Information Risk Management
Information risk assessment services
We can help our clients carry out an information risk assessment using proven methodologies to identify critical assets and business processes, evaluate the risk exposure and assist our clients to align their processes to their risk appetite.
Information risk assessment review and design
An information risk assessment is a continual process, and we can help our clients implement a programme to assess the risks on a periodic basis and take the necessary measures to reduce them to an acceptable level.
Data leakage review
The leakage of critical business data can lead to a disaster for our clients. We can assist our clients either by reviewing their current approach to preventing data leakage and protecting their critical assets, or by helping them investigate a data leakage incident.
Business Continuity Plan
Our clients often need assistance in designing a Business Continuity Plan to respond to an emergency, deploy backup operations and carry out post-disaster recovery, so that critical resources remain available and operations can continue within a reasonable period of time after an emergency.
Security strategy development
We can assist our clients by assessing their primary Information Security functions, identifying the root causes of common pain points, developing a future state vision and strategic objectives, creating the services maturity roadmap needed to achieve the client’s desired future state, and providing tactical recommendations based on service interdependencies, key issues and the risk appetite of the organisation.
PwC assists clients in addressing common issues by establishing the right management structure for security, one that takes into consideration size, complexity, maturity, existing culture and relationships with external organisations.
Security metrics design
In addition to ensuring that our clients’ security objectives are aligned with their business objectives, we can assist our clients in identifying the security metrics that would permit them to measure their security effectiveness.
Physical and environment security review
Critical systems are often hosted by our clients in data centres and managed remotely. Nevertheless, the physical and environmental security of these facilities is of utmost importance. We can assist our clients by reviewing the physical and environmental security controls implemented at these facilities and assessing them against best practices and industry standards.
Management reporting design
Through our client experience, we know that management needs timely, accurate and concise reporting. We can advise our clients during the design of manual and/or automated reporting capabilities that would provide management with the right tools and information to effectively manage their business.
Managing outsourcing
We have found that businesses’ outsourcing expectations are often not met because the organisation and the outsourcing service provider each have different needs and goals. During the transition to a managed security services provider, we provide strong business process knowledge to help organisations achieve a cost-effective transformation in both processes and technology.
Return on investment review
A return on investment review states the non-financial benefits, financial benefits and costs of Information Security or a security initiative to an organisation. Our clients request this service to justify the budget set for security projects, to assist in project appraisal and selection, and to provide general input for the management of Information Security.
Compliance and Awareness
Data classification, policy and standards review and development
A sound set of policies, standards, procedures and security baselines is an important component of the client’s security strategy, ensuring that their operations are aligned to their objectives. We can assist our clients either by supporting the development of the policy set or by reviewing existing policies and recommending improvements.
Threat and Vulnerability Assessment
Externally facing systems need to be adequately protected against malicious attacks. Clients may be required to prove or may want to gain assurance that their systems are not susceptible to known vulnerabilities.
Traditionally, security penetration testing has been a technically focused assessment technique that tests systems in isolation. We can assist our clients using a structured security penetration testing methodology.
Web application security assessment
Organisations are re-using their web-based environments for the deployment of internal and external (client-facing) applications. This paradigm shift has resulted in a parallel shift in security: whereas past attacks targeted networks, today’s attacks target the applications that run on top of them. The increasing intranet and internet deployment of web-based applications exposes these companies to different risks that need to be carefully assessed and addressed.
PwC’s threat and vulnerability management practice is dedicated to the critical task of protecting the enterprise. The activities in this area range from traditional firewall and host security mechanisms to dealing with the increased security risks that are an outgrowth of ever-expanding network infrastructures.
Architecture, Applications and Network Security
When it comes to the core technology security challenges, our Architecture, Applications and Network Security team really knows how to deliver. With experience across all the layers of the security environment, our team is able to provide advice that addresses the detailed technical and industry sector challenges, helping our clients align security with their broader technology and business control environment.
Incident Response and Forensic Investigation
PwC draws on specialised forensic experts with deep technical and security backgrounds who are experienced in complex investigations.
The diagram below depicts typical services and expertise available to clients.
PwC is the trusted partner you can turn to for assistance in preventing an incident or to deal with an incident and to recover effectively and minimise damage.
01. Cyber Investigations
PwC is equipped with the resources and expertise needed to assist a client during a cyber-incident. With what we call the Internet of Things (IoT), we are constantly exposed to threats that can severely affect our operational capabilities.
02. Insider Investigations
Research consistently shows that insider threats are the most common as well as the most damaging of all the digital threats analysed. Organisations need to continuously apply controls to make sure that no internal staff member can use the digital and physical assets present within the organisation to undermine it. The most common situations involve the copying or manipulation of data, and fraud.
03. Malware Attacks
Malware is a lethal tool that cyber criminals resort to in order to deliver widespread automated attacks on their victims. Using malicious software, criminals and terrorists have been able to hit out at a wide range of victims.
04. Social Engineering Methods
Social Engineering is the art of psychologically manipulating human activity. Technology today allows such an attack to be carried out without any physical presence or physical action.
05. Evidence Preservation
Procedures used during disaster recovery and business continuity plans usually change or erase evidence pertaining to the incident. This presents a critical problem of accuracy and consistency of data during analysis and undermines its use in court prosecutions.
06. Expert Witnessing at Courts
We want to make sure that we are there to assist our clients at all phases of an incident, including during court hearings. Should our client opt to proceed to a court prosecution, our experience and reporting techniques can help present the findings of the incident analysis in a way that is scientifically and forensically sound. We can also provide court testimony during court hearings should it be necessary.
07. Incident Response Training
As a proactive measure to minimise damage and preserve evidence if or when an incident happens, PwC offers internal staff training on how to behave during an incident as well as how to preserve the original evidence present at that critical time.
Corporate cybersecurity incidents are by definition unpleasant, disruptive and stressful for many areas within an organisation: management, IT and operations, as well as anyone who may have been the “weak link” that was exploited.