
Page 1: KPMG's Cyber Practice - KPMG Institutes · KPMG's Cyber Practice | 1 About KPMG Cyber KPMG Cyber assists global organizations in transforming their security, privacy, and continuity

KPMG's Cyber Practice

kpmg.com

1 | KPMG's Cyber Practice

About KPMG Cyber

KPMG Cyber assists global organizations in transforming their security, privacy, and continuity controls into business-enabling platforms while maintaining the confidentiality, integrity, and availability of critical business functions. Our approach to strategic cyber security and information protection services is aligned with client business priorities and compliance needs.


Drivers impacting information security

External threats
Organized crime, nation-states, cyber espionage, hacktivism, insider threats
• Are our incident response and monitoring programs tuned to catch the attacks of today and not those of five years ago?
• If all security fails at some point, are we prepared to fail gracefully by having a defined incident response program?

Change in the way business is conducted
Cloud computing, big data, social media, consumerization, Bring Your Own Device (BYOD), mobile banking
• Why are we struggling to keep up with the requirements of fast-changing operational risk mandates?
• How do we provide executive committees the required insight into risk and compliance across the stack of enterprise IT?
• Does our monitoring process also identify risks to the business?

Rapid technology change
Critical national infrastructure, smart metering, internet of all things
• Can we efficiently architect, assess, deploy, and monitor security controls in our hybrid (cloud and non-cloud) environments?
• Can we extend our existing security compliance management policies, controls, auditing, and monitoring practices to infrastructure, applications, and data residing in cloud environments?

Staying ahead of the threats
Strategic shift, situational awareness, intelligence sharing, cyber response
• How are we measuring the right things to show our stakeholders that we are being effective and successful?
• Are we taking advantage of threat intelligence (internal and external) to become more proactive?
• Are we extending our risk awareness to our supply chain and external vendors?

Regulatory compliance
Data loss, privacy, records management
• Do we know what sensitive information we have, where it is stored, who has access to it, and how it is destroyed?
• Do we know what sensitive information is being sent outside of our organization to third parties or to the cloud?
• Do we store or process sensitive personally identifiable information that is protected by industry or national regulations?
• Are we spending too much time and money coordinating controls testing activities?


KPMG’s approach to cyber risk

Our approach – Keep it simple

KPMG’s approach to information security services is designed to be simple and effective—aligned to the needs of our clients in resolving their security challenges, and following a Prevention/Correction/Detection/Response model.

PREVENTION
Helping clients assess their cyber maturity against industry standards and develop a security target operating model and strategy.

CORRECTION
Helping clients stay secure and assured as their broader business and technology programs evolve and mature.

DETECTION
Helping clients build and improve their cyber security, supported by the right people, organization, and technology.

RESPONSE
Helping clients detect and respond to cyber incidents, and understand the threat to their business, their vulnerabilities, their risks, and forensic preservation.

[Figure: the four stages are laid out on a Pre-Breach / Post Breach timeline, aligned with client business priorities and compliance needs.]

KPMG Cyber is segmented, which allows KPMG professionals to become specialists, providing our clients with the right resources for any particular information security related need. Furthermore, our professionals draw on other segments to bring the entire Cyber practice to any client engagement. Below is the breakdown of our practice along with our observations of the market impacts.


Core capabilities

A representative sample of KPMG Cyber capabilities is organized below.

STRATEGY & GOVERNANCE
• CyberSecurity/Maturity Assessment
• Security Strategy Alignment w/Business Goals/Objectives
• Metrics/Reporting/Dashboards
• Security Organization & Governance
• Security Architecture
• Policy & Procedure Improvement
• Privacy Strategy & Assessment
• Social Media Strategy, Policy Development, and Monitoring
• Data Governance Strategy Development
• Enterprise Risk Management
• Vendor Security/Privacy Programs
• Compliance/Framework Gap Assessment
• Business Impact Assessments
• Business Continuity and Disaster Recovery Planning and Coordination
• High-Availability Design and Implementation
• Crisis Management and Contingency Planning
• Information Security Metrics

CYBER RISK
• Global Vulnerability and Penetration Security Assessment
• Malware Assessment
• Application/Host/Database Virtualization Security Assessment
• Mobile Application Code Security Review and Integration
• Forensic Analysis and Support
• Cloud-based Security Assessment
• Security Operations Center Strategy, Design and Implementation
• Vulnerability and Incident Management Strategy, Design, and Implementation
• Security Analytics
• Log Management, Security Monitoring, and Analysis
• Incident Response Program
• Technical Remediation Activities

TRANSFORMATION AND IMPLEMENTATION
• Identity and Access Management (IAM)
• IAM Current-State Assessment
• IAM Strategy and Road Map
• Privileged User Management
• Cloud IAM
• IAM Project Governance
• Role Management/Engineering
• Access Certification and Compliance
• Identity Federation
• Access Management and User Provisioning
• Archer and IT Governance, Risk, and Compliance (GRC) Integration and Implementation
• Vulnerability Management/Incident Response Program Integration with GRC Solution
• Logging, Monitoring, and Analytics
• Asset Protection
• Security Program Delivery
• Industrial Control Systems Security
• Information Security Metrics

CYBER RESPONSE & INVESTIGATIONS
Investigation Services:
• Cyber Investigation & Digital Evidence Recovery
• Cyber Investigation Assessment Response
• Merger and Acquisition (M&A) cyber due diligence
Preventive Services:
• Cyber Threat Risk Assessment
• Third-Party Threat Intelligence Model Development
• Cyber Attack Detection Program Development
• Cyber Awareness Training
• Malware Analysis
• Cyber Threat Intelligence “Red Team” Service
• Corporate Intelligence Services

Observations of the market impacts, by segment:

STRATEGY & GOVERNANCE
• The threats remain unpredictable—our clients are increasingly under attack from governments, criminals, hacktivists, and insiders.
• The topic is becoming increasingly business-oriented and the focus of board and C-level conversation and action.

CYBER RISK
• The time frame to detect and respond to cyber breaches is in the order of weeks and months—clients are not able to respond effectively.
• High-profile cyber issues are driving the desire for improved preventative threat and risk intelligence.

TRANSFORMATION AND IMPLEMENTATION
• Our most successful projects have been large-scale security transformation programs.
• Our clients have realized a need to transform and mature their security capabilities—reducing risk and allowing adaptability in a volatile threat landscape.

CYBER RESPONSE & INVESTIGATIONS
• Ongoing high-profile cyber breaches are resulting in increased regulatory and business impact.
• Clients need to forensically collect and analyze certain data related to the breach to secure evidence and support legal and law enforcement investigations.


Responding to the cyber threat

The scenarios below describe high-level actions to guide organizations on responding to the cyber threat.

A Cyber Breach is “Suspected”
Your organization is notified by an external partner that they believe your company may have been “hacked” and your customer data may be at risk. What do you do?
• Prepare to conduct an investigation.
• Contact Law Enforcement.
• Prepare Communication Strategy.
• Conduct Immediate Impact Assessment.
• Determine Preliminary Legal Approach.

A Cyber Breach is “Confirmed”
You have now confirmed that an unauthorized individual or team has gained access to your systems and data. You’re not sure exactly what was accessed or what may have been lost. What next?
• Continue the investigation.
• Contact Law Enforcement.
• Approve Communication Strategy.
• Update Impact Assessment.
• Finalize Legal Approach Strategy.

Data Loss is Validated
You now know, with some degree of certainty, what data has been lost and who is likely impacted. The methods and approaches are understood and have been tactically remediated. How do you respond?
• Prepare notification approach.
• Execute Communication Strategy.
• Enter Business Resumption Mode.
• Establish Proactive Legal PMO.

How to Regain Stakeholder Trust
You have completed your obligations under the various Data Breach notification requirements. Security vulnerabilities have been remediated. How do you regain the trust of customers and regain market momentum?
• Provide Transparency.
• Establish Ongoing Security Improvement Plan.
• Establish Executive & Board Priorities.
• Conduct a Post Mortem.


Stages of Response after a Cyber Breach

KPMG's approach to responding to cyber breaches follows the React/Respond/Transform/Sustain model below.

Phase: REACT
Focus: Understand the issue
Timeline: 30–60 Days
Key activities:
• Legal evaluation for impact
• Forensic investigation
  – Discovery and evidence preservation
  – Validation of data
  – Report on findings
• Communications to customers, internal stakeholders, and key business partners
• Impacted by regulatory and legal expectations
• Written notice and disclosure as required
Key participants: Incident response team, exec. team, key customers and vendors, IT management, legal, public/investor relations, corp. communications

Phase: RESPOND
Focus: Address key concerns and gaps
Timeline: 3 Months
Key activities:
• Define governance for tactical remediation and future response
• Understand the control environment
  – People
  – Process
  – Technology
• Build a tactical plan
  – Ensure root cause is addressed
  – Plan to remediate all known gaps
Key participants: Incident response team, IT management, vendors, legal, business stakeholders, information security, internal audit

Phase: TRANSFORM
Focus: Change organizational perspectives
Timeline: 6–12 Months
Key activities:
• Define the control framework
  – Regulatory
  – Business Expectations
• Update policies and procedures
• Implement awareness campaigns
• Classify data and map regulations to data elements
• Deploy technical control solutions
  – Encryption
  – Access control
  – Security event mgmt.
  – Data loss prevention
  – GRC
Key participants: Information security, IT team, executive management, business stakeholders, vendors, internal audit

Phase: SUSTAIN
Focus: Create sustainable approaches
Timeline: Ongoing
Key activities:
• Clearly align responsibilities and accountability to performance needs
• Implement metrics and key performance indicators
• Create a monitoring program to help ensure adherence
• Review reports
• Review the program at specified intervals
Key participants: Information security, IT team, business stakeholders, internal audit


Strategy and governance: Case study 1
Large Healthcare Payer: Security and organizational strategy and road map

Area of assistance
✓ Conduct an information security program architecture assessment
✓ Develop different information security strategies
✓ Build out the selected security strategy and provide recommendations

Background/client challenges
• After suffering a HIPAA breach, the client completed an assessment and was provided recommendations on how to improve their organization based on industry standards and better practices. One of the recommendations was for KPMG to assist the client with an information security program architecture assessment, in which KPMG enumerated different information security strategies; based on the decision of the client’s management, the client then built out the selected security strategy

Key activities
• Assisted in performing a current-state analysis by reviewing existing organizational structures and processes
• Held facilitated workshops with key stakeholders to align the security strategy with the goals and plans of their areas
• Defined future-state metrics and developed detailed organizational structures around those metrics. The client was provided with the pros and cons of each model to support the decision process
• After the client chose the desired organizational model, they were provided with recommendations and key considerations for the selected model

Outcomes
• Developed an Information Security Service Offering Model
• Provided the client with recommended oversight and/or operations control per security organizational domain
• Estimated skillsets and levels for each organizational domain, including high-level job requirements and skills definitions for the client to populate job descriptions
• Provided the client with a capabilities interaction mapping between their Information Security Governance and Security Operations and other elements of IT operations, together with a RACI


Transformation: Case study 2
Leading investment bank: GRC strategy, road map, and implementation

Area of assistance
✓ Develop an IT GRC road map with detailed requirements and design for each GRC component
✓ Implement the different modules of the GRC solution as per the road map, in order to have a single point for all assets, risks, and controls

Background/client challenges
• The client is undergoing significant organizational changes. As part of the restructuring efforts, the client began a process of rationalizing its governance, risk, and compliance processes. The client had recently begun the development of a common risk and control framework within which all GRC disciplines would operate. The client required assistance with developing a road map for onboarding the various disciplines onto the GRC program and deploying a tool to standardize and automate GRC practices across the organization
• The client also wanted to use Archer to achieve a single view of risk and control data and a single point for management to obtain details on all issues identified across the enterprise, through customized management reports for the various business units within the organization as well as for external auditors

Key activities
• Assisted in performing a current-state analysis by reviewing existing GRC-related processes and technology. Conducted workshops and reviewed key GRC process inputs/outputs and reports
• Assisted in the alignment of existing processes and data structures with the enterprise-wide GRC framework and in the identification of automation opportunities
• Assisted in implementing Archer’s compliance, enterprise, and risk management solutions through all stages of the delivery (i.e., functional and technical requirements gathering/analysis, prototype design and development, build and refine, test, and deploy to production)
• Developed detailed end-user training documentation

Outcomes
• Integrated GRC framework, comprising a centralized risk and control library, common governance structures, and processes for using GRC data across the enterprise
• GRC deployment road map, establishing clear requirements and milestones for the onboarding of new disciplines
• Process automation achieved through the Archer deployment (compliance management, enterprise management, audit management, policy management, and incident management modules)
• Increased consistency and transparency from enterprise-wide alignment of GRC structures and processes
• Increased efficiency from automated workflow and reporting of GRC processes
• A centralized view of GRC issues, events, and unresolved findings, with improved accountability and tracking
• Cost savings from the ability to reuse data and processes across departments (e.g., control testing data, risk data)


Cyber risk: Case study 3
Global automotive manufacturer: Technical security assessment

Area of assistance
✓ Security strategy and risk assessment assistance
✓ Technical security assessment assistance
✓ Architecture design assistance
✓ Operational security process improvement assistance

Background/client challenges
• The client looked for assistance with moving their existing security program from technology-focused to business-risk-focused
• Increased complexity of security issues due to the size of the environment; the client had operations throughout the world
• There were challenges with both strategically and tactically managing such a large number of security issues, along with managing remediation plans

Key activities
• Executive interviews
• Security awareness assessments and social engineering
• Web application security reviews
• Network vulnerability scanning
• Physical site reviews, including rogue wireless detection

Outcomes
• Reported assessment results as risk-based heat maps with root causes and actionable recommendations, providing the foundation for leadership to focus spend and better align security projects
• Assessed and reported vulnerabilities from a life cycle standpoint to gain insight into root causes and to allow for repair of foundational issues
• Developed security metrics to provide a normalized measure for comparing vendors, regions, platforms, and physical facilities. This allowed the organization to draw the link between security findings and operations
• Streamlined findings acceptance from vendors, resulting in faster remediation and reduced time spent debating the technical validity of results


Cyber response and investigations: Case study 4
Global e-commerce company: Security monitoring and incident response

Area of assistance
✓ To provide security services around security monitoring and intelligence
✓ To enhance event correlation across the various security devices in the environment
✓ To assist global information security with Security Information and Event Management deployment across different environments
✓ To provide investigative services in response to information technology incidents

Background/client challenges
• The client needed to correlate and analyze security events across 10 subsidiaries and link them with its corporate security monitoring environment in order to detect security events and take action.
• The client wanted to bring this solution in-house from an outsourced model, which required reconfiguring and reinstalling its monitoring capabilities and redesigning the infrastructure.
• The client could not effectively correlate and analyze security events from its production environments or link them with its central (PROD) security monitoring environment to take corrective actions.
• The client could not effectively respond to security incidents due to a lack of resources and/or capabilities.

Key activities
• Developed a list of critical infrastructure items in scope where the SIM solution would be deployed.
• Developed the architecture and data flow for the various event logs in scope.
• Identified whether SIM servers and related connectors needed to be upgraded; where an upgrade was required, performed and tested it prior to migration to production.
• Redirected the logs to the internal SIM console for testing and validated the results with the respective teams.
• Coordinated activities with subsidiaries, information security, and the IT operations team, and reported event metrics.
• Developed and tested new event correlation rules based on the requirements and implemented them in production.
• Collaborated with the client’s information security team to respond to security incidents and provided evidence details of the security scenario, acting as an extension of the client’s own forensic analysis team.

Outcomes
• Developed and tested the new event correlation rules in production environments across different business adjacencies and in the central (PROD) environment.
• Deployed SIM across different business environments.
• Provided forensic evidence to remediate a number of security incidents.


About KPMG Cyber

Global footprint

We have:
• A global team of 1,700+ people
• Established offshore capability with 1000+ professionals based in Bangalore and Gurgaon
• A client base of over 1,750 clients

[Map of regional growth plans; labels recovered from the figure:]
• US: Organic growth to 500 by 2016, 7 acquisition targets
• UK: No 1 in market, growing to exceed all other Big 4 combined by 2016 (team of circa 500)
• Germany: Growing from 60 to 200 staff by 2016
• Nordics: Investing in hub
• ASEAN: Investing in hub
• LatAm: Investing in hub
Key: Top ten strategic markets / Further potential growth markets / Other markets


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. NDPPS 365706

Contact us

Michael Ebert, Partner – M: 856-404-2764, T: 267-256-1686, [email protected]
Ronald Plesco, Principal – Forensic Cyber – M: 412-953-0777, T: 717-260-4602, [email protected]
James Wilhelm, Director – M: 215-913-8440, T: 267-256-7271, [email protected]
Kenneth Brown, Director – M: 267-337-2329, T: 267-256-3096, [email protected]
Matthew Sadler, Director – M: 717-649-6464, T: 717-260-4617, [email protected]
Kerri Murphy, Manager – M: 732-267-3547, [email protected]

kpmg.com/socialmedia

kpmg.com