Security Delivered: From risk management to real business advantage
Consulting - Technology
pwc
Consulting - Technology | PricewaterhouseCoopers | 2
As you read this booklet, PwC consultants from across our firm’s competency network are working together to address the complex IT and Information Security concerns of our most valued clients.
Security Delivered | From risk management to real business advantage | 3
Contents
1. Enterprise security services (page 4)
2. Information security delivered - What do we mean? (page 5)
   • Information risk assurance (page 6)
   • Security strategy & governance (page 7)
   • Infrastructure, networks and application security (page 8)
   • Legal, privacy & forensics (page 9)
   • Business continuity management (page 10)
3. Industry knowledge (page 11)
4. Thought leadership (page 12)
5. Our People (page 15)
In this publication, the terms ‘PricewaterhouseCoopers’, ‘PwC’, ‘our’ and ‘we’ are used to refer to PricewaterhouseCoopers Ltd in Mauritius.
“PwC has one of the largest information security and IT risk practices globally. The firm has a long history of innovations in this space and continues to be a significant presence with pragmatic solutions.”
The Forrester Wave: Information Security and IT Risk Consulting, Q1 2009
Enterprise Security Services
We focus on delivering pragmatic solutions leveraging the broadest range of truly independent specialist skills in the market.
[Diagram: Delivering security to enhance business value. Business agenda for security: security as strategic partner to the business; security as a business enabler; security as a managed business. Service areas and their activities: Information Risk Assurance (evaluate the risk, align the processes, monitor risk); Security Strategy & Governance (define the framework, ensure governance, manage reporting); Infrastructure, Networks & Applications (architect in security, manage the security controls); Legal, Privacy and Forensics (manage the legal issues, assure compliance & protection, forensics analysis); Business Continuity Management (assess the risk, define strategies, implement and sustain).]
Security delivered - what do we mean?
Information Risk Assurance
When taking an Information Risk Assurance approach, our teams work with clients to evaluate their risk profile and assure that they are approaching security in the most effective and appropriate way, thereby enabling them to achieve their business, compliance and risk management objectives.
Security Strategy & Governance
Our experience in the Security Strategy and Governance space has long since established PwC as a thought leader in information security. Using our proven methodologies, tools and programme accelerators, we are able to rapidly deliver security strategy and governance models that are ‘cut to fit’ to the client’s business, not ‘forced to fit’ as is so often the case.
Infrastructure, Networks & Applications
When it comes to the core technology security challenges, our Infrastructure, Network and Applications security centre of excellence really knows how to deliver. Encompassing experience across all the layers of the security environment, our teams are able to provide advice that addresses the detailed technical and industry sector challenges, helping our clients to align security to their broader technology and business control environment.
Business Continuity Management
We work closely with clients to develop recovery capabilities that are aligned to business goals. The PwC top-down approach to business continuity focuses on key functions and processes, while also recognising the integral role that information systems and technology play in the organisation. We evaluate the many recovery considerations to quickly and effectively get you to your optimal cost/benefit point. The end result is a cost-effective enterprise-wide strategy that encompasses all facets of an organisation.
Legal, Privacy & Forensics
Our team works closely with clients to deliver customised legal solutions balancing the legal risks and practical requirements around information security. This can range from ad hoc data protection and confidentiality advice to conducting international privacy audits. In addition, our forensic technology specialists are trained in the acquisition/analysis of data.
Information Risk Assurance
How do you assess risk and assure your security?
Our teams work with clients to evaluate their risk profile and assure that they are approaching security in the most effective and appropriate way, thereby enabling them to achieve their business, compliance and risk management objectives.
Common Challenges:
• Changing threat levels
• Regulatory compliance
• Acceptable level of risk
• Enabling business change
• Investment control
• Workable business continuity plans
Potential Issues:
• How do you identify, assess and prioritise your key information risks?
• Are your current processes robust and able to deliver?
• How do you compare against others in your industry?
• Do you have a clear picture about the movement of your critical information so as to prevent leakages?
How can we support you?
Evaluate the risk
• Identify critical assets and business processes
• Information flow and data leakage possibilities
• Review business requirements
• Evaluate regulatory requirements
• Review effectiveness of controls
• Risk assessment
• Threat & vulnerability assessment
Align the processes
• Assess business priorities
• Risk mitigation strategy
• Risk appetite
• Regulatory compliance (e.g. Data Protection Act)
• Data leakage prevention
Analyse the gaps
• Industry trends
• Future developments
• Ongoing maturity assessment
• Programme management
• International standards (e.g. ISO 27001, 27005)
Security Strategy & Governance
Is your model a workable long-term solution?
Our experience in the Security Strategy & Governance space has long since established PwC as a thought leader in information security. Using our proven methodologies, tools and project accelerators, we are able to rapidly deliver security strategy and governance models that are ‘cut to fit’ to the client’s business, not ‘forced to fit’ as is so often the case.
Common Challenges:
• Effective governance
• Alignment with business
• Clear accountability
• Evolving standards
• Organisational and business process change
• Evidence of compliance
• Creating visibility
• Return on investment
Potential Issues:
• How do you define & deliver security to your business?
• What security model is best for your organisation?
• Are you able to present a clear, consistent message to the business?
How can we support you?
Define the framework
• Business case development
• Strategic and operational requirements
• Internal and external relationships
• Develop strategy and roadmap
• Formulate policies, standards and procedures
• Process design
Ensure governance
• Responsibility frameworks, awareness
• IT organisation
• Board level reporting
• Programme management
• Communications and change programme
• Cost control and ROI measurement
• International standards (e.g. COBIT, ISO 27001, ITIL)
Manage reporting
• Key performance indicators
• Business scorecard
• Control framework
• Programme effectiveness
• Security dashboards
• Service level management
Infrastructure, Networks & Applications
Are you looking at all the security layers?
When it comes to the core technology security challenges, our Infrastructure, Network and Applications security centre of excellence really knows how to deliver. Encompassing experience across all the layers of the security environment, our teams are able to provide advice that addresses the detailed technical and industry sector challenges, helping our clients to align security to their broader technology and business control environment.
Common Challenges:
• Technology change
• Scalability & future proofing
• Delivering end-to-end security
• Single vs. multi vendor
• Complexity of technology
• Appropriate protection & investment
• Benchmarking with standards
Potential Issues:
• How do you address policy, process & technology together?
• Is your business adequately addressing its security risks?
• Are your security systems appropriate for your business?
How can we support you?
Architect security
• Understanding risk profile
• Threat & vulnerability assessment
• Web application security assessment
• Application code review
• Design network and security architecture
• Physical security integration
• Build framework and standards
Manage the security controls
• Secure network management
• Event correlation, logging & monitoring
• Content monitoring and open source monitoring
• Prevention and detection systems
• Policy enforcement
• Emerging technologies
• Penetration testing
• Physical security integration
Assure the information
• Periodic assessments
• Configuration and change management
• Incident response
• Vulnerability management
• Emerging technologies
Legal, Privacy & Forensics
Are you complying everywhere?
Our team works closely with clients to deliver customised legal solutions balancing the legal risks and practical requirements around information security. This can range from ad hoc data protection and confidentiality advice to conducting international privacy audits. In addition, our forensic technology specialists are trained in the acquisition/analysis of data.
Common Challenges:
• Legal compliance
• Legal protection
• Timely detection and self awareness
• Company reputation
• International interpretations
Potential Issues:
• What are your compliance obligations in each country?
• Do your policies and practices meet all local and international requirements?
• Are you appropriately addressing the legal issues?
• Do you have an effective investigation process?
How can we support you?
Assessing the legal issues
• Adequacy of security
• Retention requirements
• Data segregation
• Purpose specification
• Consents and notifications
• Contractual safeguards
• Breaches and disputes
Assure compliance and protection
• Implementation of policies and procedures
• Robust contractual terms
• Intellectual property management
• Compliance reviews
• Ongoing awareness and training
• Enforcement and defence
Forensic analysis
• Evidence retention
• Event analysis
• Risk reduction
• Legal compliance
Business Continuity Management
How do you assure business continuity?
We work closely with clients to develop recovery capabilities that are aligned to business goals. The PwC top-down approach to business continuity focuses on key functions and processes, while also recognising the integral role information systems and technology play in the organisation. We evaluate the many recovery considerations to quickly and effectively get you to your optimal cost/benefit point. The end result is a cost-effective enterprise-wide strategy that encompasses all facets of an organisation.
Common Challenges:
• Changing technology dependence
• Acceptable level of risk
• Prioritising business processes
• Enabling business change
• Workable business continuity plans
• People/process management during disaster
Potential Issues:
• How do you define your current business availability risks?
• How do you define minimum acceptable recovery time for different business processes?
• How do you ensure that people, process and technology enablers of business have the capability to recover within the defined recovery time?
• Are your processes prioritised to handle a disaster scenario?
How can we support you?
Risk and impact analysis
• Business impact analysis
• Identify business process enablers
• Assess business requirements
• Conduct risk assessment
• Review effectiveness of controls
• Single points of failure
BCP/DR strategy
• Failure scenarios
• Alternate business recovery options
• Cost benefit analysis/SWOT
• Disaster recovery technical architecture
• Proactive and reactive measures
• BCP/DR organisation
• Business continuity processes and plan
Sustenance and compliance
• Programme management
• Implementation assistance
• Drills and testing
• Training and user awareness
• Focused teams and groups
• International standards (BS 25999, NIST)
Industry Knowledge
Our industry knowledge allows us to share the latest research and thinking on emerging industry trends, develop industry-specific performance benchmarks and methodologies based on global best practices, and find solutions to security or technical issues unique to a particular industry.
Our core strength in delivering pragmatic enterprise security for our clients comes from a combination of:
• the ability to bring together a diverse range of skills and experiences from across our firm;
• the ability to provide truly independent trusted advice; and
• the ability to leverage our global skill base to deploy consistent capabilities in 120 different countries.
Our team delivers solutions that generate real business benefit by addressing legal and regulatory issues, mitigating business and technology risks and improving business performance through automation and simplification of security-related business processes.
[Featured publications: Center for Technology and Innovation; “I for innovation* - The next-generation CIO”]
Thought leadership in Security
The Enterprise Security Business Model
[Diagram: the model is organised around Business Objectives and four phases: Envision, Engineer, Operate and Respond. Its activities and sub-activities are:]
• Assess: Identify Business Needs; Appraise Information Assets; Valuate Risk Tolerance; Develop Cost Model
• Analyze: Analyze Cost of Ownership; Define Resource Requirements; Prioritize Initiatives
• Strategize: Identify Security Opportunities; Determine Operational Impact; Evaluate Support Capabilities; Develop Strategy
• Align: Monitor Strategy; Create Security Governance; Align Financial Budget; Assess Security Value
• Develop: Set Technical & Control Objectives; Classify Resources; Develop User Repositories; Define Access Control Model
• Control: Establish Control Framework; Identify Roles; Assign User Roles
• Secure: Authorise Resources; Establish Authentication Mechanisms; Grant Entitlements; Configure Options
• Deploy: Implement Secure Infrastructure; Integrate & Test Technologies; Deploy Security & Privacy Policies; Provide Training & Awareness
• Manage: Administer Identity Infrastructure; Update Standards & Policies; Manage Technology Infrastructure; Report Security Status
• Prevent: Research Security Intelligence; Monitor Standards Compliance; Maintain Operational Resilience; Scan & Test for Vulnerabilities
• Maintain: Counteract Threats; Track Incidents; Implement Upgrades & Patches; Maintain Security Configurations
• Detect: Identify Intrusion Attempts; Monitor System Activity; Discover Unauthorized Devices; Detect Malicious Programmes
• Stabilize: Assess Risk Exposure; Minimize Threat Impact; Protect Business Operations
• Repair: Identify Root Cause; Eliminate Vulnerability; Improve Security Posture
• Investigate: Preserve Evidence & Litigate; Determine Legal Implications; Appraise Impact; Perform Forensic Analysis
• Recover: Resume Operations; Perform Postmortem; Communicate Recovery; Reevaluate Security Strategy
“PwC differentiates itself by offering its clients a globally consistent service through its network of firms around the world, its partnerships across geographies, and its capacity to work with clients who have operations in all areas of the globe.”
The Forrester Wave: Information Security and IT Risk Consulting, Q1 2009
Our People
The Information Security Team of PricewaterhouseCoopers Mauritius comprises trained professionals who have an enterprise-wide view of information security risks, helping clients to achieve the organisational goals that minimise hazard, resolve uncertainty and maximise opportunity.
Our team members have in-depth knowledge and experience in processes and technologies.
By drawing on our extensive firm-wide knowledge base, our information security professionals can meet both your current requirements and future needs for security support.
Your Key Contacts
Jean-Pierre Young, Consulting Partner
[email protected] | Tel: +230 4045028
Vikas Sharma, Consulting Senior Manager
[email protected] | Tel: +230 4045015
© 2010 PricewaterhouseCoopers Ltd. All rights reserved. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers Ltd in Mauritius or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate legal entity.
pwc.com/mu
PricewaterhouseCoopers, 18 CyberCity, Ebène, Republic of Mauritius. Tel: +230 4045000. Fax: +230 4045088/89