RCS - IT Advisory Services

PricewaterhouseCoopers is a global leader in information security and privacy solutions, with more highly trained professionals in the field than any other organization. Our multidisciplinary teams help clients effectively identify, assess, implement and manage security and privacy solutions. Our IT Security Advisory practice is devoted to the critical business issues of security, privacy and compliance, operational effectiveness and management assurance. Through proven methodologies, current tools, and recommended practice, we provide services in Information Assurance, Threat and Vulnerability Management and Business Continuity Management.

We currently provide, and have provided information technology (IT) and controls assurance services to a variety of business organisations, in various industries within Trinidad and the Caribbean. Our dedicated IT Security practice provides a range of services and solutions which includes the following:


Penetration Testing

Security penetration assessments identify information security risks, articulate their impact on the business and result in the development of mitigating strategies for critical security risks before they lead to financial or reputation loss. PwC’s services:

  • Simulate realistic threats, providing perspective on your security defences from an attacker’s point of view;
  • Target higher-risk vulnerabilities across the infrastructure in a short timeframe;
  • Demonstrate results with impact.  We clearly illustrate simulated compromises through appropriate evidence and walkthroughs;
  • Test incident response processes and certain aspects of employee security awareness; and,
  • Include flexible and iterative test procedures executed by experienced practitioners to identify non-linear paths of compromise, something not provided by automated vulnerability scanning tools.


Threat and Vulnerability Assessments

The vulnerability of systems to attack and penetration by hostile hackers, crackers or viruses is a top concern of leading businesses. By combining state-of-the-art analysis software, sophisticated techniques, industry knowledge and a proven methodology which helps facilitate that client operations are not interrupted, our security specialists will assess your susceptibility to a variety of attacks. These include parameter-tampering, execution of arbitrary code, privilege escalation, denial of service and a host of other attacks commonly used to gain unauthorized access or compromise sensitive systems and resources.


Network and System Security Assessment

This assessment performs diagnostics on primary IT infrastructure. Assessments of critical IT Systems and Devices evaluate the security of the system or device configuration to identify threat of attack (internal and external), loss and/or manipulation of data and code and loss of service within the environment.  This review includes detailed technical reviews of the system/device configurations to identify its susceptibility to threat of attack (internal and external), loss and/or manipulation of data and code and loss of service within the environment. This assessment includes technical reviews of the following:

  • Active Directory
  • Operating systems (Windows, UNIX, LINUX, AS400)
  • Databases (SQL, ORACLE)
  • Email Systems (Exchange, Lotus Notes)
  • Routers
  • Firewalls


Web Application Security Assessment

PwC has developed a proprietary Web Application Security Assessment (WASA) methodology based on years of web application security assessment and penetration testing experience. With this methodology, we can provide a repeatable, thorough and consistent security assessment of internet-facing applications. PwC’s WASA methodology concentrates on four key techniques used when working to compromise web-based applications: password abuse and user authentication system vulnerabilities; session hijacking; buffer overflow and buffer under-run; and cross-site scripting, SQL injection and information retrieval from cookies, test and temporary files and backup data.

Although usually at a lower risk level, static websites are still susceptible to many of the vulnerabilities generally found on dynamic web applications, such as infrastructure and platform-level vulnerabilities. When exploited, these vulnerabilities may lead to defacement of the website, denial of service, or unauthorized access to the server and the data contained therein.

PwC assesses a web application’s susceptibility to other forms of attack, including the following selection:

  • Parameter manipulation
  • Hard-coded usernames and passwords
  • Defacement via HTTP PUT method
  • Forceful browsing
  • Directory enumeration
  • Cookie poisoning
  • Hidden field manipulation
  • Path truncation
  • Files containing authentication information
  • Identification of backup files


Wireless Security Assessment

Wireless communication technology creates a whole new medium for data transmission that complements existing wired networks, offering unparalleled flexibility, portability, lower installation cost and new capabilities. However, it also brings new risks into the picture, as attackers now have a new playground in which to unleash their mayhem. Our consultants who specialise in wireless technology analyse an organisation’s vulnerability through its wireless access points.

Wireless penetration testing is typically conducted for two reasons: identifying rogue access points (APs) connected to the client’s internal network, and identifying weaknesses in the client’s implementation of wireless encryption.


IT Risk Assessment

An IT Risk Assessment assesses and manages information-related risks, as well as the underlying information technology (IT) related risks, and is essential in ensuring that controls and expenditures are fully commensurate with the risks to which the organization is exposed.

Risk Assessment is the major part of Risk Management that assists an organization in understanding its perceived risks and any inherent risk that may be prevalent in its operating environment. It identifies external, internal, accidental and intentional threats to the organization and the organization’s level of exposure to these threats based on its vulnerabilities, and ultimately determines the level of risk the organization faces. To add value, a Risk Assessment is usually followed by risk mitigation recommendations and their implementation.


Business Continuity Program

Organisations cannot possibly prepare for every scenario, but the more extensive the planning and preparation, the better prepared the organisation is to react to the unexpected. A robust Business Continuity Plan (BCP) documents the steps to be taken, the resources needed and the procedures to be followed before, during and after a crisis.

A BCP assessment includes the development and implementation of Risk Assessment and Business Impact Analysis processes, tools and templates; an enterprise-level business continuity plan framework; assistance with the implementation of a more robust incident management process; development of a testing strategy, testing schedule and rotation plan; and testing processes, including the creation of process flows, templates and instruction guides. This assessment also facilitates training sessions with client staff to create awareness and educate them in the execution of the newly developed processes.


IT Environment/Operations Gap Analysis

An IT Framework Gap Analysis compares the security environment of the client with the industry standard practices of our PricewaterhouseCoopers Information Security Framework in order to identify shortcomings and gaps, and to develop specific and actionable recommendations for improvement.

In order to achieve an adequate level of information security, organizations must have appropriate security elements in place. The following elements are covered within the Framework Gap Analysis review:

  • Security vision and strategy;
  • Senior management commitment;
  • Information Security management and structure;
  • Training and security awareness;
  • Technology strategy and usage;
  • Business initiatives and processes;
  • Threats, vulnerabilities and risk assessment;
  • Security policies;
  • Security architecture and technical standards;
  • Administrative and end user guidelines and procedures;
  • Enforcement processes;
  • Monitoring processes;
  • Recovery processes.


Information Technology General Controls

This review identifies the relevant controls over the current information systems and assesses their adequacy. It entails an analysis of the information systems environment and structure. The review looks at changes to programs and related infrastructure components within the IT environment; access to programs and data within the core application (including security administration, physical security, operating system security and network security); and the processing of day-to-day IT operations, which includes batch scheduling/real-time processing, backup, problem management and disaster recovery.

An Information Technology (IT) General Controls review will mainly cover the following areas:

  • IT department organisation and management;
  • Logical and physical security (including user access);
  • Operating systems and network security (including Windows 2000/2003, UNIX (various flavours) and OS400);
  • System maintenance activities (including change management);
  • Computer operations;
  • Backup/recovery procedures;
  • Software development and implementation.


Information Security Policy & Framework

This review assesses existing information security policies and framework, benchmarking them against ISO 27001. We also assist in the development of the information security framework, policies, standards, security baselines and procedures.


IT Governance Review

This is a review of IT Governance and its implementation, including the processes for planning and organising IT activities, the process of monitoring that activity, and benchmarking against an international IT governance framework such as Control Objectives for Information and related Technology (CobiT).

The review covers the following areas:

  • Strategic IT planning and direction
  • Information Technology Architecture
  • IT Processes, Organization and Relationships
  • Management of the IT Investment
  • Communication of Management Aims and Direction
  • Management of IT Human Resources
  • Assessment and Management of IT Risks
  • IT Project Management