
Gap Analysis Matrix



| Critical Requirement | Level of Compliance | Responsible Organization | Findings | Recommendations |
|---|---|---|---|---|
| The requirement to maintain a secure perimeter | Non-Compliant | Security team | Currently, there is no secure network perimeter to protect business data. | The security team is responsible for establishing a safe zone surrounding the premises. |
| The requirement to maintain an incident response plan | Non-Compliant | Security team | There is no incident response plan; thus, the organization has no strategy for dealing with data security breaches. | The security team must develop and implement a plan for handling occurrences. |
| The requirement to encrypt all sensitive data | Non-Compliant | IT team | The organization is vulnerable to assault since it does not encrypt its most sensitive data. | IT should encrypt sensitive data before storing it. |
| The requirement to log all access to sensitive data | Non-Compliant | Security team | It is hard to track and monitor actions inside the corporation since not every access to sensitive data is recorded. | The security team must implement a logging system to monitor who can access private information. |
| The requirement to provide security awareness training to all employees | Non-Compliant | HR team | Not all staff get security awareness training, so many may not know how to keep the company's data secure. | Human resources must develop and implement a plan to train all employees on safe work practices. |
| Access Control | Compliant | IT Team | The access control policy is not being applied consistently, and some users have been granted unnecessary access. | Do a comprehensive audit of all permissions and implement a uniform control system. |
| Physical Security | Compliant | Facilities Team | There is inconsistency in enforcing controls designed to guarantee people's physical safety at different locations. | The physical security measures at each location must be assessed, and the same controls should be applied elsewhere. |
| Communications Security | Compliant | IT Team | There is no agreed-upon encryption method, and not all communication channels are adequately protected. | Create an official policy on using encryption, then review and improve the security of all communication channels. |
| Security Training and Awareness | Compliant | Information Security Team | Efforts to raise awareness and provide training are inconsistent and do not reach as many people as they might. | Workshops for training and raising awareness should be held often, and the programs utilized for these purposes should be reviewed and updated regularly. |
| Compliance | Compliant | Compliance Team | Compliance with relevant laws and regulations is not continually monitored and reported. | Continuously monitor compliance with the law and report any discrepancies you find. |

Hypothesis

There are several critical information security requirements that the organization is not meeting. The security team is responsible for enforcing a secure perimeter, creating an incident response plan, and setting up a logging system. Sensitive information must be encrypted, which falls to the information security team (Kirrane, 2021). Human resources are responsible for training employees to improve their awareness of potential security threats.

References

Kirrane, S. (2021). Intelligent software web agents: A gap analysis. Journal of Web Semantics, 71, 100659.
