduct An Information Security Gap Analysis". CIO. IDG Communications, Inc. https://www.cio.com/article/2876708/how-to-conduct-an-information-security-gap-analysis.html. Retrieved 23 July 2020.