Security Gaps
Identify security gaps and align to the policy.
At this stage, CISOs should consider the organization's unified security policy the "desired" state of the network, and not necessarily the "actual" state of the network. The actual state comes from the segmented network topology that was modeled in step 2. This is when it's necessary to compare the two. Chances are, they will not be identical. Identify any security gaps that exist between the two and take measures to close those gaps. Continuing with the previous hypothetical PCI example, the "desired" state is that no other application has access to the network segment where your payment process application is stored. After comparing your model to the actual state of your network, you learn that a marketing application also resides on that portion of the network in order to have occasional access to customer data from the payment application. Not only is this a significant violation of PCI DSS, but it also puts the enterprise at risk for a costly data breach. This condition should be flagged for remediation immediately.