
Identify Compliance Gaps

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain how to implement a cybersecurity compliance framework.
  • Identify how to assess existing policies, procedures, and technologies to pinpoint compliance gaps.
  • Explain how to analyze threats, risks, and vulnerabilities to find weak spots in critical assets.

Using a Cybersecurity Compliance Framework

The key to protecting your customers’ data is complying with binding laws, regulations, standards, and policies put in place by governments, regulatory authorities, and your organization regarding cybersecurity. As a cybersecurity compliance analyst, you enable your organization to stay one step ahead by anticipating and minimizing cybersecurity risks, threats, and vulnerabilities and by meeting multiple information technology (IT) compliance requirements. You do so by completing compliance assessments, which help identify gaps between your existing control environment and what is required. You conduct this analysis by interviewing internal team members and evaluating processes and procedures. 

How do you keep track of all these requirements and at the same time assess your organization’s compliance? Use a cybersecurity compliance framework, which provides the foundation for dealing with compliance risks. This framework helps you map capabilities and controls to applicable regulations and standards. Because different laws, regulations, standards, and policies often have similar overlapping requirements, you map these requirements across cybersecurity compliance frameworks. This helps identify where a particular set of requirements can be met by one control, thus making your organization's security approach more efficient. Then, if there are deviations from the requirements, you help the business interpret what exactly it’s required to do. 
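The mapping step described above can be made concrete. The following Python is an added example, not code from this unit or from Trailhead: it holds a few paraphrased requirements from three frameworks (the labels and their wording are constructed for the exercise, not the standards' own text or numbering), maps each implemented control to the requirements it addresses, and then reports two things a compliance analyst looks for: controls that satisfy requirements in several frameworks at once, and requirements with no implemented control, which are the deviations to bring back to the business.

```python
from dataclasses import dataclass

# Constructed sample data. The requirement labels below are short paraphrases chosen
# for this exercise, not the authoritative text or numbering of any standard.
REQUIREMENTS = {
    "PCI DSS": {
        "PCI-DEFAULTS": "Do not use vendor-supplied defaults for security parameters",
        "PCI-STORED": "Protect stored cardholder data",
        "PCI-NEED-TO-KNOW": "Restrict access to cardholder data by business need to know",
        "PCI-AUDIT": "Track and monitor all access to cardholder data",
    },
    "HIPAA": {
        "HIPAA-ACCESS": "Allow access to PHI only to authorized persons",
        "HIPAA-AUDIT": "Record and examine activity in systems that contain PHI",
    },
    "ISO 27001": {
        "ISO-ACCESS": "Limit access to information and processing facilities",
        "ISO-LOGGING": "Record events and generate evidence",
    },
}


@dataclass
class Control:
    name: str
    implemented: bool     # outcome of the assessment (interviews, evidence review)
    satisfies: frozenset  # requirement ids this control addresses


# Constructed control environment for the example.
CONTROLS = [
    Control("Role-based access to cardholder and PHI data stores", True,
            frozenset({"PCI-NEED-TO-KNOW", "HIPAA-ACCESS", "ISO-ACCESS"})),
    Control("Encryption at rest for stored cardholder data", True,
            frozenset({"PCI-STORED"})),
    Control("Hardened build baseline with vendor defaults changed", True,
            frozenset({"PCI-DEFAULTS"})),
    Control("Centralized tamper-evident audit logging", False,
            frozenset({"PCI-AUDIT", "HIPAA-AUDIT", "ISO-LOGGING"})),
]


def framework_index(requirements):
    """Map every requirement id back to the framework it belongs to."""
    return {rid: fw for fw, reqs in requirements.items() for rid in reqs}


def requirement_coverage(requirements, controls):
    """Return {requirement id: [names of implemented controls that address it]}."""
    coverage = {rid: [] for reqs in requirements.values() for rid in reqs}
    for control in controls:
        if not control.implemented:
            continue
        for rid in control.satisfies:
            if rid in coverage:
                coverage[rid].append(control.name)
    return coverage


def find_gaps(requirements, controls):
    """Requirements with no implemented control: the deviations to report to the business."""
    coverage = requirement_coverage(requirements, controls)
    return sorted(rid for rid, names in coverage.items() if not names)


def shared_controls(requirements, controls):
    """Controls whose requirements span more than one framework, so one control serves several regimes."""
    index = framework_index(requirements)
    shared = {}
    for control in controls:
        frameworks = sorted({index[rid] for rid in control.satisfies if rid in index})
        if len(frameworks) > 1:
            shared[control.name] = frameworks
    return shared


def gap_report(requirements, controls):
    """Gaps grouped by framework, which is how the business usually wants them presented."""
    index = framework_index(requirements)
    report = {}
    for rid in find_gaps(requirements, controls):
        report.setdefault(index[rid], []).append(rid)
    return report


if __name__ == "__main__":
    for name, fws in shared_controls(REQUIREMENTS, CONTROLS).items():
        print(f"{name}: one control, {len(fws)} frameworks ({', '.join(fws)})")
    for fw, gaps in gap_report(REQUIREMENTS, CONTROLS).items():
        print(f"GAP {fw}: {', '.join(gaps)}")
```

Running it shows the two sides of the mapping: the access-control entry covers PCI DSS, HIPAA, and ISO 27001 with a single control, while the unimplemented audit-logging control leaves one requirement open in each of the three frameworks, so one remediation closes three gaps.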

So what are these different laws, regulations, standards, and policies that you need to be aware of? It depends on what jurisdiction you do business in, what industry you’re in, and what type of data you handle. Here are some examples of standards that can impact your organization.

  • American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) for Cybersecurity: A voluntary reporting framework used by certified public accountants (CPAs) to evaluate the controls within a service organization’s cyber risk management program.
  • Federal Risk and Authorization Management Program (FedRAMP): A US federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services; it applies to any such service used to process or store federal government data.
  • General Data Protection Regulation (GDPR): A regulation that covers companies that serve customers or do business with individuals in the European Union (EU) and requires that personal data be processed securely using appropriate technical and organizational measures.
  • Health Insurance Portability and Accountability Act (HIPAA): A set of security, privacy, and breach notification rules put in place by the U.S. Department of Health and Human Services (HHS). It covers healthcare providers, healthcare plans, insurance billing firms, benefits managers, claims processors, and others, and protects individually identifiable health information, called protected health information (PHI).
  • ISO/IEC 27001 Industry Standards for Information Security Management: A voluntary international standard that helps organizations of any kind manage the security of assets such as financial information, intellectual property, and employee details by addressing people and processes as well as technology.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework: A voluntary framework, based on existing standards, guidelines, and practices, developed by the US federal government in collaboration with industry to reduce cyber risks to critical infrastructure.
  • Payment Card Industry Data Security Standard (PCI DSS): A standard that covers retailers, payment card issuers, and any organization that accepts, processes, or transmits payment card data.

Identifying Cybersecurity Compliance Gaps

Maintaining compliance with the laws, regulations, standards, and policies that apply to your organization requires taking a close look at your cybersecurity environment to identify cybersecurity gaps that attackers can exploit. You start by assessing existing policies and procedures to ensure they align with business goals, are clear and easy to understand, and follow best practices to minimize risk. Next, you assess your technology for any gaps. Some of the tools you use to do so include the following.

  • Bug bounty programs: Identify vulnerabilities in your websites, products, and services by encouraging security researchers within, or external to, your organization to report vulnerabilities in return for a reward. For example, a security researcher may discover that they have unauthorized access to a cloud storage container, alerting you before an adversary makes the same discovery.
  • Phishing simulations: Assess your workforce’s ability to identify and report a phishing attack. For example, by conducting a phishing simulation, you discover that some of your administrative users fall for a suspicious email containing a malicious link. If this was a real phishing email, an attacker could have gained unauthorized access to their account. Discovering this may point to a gap in your security awareness training, email controls, and authentication mechanisms.
  • Penetration tests: Simulate a cyberattack against a computer system to check for exploitable vulnerabilities. For example, a penetration test conducted by a third party against one of your systems may find that the testers are able to gain access to administrative credentials using a phishing email, and then use those credentials to exfiltrate data and delete the log files associated with the exfiltration. This can point to gaps in your implementation of auditing and logging and of segregation (or separation) of duties, as well as gaps in your authentication mechanisms.
  • Red team assessments: An internal team collects as much information as possible about the people and technology in your environment, tries to gain access to sensitive information, and tests the organization’s detection and response capabilities. For example, the team may drop a USB drive loaded with ransomware on your receptionist’s desk, and he then plugs it into his laptop. The ransomware may allow the team to encrypt and lock important files the company needs to succeed. If the company is unable to restore the files from a trusted backup, this can indicate a gap in your disaster recovery and contingency planning, as well as a need for further security awareness training that educates users about malicious peripherals and for technical controls that block such peripherals from accessing the network in the first place.

You’ve finished reviewing your assets, infrastructure, controls, and strategy. What’s next? It’s time to analyze relevant threats, risks, and vulnerabilities to further discover where there may be cybersecurity compliance gaps that threaten your organization.

Identify Threats, Risks, and Vulnerabilities

Threats 

Meet Sanako. Sanako is a cybersecurity compliance analyst for Capital International, a financial corporation that specializes in credit cards. One of her roles is to work with Capital International’s threat intelligence team to analyze threats against the organization’s assets and stay ahead of them. Some of the threats that Sanako and the team are concerned with include: 

  • Malware: Malicious software, such as a computer virus, that consists of code developed by cyberattackers and is designed to cause extensive damage to data and systems or to gain unauthorized access to a network.
  • Ransomware: Malicious software that infects your computer and displays messages demanding a fee to be paid in order for your system to work again.
  • Phishing: The fraudulent practice of sending emails purporting to be from reputable companies or individuals in order to induce users to reveal personal information, such as passwords and credit card numbers.

Risks

Sanako also works with Capital International’s risk managers to identify risks and measure the organization’s risk exposure. This includes not only cybersecurity risk but also financial, legal, and reputational risk. For example, a failure to implement a required security control—such as restricting access to cardholder data to those who need to know the information to conduct business—can lead to fines for noncompliance with the PCI DSS, representing both a cybersecurity and financial risk. 

In assessing these risks, Sanako looks at both internal systems and third-party vendors. She collects data to evaluate the cybersecurity posture of various systems and uses questionnaires to understand business and technology risks. She does this within a context of assessing the business’s core competencies and goals and how they impact Capital International’s level of risk for a cybersecurity breach.

Vulnerabilities

Finally, Sanako assesses Capital International's vulnerabilities. She works with the vulnerability management team to find weak spots in the organization’s critical assets. She also works with system owners to take corrective action, stopping attackers from exploiting weak spots to sabotage the business or steal confidential data. Then, she maps vulnerabilities against the standards the organization is required to meet. 

For example, Sanako may find that customer payment card data is exposed by a cloud storage container that uses the vendor’s default setting of “public” for access permissions. She knows that this is a vulnerability that an attacker can exploit. It’s also in violation of the PCI DSS requirement to not use vendor-supplied defaults for security parameters and to protect stored cardholder data. She notifies the system owners of this gap right away. She also incorporates it as part of her cybersecurity compliance framework to ensure that Capital International is aware and has a plan to address it. Taking this organizational view ensures the company remains compliant and provides strong cybersecurity protections to its customers. It’s a lot of work but worth the effort!
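Sanako's finding is the kind of check that can be run across an inventory rather than spotted one container at a time. The Python below is an added example, not code from this unit or from Trailhead, and it does not use any real cloud provider's API: the container records, their field names (`access`, `access_explicitly_set`, `classification`), and the requirement labels are all constructed for the exercise. It grades each container, flags a public container holding cardholder data as a critical exposure, flags an access permission that was never explicitly set as a vendor-default deviation, and groups the results under the paraphrased PCI DSS requirements they map to, which is the view that feeds the compliance framework.

```python
from dataclasses import dataclass

# Constructed inventory of cloud storage containers, as an assessment might record them.
# Field names and values are this example's own, not a real provider's API.
CONTAINERS = [
    {"name": "cardholder-exports", "access": "public", "access_explicitly_set": False, "classification": "cardholder"},
    {"name": "marketing-assets", "access": "public", "access_explicitly_set": True, "classification": "public"},
    {"name": "statement-archive", "access": "private", "access_explicitly_set": True, "classification": "cardholder"},
    {"name": "hr-documents", "access": "private", "access_explicitly_set": False, "classification": "internal"},
]

REGULATED = {"cardholder", "phi"}  # data classes with explicit storage requirements

# Paraphrased requirement labels used to map findings back to the framework
# (illustrative wording, not the standard's text or numbering).
REQ_PROTECT_STORED = "PCI DSS: protect stored cardholder data"
REQ_NO_DEFAULTS = "PCI DSS: do not use vendor-supplied defaults for security parameters"
REQ_NEED_TO_KNOW = "PCI DSS: restrict access to cardholder data by business need to know"


@dataclass(frozen=True)
class Finding:
    container: str
    severity: str
    issue: str
    requirement: str


def assess_container(c):
    """Return the compliance findings for one container record."""
    findings = []
    regulated = c["classification"] in REGULATED
    public = c["access"] == "public"

    if public and regulated:
        findings.append(Finding(c["name"], "critical",
                                "regulated data readable by anyone on the internet", REQ_PROTECT_STORED))
    elif public and c["classification"] != "public":
        findings.append(Finding(c["name"], "high",
                                "non-public data exposed to anyone on the internet", REQ_NEED_TO_KNOW))

    # A permission nobody set is whatever the vendor shipped. Even when the shipped
    # value happens to be safe, leaving it unreviewed on sensitive data is a deviation.
    if not c["access_explicitly_set"] and c["classification"] != "public":
        findings.append(Finding(c["name"], "high" if regulated else "medium",
                                "access permission left at the vendor default", REQ_NO_DEFAULTS))
    return findings


def assess_inventory(containers):
    """Run the check over the whole inventory."""
    return [f for c in containers for f in assess_container(c)]


def severity_counts(findings):
    """Tally findings by severity for the summary line of the report."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def findings_by_requirement(findings):
    """Group affected containers under the requirement each finding violates."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.requirement, []).append(f.container)
    return grouped


if __name__ == "__main__":
    results = assess_inventory(CONTAINERS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.container}: {f.issue} -> {f.requirement}")
    print(severity_counts(results))
```

On the constructed inventory, the public container of cardholder data produces both a critical exposure finding and a vendor-default finding, the private but never-configured HR container produces only a medium default-setting finding, and the intentionally public marketing container produces nothing. Splitting "exposed" from "left at default" matters: the second is a gap even after the first is fixed, because the requirement is about the process of setting security parameters, not only the resulting value.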
