
www.pwc.ru/riskassurance

PwC's capability statement


Information Security Services
2014

PwC's information security team


We have 500+ information security professionals who are part of a
global network of more than 154,000 people in 153 countries. In Russia
we have a team of 5 professionals with a focus on information security.
We use specialists in process improvement, value management, change
management, human resources, forensics, risk, information security
and our own in-house legal firm.
We leverage well-established PwC tools and methodologies to ensure
rigour, control and the application of good practice to meet the
individual needs of each client.
Our information security team has been recognised by Forrester as a
Leader in Information Security and IT Risk Consulting.
We actively participate in industry forums such as RISSPA, The
Information Security Forum, The Security Awareness Special Interest
Group, (ISC)² and The Institute of Information Security Professionals.

PwC

Our information security offerings


Our integrated approach draws on the
skills of a wide range of people across our
organisation, recognising the complexities
and multi-faceted nature of information
security.

Setting direction: Security Management
Security strategy development, organisational review, security metrics
design, management reporting design, return on investment review,
stakeholder and user buy-in.

Creating a sound framework of control: Governance, risk and compliance
Risk, policy, standards review and development, ISO and regulatory
compliance review, privacy review and design, awareness raising, training.

Identifying and remediating information risk: Threat and Vulnerability Assessment
Vulnerability scanning, penetration testing, vulnerability remediation,
patch management, threat monitoring, open source monitoring, content
monitoring.

Securing the IT infrastructure: Architecture, Applications and Network Security
Security architecture development, application code review, IAM review
and design, security controls design, ERP security, network security design.

Managing incidents: Incident Response and Forensic Investigation
Incident response process review and design, incident response services,
forensic investigation and readiness.

Responding to major incidents: Business Continuity and DR Planning
Business Continuity assessment services, BCM review and design, DR
Planning review.

Diagram centre: People, Process, Technology


Security Management

How can PwC help?

PwC is able to leverage its broad experience and deep specialist skills
to assist clients with:

Security strategy development
Organisational reviews
Security metrics design
Management reporting design
Return on investment reviews.

Case study

The benefits of a security strategy

Critical Business Issues:
The client was in constant firefighting mode and had suffered
several high-profile data breaches. The business units were very
siloed and were not aware of key projects or initiatives that could
impact them.

PwC's Approach:
PwC set up a facilitated workshop with 10 senior executives from
across the business with the goal to:

Align key objectives with the business
Help establish clear direction / leadership
Clarify key roles / responsibilities
Identify possible cost savings and ensure stakeholder support

Following the workshop PwC provided the client with a detailed
security strategy report, recommendations and identified several
areas of overlap that resulted in significant cost savings.

SecurityATLAS™ (diagram). Labels: Leadership; Alignment; Governance;
Regulatory and Policy Compliance; Information Protection Architecture;
Identity Management; Physical Security and Investigations; Threat and
Vulnerability Management; Awareness and Education; Privacy and Data
Protection; Service Delivery.


Architecture, Application and Network Security

How can PwC help?

PwC has a proven track record in the area of governance and
compliance with market leading expertise in:

Policy and standards review and development
ISO 27001 and PCI DSS compliance reviews
Data privacy review and design
Security awareness raising and training.

Case study

The importance of information security policies

Critical Business Issues:
The client's existing policies were poorly written and difficult to
interpret. Continued pressure from the FSA on the importance of
clear and easy to reference policies was of great concern to the
client.

PwC's Approach:
PwC helped develop an IT Governance and risk and controls
framework based on current IT best practices such as COBIT and
ISO 27001 and then deployed the framework across 20
locations/business units in 18 countries.
The project included the implementation of global policies,
standard risk assessments and a standard set of controls for
information assets.
PwC provided specialists who were able to train the client's staff
and validate the implementation of the risk assessments and
controls across all locations.


Information Risk Management

How can PwC help?

PwC leverages its deep expertise, standard methodologies and
experience in the area of information risk management to assist
organisations with:

Information risk assessments
Information risk assessment reviews and design
Data leakage reviews
Vulnerability assessments.

Case study

The importance of identifying and managing risk

Critical Business Issues:
A large global financial institution wanted to ensure that it
maintained and protected all information it stores in accordance
with its value and sensitivity. The organisation also sought to
manage the risk to which it was exposed in a manner consistent
with legal, regulatory and contractual requirements.

PwC's Approach:
PwC conducted a baseline review of the client's current
information risk management capabilities.
PwC identified the key information risks that the client faced and
the maturity of the client's capabilities to manage these risks.
PwC performed a detailed analysis of the maturity of the client's
capabilities and provided detailed recommendations to enhance
the client's information risk management framework.


Architecture, Application and Network Security

How can PwC help?

PwC has extensive experience, methodologies and broad relationships
with leading technology vendors to help provide expertise in:

Identity and access management review and design
Security architecture development
Application code reviews
Security controls design
ERP security and network security design.

Case study

Implementing an effective user access and entitlement management platform

Critical Business Issues:
A large global commercial banking organisation faced numerous
issues with existing user access and entitlement management
processes, resulting in adverse internal and external audit findings
as well as operational inefficiencies.

PwC's Approach:
PwC helped the client design a buy vs build assessment to
compare their existing recertification platform to vendor products.
Following the evaluation, the client decided to implement a vendor
platform and PwC assisted the client team in presenting a business
case for the move to a vendor platform.
Once the client had selected a vendor, PwC worked closely with the
client on managing the implementation of the new platform.
Finally, PwC provided support for the end-to-end recertification
process including the de-provisioning of invalid accounts.

Figure: EAEM Phase 2 Conceptual Design, Recertification & Provisioning.
Diagram labels:
Sources: App 1 to App N; Legacy to Legacy N; HR database; Identity store; Organisation Chart; Leavers & movers feed.
Central Access & entitlement repository: access and entitlement data consolidated in a central repository; Role mining & definition; Recertification & rules engine.
Periodic Recertification: access and entitlements report presented by user; access and entitlement data sorted using User rather than Application; recertification performed by Line Manager.
Exception reports (Toxic Combinations, leavers, movers) for action.
Fully instrumented management reporting for governance and monitoring.
Provisioning Infrastructure: Self Service/Automated Provisioning; Role-based provisioning; Legacy provisioning; provisioning performed by the Centralised/Offshore Security Administration Group.
Example recertification view: Director (Equity Derivatives); FO Equity Derivatives Manager: 1. User A, 2. User B, 3. User C; BO Finance & Control Manager: 1. User B, 2. User E, 3. User F.

Incident Response and Forensic Investigation

How can PwC help?

PwC draws on specialised forensic experts with deep technical and
security backgrounds who are experienced in complex investigations.
Areas of expertise include:

Incident response process review, design and rectification
Incident response services
Forensic investigation and readiness
Fraud risk assessment.

Case study

A public investigation and review following the loss of confidential data

Critical Business Issues:
As a result of the loss of two discs containing child benefit data, the
client commissioned a public review. The terms of reference of
this review were to establish the circumstances that led to the
significant loss of confidential personal data on child benefit
recipients.

PwC's Approach:
The PwC engagement incorporated the following phases: a forensic
investigation, a review of policies and procedures, and a series of
recommendations.
The forensic investigation focused on establishing the facts leading
to the loss of confidential data.
The policies and procedures review focused on the adequacy of
existing policies and procedures.
Finally the review incorporated a detailed series of
recommendations including the setting of information security
targets in line with ISO 27001.


Threat and Vulnerability Assessment

How can PwC help?

PwC deploys market leading tools and methodologies in the field of
threat and vulnerability assessment, leveraging our global network, to
provide services including:

Vulnerability scanning and penetration testing
Vulnerability remediation
Patch management and threat monitoring
Open source monitoring and content monitoring.

Case study

Understanding where to focus your resources

Critical Business Issues:
A large international bank had suffered several attacks from an
external agent trying to access the bank's systems and data.
Despite lengthy internal investigations they were unable to identify
what weaknesses and systems had resulted in the attacks.

PwC's Approach:
PwC provided a full perimeter review which covered networks,
operating systems and applications as well as POTS (war dialling).
The PwC team produced an exhaustive report with prioritised
recommendations with which the client was able to resolve and
mitigate the vulnerabilities which had been identified.


Contact details
Michael Hurle
Partner
Tel.: +7 (495) 223 5039
michael.hurle@ru.pwc.com

Chris Gould
Partner
Tel.: 7 (495) 232 5438
christopher.gould@ru.pwc.com


PwC Russia (www.pwc.ru) provides industry-focused assurance, tax, legal and advisory services. Over 2,600 professionals working in PwC offices in Moscow, St Petersburg, Ekaterinburg, Kazan, Novosibirsk, Rostov-on-Don, Krasnodar, Voronezh, Yuzhno-Sakhalinsk and Vladikavkaz share their thinking, experience and solutions to develop fresh perspectives and practical advice for our clients. The global network of PwC firms brings together more than 184,000 people in 157 countries.
© 2014 PricewaterhouseCoopers Russia B.V. All rights reserved.
PwC refers to PricewaterhouseCoopers Russia B.V. or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate legal entity.
