ISO 27001:2013 Certification Implementation Assistance
Consultancy services for ISO 27001:2013 certification consist of gap assessment, risk assessment and treatment, policy and procedure development, training and internal audit.
In recent years we have assisted more Sri Lankan organizations, across multiple industries, to achieve ISO/IEC 27001:2013 certification than any other provider, through our dedicated team of ISO/IEC 27001:2013 Lead Auditors.
Information Security Framework Development
PwC offers a suite of information security policies and procedures that align with your business objectives and address your organization's risk and compliance requirements.
ISO 27001:2013 Internal Audits
PwC provides ISMS internal audits that help organizations maintain ISO 27001 certification by identifying implementation gaps and reporting compliance status against ISO 27001.
Information Security Policy & Procedure Review
PwC reviews your organization's information security policies and procedures and recommends changes to align them with industry best practices, legal and regulatory requirements, and your organization's risk profile and business objectives.
ISO 27001 Managed Services
PwC's ISO 27001 managed service suite includes information security policy and procedure review, employee training and ISMS internal audits.
Information Classification Framework Development
Information classification framework development covers setting up an information classification policy that takes into account the organization's business objectives, the sensitivity of the information it handles and its compliance requirements, and assisting the organization to identify and classify its information according to that policy.
IT Governance, Risk and Compliance (IT GRC)
Business Continuity Management
As part of our Governance, Risk and Compliance services, we offer an array of customized and strategic solutions, including implementation of an ISO 22301:2012 Business Continuity Management System.
- Business Continuity Plan Development - PwC assists you in developing business continuity plans in an efficient, focused manner that builds repeatability into your organization's response and recovery efforts, aligned with your business objectives.
- ISO 22301:2012 Certification Implementation Assistance - ISO 22301:2012 implementation assistance follows a step-by-step approach covering business impact analysis, risk assessment, business continuity plans, the mandatory documentation, BCP training and exercises, and internal audit.
- BCP Documentation Review - PwC reviews your organization's business continuity policy and plans and recommends changes to align them with industry best practices, legal and regulatory requirements, and your organization's risk profile and business objectives.
- BCP Managed Services - PwC's BCP managed service suite includes business continuity policy and plan review, employee training and internal audits.
IT Strategy and Governance
- ISO 20000:2011 Certification Implementation Assistance - ISO 20000:2011 takes a comprehensive approach to IT service management and defines the set of processes needed to deliver effective services. PwC's approach to ISO 20000:2011 certification implementation assistance includes policy and procedure development to align your IT service management practices with business requirements, training and internal audit.
- ITSM Review - PwC reviews your organization's IT service management (ITSM) documentation and recommends changes to align it with industry best practices and business requirements.
Privacy and data protection
The privacy and data protection practice provides companies with a set of important security capabilities. The team helps organizations ensure proper data handling practices for the collection, use, retention and sharing of the personally identifiable information about customers and employees in their care.
Our services include:
GDPR Compliance Review - a gap assessment to determine your organization's readiness for the EU GDPR.
GDPR Implementation Assistance - PwC provides consultancy services to help organizations implement the controls needed to comply with the EU GDPR.
GDPR Training (Classroom) - classroom training that raises employee awareness of the EU GDPR and of the standards and practices that must be followed to comply with it.
Threat and vulnerability management
New vulnerabilities are discovered every day, and the speed at which new threats appear makes securing your critical assets harder. The answer is to quickly immunize your infrastructure against these threats by removing the underlying weaknesses they exploit. Our assessments are customized to your requirements, for example:
- Black box - unauthenticated access and little prior knowledge of the systems in scope beyond an IP address or URL.
- Gray box - testing of target systems as an authenticated user with user-level access, verifying that ordinary users cannot reach sensitive data; and
- White box - assessment of a system or device with "administrator" or "root" level access and full knowledge of its internals.
Our vulnerability assessments focus on four areas:
- External Network Vulnerability Assessment - remote testing of publicly exposed services and systems.
- Internal Network Vulnerability Assessment - onsite testing within the local LAN, with direct or remote access.
- Wireless Security Assessment - we assess the strength of your wireless network using our expertise and experience with a range of commercial and open source tools.
- Application Vulnerability Assessment - assessment of application and server level misconfigurations, weak controls and well-known vulnerabilities. Our application vulnerability assessments focus on the following areas, under different conditions:
- Web Application and Web Services/API Security Assessment - based on your requirements we perform a comprehensive assessment in either black box or gray box mode.
- Mobile Application Security Assessment - we assess your mobile application and its supporting infrastructure against current security standards such as the OWASP mobile application security framework, the PwC Mobile Application Security Standard and the CBSL guideline for payment-related applications.
- Thin-Client/Desktop Application Security Assessment - insecure desktop and thin-client applications, not only web applications, are now a major threat to your organization. Weak configurations and known vulnerabilities in such applications can directly impact your business; our expertise and experience help you mitigate that risk.
Information security architecture
Internal and external network security controls are essential to protect financially significant systems from unauthorized access, network-based attacks and unexpected outages. Our network review assesses the network infrastructure for security, availability and performance, gauging the security mechanisms deployed, the adequacy of those controls and their effectiveness in providing strong security with minimal impact on productivity. The key areas we cover are:
- Network Architecture Review - review the available network documentation and interview network administrators to determine whether the network architecture adheres to core security principles.
- Network Diagnostic Review - obtain and analyse the configurations and procedures of network equipment and technologies (firewalls, routers, switches, IPS/IDS, VPNs and any other network services and devices), virtual environments such as VMware and Hyper-V, and cloud environments, against industry standards.
- Traffic-Flow Analysis - review available network statistics to determine how traffic flows among systems and devices on the network.
- IT General Control Review - based on PwC's Technology Assurance Framework and our catalogue of specific IT risks, we consider which risks affect the technology processes supporting the key business activities.
- Datacenter Risk Assessment - the benefits of an assessment extend beyond prevention. It confirms alignment between the business mission and facility performance expectations, quantifies the risk and exposure of critical facilities to failure, identifies vulnerabilities, serves as the first step in an action plan for site hardening, benchmarks the facility against the industry and supports the business case for capital expenditure. Applying physical, administrative and technical safeguards can lift a business to a higher level of information security and productivity. The risk assessment exercise aims to:
- Validate the function of infrastructure system capacities;
- Identify single points of failure;
- Ascertain degree of compliance to Datacenter best practices; and
- Determine which systems fail to meet design objectives.
Physical security reviews give security personnel and management the information they need to judge the effectiveness and appropriateness of existing security guidelines. A site security review is a sound first step before making security improvements at a facility or when trying to solve a specific security problem.
Our vulnerability assessment and penetration testing approach is based on years of developed and proven testing methods and on our attack, penetration and forensic experience.
It allows our security professionals to identify potential access points into the network, prioritize vulnerabilities and attempt controlled penetrations of your networks and other points of access.
Our work plan is aligned to your needs and proactively identifies the threats your environment is exposed to, with clear remediation options.
Identity and access management
Identity and access management covers the granting and denial of access to a company's equipment and data. Strong, effective access management lets authorized workers in while keeping out unauthorized workers and external third parties.
PwC cyber security professionals support organizations on the following identity and access management assignments:
- Authentication and authorization analysis;
- User management and access provisioning reviews; and
- Identity storage and data integration infrastructure review
Security awareness and education
Information Security Classroom Trainings
Information security (IS) training sessions for your organization's employees, or for third parties that handle your organization's information, covering how to protect information using best practices and how to adhere to your organization's information security policy. We also address current IS attack trends and best practices for preventing them.
Computer Based Training (CBT)
We at PwC Sri Lanka Cyber Security have developed our own Interactive Computer Based Training (iCBT) module, a state-of-the-art training module that can be customized to the requirements of the client organization. Our CBT:
- Integrates easily with your existing learning management system (for example Moodle);
- Comes with customized branding options;
- Comes with cost-effective licensing and annual maintenance options;
- Comes with optional human resource aptitude tests; and
- Can be easily updated with content required by the client.
Social engineering assessments
PwC conducts a variety of tests to verify social engineering awareness among employees. These tests can take the form of:
- Telephone-based threats
- Reverse social engineering
- Waste management threats
- Physical security threats
- Website based threats
Managed Cybersecurity Services
"Help you innovate on the front lines and at the same time bridge the gap from 'Strategy to Execution'"
Managed cybersecurity services suit niche security technologies where a shortage of adequately trained staff makes continuous monitoring hard to resource. Our managed security services methodology removes the burden of staffing a dedicated, highly skilled team to manage activities outside conventional technology operations, while continuously improving the technologies in use.
The problems we are solving for our clients
Can you take ownership of delivering on cybersecurity needs?
We need specialist skills
A partner we can trust
We need to realize value from Security investments
What matters is quality of staff
We need a secure infrastructure with best-in-class technologies
PwC provides customized services that help organizations achieve and maintain a secure posture and detect and respond to cybersecurity threats effectively on a continuous basis.
Our solution areas cover:
Vulnerability Assessment and Penetration Test
ITGC & Application Controls Review
Business Application Review
Web Application Security Review
Mobile Application and Infrastructure security review
Firewall and Network Infrastructure Review
Red Team Assessment
Information Security Management - ISO 27001:2013 ISMS Implementation
Business Continuity Management System (BCMS) in line with ISO 22301:2019
Phishing simulation and social engineering
Security Awareness Workshops & Tabletop Sessions
Cloud Security Review
The pay-offs of choosing PwC
A flexible and adaptable service delivery model that tailors our approach to fit your needs and objectives;
Knowledge transfer through ongoing guidance and training for your team, drawing on our security domain expertise and years of consulting experience;
Smoother coordination on project staffing, minimizing potential cost overruns due to inefficiency;
Enhanced technical controls that prevent loss of intellectual property, fraud, and leakage of customer data and other sensitive information;
Access to the specialised skills of cyber investigators, forensic experts, malware analysts, content specialists and security data scientists; and
A robust, automated operating model for security operations, leading to better protection from targeted attacks, a focused approach to incident closure, more efficient investigation processes and lower organisational risk.