Delivering ISO27001

PricewaterhouseCoopers are highly experienced in delivering ISO27001 solutions. We assist our customers in implementing the Information Security standard in order to achieve certification, or guide a company through the standard's framework and methodology.

ISO 27001 encompasses a number of modules, including:
Gap Analysis
Analyses your organisation's compliance with ISO 27001 best practices, and also investigates the gaps in your defence should you be taken to court over security breaches or non-compliance issues. This is one reason our consultants are knowledgeable about the law and forensic investigations.
The analysis is performed in stages as listed below:

  • Ascertain structure of organisation and scope of Information Security (IS) requirement
  • Establish the company's stance on Information Security (including interviews with randomly selected personnel across all disciplines of the business)
  • Examine selection of existing policies
  • Identify principal information assets and relative value to the business
  • Establish extent of existing processes and procedures / examine sample of documentation
  • Identify current procedural and technical safeguards in place / discuss strengths & compliance
  • Assess degree of compliance with applicable legislation (e.g. the Data Protection Act (DPA))
  • Assess policy / procedural / technical IS improvements that would be necessary to achieve alignment with the ISO 27001 standard.
  • Report on findings of gap analysis and make recommendations for remedial action/strategy to achieve alignment with the requirements of ISO 27001

Risk Assessment
Each organisation faces its own unique mixture of threats and vulnerabilities when it comes to Information Security. A thorough assessment of the potential risks can not only safeguard important and valuable information assets, but also save time and money by avoiding the implementation of unnecessary controls. To ensure that the analysis is both appropriate and cost effective, it is important that focus is centred on the most important information assets.
PwC can help you to reduce your exposure to information security risks by undertaking a thorough risk analysis of your security infrastructure. The detailed assessment of current threats and vulnerabilities, balanced against the existing control measures, provides a clear indication of where improvements are necessary. Risk management can then be practised to avoid risks wherever possible and to reduce residual risk by introducing appropriate controls.
PwC can help to:
·  Identify the operational risks & vulnerabilities
·  Identify and value the important information assets
·  Recommend measures to avoid or mitigate the risks
·  Reduce the threats and vulnerabilities
·  Identify control objectives
·  Select effective and appropriate control measures

Business Continuity Planning
Often overlooked, due to the “it will never happen to me” culture, business continuity is an issue which is far too often put to the bottom of the corporate agenda. Our consultants work with companies to formulate a business continuity plan that covers incidents ranging from total loss of business (through flooding, for instance) to lesser interruptions to business continuity, e.g. loss of essential staff or long power outages.
The purpose of any business continuity plan is to:
·  Establish an organisational structure in order that any unforeseen incident which threatens the continuity of business can be managed to minimise the risk/impact on the business.
·  Identify and create key teams of staff to work alongside senior Directors and Managers to effectively manage any business continuity incident.
·  Ensure the safety of the company’s staff and of the individuals for whom the company has responsibility following an incident.
·  Ensure the rapid re-establishment of communications, computer systems, and critical business functions.
·  Establish the principles upon which the logistics of recovery of the main business functions will be based.
·  Establish a clear communications channel to the media and ensure that any reporting is in the best possible interests of the company.
·  Ensure that internal communication to the staff is clear and effective following an incident and during the recovery process.

Policy Awareness and Training
Our consultants can provide a range of staff awareness training seminars based upon the defined policies that the company has adopted. The key aim is to ensure that staff (permanent and contract) are kept up to date about the adopted Information Security policies and that they sign up to executing these policies in the course of their day-to-day work. This will typically involve the company's HR department making Information Security awareness part of the new staff induction process as well as part of the ongoing reviews of all personnel.

IT Security Assessment Service

The Cost of IT Security Breaches
·  44% of businesses have suffered at least one malicious security breach in the past year.
·  The average cost of a single breach has been estimated at $75,000.
Introduction
In today's competitive climate, management of data and information security is critical to sustain business advantage and survival.
Although it's clear that risk awareness is the key to a successful security strategy, many companies, SMEs in particular, find it difficult to justify an infrastructure comprehensive enough to develop, review and measure such a strategy.
Our Security Assessment
PwC Security’s Security Assessment Service is designed to evaluate your Internet and information security weaknesses, minimising vulnerability whilst giving you a measurable level to gauge against.
We can provide peace of mind for you by conducting an audit and analysis of your current infrastructure, with a comprehensive report detailing the findings along with any remedial activities we would recommend.
Our methodology is aligned to ISO27001 where appropriate and based on industry best practice, including elements of OSSTMM and OWASP. No two clients are the same, so we choose the most appropriate methodology per client. This enables us to most closely match the client’s requirements in order to deliver the best value possible.

Key Benefits
·  Identification and assessment of risks to network security and integrity
·  Assists with the prevention of loss of system availability, integrity or confidential information
·  Comprehensive informative reporting
·  ISO27001 Aligned
·  OSSTMM & OWASP standards utilised where appropriate
Key Focus Areas
·  High level review
·  Network
·  Firewall(s)
·  Anti-virus
·  Email security
·  Web security
·  Application usage
·  End-point security
·  User policies
·  Policy review
·  Patch management

PCI Compliance Services

Payment Card Industry (PCI) Compliance is a set of security standards that were created by the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect their customers from increasing identity theft and security breaches. If you accept, process, or store credit card information you are required to comply with the standards set by the Payment Card Industry.
PwC is able to provide expert services and consultancy to ensure your organisation's compliance with the PCI standard and other best practice approaches to data security. Our unique experience allows us to take standards such as PCI and translate them into real-world requirements which can then be implemented in a planned and controlled manner. With both procedural and technical experience, PwC can ensure your organisation reaches the required level of compliance as quickly and effortlessly as possible.
The requirements for becoming Payment Card Industry (PCI) Compliant are dependent upon the merchant level that a company falls under. Merchants are divided into four different levels based on the number of transactions they process throughout a year.

Level 1
  Criteria: Merchants with over 6 million transactions a year; merchants whose data has been compromised
  Requirements: Annual Onsite Security Audit and quarterly network security scan

Level 2
  Criteria: Merchants with 150,000 to 6 million transactions a year
  Requirements: Annual Self Assessment Questionnaire; Quarterly Scan by an Approved PCI Scanning Vendor

Level 3
  Criteria: Merchants with 20,000 to 150,000 transactions a year
  Requirements: Annual Self Assessment Questionnaire; Quarterly Scan by an Approved PCI Scanning Vendor

Level 4
  Criteria: Merchants with less than 20,000 transactions a year
  Requirements: Need to report compliance but must maintain compliance.

The main control objectives for PCI compliance and validation are as follows:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks

Penetration Testing

"You can't manage what you can't measure"... When an organisation is looking at its overall situation as far as systems and network security is concerned, often the first step is to understand where it is today in terms of systems and the potential vulnerabilities that may exist on those systems. From this it is possible to draw up an action plan for how to address and minimise those risks. Often a vulnerability assessment forms part of a gap analysis to see how compliant an organisation is with its security policy or against a standard such as ISO27001.

Our consultants have a great deal of experience in providing such services and recognise that there is a "practical" side to any such service. After performing the consultancy, a report is produced which outlines any risks or vulnerabilities found together with an explanation of how these may practically impact an organisation together with recommendations for minimising such risks.

We are pleased to offer two services:

Vulnerability Assessment

A vulnerability assessment is the identification of potential weaknesses in a system or systems that could be exploited to gain access to or steal data from the system in question. Using a range of commercial and public-domain tools, our consultants will quickly test the systems to identify any such vulnerabilities. The key skill is that, once the scans have been run, a "real-world" interpretation is put on the results to accurately inform you as to the real vulnerabilities. This service can be performed on site or across the Internet as required. A full report is produced which outlines any vulnerabilities found, their potential impact and also, where possible, instructions and advice on how to fix them, or at least minimise the impact of a breach.

Penetration Testing

Penetration testing takes the vulnerability assessment to the next level. Once a scan has been performed to identify potential vulnerabilities, these are then exploited by one of our consultants to try to gain access to the system or systems in question. The testing then goes further to include (should you so wish) social engineering attacks (still one of the most successful forms of attack). Again, once complete, a full report is produced which outlines the results of the various tests and also suggested fixes. A presentation can also be prepared and given to executive or technical audiences.

Risk Assessment Services

Each organisation faces its own unique mixture of threats and vulnerabilities when it comes to Information Security. A thorough, focused assessment of the potential risks can not only safeguard important and valuable information assets, but also save time and money by avoiding the implementation of unnecessary controls. PwC can help you to reduce your exposure to information security risks by undertaking a thorough risk analysis of your security infrastructure.

The detailed assessment of current threats and vulnerabilities, balanced against the existing control measures, provides a clear indication of where improvements are necessary. Risk management can then be practised to avoid significant risks wherever possible by introducing appropriate controls and/or mitigating measures.

PwC can help you to:

  • Identify the operational risks & vulnerabilities
  • Identify and value the important information assets
  • Recommend measures to avoid or mitigate the risks
  • Reduce the threats and vulnerabilities
  • Identify control objectives
  • Select effective and appropriate control measures

PwC appreciates that you have to take responsibility for your risk management, and, using a structured, uniquely tailored approach we can help you to focus on the key decisions that have to be made.

Training

PwC is pleased to be able to offer a number of training courses based around ISO27001 and best practice approaches to security solutions. These courses have been developed by consultants who are actively involved in the delivery of ISO27001 and security best practice consultancy, so you are assured that they are up to date and relevant to businesses across the spectrum of industry.

For more information please click on the appropriate course title below:
An Introduction to ISO27001 Certification (1 day)

The Route to ISO27001 Certification (3 days)
Our consultants have a wide range of experience in developing and delivering unique and advanced solutions. If you require training in any other area of information security or technology, please contact us to discuss your requirements.

Security Policy Consultancy

Writing an effective security policy is not as simple as it may seem. Before the policy is created, a number of questions should be asked to help shape it. If your organisation already has an information security policy, there are still a number of questions that should be asked about it, such as:

  • Is it in line with the current Data Protection Act?
  • Does it go far enough in protecting the employee and employer alike?
  • From a legal standpoint will it stand up in a court of law and prove that a "duty of care" has been initiated thus giving a degree of protection to the board?
  • Is it written in an unambiguous way so that employees have a thorough understanding of it?
  • From a technical point of view does it go far enough or maybe too far?
  • Is it in line with current good practice standards such as ISO27001 recommendations?

The answers to these and similar questions will help shape the policy and questions like these should be asked on a regular basis; driving forces such as legislation are constantly changing so it is important to know how your policy stacks up against such drivers.

At PwC, we recognise that writing security policies is not your main business. We can take the burden of policy writing away from you completely (or just review a current policy) so that you are free to concentrate on your core business. We will ensure that the policy is kept up to date in line with changes to the laws which are pertinent to your particular business. If needed, we will deploy it on site and ensure affirmation of its contents by your staff.


Contacts
Jean-Pierre Young
Port Louis
Tel: +230 207 5000

© 2007-2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.