Gap Assessment Process
What Is A Gap Assessment?
The Dash Gap Assessment feature enables teams to perform a smart AI-powered security gap assessment on the administrative policies and procedures within your organization.
Baseline Security recommendations are based on industry-established controls (CIS IG1) that are relevant for all other Dash provided security and compliance standards. This process is a good first step for ensuring your team has the base-level controls required for most security programs.
If your team does not have any policies or procedures in place, the gap assessment will provide recommendations on initial policies to create.
Your team may rerun the gap assessment multiple times with updated policies to see how your security controls and administrative policies have improved and how they meet the baseline security standard.
Policies and controls are evaluated based on the Dash Baseline Security standard and conducted with smart AI processes.
Dash AI analysis allows for automated classification of administrative policies, and analysis of files against a standard set of IT security controls.
Note: AI models, LLMs, and data are managed in a Dash secured and hosted environment. No policy files, data, or results are shared with AI models or public AI services (such as ChatGPT).
The Gap Assessment provides actionable insight for teams looking to evaluate the effectiveness of current administrative policies or determine next steps for meeting specific regulatory and compliance standards.
Performing A Gap Assessment
Your team may gather all administrative security policies and follow the steps below to run a Gap Assessment, analyze existing policy files, and view baseline security gaps and recommendations.
If you have already run a Gap Assessment and want to perform a new Assessment, see the Restarting Gap Assessment section.

Log in to Dash ComplyOps

On the home dashboard, under the “Security Baseline” box click the “Start Security Gap Assessment” button

Upload all of your administrative policies and procedure files for your organization
What should I upload? - IT security policies, administrative policies, and standard operating procedures used by your organization and your security program should be uploaded.
E.g., System Access Policy, Risk Management Policy, Configuration Management Policy
You should only upload the latest version of a policy (no duplicates of the same policy)
Types of files - The Dash Gap Assessment process supports PDF, DOCX, TXT, and XLSX filetypes for analysis.
If you do not have any policies, you should select the “No, I don’t have an existing policies” option.
If you have already uploaded policy files into the Gap Assessment process before, do not add them again; they will already be stored in this process (until manually deleted). You will get to review all policy files in the next step.
Once all files are uploaded, click the “Next” button.
It may take a minute to process and classify your files, then you will be taken to the next Classification page.

Classify all files by the closest Policy Type possible.
All files must be classified as a “Policy Type” before you can continue to the next step.
Multiple files can be classified as the same policy type (e.g., you can have 2+ files classified as a “System Access Policy”).
During this step you can edit policy files in the following manner.
Delete: Click the “Delete” button next to a specific policy to delete any unnecessary policy and remove it from further gap analysis.
Set as Main: Click the “Set as Main” button to define a policy file as the main document for context when there are multiple policy files for a specific policy type.
Only one file can be defined as the “Main” policy for a policy type, if multiple files are classified as the same policy type
You can add additional policy files by clicking the “Add More Policies” button and uploading additional files in the last step.

Once you have all policy files classified, click the “Save and Continue” button
You will be prompted to confirm that you want to start analyzing policies for gap assessment.
If you have any edits click the “Add More Policies” button
Once ready, click the “Analyze Policies” button.

Dash will start performing a gap analysis for all uploaded policy files.
You will see a loading screen while this baseline security analysis is conducted.
The analysis may take 5-10 minutes based on the number of policy files, length of file text, etc.
After the gap analysis is complete:
The page will refresh/update to show you the Gap Assessment Report.
You will also receive an email with a link to the Gap Assessment Report.
Viewing Gap Assessment Report
After you have completed running a Gap Assessment, you will receive an email with a link to your Gap Assessment Report.
You can view your Gap Assessment Report by clicking on the link in the email or by logging into Dash and clicking the “View Gap Assessment Results” button.
This report will show a full list of passing/failing security controls as measured against the Dash Baseline Security standard.

You can view your Gap Assessment Report by:
Clicking on the link in the Gap Assessment email and logging into Dash.
Or log in to Dash and click the “View Gap Assessment Results” button on the home dashboard.

Once you are on the Gap Assessment Report page you will be able to see a list of “Passing” and “Failing” controls for the Dash baseline security program
Passing: Outlines a security control where relevant policy sections or policy text has been defined in the policy files you have uploaded.
Failing: Outlines a security control where no related policy section or policy text was found related to meeting this standard. Recommendations for updating policies to meet this control are shown in the Gap Recommendations Page.

Further options for viewing Gap Assessment results:
Filters: You can view a specific subset of controls (e.g., show only failing or passing controls) by clicking the filter icon next to the Status column.
Source Policies: Click on the “Source Policies” button to view a list of all the policy files/filenames that were used for evaluation in the current Gap Assessment.
Click the “Go to Gap Assessment Recommendations” button to view recommendations for how to improve your current policies and resolve failing controls.
Viewing Gap Assessment Recommendations
Dash provides a list of recommendations for improving/adding policy sections and policies to meet failed security controls in the Gap Recommendations Page.
You can take the following steps to view and address Gap Recommendations.
Navigate to the Gap Recommendations Page:
Log in to Dash
In the left sidebar, click Policy Center > Gap Assessment
You can also get to the Gap Recommendations from the buttons on the Gap Report page.

You will see all recommendations listed on the Gap Assessment Recommendations Page.
The Gap Assessment Recommendations provides two types of recommendations you may see:
Create Policy: The Gap Assessment may recommend creating a new policy for areas where there are multiple failed controls
Add Policy Section: The Gap Assessment will provide an example policy section or “Suggested Policy Text” you should consider customizing and adding to your existing policy.

For Recommendations to “Add Policy Section”, click the “+” button next to the recommendation to see the recommended policy section to add and the following information:
Reason: The reason why the policy text is suggested and why it should be added into your administrative policies.
Suggested Policy Text: The policy text/section you should consider adding to your policy. You may want to customize the policy section, replace any variables, and add this section to your policy.
Possible Existing Policy Text: A list of any related policy texts or standards from your uploaded policies (if any) will be shown in this area. You may click the “+” button for any items listed under this section to see the excerpt found from the existing policy.
Copy Policy Text Into ABC Policy: A button next to the recommendation allows you to copy the full policy section to insert it into your policy.
For Recommendations to “Create Policy”, click the “Start Policy” button
You will be directed to the Dash Policy Center where you may start the related policy.
Further options for the Gap Assessment Recommendations page:
Source Policies: Click on the “Source Policies” button to view a list of all the policy files/filenames that were used for evaluation in the current Gap Assessment.
Restart Gap Assessment: Click on the “Restart Gap Assessment” button to restart the gap assessment. You will be taken to the beginning of the gap assessment process and will need to complete the analysis steps again.
Go the Gap Assessment: Click on the “Go the Gap Assessment” button to navigate to the Gap Assessment Report page with the listing of all passing/failing controls.
Consider re-running the gap assessment (“Restart Gap Assessment”) once your team has updated existing policies/created new policies to meet controls.
This will allow your team to upload new/updated policies and re-analyze policies versus the baseline security standard.
Restarting Gap Assessment
After viewing results and recommendations for improving policies and meeting Baseline Security controls, your team may update policy sections and add additional policies. To evaluate how your updated administrative policies and files meet Baseline Security controls, you can restart the Gap Assessment process and perform a new Gap Assessment.
You can repeat this Gap Assessment as many times as needed by following the steps below:
Log in to Dash and click the “View Gap Assessment Results” button on the home dashboard OR navigate to the Gap Assessment Report or Gap Assessment Recommendations page.
Click the “Restart Gap Assessment” button to start a new Gap Assessment.
Note: Your uploaded policy files will still be available in the Gap Assessment process
Note: You will lose access to the Gap Assessment Report and Gap Assessment Recommendation pages until you complete the Gap Assessment again
Click “Yes” to confirm that you want to restart the Gap Assessment process.
You will be taken to the first step of the Gap Assessment.

Note: To reclassify or delete any existing policies, click “No Additional Policy Files” and then click the “Next” button.
You will be presented with the classified policy list and can click the “Delete” button next to any outdated policies.
You can return to the upload policy step to add additional policies
Upload any new administrative policy files to be classified and analyzed and click “Next”

Ensure that all policy files listed are accurate and are classified with a Policy Type.
Once ready, click the “Save and Continue” button, then confirm and start the Gap Assessment by clicking the “Analyze Policies” button.

Dash will start performing a gap analysis for all uploaded policy files.
You will see a loading screen while this baseline security analysis is conducted.
The analysis may take 5-10 minutes based on the number of policy files, length of file text, etc.

After the gap analysis is complete:
The page will refresh/update to show you the Gap Assessment Report.
You will also receive an email with a link to the Gap Assessment Report.
You will now be able to see all results for the new Gap Assessment Report and Gap Assessment Recommendations.