Cyber Security Gap Assessment: Identify Vulnerabilities and Reduce Risks

Get backup from our team of security and compliance experts to enable your organization to pass any regulatory obligation.

Gap Assessment

Regulatory and Compliance Guidance

What is a Gap Assessment?

Identify the steps needed to reduce risk and pass audits

Whether it’s a government body, a contractual obligation with a customer, an industry requirement, a private-sector framework, or a nonprofit authority, organizations often have a set of rules and security controls they must adhere to. To ensure you can earn contracts, stay accredited, and stay certified, identifying where you currently fall short in your administrative, physical, and technical security is a crucial step.

How can we help?

Speak with one of our security experts to get started on your path to meeting your regulatory obligations.

How does FRSecure approach gap assessments?

After determining which regulation(s) your organization must adhere to, FRSecure analysts will work with your team to understand which capabilities and controls are in place—ultimately helping you identify shortcomings in your requirements. With an emphasis on improving your overall security fundamentals, compliance falls naturally in place after that. Because of this, we can support a wide range of requirements across almost any industry.

Gap Assessment Steps

01.

Interview Staff

It’s important to talk to staff who are responsible for each area of the requirement in question. We need to be if the staff understands how their daily functions impact the security program and its requirements.

02.

Review Evidence

After the interview is conducted, our analysts will take the information gathered, assess what’s being done, and see where there are discrepancies between the two.

03.

Develop Roadmap

Once the evidence is reviewed, the analyst can determine where there are shortcomings in the regulatory requirements. Then they’ll develop a detailed plan outlining the to-dos, timeline, and cost needed to comply.

AWIA

America's Water Infrastructure Act (AWIA) was enacted in 2018 to protect water quality and infrastructure. This requires systems of certain sizes to have risk assessments and emergency response plans.

FFIEC

The FFIEC is a counsel intending to bring consistency to financial institutions. As part of this, regulations were put in place to consider and improve information security risks and program maturity among them.

CCPA

The California Consumer Privacy Act allows California residents to take back some control with regards to the collection, storage, usage, and selling of their personal information.

CIS

The Center for Internet Security is a nonprofit that developed standards in the form of the CIS Controls and CIS Benchmarks. Their 20 controls are a prioritized list of action items to minimize attacks.

HIPAA

The Health Insurance Portability and Accountability Act, enforced by the Department of Health & Human Services and the Office for Civil Rights, is all about protecting patient information in healthcare.

FINRA

The Financial Industry Regulatory Authority is a not-for-profit that regulates the financial markets and protects investors. These regulations include a number of cybersecurity controls that firms must adhere to and have reviewed by FINRA.

PCI

In 2006 the major cardholder companies came up with a set of security standards so that merchants and vendors could better protect the cardholder data they process and store. How and how much you take payment information determines your efforts.

CMMC

The Department of Defense created the Cybersecurity Maturity Model Certification as a way to keep tabs on its contractors’ security measures. By 2026 any and all DOD contracts will require that the contractor adhere to its matching level requirements.

FERC/NERC

The Federal Energy Regulatory Commission (FERC) has the authority to establish cybersecurity regulations over electric utility companies and operators. The standards are created by the North American Electric Reliability Corporation (NERC).

NYDFS

The NY State Department of Financial Services’ (NYDFS) has cybersecurity requirements for financial services companies. The rules were released in 2017 with 23 sections focused on assessing risks and developing plans to address them.

SOPPA

The Student Online Personal Protection Act, or SOPPA, is the data privacy law that regulates student data collection and use by schools, the Illinois State Board of Education, and education technology (EdTech) vendors. It currently includes Illinois school districts' and healthcare.

NIST 800-53

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems (except those related to national security).

NIST 800-171

NIST 800-171 governs Controlled Unclassified Information (CUI) in non-federal information systems. It is essentially a set of standards that define how to safeguard material deemed sensitive but not classified.

NIST CSF

This framework was prepared by the National Institute of Standards and Technology (NIST). It is a voluntary framework focused on helping organizations manage and reduce risks, and fostering communication among internal and external stakeholders.

GLBA Safeguards Compliance

The FTC has updated its 2003 Safeguards Rule. This rule outlines expectations and regulations around information security for financial industries, and more businesses than ever are required to be compliant.

“Thanks to FRSecure’s detailed understanding of both technical requirements and healthcare regulations, the complex site has maintained impeccable compliance and reliable performance. FRSecure’s responsiveness, customer-focused attitude, and robust audit processes continue to promote stability.”

President

Trailhead Health

Gap Assessment FAQ

What do the deliverables look like?

FRSecure uses a risk assessment methodology and platform called S2. The final report will list specific controls you need to adhere to and map to the corresponding controls in S2. It will also list the specific control and whether it’s being met, not being met, or if not applicable.

What does the timeline look like?

It typically takes between 4-16 hours to conduct interviews with your staff. In total, it takes anywhere from 4-6 weeks to complete the entire engagement.

How often does this need to be done?

On average, regulatory requirements need to be met every 1-2 years, so these need to be conducted at least that often. It cannot be a one-and-done—it must be an ongoing process.

Does FRSecure conduct the audit too?

It is crucial to us that we stay objective when handling cybersecurity services. Grading your own paper is an easy way to bring unintentional bias, leading to a false sense of security. We help improve security programs and determine gaps in compliance—but we stop there.

The FRSecure Way

Why work with FRSecure?

Expertise

FRSecure has been in business for over 10 years, and our team has more than 300 years of combined experience working in information security and boasts 30 different kinds of certifications. When it comes to growing a security program that complies with regulatory standards, you have the benefit of experience in your corner.

Mission

Our mission at FRSecure is to fix the broken information security industry. Not only do we help you comply with standards, but we also solve as many weaknesses as we can in your security environment. We are dedicated to making real, lasting, impactful changes to your security program.

Style

Our style isn’t “cookie cutter.” We recognize that each organization is different, and every security program is at a different stage of maturity. We get to know your security program intimately, use assessents to determine what your strengths and weaknesses are, and then apply industry best practices to provide next steps that’ll help you meet regulatory requirements.

Focus

Information security is all we do. We don’t do IT, sell hardware, or provide telco services. We only do security. Because of this, our team can provide unbiased recommendations that will actually make a dramatic impact to the way you do security. We work hard to be a partner—collaborating with and educating your team every step of the way.

“FRSecure’s recommendations have resulted in a level one PCI certification, which is the highest level of certification a company can achieve. Their highly personalized recommendations and services have resulted in heightened security and continual growth in business.”

Security Administrator

Premier Printing Company