1. Gap Analysis Areas of Interest – CyberWar, CyberTerror, CyberCrime: A Guide to the Role of Standards in an Environment of Change and Danger

Appendix 1. Gap Analysis Areas of Interest

| Area of Interest | Sample documentation |
|---|---|
| Cybersecurity Planning | Information security policies |
| Cybersecurity Planning | Organization mission statement |
| Cybersecurity Planning | Organization roles and responsibilities |
| Cybersecurity Planning | IT and security organization chart |
| Cybersecurity Planning | Most current risk assessment |
| Cybersecurity Planning | Most recent cybersecurity assessments |
| Incident Response | Incident response plan, processes, and procedures |
| Incident Response | Procedures for incident monitoring and reporting |
| Risk Management | Cybersecurity risk management plan |
| Risk Management | Vulnerability management plan |
| Vendor Management | Policies regarding vendor selection, monitoring, and cybersecurity responsibilities |
| Vendor Management | Service level agreements (SLAs) |
| Network Operations | System security engineering standards and policies |
| Network Operations | Configuration specifications for information systems |
| Network Operations | Secure application procurement/development processes and policies |
| Network Operations | Anti-virus procedures |
| Network Operations | Patch management |
| Network Operations | Network architecture diagrams, including boundary protection mechanisms |
| Access Control | Access policies (e.g. passwords) |
| Access Control | Access policies (e.g. request, approval, termination, account management) |
| Change Control | System inventory procedures and results |
| Change Control | Change control procedures |
| Change Control | Change approval documents and tracking mechanisms |
| Physical Security | Physical security policy |
| Physical Security | Badge and identification policies and procedures |
| Physical Security | Sensitive area access procedures and policies |
| Physical Security | Visitor access procedures and policies |
| Data Handling | Data classification policy and procedures |
| Data Handling | Encryption standards for data at rest and in transit |
| Data Handling | Computer disposal policy and procedures |
| Data Handling | Electronic record retention policy and procedures |
| Personnel Security | Hiring policy and procedures |
| Personnel Security | Termination policy and procedures |
| Personnel Security | Monitoring procedures and policy |
| Acceptable Use | End-user acceptable use policy |
| Acceptable Use | Privacy impact assessments |
| Acceptable Use | Personally identifiable information protection policy and procedures |
| Cybersecurity Training & Awareness | Cybersecurity training programme requirements |
| Cybersecurity Training & Awareness | Cybersecurity training and awareness tracking |
| Cybersecurity Training & Awareness | Self-assessment policy and procedures |
| Cybersecurity Training & Awareness | Copies of executed self-assessments |
| Cybersecurity Metrics | List of identified cybersecurity metrics |
| Cybersecurity Metrics | Metrics collection and analysis policies and procedures |
| Cybersecurity Metrics | Sample metrics report |
| Mobile Computing | Policies and procedures for the use of laptops, PDAs, and other mobile systems |
| Mobile Computing | Telecommuting policy and cybersecurity procedures |
| Mobile Computing | Removable media policy and procedures |
| Wireless Computing | Wireless deployment policies and procedures |
| Wireless Computing | Wireless security policies and procedures |