
PricewaterhouseCoopers' integrated approach to Security Strategy and Planning

Virtually all organisations have invested in security to protect information assets. However, increasing threats and changing business models (the inclusion of outsiders into the internal technology environment, for example) call into question whether security efforts are meeting business needs as effectively as possible. The misalignment that currently exists between security efforts and business objectives must be addressed. Recognising these competing and sometimes conflicting security objectives, our Security Strategy & Planning Service helps strike the appropriate balance between asset protection and process enablement, reviewing security initiatives against their associated costs and justifying the cost of such initiatives in terms of enhanced services, increased efficiency of existing services, or mitigation of business risk. The resulting security strategy is designed to set the direction of the organisation and focus security resources on the areas of greatest value. Our knowledgeable consultants use proven methodologies that identify third-party compliance, risk management and competitive requirements to envision and plan for a balanced approach to security.

Our Approach
PricewaterhouseCoopers has developed reliable methodologies to help organisations build enterprise-level information protection programmes, or Enterprise Security Architectures (ESA). The approach is based on the Information Security Framework shown below.
[Figure: Information Security Framework. Labelled components: Security Vision and Strategy; Senior Management Commitment; Decision Drivers; Technology Strategy & Usage; Business Initiatives & Processes; Training and Awareness Program; Vulnerability & Risk Assessments; Enterprise Security Architecture Design; Policy; Security Model; Security Architecture and Technical Standards; Tools and Methodologies; Administrative and End-User Guidelines and Procedures; Enforcement Processes; Monitoring Processes; Recovery Processes; Information Security Management Structure.]

The Information Security Framework, like any architecture, has many different building blocks that, combined, form a solid foundation and structure. The result is a comprehensive, cohesive model for information protection that takes into consideration all of the aspects of an organisation, from business processes to technologies to individual employees. The ESA defines the Information Security Strategy that consists of layers of policy, standards and procedures, and how they are linked. The ESA is crucial to a successful information security programme. Without an established ESA to govern the infrastructure, adequate security cannot be achieved.

Even the most sophisticated companies can find their approach to security focuses on individual components, specific events and responses to emergencies as they occur. Staff are kept busy solving individual problems, but problems keep occurring because root causes aren't addressed. Such an approach can lead to islands of security in a sea of risk. Our suite of proven services, coupled with incomparable security know-how, helps you progress from a fragmented, emergency-response mode to one focused on the continued well-being of the whole enterprise.


Our Service Offerings


Strategic Assessment and Planning
We determine where your organisation stands with regard to security, and work with you to develop long-term plans for building a proactive, comprehensive security programme focused on business needs. Services in this area may include:

- Organisational Assessment: To assess if current security functions fit the needs of the overall business.
- Framework Gap Analysis: To compare current security functions with our best-practice model.
- Security Benchmarking: To measure current security functions against those of other organisations of the same size in the same industry.
- Strategy Development: To design the structure of your future security programme, and establish a path to achieve it.
- Development of the Security Management Framework: This framework includes the following key areas:
  - An Executive and Detailed Information Security Policy.
  - The Information Security Management System specific to the organisation's needs will be defined.
  - Key risk assessments to identify the threats to assets, vulnerabilities and impacts on the organisation.
  - The areas of risk to be managed will be identified based on the organisation's information security policy and degree of assurance required.
  - Selection of appropriate information security control objectives and controls for implementation by the organisation.

In addition, we assist you throughout the development, implementation and maintenance of your information protection programme, helping you implement a control-based, measurable security programme. Some of the services in this area include:

- Technical control development.
- Technical security architectures.
- Asset inventories and information classification.
- Security awareness and training programmes.
- Standards implementation planning and rollout.
- Metrics development and reporting.
- Develop a Security Road Map and maturity plans.
- Develop strategic and tactical security plans.
- Provide security management education.
- Provide Security Governance assistance.

In Summary
PricewaterhouseCoopers has made significant investments in the security industry in the form of thought leadership, security roundtables, and proven methodologies based on our experience in a myriad of security engagements. We have a comprehensive library of security knowledge, and our professionals have extensive experience in a variety of industries. That's why when you engage our Security Strategy & Planning Service, you truly gain a trusted security advisor.

Contact details
For further information, please contact:

Angeli Hoekstra Tel. (011) 797 4162 / 082 783 1371 E-mail: angeli.hoekstra@za.pwc.com

Diane Kelway Tel: (011) 797 4705 / 082 575 6867 E-mail: diane.kelway@za.pwc.com
