IT Security and IT Risk

How information security can help meet business objectives

Companies today are under ever-increasing pressure to meet regulatory requirements, maintain strong operational performance, and increase shareholder value. In this hyper-competitive environment, companies can no longer afford ad hoc security measures.

Protecting intellectual property, sensitive customer information, and other business-critical information requires a comprehensive security strategy that closely aligns with business objectives.

The PwC Security practice is dedicated to providing our clients with world-class security advice. This advice is based on our knowledge and experience in providing security consulting services, including the strategy, design, configuration, and assessment of enterprise security and identity/access management solutions, to our non-audit clients. PwC provides security and risk services to audit and non-audit clients in 153 countries across North America, Europe, the Middle East, Asia Pacific and the rest of the world.

Our Capabilities

Value for our clients

  • How to drive value by adopting a strategic approach to security planning and assessment
    - Assess how clients align security governance and planning to support business and compliance requirements
    - Evaluate security prioritization process by analyzing key program drivers and industry practices
    - Assess current security strategy and make actionable recommendations to improve the sustainability of their program
    - Leverage PwC’s SecurityATLAS toolset and overall security taxonomy, including various capability and process models to evaluate security programs
    - Provide industry-centric security benchmarks and metrics

  • How to better design, integrate and implement technology and security solutions
    Provide assessment and recommendations for key security domains, such as:
    - Security architecture/design
    - Application security as well as architecture and code reviews
    - Sensitive Data Protection
    - Identity and access management solutions
    - Integrated threat and vulnerability management solutions
    - Mobile security strategy, analysis, design and assessment services
    - Key security processes such as those supporting security communications and reporting
    - Emerging technologies, such as Cloud Computing and Social Media

  • How to improve risk management and compliance activities
    - Work with clients to identify risk areas and suggest options for improvement
    - Use proven methodologies and industry knowledge to identify security measures (people, processes and technology) and process standardization opportunities
    - Assess current compliance monitoring capabilities against established standards and policies to identify compliance gaps and continuous improvement opportunities

  • How to manage the impact of unplanned security events
    Help companies assess their security response and investigation capabilities and provide recommendations in the following areas:
    - Security-related cyber crime dispute analysis and digital forensics
    - Security crisis and response policies and procedures
    - Post-mortem security processes that analyze incidents and help prevent their recurrence
    - Security monitoring processes, and incident response policies and procedures

  • How to protect privacy and sensitive business data
    Help clients understand the current maturity of their privacy program by assessing:
    - Privacy awareness programs
    - The reporting process for privacy-related risks at the board, executive management and task force level
    - Integration of privacy and security assessment activities
    - The current inventory and mapping of business processes that involve high-risk data elements throughout the data lifecycle
    - The third-party privacy and security oversight program, including contractual safeguards, manual or automated pre-contract risk-based assessments and ongoing monitoring

Data Protection Services

In the broad context of data and identity theft, privacy pertains to the protection of sensitive information that is of a personal nature to individuals. A wide variety of federal, state, and industry regulations (e.g. the Gramm-Leach-Bliley Act, the Federal Trade Commission's (FTC) Red Flags Rule, the PCI Data Security Standard, and the Massachusetts Data Protection Regulation (MA 201 CMR 17)) have been created to protect sensitive personal information. Although the definition of sensitive information varies, it typically includes a person's name in combination with a social security number, driver's licence number, or financial account number. Each organisation's compliance requirements vary depending upon the industry as well as the nature of the organisation's business, customers, and employees. As headlines have shown, companies that incur data breaches risk lawsuits, fines, regulatory sanctions, and reputational damage. As companies increasingly adopt more complex, highly collaborative business models predicated on the sharing of sensitive information, most notably personally identifiable information (PII), the focus on privacy and compliance continues to rise in proportion to the legal, regulatory, and reputational risks associated with such business practices.

In response to these risks, PwC offers services to help clients protect their sensitive data. The key service offerings are:

  • Risk Assessment
  • Enterprise Data Protection Framework Development
  • Data Protection Technology Deployment
  • Data Classification and Ownership
  • Business Process Creation
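The combination rule stated in the Data Protection paragraph above (a person's name together with a social security number, driver's licence number or financial account number) is the kind of definition that the Data Classification step has to turn into a repeatable check over real records. The Python below is an added example written for this page; it is not PwC's SecurityATLAS or any other PwC tool. It assumes records have already been parsed into field dictionaries, that name columns are identified by column name from the data inventory, and it uses a US SSN pattern plus a Luhn-checked 13-19 digit pattern as stand-ins for the identifier formats; driver's licence numbers vary by state and are deliberately left out rather than guessed.

```python
"""Classify records under a name-plus-identifier rule (added example, not PwC code).

Assumptions (not taken from the page): records are dicts of field name to
value, name columns are recognised by column name, SSNs are written as
AAA-GG-SSSS, and financial account numbers are 13-19 Luhn-valid digits.
"""
import re

# Column names the data inventory marks as holding a person's name (assumed).
NAME_FIELDS = {"name", "first_name", "last_name", "full_name"}

# US SSN: rejects area 000/666/900-999, group 00 and serial 0000, and refuses
# to match inside a longer digit run.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)

# Candidate account/card numbers: 13-19 digits, optionally separated by
# spaces or dashes.  Confirmed with Luhn below so that arbitrary long
# numbers (ticket IDs, timestamps) are not flagged.
ACCOUNT_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> set:
    """Return the identifier kinds ('ssn', 'account') present in one value."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in ACCOUNT_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            kinds.add("account")
            break
    return kinds


def classify_record(record: dict) -> dict:
    """Apply the combination rule to one record.

    'restricted' only when a name is present together with at least one
    sensitive identifier; a name alone or an identifier alone is 'internal'
    (it still deserves handling, but does not meet the combination rule);
    otherwise 'public'.
    """
    has_name = any(
        key.lower() in NAME_FIELDS and str(value).strip()
        for key, value in record.items()
    )
    kinds = set()
    for value in record.values():
        kinds |= find_identifiers(str(value))
    if has_name and kinds:
        label = "restricted"
    elif has_name or kinds:
        label = "internal"
    else:
        label = "public"
    return {"label": label, "has_name": has_name, "identifiers": sorted(kinds)}


if __name__ == "__main__":
    # Constructed sample records, not real data.
    samples = [
        {"name": "Jane Doe", "ssn": "123-45-6789"},
        {"name": "Jane Doe", "notes": "card on file 4111 1111 1111 1111"},
        {"notes": "support ticket 123-45-6789"},
        {"name": "Jane Doe", "notes": "ref 1234567890123"},
        {"notes": "order 42"},
    ]
    for rec in samples:
        print(classify_record(rec))
```

The two-level outcome matters in practice: a column that holds SSNs without names is still worth inventorying, but it is the co-location of name and identifier that triggers the breach-notification obligations the paragraph describes, so the classifier reports both the label and the evidence behind it rather than a bare boolean.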