Information Security


How can information security help meet business objectives?

Companies today are under ever-increasing pressure to meet regulatory requirements, maintain strong operational performance and stability, and increase shareholder value. In this hyper-competitive environment, companies can no longer afford ad-hoc security measures.

Keeping and protecting intellectual property, sensitive customer information and other business-critical information requires a comprehensive security strategy that closely aligns with business objectives.

PwC's Risk Assurance professionals leverage international and local information security standards (ISO/IEC 27001:2005, PCI DSS, STO BR IBBS, etc.) as well as SecurityATLAS™, PwC's security assessment framework based on our extensive client and industry experience. We use this proprietary methodology to develop, communicate, and help maintain an enterprise-wide information security strategy delivered throughout eleven functional areas.

PwC professionals can help companies in the following critical areas:

Security management

Security management involves the general security activities and concerns of an organization. This includes all projects and activities that surround the personnel responsible for security at the policy and general management levels.

Case: the Company's IT services and IT infrastructure evolve, and IT security risks arise accordingly. The Company implements a new Information Security management system and must evaluate its effectiveness and efficiency in satisfying the established security requirements.

Our services include:

  • Knowledge management;
  • Personnel management;
  • Portfolio management;
  • Enterprise security feedback;
  • Third-party management;
  • Risk management;
  • Communication.

Result: minimized IS risks relevant to the Company and an established, effective IS management system.

Security awareness and education

PwC's security awareness and education team is dedicated to increasing company-wide awareness of the importance of corporate security and to educating entire organizations, at every level, about how they can securely maintain the company's information and physical assets.

Case: companies now recognize that the main cause of Information Security incidents is the "human factor". Both new and familiar tools require profound knowledge and a wealth of experience to avoid such incidents.

Our services include:

  • Awareness programs and procedures;
  • Educational programs around certifications and qualifications;
  • Communication strategies.

Result: mitigated risk of "human factor" incidents and improved management of Information Security.

Threat and vulnerability management

PwC’s threat and vulnerability management practice is dedicated to the critical task of protecting the enterprise. The activities in this area range from traditional firewall and host security mechanisms to dealing with the increased security risks that are an outgrowth of ever-expanding network infrastructures.

Case: the Company is unaware that an attack on critical company resources is in progress or has already occurred.

Our services include:

  • Intrusion monitoring;
  • Malicious program detection;
  • Security information management;
  • Threat management;
  • Vulnerability management;
  • Incident response;
  • Asset management.

Result: decreased risk of serious Information Security incidents and improved control over and security of critical information resources.

Information security architecture

Information security architecture describes all aspects of the system that relate to security, including the set of underlying principles that guide the design.

Case: the presence of anti-virus software and corporate network firewalls in the Company's IT environment does not address all Information Security risks.

Our services include:

  • Enterprise requirements analysis and prioritization;
  • IT security reference architecture;
  • Common security services infrastructure;
  • Security implementation methodology or software development lifecycle (SDLC) and code review.

Result: reduced Information Security risks relevant to the Company's IT infrastructure and comprehensive management of Information Security risks.

Regulatory and policy compliance

PricewaterhouseCoopers' regulatory and policy compliance practice helps companies address the laws, regulations, and internal policies with which they must comply. Some of the key laws and regulations related to Information Security that companies need to be aware of include the following:

  • FZ 152 on personal data;
  • FZ 161 on national payment system;
  • The Information Security Standard of the Central Bank of the Russian Federation;
  • Payment Card Industry (PCI) and Payment Applications (PA) Data Security Standards;
  • Health Insurance Portability and Accountability Act (HIPAA);
  • The Gramm-Leach-Bliley Act (GLBA);
  • Sarbanes-Oxley.

Case: the Company requires an external assessment of its Information Security maturity level and compliance status for its business partners.

Our services include:

  • Regulatory compliance management;
  • Policies and standards management;
  • Policy and standards compliance.

Result: ability to obtain the certifications required by the Company's business objectives.

Identity and access management

Identity and access management relates to the granting or denying of access to a company’s equipment and data. Strong, effective access management enables the access of authorized workers while restricting the access of unauthorized workers and external third-parties.

Case: the Company management has no clear understanding of who has access to critical information.

Our services include:

  • Authentication and authorization analysis;
  • User management and provisioning;
  • Identity storage and data integration.

Result: decreased risk of unauthorized access to critical business information.

Privacy and data protection

The privacy and data protection practice provides companies with a series of important security capabilities. The team can help organizations ensure proper data handling practices for the collection, use, retention, and sharing of personally-identifiable information about customers and employees in its care.

Case: personal and business-critical information circulates both inside and outside the Company. Such data could be intercepted, altered or even destroyed without management's knowledge.

Our services include:

  • Accountability;
  • Notice;
  • Choice and consent;
  • Data collection;
  • Data use and retention;
  • Data subject access;
  • Third-party data disclosure;
  • Data accuracy.

Result: decreased risk of information disclosure, unauthorized change or destruction.

Physical security

PwC’s physical security team considers the capabilities necessary to protect a company’s facilities, hardware, and people involved in information security.

Case: physical security risks such as electricity disruptions, fires, or server rooms located in inhospitable environments (e.g. an exposed warehouse) could lead to data loss and theft.

Our services include:

  • Data center security review;
  • Policies and standards;
  • Access controls.

Result: decreased risk of unauthorized physical access and unexpected loss of company information.

Penetration testing

PwC’s penetration testing team performs infrastructure and application penetration testing that focuses on identifying and validating vulnerabilities associated with critical infrastructure and business applications, both internal and external facing.

Case: cybercrime is rapidly evolving (according to a recent survey by leading analysts). Hackers exist both outside and inside the Company. "Probing" and "hacking" of the Company's information resources are likely, as even autonomous malware can perform such unauthorized activities.

Our services include:

  • Comprehensive infrastructure penetration testing;
  • Website security testing procedures;
  • Black-box and white-box approach;
  • Recommendations on mitigating known security vulnerabilities.

Result: decreased risk of loss or theft of information through remediation of IT infrastructure weaknesses.

Game of Threats™ Cyber Threat Simulation

Game of Threats™ is a digital game that simulates the speed and complexity of a real-world cyber breach to help executives better understand the steps they can take to protect their companies. The game environment creates a realistic experience in which both sides, the company and the attacker, are required to make quick, high-impact decisions with minimal information.

PwC’s Cybersecurity experts coach players through realistic scenarios with different types of threat actors and their preferred methodologies, and explain what they can do to better prevent, detect and respond to an attack.

Key takeaways for players

  • Learn about different threat actors targeting your company, and the attack strategies they use
  • Recognize the reputational, financial and regulatory impacts of cyber attacks and breach response
  • Identify the potential ramifications and remediation options after an attack
  • Understand what can be done to prevent an attack
  • Learn key cybersecurity trends and terminology