Security Delivered: From risk management to real business advantage
PwC Consulting - Technology



As you read this booklet, PwC consultants from across our firm’s competency network are working together to address the complex IT and Information Security concerns of our most valued clients.


Contents

1. Enterprise security services
2. Information security delivered - What do we mean?
   • Information risk assurance
   • Security strategy & governance
   • Infrastructure, networks and application security
   • Legal, privacy & forensics
   • Business continuity management
3. Industry knowledge
4. Thought leadership
5. Our People


In this publication, the terms ‘PricewaterhouseCoopers’, ‘PwC’, ‘our’ and ‘we’ are used to refer to PricewaterhouseCoopers Ltd in Mauritius.

“PwC has one of the largest information security and IT risk practices globally. The firm has a long history of innovations in this space and continues to be a significant presence with pragmatic solutions.”

The Forrester Wave: Information Security and IT Risk Consulting, Q1 2009


Enterprise Security Services

We focus on delivering pragmatic solutions leveraging the broadest range of truly independent specialist skills in the market.

[Diagram: "Delivering security to enhance business value"]

Business Agenda for security:
• Security as strategic partner to the business
• Security as a business enabler
• Security as a managed business

Service lines and their phases, as shown in the diagram:
• Information Risk Assurance: Evaluate the risk • Align the processes • Monitor Risk
• Security Strategy & Governance: Define the framework • Ensure Governance • Manage Reporting
• Infrastructure, Networks & Applications: Architect in security • Manage the security controls • Implement and sustain
• Legal, Privacy and Forensics: Manage the legal issues • Assure compliance & protection • Forensics Analysis
• Business Continuity Management: Assess the risk • Define Strategies • Implement and sustain


Security delivered - what do we mean?

Information Risk Assurance

When taking an Information Risk Assurance approach, our teams work with clients to evaluate their risk profile and assure that they are approaching security in the most effective and appropriate way, thereby enabling them to achieve their business, compliance and risk management objectives.

Security Strategy & Governance

Our experience in the Security Strategy and Governance space has long since established PwC as a thought leader in information security. Using our proven methodologies, tools and programme accelerators, we are able to rapidly deliver security strategy and governance models that are ‘cut to fit’ to the client’s business, not ‘forced to fit’ as is so often the case.

Infrastructure, Networks & Applications

When it comes to the core technology security challenges, our Infrastructure, Network and Applications security centre of excellence really knows how to deliver. Encompassing experience across all the layers of the security environment, our teams are able to provide advice that addresses the detailed technical and industry sector challenges and helps our clients to align security to their broader technology and business control environment.

Business Continuity Management

We work closely with clients to develop recovery capabilities that are aligned to business goals. The PwC top-down approach to business continuity focuses on key functions and processes, while also recognising the integral role that information systems and technology play in the organisation. We evaluate the many recovery considerations to quickly and effectively get you to your optimal cost/benefit point. The end result is a cost-effective enterprise-wide strategy that encompasses all facets of an organisation.

Legal, Privacy & Forensics

Our team works closely with clients to deliver customised legal solutions balancing the legal risks and practical requirements around information security. This can range from ad hoc data protection and confidentiality advice to conducting international privacy audits. In addition, our forensic technology specialists are trained in the acquisition and analysis of data.


How do you assess risk and assure your security?

Common Challenges:
• Changing threat levels
• Regulatory compliance
• Acceptable level of risk
• Enabling business change
• Investment control
• Workable business continuity plans

Information Risk Assurance

Potential Issues
• How do you identify, assess and prioritise your key information risks?
• Are your current processes robust and able to deliver?
• How do you compare against others in your industry?
• Do you have a clear picture about the movement of your critical information so as to prevent leakages?

How can we support you?

Evaluate the risk
• Identify critical assets and business processes
• Information flow and data leakage possibilities
• Review business requirements
• Evaluate regulatory requirements
• Review effectiveness of controls
• Risk assessment
• Threat & vulnerability assessment

Align the processes
• Assess business priorities
• Risk mitigation strategy
• Risk appetite
• Regulatory compliance (e.g. Data Protection Act)
• Data leakage prevention

Analyse the gaps
• Industry trends
• Future developments
• Ongoing maturity assessment
• Programme management
• International standards (e.g. ISO 27001, ISO 27005)


Is your model a workable long-term solution?

Common Challenges:
• Effective governance
• Alignment with business
• Clear accountability
• Evolving standards
• Organisational and business process change
• Evidence of compliance
• Creating visibility
• Return on investment

Security Strategy & Governance

Potential Issues
• How do you define & deliver security to your business?
• What security model is best for your organisation?
• Are you able to present a clear, consistent message to the business?

How can we support you?

Define the Framework
• Business case development
• Strategic and operational requirements
• Internal and external relationships
• Develop strategy and roadmap
• Formulate policies, standards and procedures
• Process design

Ensure Governance
• Responsibility frameworks, awareness
• IT organisation
• Board level reporting
• Programme management
• Communications and change programme
• Cost control and ROI measurement
• International standards (e.g. COBIT, ISO 27001, ITIL)

Manage Reporting
• Key performance indicators
• Business scorecard
• Control framework
• Programme effectiveness
• Security dashboards
• Service level management


Are you looking at all the security layers?

Common Challenges:
• Technology change
• Scalability & future proofing
• Delivering end-to-end security
• Single vs. multi vendor
• Complexity of technology
• Appropriate protection & investment
• Benchmarking with standards

Infrastructure, Networks & Applications

Potential Issues
• How do you address policy, process & technology together?
• Is your business adequately addressing its security risks?
• Are your security systems appropriate for your business?

How can we support you?

Architect Security
• Understanding risk profile
• Threat & vulnerability assessment
• Web application security assessment
• Application code review
• Design network and security architecture
• Physical security integration
• Build framework and standards

Manage the Security Controls
• Secure network management
• Event correlation, logging & monitoring
• Content monitoring and open source monitoring
• Prevention and detection systems
• Policy enforcement
• Emerging technologies
• Penetration testing
• Physical security integration

Assure the Information
• Periodic assessments
• Configuration and change management
• Incident response
• Vulnerability management
• Emerging technologies


Are you complying everywhere?

Common Challenges:
• Legal compliance
• Legal protection
• Timely detection and self awareness
• Company reputation
• International interpretations

Legal, Privacy & Forensics

Potential Issues
• What are your compliance obligations in each country?
• Do your policies and practices meet all local and international requirements?
• Are you appropriately addressing the legal issues?
• Do you have an effective investigation process?

How can we support you?

Assessing the legal issues
• Adequacy of security
• Retention requirements
• Data segregation
• Purpose specification
• Consents and notifications
• Contractual safeguards
• Breaches and disputes

Assure compliance and protection
• Implementation of policies and procedures
• Robust contractual terms
• Intellectual property management
• Compliance reviews
• Ongoing awareness and training
• Enforcement and defence

Forensic analysis
• Evidence retention
• Event analysis
• Risk reduction
• Legal compliance


How do you assure business continuity?

Common Challenges:
• Changing technology dependence
• Acceptable level of risk
• Prioritising business processes
• Enabling business change
• Workable business continuity plans
• People/process management during disaster

Business Continuity Management

Potential Issues
• How do you define your current business availability risks?
• How do you define minimum acceptable recovery time for different business processes?
• How do you ensure that people, process and technology enablers of business have the capability to recover within the defined recovery time?
• Are your processes prioritised to handle a disaster scenario?

How can we support you?

Risk and impact analysis
• Business impact analysis
• Identify business process enablers
• Assess business requirements
• Conduct risk assessment
• Review effectiveness of controls
• Single points of failure

BCP/DR Strategy
• Failure scenarios
• Alternate business recovery options
• Cost benefit analysis/SWOT
• Disaster recovery technical architecture
• Proactive and reactive measures
• BCP/DR organisation
• Business continuity processes and plan

Sustenance and compliance
• Programme management
• Implementation assistance
• Drills and testing
• Training and user awareness
• Focused teams and groups
• International standards (BS 25999, NIST)


Industry Knowledge

Our industry knowledge allows us to share the latest research and thinking on emerging industry trends, develop industry-specific performance benchmarks and methodologies based on global best practices, as well as find solutions to security or technical issues unique to a particular industry.

Our core strength in delivering pragmatic enterprise security for our clients comes from a combination of:

• the ability to bring together a diverse range of skills and experiences from across our firm;
• the ability to provide truly independent, trusted advice; and
• the ability to leverage our global skill base to deploy consistent capabilities in 120 different countries.

Our team delivers solutions that generate real business benefit by addressing legal and regulatory issues, mitigating business and technology risks and improving business performance through automation and simplification of security-related business processes.

[Featured publications: Center for Technology and Innovation; "I for innovation* The next-generation CIO"]


Thought leadership in Security

The Enterprise Security Business Model

[Diagram: a cycle of four phases, Envision, Engineer, Operate and Respond, built around Business Objectives. Each phase comprises four activities, each with its tasks:]

Envision
• Assess: Identify Business Needs • Appraise Information Assets • Valuate Risk Tolerance • Develop Cost Model
• Analyze: Analyze Cost of Ownership • Define Resource Requirements • Prioritize Initiatives
• Strategize: Identify Security Opportunities • Determine Operational Impact • Evaluate Support Capabilities • Develop Strategy
• Align: Monitor Strategy • Create Security Governance • Align Financial Budget • Assess Security Value

Engineer
• Develop: Set Technical & Control Objectives • Classify Resources • Develop User Repositories • Define Access Control Model
• Secure: Authorise Resources • Establish Authentication Mechanisms • Grant Entitlements • Configure Options
• Deploy: Implement Secure Infrastructure • Integrate & Test Technologies • Deploy Security & Privacy Policies • Provide Training & Awareness
• Control: Establish Control Framework • Identify Roles • Assign User Roles

Operate
• Manage: Administer Identity Infrastructure • Update Standards & Policies • Manage Technology Infrastructure • Report Security Status
• Prevent: Research Security Intelligence • Monitor Standards Compliance • Maintain Operational Resilience • Scan & Test for Vulnerabilities
• Maintain: Counteract Threats • Track Incidents • Implement Upgrades & Patches • Maintain Security Configurations
• Detect: Identify Intrusion Attempts • Monitor System Activity • Discover Unauthorized Devices • Detect Malicious Programmes

Respond
• Stabilize: Assess Risk Exposure • Minimize Threat Impact • Protect Business Operations
• Repair: Identify Root Cause • Eliminate Vulnerability • Improve Security Posture
• Investigate: Preserve Evidence & Litigate • Determine Legal Implications • Appraise Impact • Perform Forensic Analysis
• Recover: Resume Operations • Perform Postmortem • Communicate Recovery • Reevaluate Security Strategy


“PwC differentiates itself by offering its clients a globally consistent service through its network of firms around the world, its partnerships across geographies, and its capacity to work with clients who have operations in all areas of the globe.”

The Forrester Wave: Information Security and IT Risk Consulting, Q1 2009.


Our People

The Information Security Team of PricewaterhouseCoopers Mauritius comprises trained professionals who have an enterprise-wide view of information security risks, helping clients to achieve the organisational goals that minimise hazard, resolve uncertainty and maximise opportunity.

Our team members have in-depth knowledge and experience in processes and technologies.

By drawing on our extensive firm-wide knowledge base, our information security professionals can meet both your current requirements and future needs for security support.

Your Key Contacts

Jean-Pierre Young, Consulting Partner
[email protected]
Tel: +230 4045028

Vikas Sharma, Consulting Senior Manager
[email protected]
Tel: +230 4045015


© 2010 PricewaterhouseCoopers. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers Ltd in Mauritius or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate legal entity.

pwc.com/mu


PricewaterhouseCoopers
18 CyberCity
Ebène
Republic of Mauritius
Tel: +230 4045000
Fax: +230 4045088/89