PricewaterhouseCoopers’ integrated approach to Security Strategy and Planning

Virtually all organisations have invested in security to protect information assets. However, increasing threats and changing business models – the inclusion of outsiders into the internal technology environment, for example – call into question whether security efforts are meeting business needs as effectively as possible. The misalignment that currently exists between security efforts and business objectives must be addressed. Recognising these competing and sometimes conflicting security objectives, our Security Strategy & Planning Service helps strike the appropriate balance between asset protection and process enablement, reviewing security initiatives against their associated costs and justifying the cost of such initiatives in terms of enhanced services, increased efficiency of existing services, or mitigation of business risk. The resulting security strategy is designed to set the direction of the organisation and focus security resources on the areas of greatest value. Our knowledgeable consultants use proven methodologies that identify third-party compliance, risk management and competitive requirements to envision and plan for a balanced approach to security.

Our Approach
PricewaterhouseCoopers has developed reliable methodologies to help organisations build enterprise-level information protection programmes, or Enterprise Security Architectures (ESA). The approach is based on the Information Security Framework shown below.
Figure: Information Security Framework. Building blocks shown, top to bottom: Security Vision and Strategy; Senior Management Commitment; “Decision Drivers”; Technology Strategy & Usage; Business Initiatives & Processes; Training and Awareness Program; Vulnerability & Risk Assessments; Enterprise Security Architecture Design; Policy; Security Model; Security Architecture and Technical Standards; Tools and Methodologies; Administrative and End-User Guidelines and Procedures; Enforcement Processes; Monitoring Processes; Recovery Processes; Information Security Management Structure.

The Information Security Framework, like any architecture, has many different building blocks that, combined, form a solid foundation and structure. The result is a comprehensive, cohesive model for information protection that takes into consideration all of the aspects of an organisation – from business processes to technologies to individual employees. The ESA defines the Information Security Strategy, which consists of layers of policy, standards and procedures, and specifies how they are linked. The ESA is crucial to a successful information security programme: without an established ESA to govern the infrastructure, adequate security cannot be achieved.

Even the most sophisticated companies can find their approach to security focuses on individual components, specific events and responses to emergencies as they occur. Staff are kept busy solving individual problems, but problems keep occurring because root causes aren’t addressed. Such an approach can lead to islands of security in a sea of risk. Our suite of proven services, coupled with incomparable security know-how, helps you progress from a fragmented, emergency-response mode to one focused on the continued well-being of the whole enterprise.

Our Service Offerings

Strategic Assessment and Planning
We determine where your organisation stands with regard to security, and work with you to develop long-term plans for building a proactive, comprehensive security programme focused on business needs. Some of the services in this area include:
• Organisational Assessment – To assess if current security functions fit the needs of the overall business.
• Security Benchmarking – To measure current security functions against those of other organisations of the same size in the same industry.
• Framework Gap Analysis – To compare current security functions with our best-practice model.
• Strategy Development – To design the structure of your future security programme, and establish a path to achieve it.
• Development of the Security Management Framework – This framework includes the following key areas:
 • An Executive and Detailed Information Security Policy.
 • Technical security architectures.
 • Technical control development.
 • Standards implementation planning and rollout.
 • Asset inventories and information classification.
 • Security awareness and training programmes.
 • Key risk assessments to identify the threats to assets, vulnerabilities and impacts on the organisation.
 • Metrics development and reporting.

The Information Security Management System specific to the organisation’s needs will be defined. The areas of risk to be managed will be identified based on the organisation’s information security policy and degree of assurance required. Selection of appropriate information security control objectives and controls for implementation by the … helping you implement a control-based, measurable security programme. Services in this area may include:
• Develop strategic and tactical security plans.
• Develop a Security Road Map and maturity plans.
• Provide security management education.
• Provide Security Governance assistance.

In Summary
PricewaterhouseCoopers has made significant investments in the security industry in the form of thought leadership in security, and our professionals have extensive experience in a variety of industries. We have a comprehensive library of security knowledge, and proven methodologies based on our experience in a myriad of security engagements. That’s why when you engage our Security Strategy & Planning Service, you truly gain a trusted security advisor: we assist you throughout the development, implementation and maintenance of your information protection programme.

Contact details
For further information, please contact:
Angeli Hoekstra – Tel. (011) 797 4162 / 082 783 1371, E-mail: .hoekstra@za.
Diane Kelway – Tel: (011) 797 4705 / 082 575 6867, E-mail: diane.