Staying Ahead of Risk June 2019 ID4AFRICA2019 Presented by: Rakesh Kaul Government & Public Sector Leader PwC India


Page 1

Staying Ahead of Risk

June 2019, ID4AFRICA2019

Presented by: Rakesh Kaul, Government & Public Sector Leader, PwC India

Page 2

Technology is helping solve some of the largest societal problems at scale for the people...

Page 3

…and Identity is the foundation for the "Digital Nation" construct...

Figure: National ID seeding in other Functional ID systems across sectors:

• SOCIAL WELFARE: Social security, Pensions, Food Subsidy, Scholarships, Retirement
• e-GOVERNMENT: Smart Services, Adaptive Planning and Monitoring, Digital documents
• e-HEALTH: Electronic Medical Records, Patient Management, Connected Healthcare
• e-LEARNING: Student Management, MOOCs
• SMART UTILITIES: Smart Meter Management
• e-SECURITY: Image Surveillance, E-sign
• e-FINANCE: Mobile and Online Banking, Virtual Banks, Peer-to-Peer Money Transfer
• SMART TRANSPORT: Multi Modal Integration
• DIGITAL REAL ESTATE: Property Registration, Property Transfer
• RISK MANAGEMENT

Page 4

…and this Identity Ecosystem needs to be reliable and resilient...

Figure: Identity Ecosystem around the National ID Lifecycle:

• Biometric Service Provider
• Other Interfaces
• CRM Support
• Letter Printing
• System Integrator
• Research & Innovation
• Others
• Enrolment Registrars
• Enrolment Agencies
• Banks
• Testing & Certification
• Authentication User Agency / eKYC User Agency
• Admin BI Portals

Critical challenges in implementation of National IDs

• Gaps in Legal and institutional environment such as absence of personal data protection
• Privacy of Personal Sensitive Information and Security related risks
• Complicated Enrolment process and the cost associated with getting one enrolled in the National ID program
• Scarcity of Infrastructure and associated challenges
• Sustainability of the Program

Page 5

To make it reliable and resilient, managing risk becomes paramount...

Note: Information regarding the ID programs is based on public information available on the respective newspaper websites

Reported incidents (headlines):

• Personal Information stolen from National ID Database
• National ID program discontinued due to privacy concerns
• Vulnerability in ID cards due to security flaw

Page 6

Staying Ahead of Risk...

Staying ahead of risks: GRC Framework (Governance, Risk, Compliance)

• Governance Framework
• Organization Skill and Capability
• Adoption of the right Framework
• Periodic Assessment
• 24*7 Continuous Monitoring
• Forensics

Page 7

1 Risk

Risk Management - Identify Risks

Objective: Identify risks | Assess risks | Determine risk response

How:

1. Consider the organizational goals & business drivers of NID
2. Scan the internal & external environment and assets of NID
3. Inventory Threat Landscape
4. Historical & forward-looking analyses
5. Inventory key risks that should be assessed and monitored

Key highlights:

• Leveraging Information Security Forum and knowledge repositories
• Early deployment of Risk Simulation and Fraud Analytics to analyse the past incident data and simulate risks

Figure: External Threats, Regulatory Landscape and Internal Threats feed the Risk Register

Page 8

Risk Management - Assess Risks

Objective: Identify risks | Assess risks | Determine risk response

How:

1. Likelihood, impact & correlation using simulations / scenario analyses
2. Identify the interrelationships and concentrations of risk
3. Develop risk rating scales that consider cross-organizational impact
4. Develop a heat map or radar of key risks
5. Update risk appetite and tolerances

Figure: Heat Map of Risk Scenarios against the Risk Limit

• Overall Likelihood axis: Almost Certain, Likely, Occasional, Unlikely, Remote
• Impact axis: Minor, Moderate, Adverse, Significant, Severe
• Impact categories: Reputation, Legal/Regulatory; Earnings, Solvency, Ratings
• Outputs: Risk Appetite, Risk Classification
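The steps above describe scoring each scenario on likelihood and impact, placing it on a heat map, finding concentrations of risk and checking it against the risk appetite. The following is an added worked example, not code from the deck or from PwC: it uses the slide's five-point likelihood and impact labels as ordinal scales, but the numeric weights, rating bands, the RISK_LIMIT value, and the sample register entries (ids R1 to R4, their categories and descriptions) are constructed assumptions for illustration. It goes slightly beyond the slide by totalling scores per category to show where risk concentrates (step 2).

```python
"""Risk assessment worked example: likelihood x impact scoring, a heat map
and a risk-appetite check.

Added example, not code from the PwC deck. The five-point likelihood and
impact labels are the slide's heat-map axes; the numeric weights, the rating
bands, the RISK_LIMIT value and the sample register entries are assumptions
constructed for illustration."""
from collections import defaultdict

# Ordinal scales taken from the slide's axes; position + 1 is the score (1..5).
LIKELIHOOD = ["Remote", "Unlikely", "Occasional", "Likely", "Almost Certain"]
IMPACT = ["Minor", "Moderate", "Adverse", "Significant", "Severe"]

# Assumed risk appetite: any scenario scoring at or above this needs a response.
RISK_LIMIT = 12


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..25 scale; unknown labels raise ValueError."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def classify(s: int) -> str:
    """Map a score to a rating band (band boundaries are an assumption)."""
    if s >= 15:
        return "High"
    if s >= 8:
        return "Medium"
    return "Low"


def assess(register):
    """Score every scenario and flag the ones that breach the risk limit."""
    assessed = []
    for r in register:
        s = score(r["likelihood"], r["impact"])
        assessed.append({**r, "score": s, "rating": classify(s),
                         "breaches_limit": s >= RISK_LIMIT})
    return assessed


def heat_map(assessed):
    """5x5 grid of scenario ids: rows = likelihood (highest first), cols = impact."""
    grid = [[[] for _ in IMPACT] for _ in LIKELIHOOD]
    for r in assessed:
        row = len(LIKELIHOOD) - 1 - LIKELIHOOD.index(r["likelihood"])
        col = IMPACT.index(r["impact"])
        grid[row][col].append(r["id"])
    return grid


def concentrations(assessed):
    """Total score per category: shows where risk concentrates (slide step 2)."""
    totals = defaultdict(int)
    for r in assessed:
        totals[r["category"]] += r["score"]
    return dict(totals)


# Constructed sample risk register; ids, categories and values are illustrative.
REGISTER = [
    {"id": "R1", "category": "Internal threat",
     "desc": "Privileged user exports records from the ID database",
     "likelihood": "Occasional", "impact": "Severe"},
    {"id": "R2", "category": "External threat",
     "desc": "Account-takeover attempts against the eKYC user-agency portal",
     "likelihood": "Likely", "impact": "Significant"},
    {"id": "R3", "category": "Regulatory",
     "desc": "New data-protection law with no compliant retention policy",
     "likelihood": "Likely", "impact": "Adverse"},
    {"id": "R4", "category": "External threat",
     "desc": "Letter-printing vendor loses a batch of mailed ID cards",
     "likelihood": "Unlikely", "impact": "Moderate"},
]

if __name__ == "__main__":
    result = assess(REGISTER)
    for r in result:
        flag = "BREACH" if r["breaches_limit"] else "within appetite"
        print(f'{r["id"]} score={r["score"]:>2} {r["rating"]:<6} {flag:<15} {r["desc"]}')
    print("Concentration by category:", concentrations(result))
    for label, row in zip(reversed(LIKELIHOOD), heat_map(result)):
        print(f"{label:>14} | " + " | ".join(",".join(c) or "." for c in row))
```

Running the script prints one line per scenario with its score, rating and whether it breaches the limit, the concentration totals, and a text heat map. The multiplicative score is the simplest rating scale; the slide's step 3 (cross-organizational impact) would be modelled by weighting the impact categories differently per entity, which this example keeps uniform.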

Page 9

Risk Management - Determine Risk Response

Objective: Identify risks | Assess risks | Determine risk response

How:

1. Identify and design Controls
2. Implement Controls
3. Assess and Test Controls
4. On-going Risk Monitoring

Page 10

UIDAI GRCP Program

In order to effectively mitigate and respond to the risks, it is essential to have robust Governance in place…

2 Governance

Figure: Business Requirement, Contractual Requirement and Laws and Regulations drive Accuracy, Privacy, Security and Availability across People, Processes, Policy and Technology

Vision & Strategy

• Discuss and agree GRC vision
• Align GRC vision with the objective
• Identify applicable regulations and standards
• Identify applicable compliance requirements
• Review and update policy and procedures with respect to information security and privacy

Org. Structure, Roles & Responsibility

• Identify and define GRC organization structure
• Define the Role and Key Performance Indicators (KPIs) for the individuals
• Institutionalize GRC by proposing various groups:
  • Executive Committee
  • Working group

Reporting & Dashboarding

• Define reporting requirements:
  • Type
  • Frequency
  • Mechanism
• Discuss and define communication strategy
• Define integrated Dashboard for various levels:
  • Senior Management
  • Operation team

Page 11

..and regular Compliance checks through continuous monitoring and periodic assessment

3 Compliance

Figure: Business Requirement, Laws and Regulations and Contractual Requirement drive Accuracy, Privacy, Security and Availability across People, Processes, Policy and Technology

24*7 Continuous monitoring

• Monitoring
  • Incident Identification
  • Incident Classification
  • Real Time Device Monitoring
  • Vulnerability & Penetration Testing
  • Security Intelligence
• Advising
  • Incident Notification
  • Awareness & Technology
  • Countermeasures Selection
• Managing
  • Incident Response
  • Incident Recovery
  • Tracking and Tracing

Periodic Assessments

• Planning
  • Audit Charter
  • Understand sub process, controls and risk
  • Prepare work program
• Field Work
  • Process walk through
  • Conduct testing (walkthrough, observations, enquiries etc.)
  • Identify gaps
• Report and closure
  • Prepare draft report (observations, risk rating etc.)
  • Agree and closure

Forensic

• Evidence Extraction and Storage (Acquisition)
  • Appropriate clearances
  • Appropriate chain of custody log
  • Time record
• Review and Analysis
  • Backup of the "original"
  • Time-zone checks
  • Perform testing
• Investigation Completion and Engagement Wrap-up
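The Forensic bullets above (acquisition with clearances, a chain of custody log with time records, analysis on a backup of the original, time-zone checks) map onto a small set of integrity checks an investigator applies before trusting evidence. The following is an added example, not code from the deck or from PwC: it records an acquisition hash, keeps an append-only custody log whose time records are normalised to UTC so entries taken in different zones order correctly, verifies that the working copy still matches the original, and reports custody changes that lack a hand-over record. The evidence bytes, the evidence id EV-001, the handler names, the clearance reference and the timestamps are all constructed for illustration.

```python
"""Chain-of-custody record for acquired evidence, with integrity checks.

Added example, not code from the PwC deck. Demonstrates the forensic bullets:
an acquisition hash, a custody log with time records normalised to UTC
(time-zone check), and verification that analysis runs on a copy whose hash
still matches the original. All names, ids, times and bytes are constructed."""
import hashlib
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """Hash the evidence; in practice `data` would be the disk image file."""
    return hashlib.sha256(data).hexdigest()


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 time record and normalise it to UTC.

    Naive timestamps are rejected: a record without an offset cannot be
    ordered reliably against records taken in another zone."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"time record lacks a time zone: {ts}")
    return dt.astimezone(timezone.utc)


class CustodyLog:
    """Append-only log of who held the evidence, when, and what they did."""

    def __init__(self, evidence_id: str, original: bytes):
        self.evidence_id = evidence_id
        self.original_hash = sha256_bytes(original)  # taken once, at acquisition
        self.entries = []

    def add(self, who: str, action: str, when: str, clearance: str):
        """Record an event; `clearance` is the authorisation the handler holds."""
        entry = {"who": who, "action": action,
                 "when": to_utc(when), "clearance": clearance}
        # Compared in UTC, so a later event logged in a different zone still orders.
        if self.entries and entry["when"] < self.entries[-1]["when"]:
            raise ValueError("time records out of order (check time zones)")
        self.entries.append(entry)
        return entry

    def verify_copy(self, working_copy: bytes) -> bool:
        """True if the working copy still matches the acquisition hash."""
        return sha256_bytes(working_copy) == self.original_hash

    def custody_gaps(self):
        """Pairs of handlers where custody changed without a hand-over record:
        the gap an auditor would ask about when reviewing the log."""
        gaps = []
        for prev, cur in zip(self.entries, self.entries[1:]):
            if prev["who"] != cur["who"] and "hand-over" not in prev["action"]:
                gaps.append((prev["who"], cur["who"]))
        return gaps


# Constructed stand-in for a disk image.
ORIGINAL = b"constructed-disk-image-bytes-0001"


def build_sample_log() -> CustodyLog:
    """Constructed log: acquisition recorded in IST (+05:30), the rest in UTC.
    09:00 IST is 03:30 UTC, so the 04:30 UTC hand-over is in order even though
    the raw clock values read backwards."""
    log = CustodyLog("EV-001", ORIGINAL)
    log.add("analyst-a", "acquisition (write-blocked)",
            "2019-06-18T09:00:00+05:30", "case-auth-17")
    log.add("analyst-a", "hand-over to lab",
            "2019-06-18T04:30:00+00:00", "case-auth-17")
    log.add("analyst-b", "review and analysis on working copy",
            "2019-06-18T06:15:00+00:00", "case-auth-17")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("original sha256:", log.original_hash)
    print("working copy intact:", log.verify_copy(ORIGINAL))
    print("custody gaps:", log.custody_gaps())
    for e in log.entries:
        print(e["when"].isoformat(), e["who"], e["action"], e["clearance"])
```

The time-zone check is the part most often skipped in practice: a log that mixes local and UTC clock values reads as out of order, and the fix is to store every time record with its offset and compare in one zone. The hash comparison is what lets the "backup of the original" bullet be evidenced rather than asserted.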

Page 12

Technology View to the GRC Solution...

Figure: GRC solution architecture over the Identity Ecosystem

• Monitored assets: Network, Servers, End points, Applications, Databases, Security Appliances
• Ecosystem entities: AUA, ASA, Enrolment Agencies, Registrars, Call Center, Logistics, Others; Device Testing & Certification; Op testing & Certification
• Forensic: Disk duplication, Security investigation, Password recovery toolkit, Integrated Disk forensic, Live Server acquisition
• Dashboarding & Reporting
• Modelling: Fraud Detection, Fraud Management, Risk Modelling & Simulation
• GRC: IT GRC, Enterprise GRC, GRC / Forensics
• Periodic Audits: BCP/DR Process Assessments, Security in Change Management, Physical and Environmental Security Awareness, SLA Process Assessments, Root Cause Analysis Assessment, Fraud Risk Assessment and Fraud Management Process Assessment
• Security Information and Event Management (SIEM): Event Correlation & Aggregation, Database Monitoring, Malware Analysis (End Point), Network Monitoring, Malware Analysis (Host), Vulnerability Monitoring, WebApp Security Assessment, Penetration Testing, Source Code Security Assessment
• Infrastructure Partner: Incident Management, Global Intelligence Feed

Page 13

"It is not the strongest of the species that survives, nor the most intelligent, but the most responsive to change."

– Charles Darwin

Thank You

© 2019 PricewaterhouseCoopers. All rights reserved. "PricewaterhouseCoopers", a registered trademark, refers to PricewaterhouseCoopers Private Limited (a limited company in India) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

This publication may not, in whole or in part, be lent, copied, photocopied or reproduced in any form for use. Information/material contained in this publication is of general purpose only and is not intended to provide comprehensive advice and analysis in relation to the subject matter. This publication is not a substitute for specific professional advice. No person should undertake or refrain from any action based on the information in this publication without first seeking the advice from a partner of PricewaterhouseCoopers. PricewaterhouseCoopers does not assume responsibility or liability for any loss or damage which may result from inaccuracy or omission in such material in this publication or from its use and make no warranties, express or implied, in relation to such matters.

Page 14

Benefits of GRC Program

Key risks

• Insiders and ecosystem partners' threats
• Intrinsic vulnerabilities associated with technology such as zero day attacks
• Process vulnerable to fraud
• Changing risk landscape
• Targeted attacks on ID entity
• SLA breaches

Benefits

• Management of existing and emerging risks
  • Early identification of threats for prosecution
• Governance
  • Actionable, real time reporting to ID Entity
  • Ensure closed looping
• Compliance
  • Processes aligned to risks
  • Consistent compliance across entire ecosystem
• Risk culture
  • Risk ownership and accountability
  • Culture of ethics and compliance
• Performance
  • Timely prioritized reporting
  • Support RCA for breaches