Cybersecurity

Your confidence in the future

How does the information security system help you achieve your business goals?

Currently companies are experiencing ever-increasing pressure to comply with regulatory requirements, maintain a high level of operational efficiency and business stability, and increase the company's shareholder value. At the same time, external threats critical to business information security are only growing. In these circumstances, companies can no longer afford to engage in information security only periodically.

To ensure the preservation and protection of intellectual property, confidential customer information and other information that is critical to business, it is necessary to have a comprehensive security strategy that is closely aligned with the goals and objectives of the business.

Our specialists in the risk assurance group perform their work in accordance with international and national standards in the field of information security (ISO / IEC 27001: 2013, PCI DSS, unified requirements in the field of information and communication technologies and information security, requirements for information security of banks and organizations that carry out certain types of banking operations of the National Bank of the Republic of Kazakhstan, etc.) We also perform the assessment against our own methodology for assessing information systems, which was created using our extensive experience in the field.

Drawing on key findings from the 2018 Global State of Information Security Survey (GSISS) and beyond, we offer nine insights on revitalizing privacy and trust in a data-driven world, concluding with next steps for global business leaders.

PwC professionals can help companies in the following critical areas:

Security management

Security management involves the general security activities and concerns of an organization. This includes all projects and activities that surround the personnel responsible for security at the policy and general management levels.

Case: IT-services and IT-infrastructure of the Company evolve and IT security risks arise accordingly. The Company implements a new Information Security management system and must evaluate its effectiveness and efficiency in satisfying the established security requirements.

Our services include:

  • Knowledge management;
  • Personnel management;
  • Portfolio management;
  • Enterprise security feedback;
  • Third-party management;
  • Risk management;
  • Communication.

Result: minimized actual IS risks relevant for the Company and an established, effective IS management system.

Security awareness and education

PwC’s security awareness and education team is dedicated to increasing company-wide awareness of the importance of corporate security and to educating entire organizations—at every level—about how they can securely maintain the company’s information and physical assets.

Case: Companies now recognize that the main cause of Information Security incidents is the “human factor”. Using both contemporary and familiar tools to avoid such incidents requires profound knowledge and a wealth of experience.

Our services include:

  • Awareness programs and procedures;
  • Educational programs around certifications and qualifications;
  • Communication strategies.

Result: mitigated risks of “human factor” incidents and improved management of Information Security.

Threat and vulnerability management

PwC’s threat and vulnerability management practice is dedicated to the critical task of protecting the enterprise. The activities in this area range from traditional firewall and host security mechanisms to dealing with the increased security risks that are an outgrowth of ever-expanding network infrastructures.

Case: The Company is unaware that an attack on critical company resources is in progress or has already occurred.

Our services include:

  • Intrusion monitoring;
  • Malicious program detection;
  • Security information management;
  • Threat management;
  • Vulnerability management;
  • Incident response;
  • Asset management.

Result: decreased risk of serious Information Security incidents and improved control over and security of critical information resources.

Information security architecture

Information security architecture describes all aspects of the system that relate to security, including the set of underlying principles that guide the design.

Case: The existence of anti-virus software and corporate network firewalls in the Company’s IT environment does not address all the risks of Information Security.

Our services include:

  • Enterprise requirements analysis and prioritization;
  • IT security reference architecture;
  • Common security services infrastructure;
  • Security implementation methodology or software development lifecycle (SDLC) and code review.

Result: reduced Information Security risks relevant for the company IT infrastructure and comprehensive management of Information Security risks.

Regulatory and policy compliance

PricewaterhouseCoopers’ regulatory and policy compliance practice helps companies address the laws, regulations, and internal policies with which they must comply. Some of the key laws and regulations related to Information Security that companies need to be aware of include the following:

  • FZ 152 on personal data;
  • FZ 161 on national payment system;
  • The Information Security Standard of the Central Bank of the Russian Federation;
  • Payment Card Industry (PCI) and Payment Applications (PA) Data Security Standards;
  • Health Information Portability and Accountability Act (HIPAA);
  • The Gramm-Leach Bliley Act (GLBA);
  • Sarbanes-Oxley.

Case: the Company requires an external assessment of its Information Security maturity level and compliance status for its business partners.

Our services include:

  • Regulatory compliance management;
  • Policies and standards management;
  • Policy and standards compliance.

Result: ability to secure the certifications required by the Company’s business objectives.

Identity and access management

Identity and access management relates to the granting or denying of access to a company’s equipment and data. Strong, effective access management enables the access of authorized workers while restricting the access of unauthorized workers and external third-parties.

Case: the Company management has no clear understanding of who has access to critical information.

Our services include:

  • Authentication and authorization analysis;
  • User management and provisioning;
  • Identity storage and data integration.

Result: decreased risk of unauthorized access to critical business information.

Privacy and data protection

The privacy and data protection practice provides companies with a series of important security capabilities. The team can help organizations ensure proper data handling practices for the collection, use, retention, and sharing of personally-identifiable information about customers and employees in its care.

Case: personal and business-critical information circulates both inside and outside the Company. Such data could be intercepted, altered or even destroyed without management’s knowledge.

Our services include:

  • Accountability;
  • Notice;
  • Choice and consent;
  • Data collection;
  • Data use and retention;
  • Data subject access;
  • Third-party data disclosure;
  • Data accuracy.

Result: decreased risk of information disclosure, unauthorized change or destruction.

Physical security

PwC’s physical security team considers the capabilities necessary to protect a company’s facilities, hardware, and people involved in information security.

Case: Physical security weaknesses such as electricity disruptions, fires, and server rooms located in inhospitable environments (e.g. an exposed warehouse) could lead to data loss and theft.

Our services include:

  • Data center security review;
  • Policies and standards;
  • Access controls.

Result: decreased risk of unauthorized physical access and unexpected loss of company information.

Penetration testing

PwC’s penetration testing team performs infrastructure and application penetration testing that focuses on identifying and validating vulnerabilities associated with critical infrastructure and business applications, both internal and external facing.

Case: cybercrime is rapidly evolving (according to a recent survey of leading analysts). Hackers exist both outside and inside the Company. The risk of “probing” as well as “hacking” of the Company’s information resources is likely, as autonomous viruses can perform such unauthorized activities.

Our services include:

  • Comprehensive infrastructure penetration testing;
  • Website security testing procedures;
  • Black-box and white-box approach;
  • Recommendations on mitigating known security vulnerabilities.

Result: decreased risk of loss or theft of information through remediation of IT infrastructure weaknesses.

Contact us

Azamat Konratbayev

Partner, Risk assurance leader, PwC Kazakhstan

Tel: +7 727 330 3200

Boris Mazets

Senior Manager, information security and information technologies, PwC Kazakhstan

Tel: +7 727 330 3201 (ext. 3727)