Security management
Security management involves the general security activities and concerns of an organization. This includes all projects and activities that surround the personnel responsible for security at the policy and general management levels.
Case: the Company's IT services and IT infrastructure evolve, and IT security risks arise accordingly. The Company implements a new Information Security management system and must evaluate its effectiveness and efficiency in satisfying the established security requirements.
Our services include:
- Knowledge management;
- Personnel management;
- Portfolio management;
- Enterprise security feedback;
- Third-party management;
- Risk management;
- Communication.
Result: minimized actual IS risks relevant to the Company and an established, effective IS management system.
Security awareness and education
The PwC’s security awareness and education team is dedicated to increasing company-wide awareness of the importance of corporate security and educating entire organizations—at every level—about how they can securely maintain the company’s information and physical assets.
Case: companies now recognize that the main cause of Information Security incidents is the “human factor”. Both contemporary and familiar instruments require profound knowledge and a wealth of experience to avoid such incidents.
Our services include:
- Awareness programs and procedures;
- Educational programs around certifications and qualifications;
- Communication strategies.
Result: mitigated risks of “human factor” incidents and improved management of Information Security.
Threat and vulnerability management
PwC’s threat and vulnerability management practice is dedicated to the critical task of protecting the enterprise. The activities in this area range from traditional firewall and host security mechanisms to dealing with the increased security risks that are an outgrowth of ever-expanding network infrastructures.
Case: the Company is unaware that an attack on critical company resources is in progress or has already occurred.
Our services include:
- Intrusion monitoring;
- Malicious program detection;
- Security information management;
- Threat management;
- Vulnerability management;
- Incident response;
- Asset management.
Result: decreased risk of serious Information Security incidents and improved control over and security of critical information resources.
Information security architecture
Information security architecture describes all aspects of the system that relate to security, including the set of underlying principles that guide the design.
Case: the existence of anti-virus software and corporate network firewalls in the Company’s IT environment does not address all Information Security risks.
Our services include:
- Enterprise requirements analysis and prioritization;
- IT security reference architecture;
- Common security services infrastructure;
- Security implementation methodology or software development lifecycle (SDLC) and code review.
Result: reduced Information Security risks relevant to the company's IT infrastructure and comprehensive management of Information Security risks.
Regulatory and policy compliance
PricewaterhouseCoopers’ regulatory and policy compliance practice helps companies address the laws, regulations, and internal policies with which they must comply. Some of the key laws and regulations related to Information Security that companies need to be aware of include the following:
- FZ 152 on personal data;
- FZ 161 on national payment system;
- The Information Security Standard of the Central Bank of the Russian Federation;
- Payment Card Industry (PCI) and Payment Applications (PA) Data Security Standards;
- Health Insurance Portability and Accountability Act (HIPAA);
- The Gramm-Leach-Bliley Act (GLBA);
- Sarbanes-Oxley.
Case: the Company requires an external assessment of its Information Security maturity level and compliance status for its business partners.
Our services include:
- Regulatory compliance management;
- Policies and standards management;
- Policy and standards compliance.
Result: ability to secure the necessary certification based on required business objectives.
Identity and access management
Identity and access management relates to the granting or denying of access to a company’s equipment and data. Strong, effective access management enables the access of authorized workers while restricting the access of unauthorized workers and external third-parties.
Case: the Company management has no clear understanding of who has access to critical information.
Our services include:
- Authentication and authorization analysis;
- User management and provisioning;
- Identity storage and data integration.
Result: decreased risk of unauthorized access to critical business information.
Privacy and data protection (GDPR)
The privacy and data protection practice provides companies with a series of important security capabilities. The team can help organizations ensure proper data handling practices for the collection, use, retention, and sharing of personally-identifiable information about customers and employees in its care.
Case: personal and business-critical information circulates both inside and outside the Company. Such data could be intercepted, altered or even destroyed without management’s knowledge.
Our services include:
- Accountability;
- Notice;
- Choice and consent;
- Data collection;
- Data use and retention;
- Data subject access;
- Third-party data disclosure;
- Data accuracy.
Result: decreased risk of information disclosure, unauthorized change or destruction.
Physical security
PwC’s physical security team considers the capabilities necessary to protect a company’s facilities, hardware, and people involved in information security.
Case: physical security considerations related to electricity disruptions, fires, or server rooms located in inhospitable environments (e.g. an exposed warehouse) could lead to data loss and theft.
Our services include:
- Data center security review;
- Policies and standards;
- Access controls.
Result: decreased risk of unauthorized physical access and unexpected loss of company information.
Penetration testing
PwC’s penetration testing team performs infrastructure and application penetration testing that focuses on identifying and validating vulnerabilities associated with critical infrastructure and business applications, both internal and external facing.
Case: cybercrime is rapidly evolving (according to a recent survey by leading analysts). Hackers exist both outside and inside the Company. The risk of “probing” as well as “hacking” of the Company’s information resources is likely, as autonomous viruses can perform such unauthorized activities.
Our services include:
- Comprehensive infrastructure penetration testing;
- Website security testing procedures;
- Black-box and white-box approach;
- Recommendations on mitigating known security vulnerabilities.
Result: decreased risk of loss or theft of information through remediation of IT infrastructure weaknesses.