Documente Academic
Documente Profesional
Documente Cultură
com
Chicago IIA/ISACA
2nd Annual Hacking Conference
October 2015
Introductions
Paul Hinds
Managing Director
Cybersecurity and Privacy Practice
Chicago, IL
paul.hinds@pwc.com
David Eccles-Ambrose
Senior Associate
Cybersecurity and Privacy Practice
Chicago, IL
david.eccles-ambrose@pwc.com
• What sensitive data does the company collect, use, disclose, dispose, etc.?
• Is there a process to ensure customers are provided proper notice, choice, and consent with respect
Sensitive
2 Information
to the company’s data collection, use, and disclosure practices?
• How does the company ensure data practices comply with customer privacy notices/policies?
• Has the company classified and inventoried that data?
• Has the company's data been exposed – and would management know if it were?
• Does the company know what breach indicators it should be monitoring?
3 Threats •
•
Has the company released any new products that collect PII/SPI (i.e., websites, mobile apps, etc.)?
Has the company introduced any new technologies that access or store sensitive information (i.e.,
mobile devices , social media sites, cloud service providers, etc.)?
• Has the company established formal governance and controls around the data privacy lifecycle (i.e.,
Building notice, consent/choice, collection, access, disclosure, use, retention, disposal, security, etc.)?
4 Protections • Are such controls and safeguards periodically tested and monitored?
• Have the controls and safeguards been updated to respond to changing business models?
• Has the company established formal plans to respond to privacy and security incidents when they
occur?
Responding to
5 Incidents
• Is there a cross-functional team in place to monitor, investigate and respond to incidents?
• Is the company prepared to respond to legal actions?
• If a regulator were to inquire or investigate, would the company be prepared to respond?
Threat and Vulnerability Management (TVM) October 2015
PwC 6
Having a Program In Place to Protect Data
A comprehensive program is needed to address the myriad of compliance
requirements, and to protect consumer information and sensitive company
information.
Incident
Response Governance
Training &
Processes &
Awareness
Controls
Technical
Security &
Controls
www.pwc.com/gsiss2015
Threat and Vulnerability Management (TVM)
Programs
Why?
1
• Acquire running state information from information technology network
Baseline Network Scan Customize and tune
•
using WMI/Linux shell scripts
Configure scanning tools to network specifications our solution for the
• Use initial scan data to represent current state of network client network
2
• Review and analyze collected running process information for Determine present
Analysis of Running
Processes •
workstations and servers
Analyze for statistical anomalies and compare against our proprietary list
state deviation from
baseline
of known breach indicators
3
• Review collected information for network connections
May request certain log data from monitoring technologies for analysis
Correlate end-point
Network Log Analysis
•
(firewall, proxy, Web server, Intrusion Detection System, etc.) results with expanded
• Provide a thorough picture of the state of the network network knowledge
4
• Work with internal information technology teams to determine business
Validate technical
Output Analysis / Threat
Intelligence Review
justification for processes and network connections that exist within
environment results and build
threat profile
• Establish baseline limited to authorized system or network activity
5
• Categorize the assessment observations by risk in a detailed observations Document results for
Report Findings
•
matrix for leadership to review
Business impact discussion with key stakeholders
stakeholder
remediation decisions
TVM Security
Actively monitoring and enhancing Strategy & Detecting breaches, rogue
the TVM program Planning technologies, and malicious activities.
Threat and
vulnerability
management
program
Program ownership
Policy and procedures
Integration with risk management
Security intelligence
Communication and tracking
Controls effectiveness evaluation
Threat and Vulnerability Management (TVM) October 2015
PwC 12
TVM Program – Scorecard
Program ownership
Policy and procedures
Integration with risk management
Security intelligence
Communication and tracking
Controls effectiveness evaluation
Threat and Vulnerability Management (TVM) October 2015
PwC 13
TVM Security Strategy & Planning Assessment
Vulnerability scanning
Threat and
Enhance vulnerability scanning capabilities by assessing vulnerability
management
factors such as tools, techniques, scope and frequency program
Nessus, Nexpose, QualysGuard.
Intelligence analysis
Security intelligence should be gathered from multiple
sources and effectively leveraged through use of
Actively identifying asset
intelligence tools.
weaknesses before they can be
exploited by an attack
Threat and
implementation
Planning
Security remediation
Security remediation of the vulnerabilities detected should Threat and
Vulnerability
be a key performance indicator for the security program. Evaluation
Incident response
Adopt mature IT service management (ITSM), i.e. ITIL.
Isolating and resolving asset
security issues once identified
Threat awareness
Enhance the organization’s defenses with security Threat and
vulnerability
awareness activities to educate relevant users on threats. management
program
Reporting
Identify key performance and key risk indicators for
reporting the status of the TVM program and the actions Threat and
Vulnerability
taken in response improve the current capabilities. Evaluation
© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.
PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see
www.pwc.com/structure for further details.
This content is general information purposes only, and should not be used as a substitute for consultation with professional advisors.
PwC US helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms, which has firms in 157 countries
with more than 195,000 people. We're committed to delivering quality in assurance, tax and advisory services. Find out more and tell us what matters to you by
visiting us at www.pwc.com/us.