Security Capability Statement - Print_eng
-
PwCs capability statement
Information Security Services
www.pwc.ru/riskassurance
2014
-
PwC
PwCs information security team
We have 500+ information security professionals who are part of a global network of more than 154,000 people in 153 countries. In Russia we have a team of 5 professionals with a focus on information security.
We use specialists in process improvement, value management, change management, human resources, forensics, risk, information security and our own in-house legal firm.
We leverage well established PwC tools and methodologies to ensure rigour, control and the application of good practice to meet the individual needs of each client.
Our information security team has been recognised by Forrester as a Leader in Information Security and IT Risk Consulting.
We actively participate in industry forums such as RISSPA, The Information Security Forum, The Security Awareness Special Interest Group, ISC(2) and The Institute of Information Security Professionals.
-
Our information security offerings
Our integrated approach draws on the skills of a wide range of people across our organisation, recognising the complexities and multi-faceted nature of information security.
Security Management: security strategy development, organisational review, security metrics design, management reporting design, return on investment review, stakeholder and user buy-in.
Incident Response and Forensic Investigation: incident response process review and design, incident response services, forensic investigation and readiness.
Business Continuity and DR Planning: Business Continuity assessment services, BCM review and design, DR Planning review.
Architecture, Applications and Network Security: security architecture development, application code review, IAM review and design, security controls design, ERP security, network security design.
Governance, risk and compliance: risk, policy, standards review and development, ISO and regulatory compliance review, privacy review and design, awareness raising, training.
Threat and Vulnerability Assessment: vulnerability scanning, penetration testing, vulnerability remediation, patch management, threat monitoring, open source monitoring, content monitoring.
[Diagram: the six offerings above arranged around the themes Setting direction, Managing incidents, Responding to major incidents, Securing the IT infrastructure, Creating a sound framework of control, and Identifying and remediating information risk, across the axes People, Process and Technology.]
-
Security Management
How can PwC help?
PwC is able to leverage its broad experience and deep specialist skills to assist clients with:
Security strategy development
Organisational reviews
Security metrics design
Management reporting design
Return on investment reviews.
Case study
The benefits of a security strategy
Critical Business Issues:
The client was in constant fire-fighting mode and had suffered several high-profile data breaches. The business units were very siloed and were not aware of key projects or initiatives that could impact them.
PwC's Approach:
PwC set up a facilitated workshop with 10 senior executives from across the business with the goal to:
Align key objectives with the business
Help establish clear direction / leadership
Clarify key roles / responsibilities
Identify possible cost savings and ensure stakeholder support
Following the workshop PwC provided the client with a detailed security strategy report, recommendations and identified several areas of overlap that resulted in significant cost savings.
[Diagram: Security ATLAS(TM) framework, organised under Governance, Leadership and Service Delivery and covering Regulatory and Policy Compliance, Information Protection, Architecture Alignment, Identity Management, Physical Security and Investigations, Threat and Vulnerability Management, Awareness and Education, and Privacy and Data Protection.]
-
Architecture, Application and Network Security
How can PwC help?
PwC has a proven track record in the area of governance and compliance with market leading expertise in:
Policy and standards review and development
ISO 27001 and PCI DSS compliance reviews
Data privacy review and design
Security awareness raising and training.
Case study
The importance of information security policies
Critical Business Issues:
The client's existing policies were poorly written and difficult to interpret. Continued pressure from the FSA on the importance of clear and easy to reference policies was of great concern to the client.
PwC's Approach:
PwC helped develop an IT Governance and risk and controls framework based on current IT best practices such as COBiT and ISO 27001 and then deployed the framework across 20 locations/business units in 18 countries.
The project included the implementation of global policies, standard risk assessments and a standard set of controls for information assets.
PwC provided specialists who were able to train the client's staff and validate the implementation of the risk assessments and controls across all locations.
-
Information Risk Management
How can PwC help?
PwC leverages its deep expertise, standard methodologies and experience in the area of information risk management to assist organisations with:
Information risk assessments
Information risk assessment reviews and design
Data leakage reviews
Vulnerability assessments.
Case study
The importance of identifying and managing risk
Critical Business Issues:
A large global financial institution wanted to ensure that it maintained and protected all information it stores in accordance with its value and sensitivity. The organisation also sought to manage the risk to which it was exposed in a manner consistent with legal, regulatory and contractual requirements.
PwC's Approach:
PwC conducted a baseline review of the client's current information risk management capabilities.
PwC identified the key information risks that the client faced and the maturity of the client's capabilities to manage these risks.
PwC performed a detailed analysis of the maturity of the client's capabilities and provided detailed recommendations to enhance the client's information risk management framework.
-
Architecture, Application and Network Security
How can PwC help?
PwC has extensive experience, methodologies and broad relationships with leading technology vendors to help provide expertise in:
Identity and access management review and design
Security architecture development
Application code reviews
Security controls design
ERP security and network security design.
Case study
Implementing an effective user access and entitlement management platform
Critical Business Issues:
A large global commercial banking organisation faced numerous issues with existing user access and entitlement management processes, resulting in adverse internal and external audit findings as well as operational inefficiencies.
PwC's Approach:
PwC helped the client design a buy vs build assessment to compare their existing recertification platform to vendor products.
Following the evaluation, the client decided to implement a vendor platform and PwC assisted the client team in presenting a business case for the move to a vendor platform.
Once the client had selected a vendor, PwC worked closely with the client on managing the implementation of the new platform.
Finally, PwC provided support for the end-to-end recertification process including the de-provisioning of invalid accounts.
[Diagram: EAEM Phase 2 Conceptual Design, Recertification & Provisioning. Components shown: Legacy 1 ... Legacy N and App 1 ... App N as sources; Central Access & entitlement repository (access and entitlement data consolidated in a central repository and sorted using User rather than Application); Recertification & rules engine; Periodic Recertification (recertification performed by Line Manager, with the access and entitlements report presented by user); HR database; Identity store; Leavers & movers feed; Exception reports (Toxic Combinations, leavers, movers) for action; Provisioning Infrastructure (provisioning performed by the Centralised/Offshore Security Administration Group; Role-based provisioning; Legacy provisioning; Role mining & definition; Self Service/Automated Provisioning); Fully instrumented management reporting for governance and monitoring; Organisation Chart (example roles BO Finance & Control Manager, Director (Equity Derivatives), FO Equity Derivatives Manager; example user lists User A, User B, User C and User B, User E, User F).]
-
Incident Response and Forensic Investigation
How can PwC help?
PwC draws on specialised forensic experts with deep technical and security backgrounds who are experienced in complex investigations. Areas of expertise include:
Incident response process review, design and rectification
Incident response services
Forensic investigation and readiness
Fraud risk assessment.
Case study
A public investigation and review following the loss of confidential data
Critical Business Issues:
As a result of the loss of two discs containing child benefit data, the client commissioned a public review. The terms of reference of this review were to establish the circumstances that led to the significant loss of confidential personal data on child benefit recipients.
PwC's Approach:
The PwC engagement incorporated the following phases: a forensic investigation, a review of policies and procedures, and a series of recommendations.
The forensic investigation focused on establishing the facts leading to the loss of confidential data.
The policies and procedures review focused on the adequacy of existing policies and procedures.
Finally, the review incorporated a detailed series of recommendations including the setting of information security targets in line with ISO 27001.
-
Threat and Vulnerability Assessment
How can PwC help?
PwC deploys market leading tools and methodologies in the field of threat and vulnerability assessment, leveraging our global network, to provide services including:
Vulnerability scanning and penetration testing
Vulnerability remediation
Patch management and threat monitoring
Open source monitoring and content monitoring.
Case study
Understanding where to focus your resources
Critical Business Issues:
A large international bank had suffered several attacks from an external agent trying to access the bank's systems and data. Despite lengthy internal investigations they were unable to identify what weaknesses and systems had resulted in the attacks.
PwC's Approach:
PwC provided a full perimeter review which covered networks, operating systems and applications as well as POTS (war dialling).
The PwC team produced an exhaustive report with prioritised recommendations with which the client was able to resolve and mitigate the vulnerabilities which had been identified.
-
Contact details
Michael Hurle, Partner, Tel.: +7 (495) 223 [email protected]
Chris Gould, Partner, Tel.: 7 (495) 232 [email protected]
-
PwC Russia (www.pwc.ru) provides industry-focused assurance, tax, legal and advisory services. Over 2,600 professionals working in PwC offices in Moscow, St Petersburg, Ekaterinburg, Kazan, Novosibirsk, Rostov-on-Don, Krasnodar, Voronezh, Yuzhno-Sakhalinsk and Vladikavkaz share their thinking, experience and solutions to develop fresh perspectives and practical advice for our clients. The global network of PwC firms brings together more than 184,000 people in 157 countries.
2014 PricewaterhouseCoopers Russia B.V. All rights reserved.
PwC refers to PricewaterhouseCoopers Russia B.V. or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate legal entity.