Create gap analysis

Status: Live

The organization will review existing control strategies for identified risks and implement new controls for them if necessary, or consider appropriate measures for transferring, accepting, reducing or avoiding each critical risk. [UCF ID 00704]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § I.iv; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 12, Pg D-6; FFIEC IT Examination Handbook – Operations, July 2004, Pg 15; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 5-4.a; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § D.4.2; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; Australian Government ICT Security Manual (ACSI 33), § 3.5.15; OMB Circular A-123 Management’s Responsibility for Internal Control, § I.A; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 37, Pg 39; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.1; Archer Control Table, ATCS-027, ATCS-028

Sarbanes Oxley Guidance

After a risk assessment is completed, the existing controls should be reviewed to ensure they still protect the system against the identified risks. If they do not, new controls should be examined to determine whether they should be implemented, or it should be determined whether the existing control can be upgraded to mitigate the risk. [§ I.A, OMB Circular A-123 Management’s Responsibility for Internal Control]

The organization should develop a list of all controls that exist for each identified risk and determine whether each control is functioning effectively and correctly. If a control is not functioning correctly, management should decide whether to accept the risk or to implement a compensating control to address the deficiency. [Pg 37, Pg 39, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

If the organization fails to meet any standard, it should create a plan to meet the compliance requirements. [App A § I.iv, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

[Exam Tier II Obj D.2, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should perform a gap analysis. A gap analysis is a comparison of the existing continuity plan versus what procedures should be implemented to recover and resume normal business operations. [Pg 12, Pg D-6, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

Controls should be implemented to reduce the internal and external threats to the organization. Management should ensure the controls are balanced by the cost, effectiveness, and operational requirements of the organization. [Pg 15, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

The organization should review all risks and determine countermeasures for each of the risks. [§ 5-4.a, Army Regulation 380-19: Information Systems Security, February 27, 1998]

Records Management Guidance

[§ D.4.2, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

General Guidance

It is recommended that an organization reviews existing control strategies for identified risks and implements new controls for them if necessary, or considers appropriate measures for transferring, accepting, reducing or avoiding each critical risk. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

Other European and African Guidance

The Board of Directors should establish a control system to ensure that all identified risks are corrected. [¶ 3.2.1, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

When vulnerabilities cannot be patched, the organization should use other controls to minimize the risks associated with the vulnerabilities. [§ 3.5.15, Australian Government ICT Security Manual (ACSI 33)]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.