Residual Gaps
Purpose
This page identifies and documents the remaining security gaps within Scheol Security Lab after considering existing and planned controls.
The objective is to:
- highlight areas of insufficient coverage
- support risk-informed prioritisation
- improve transparency and auditability
- provide a clear view of what is not yet under control
Residual gaps are considered a normal outcome of a developing environment and are explicitly tracked rather than hidden.
Gap Identification Approach
Residual gaps are identified through the combination of:
- risk analysis outputs (risk register)
- control status review
- architectural constraints
- validation and monitoring limitations
A gap may exist when:
- no control is implemented for a relevant risk
- a control is only partially implemented
- a control exists but lacks validation
- a dependency (for example a provider-managed service) introduces exposure that no control of the lab covers
Gap Categories
For readability, gaps are grouped into major areas.
1. Identity & Access
- incomplete MFA coverage across all sensitive services
- absence of fully centralised identity management (LDAP/AD not yet fully deployed)
- administrative access still partially dependent on non-dedicated workstations
2. Network & Segmentation
- incomplete internal segmentation in the on-premises environment
- lack of strict isolation between certain service categories
- absence of private network isolation for some externally exposed services
3. Monitoring & Detection
- absence of fully centralised logging across all systems
- limited correlation and detection capabilities (SOC stack not yet operational)
- detection coverage not yet aligned with defined threat scenarios
4. Backup & Recovery
- reliance solely on provider-level snapshots for critical systems (a compromised provider account or a provider-side failure affects the system and its snapshots together)
- absence of an external, immutable backup strategy (a copy held outside the provider that cannot be altered or deleted from the production environment)
- restore procedures not yet formally tested, so recovery time and data-loss bounds remain unverified
5. Application Security
- absence of dedicated WAF for exposed applications
- limited hardening specific to application-layer threats (e.g. ERP exposure)
- no structured vulnerability management process (discovery, triage, remediation tracking)
6. Governance & Traceability
- incomplete linkage between risks, controls and evidence
- partial population of control catalog and mapping
- limited audit simulation capability at current stage
Gap Prioritisation Logic
Gaps are prioritised based on:
- associated risk level (from risk register)
- exposure level (internal vs internet-facing)
- potential impact (data sensitivity, service criticality)
- feasibility of remediation
This prioritisation feeds the Roadmap / Next Phase section.
Relationship with Risk Management
Residual gaps represent:
- unmitigated risks
- partially mitigated risks
- controls lacking validation
They are therefore directly linked to:
- risk register entries
- control status
- validation coverage
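The linkage described in this section and in Gap Identification Approach and Gap Prioritisation Logic can be made mechanical. The following is an added example written for this page, not tooling from Scheol Security Lab: it derives gaps from a small constructed risk register using the four gap conditions (no control, partial control, unvalidated control, unresolved dependency) and ranks them by risk level, exposure and impact, using remediation effort to break ties. The numeric scales, the doubling weight for internet-facing exposure and all records are assumptions for illustration; the lab's own prioritisation is currently qualitative.

```python
"""Residual gap derivation and ranking (added illustration, not the lab's tooling).

Scales, weights and the sample register are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class ControlStatus(Enum):
    NONE = "none"                # no control implemented for the risk
    PARTIAL = "partial"          # control only partially implemented
    IMPLEMENTED = "implemented"  # control in place (may still lack validation)


@dataclass
class Control:
    id: str
    status: ControlStatus
    validated: bool = False  # True once a validation check has confirmed the control works
    effort: int = 2          # assumed remediation effort: 1 (easy) .. 3 (hard)


@dataclass
class Risk:
    id: str
    title: str
    level: int               # assumed risk register rating: 1 (low) .. 4 (critical)
    internet_facing: bool    # exposure: internal vs internet-facing
    impact: int              # assumed data sensitivity / service criticality: 1 .. 3
    controls: List[Control] = field(default_factory=list)
    unresolved_dependency: bool = False  # e.g. a provider dependency no control covers


@dataclass
class Gap:
    risk_id: str
    reason: str
    control_id: Optional[str]
    effort: int
    score: int = 0


def identify_gaps(risks: List[Risk]) -> List[Gap]:
    """Apply the four gap conditions from the identification approach."""
    gaps: List[Gap] = []
    for r in risks:
        if not r.controls:
            gaps.append(Gap(r.id, "no control implemented", None, effort=2))
        for c in r.controls:
            if c.status is ControlStatus.NONE:
                gaps.append(Gap(r.id, "no control implemented", c.id, c.effort))
            elif c.status is ControlStatus.PARTIAL:
                gaps.append(Gap(r.id, "control only partially implemented", c.id, c.effort))
            elif not c.validated:
                gaps.append(Gap(r.id, "control exists but lacks validation", c.id, c.effort))
        if r.unresolved_dependency:
            gaps.append(Gap(r.id, "dependency introduces unresolved exposure", None, effort=2))
    return gaps


def prioritise(gaps: List[Gap], risks: List[Risk]) -> List[Gap]:
    """Rank gaps by risk level x exposure x impact; cheaper fixes first on ties."""
    by_id = {r.id: r for r in risks}
    for g in gaps:
        r = by_id[g.risk_id]
        exposure = 2 if r.internet_facing else 1  # assumed weight for internet-facing exposure
        g.score = r.level * exposure * r.impact
    return sorted(gaps, key=lambda g: (-g.score, g.effort))


# Constructed sample register loosely mirroring the gap categories on this page.
SAMPLE_RISKS = [
    Risk("R-01", "Credential compromise on admin interfaces", 4, True, 3,
         [Control("C-MFA", ControlStatus.PARTIAL, effort=1)]),
    Risk("R-02", "Loss of critical system data", 3, False, 3,
         [Control("C-SNAPSHOT", ControlStatus.IMPLEMENTED, validated=False, effort=2)],
         unresolved_dependency=True),  # provider-level snapshots only
    Risk("R-03", "Web application attack on exposed ERP", 3, True, 3,
         [Control("C-WAF", ControlStatus.NONE, effort=3)]),
    Risk("R-04", "Undetected lateral movement", 3, False, 2,
         [Control("C-SEGMENT", ControlStatus.PARTIAL, effort=3),
          Control("C-CENTRAL-LOG", ControlStatus.PARTIAL, effort=2)]),
    Risk("R-05", "Loss of documentation", 1, False, 1,
         [Control("C-DOCS", ControlStatus.IMPLEMENTED, validated=True)]),
]

if __name__ == "__main__":
    for g in prioritise(identify_gaps(SAMPLE_RISKS), SAMPLE_RISKS):
        print(f"{g.score:>3}  {g.risk_id}  {(g.control_id or '-'):<14} {g.reason}")
```

Each derived gap keeps its risk identifier and the control it refers to, which is the linkage to risk register entries, control status and validation coverage this section describes; a risk whose only control is implemented and validated (R-05 above) yields no gap, while an implemented but unvalidated control still does.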
Known Limitations
At the current stage:
- gap identification is not exhaustive
- some gaps remain implicit or undocumented
- prioritisation remains qualitative
- dependencies between gaps are not fully modelled
This reflects the current maturity level of the lab.
Current Maturity
At the current stage, residual gap identification is considered in progress.
Established
- identification of major security gaps across key domains
- initial categorisation of gap areas
- explicit acknowledgement of architectural and operational limitations
In Progress
- refinement of gap identification based on risk analysis
- improved linkage between gaps, risks and controls
- better prioritisation based on exposure and impact
- integration with control status and validation activities
Planned / Next Phase
- more exhaustive and structured gap tracking
- stronger alignment with risk register and audit activities
- improved traceability and documentation consistency
- support for audit simulation and remediation tracking
This page is intended to provide a realistic and evolving view of remaining security weaknesses within the lab.