Staying Ahead of Risk
June 2019
ID4AFRICA2019
Presented by:
Rakesh Kaul
Government & Public Sector Leader
PwC India
Technology is helping solve some of the largest societal problems at scale for the people..
…and Identity is the foundation for the “Digital Nation” construct ..
Sectors of the "Digital Nation" built on Identity:
• Social Welfare: Social security, Pensions, Food Subsidy, Scholarships, Retirement
• Seeding in other Functional ID systems
• e-Government: Smart Services, Adaptive Planning and Monitoring, Digital documents
• e-Health: Electronic Medical Records, Patient Management, Connected Healthcare
• e-Learning: Student Management, MOOCs
• Smart Utilities: Smart Meter Management
• e-Security: Image Surveillance, E-sign
• e-Finance: Mobile and Online Banking, Virtual Banks, Peer-to-Peer Money Transfer
• Smart Transport: Multi Modal Integration
• Digital Real Estate: Property Registration, Property Transfer
• Risk Management
PwC 3
… and this Identity Ecosystem needs to be reliable and resilient..
[Ecosystem diagram: the National ID Lifecycle at the centre, surrounded by the parties that interact with it]
• Biometric Service Provider
• Other Interfaces
• CRM Support
• Letter Printing
• System Integrator
• Research & Innovation
• Others
• Enrolment Registrars
• Enrolment Agencies
• Banks
• Testing & Certification
• Authentication User Agency / eKYC User Agency
• Admin BI Portals
Identity Ecosystem: critical challenges in implementation of National IDs
1. Gaps in the legal and institutional environment, such as the absence of personal data protection
2. Privacy of sensitive personal information and security-related risks
3. Complicated enrolment process and the cost associated with getting enrolled in the National ID program
4. Scarcity of infrastructure and associated challenges
5. Sustainability of the program
To make it reliable and resilient, managing risk becomes paramount..
Note: Information regarding the ID programs is based on public information available on the respective newspaper websites
Reported incidents in national ID programs:
• Personal information stolen from a National ID database
• National ID program discontinued due to privacy concerns
• Vulnerability in ID cards due to a security flaw
Staying Ahead of Risk..
GRC Framework: Governance, Risk, Compliance
• Governance Framework
• Organization Skill and Capability
• Adoption of the right Framework
• Periodic Assessment
• 24*7 Continuous Monitoring
• Forensics
1 Risk
Risk Management - Identify Risks
Objective: Identify risks (step 1 of Identify risks, Assess risks, Determine risk response)
How:
1. Consider the organizational goals & business drivers of NID
2. Scan the internal & external environment and assets of NID
3. Inventory the threat landscape
4. Historical & forward-looking analyses
5. Inventory key risks that should be assessed and monitored
Key highlights:
• Leveraging Information Security Forum and knowledge repositories
• Early deployment of Risk Simulation and Fraud Analytics to analyse past incident data and simulate risks
[Diagram: External Threats, Internal Threats and the Regulatory Landscape feed the Risk Register]
Risk Management - Assess Risks
Objective: Assess risks (step 2 of Identify risks, Assess risks, Determine risk response)
How:
1. Likelihood, impact & correlation using simulations / scenario analyses
2. Identify the interrelationships and concentrations of risk
3. Develop risk rating scales that consider cross-organizational impact
4. Develop a heat map or radar of key risks
5. Update risk appetite and tolerances
[Heat map: Overall Likelihood (Remote, Unlikely, Occasional, Likely, Almost Certain) against Impact (Minor, Moderate, Adverse, Significant, Severe). Impact is assessed on Reputation and Legal/Regulatory as well as Earnings, Solvency and Ratings. Risk Scenarios are plotted on the map and compared with the Risk Limit; the outputs are the Risk Appetite and the Risk Classification.]
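The scoring behind a heat map like the one above, as an added example (not code from the PwC deck): risk scenarios are rated on the slide's five-point likelihood and impact scales, compared with a risk limit, classified, and checked for concentrations by owner. The 1..5 weights, the multiplicative rating, the classification bands, the RISK_LIMIT value and the sample register (built from the key risks named on the deck's benefits slide) are all assumptions of this example.

```python
"""Risk register scoring and heat map on the deck's five-point likelihood and
impact scales (added example; the numeric weights, the rating formula, the
classification bands and the sample register are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass

# Scale labels are the heat map axes on the slide; the 1..5 weights are assumed.
LIKELIHOOD = {"Remote": 1, "Unlikely": 2, "Occasional": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Minor": 1, "Moderate": 2, "Adverse": 3, "Significant": 4, "Severe": 5}

# Assumed risk limit (appetite): ratings at or above it need a risk response.
RISK_LIMIT = 12


@dataclass(frozen=True)
class RiskScenario:
    risk_id: str
    description: str
    likelihood: str
    impact: str          # worst case across the impact categories on the slide
    impact_driver: str   # Reputation, Legal/Regulatory, Earnings, Solvency or Ratings
    owner: str


def rating(risk: RiskScenario) -> int:
    """Overall rating = likelihood weight x impact weight (assumed 5x5 model)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def classify(score: int) -> str:
    """Assumed classification bands for the risk register."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def over_limit(register, limit: int = RISK_LIMIT):
    """Scenarios at or above the risk limit, highest rating first (stable for ties)."""
    return sorted((r for r in register if rating(r) >= limit), key=rating, reverse=True)


def concentrations(register, limit: int = RISK_LIMIT):
    """Owners carrying more than one over-limit risk: a concentration to flag."""
    by_owner = defaultdict(list)
    for r in over_limit(register, limit):
        by_owner[r.owner].append(r.risk_id)
    return {owner: ids for owner, ids in by_owner.items() if len(ids) > 1}


def render_heat_map(register) -> str:
    """Text heat map: rows are likelihood (highest first), columns are impact."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.risk_id)
    rows = sorted(LIKELIHOOD, key=LIKELIHOOD.get, reverse=True)
    cols = sorted(IMPACT, key=IMPACT.get)
    lines = ["Likelihood / Impact".ljust(20) + "".join(c.ljust(12) for c in cols)]
    for lk in rows:
        lines.append(lk.ljust(20) + "".join(",".join(cells[(lk, im)]).ljust(12) for im in cols))
    return "\n".join(lines)


# Constructed sample register, using the key risks named on the deck's benefits slide.
SAMPLE_REGISTER = [
    RiskScenario("R1", "Insider at an ecosystem partner misuses eKYC access",
                 "Likely", "Severe", "Reputation", "Partner oversight"),
    RiskScenario("R2", "Zero-day in the enrolment client software",
                 "Occasional", "Significant", "Legal/Regulatory", "CISO"),
    RiskScenario("R3", "Enrolment process exploited to create fraudulent identities",
                 "Likely", "Adverse", "Reputation", "Enrolment operations"),
    RiskScenario("R4", "Targeted attack on the ID entity's authentication service",
                 "Occasional", "Severe", "Solvency", "CISO"),
    RiskScenario("R5", "ASA misses its availability SLA",
                 "Occasional", "Moderate", "Earnings", "Partner oversight"),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_REGISTER))
    for r in over_limit(SAMPLE_REGISTER):
        print(f"{r.risk_id} {classify(rating(r))} ({rating(r)}): {r.description} [owner: {r.owner}]")
    print("Concentrations:", concentrations(SAMPLE_REGISTER))
```

The concentration check is the part a scoring spreadsheet usually misses: two risks that each sit just above the limit but share one owner (here the CISO) are a single point of failure for the risk response, which is what the "interrelationships and concentrations" step on the slide is asking for.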
Risk Management - Determine Risk Response
Objective: Determine risk response (step 3 of Identify risks, Assess risks, Determine risk response)
How:
1. Identify and design Controls
2. Implement Controls
3. Assess and Test Controls
4. On-going Risk Monitoring
UIDAI GRCP Program • PwC
In order to effectively mitigate and respond to the risks, it is essential to have robust governance in place…
2 Governance
Vision & Strategy
• Discuss and agree the GRC vision
• Align the GRC vision with the objective
• Identify applicable regulations and standards
• Identify applicable compliance requirements
• Review and update policy and procedures with respect to information security and privacy
Org. Structure, Roles & Responsibility
• Identify and define the GRC organization structure
• Define the roles and Key Performance Indicators (KPIs) for the individuals
• Institutionalize GRC by proposing various groups: Executive Committee; Working group
Reporting & Dashboarding
• Define reporting requirements: type, frequency, mechanism
• Discuss and define the communication strategy
• Define an integrated dashboard for various levels: Senior Management; Operation team
[Diagram: the GRC objectives Accuracy, Privacy, Security and Availability, driven by Business Requirements, Contractual Requirements and Laws and Regulations, and delivered through People, Processes, Policy and Technology]
..and regular compliance checks through continuous monitoring and periodic assessment
3 Compliance
24*7 Continuous monitoring
• Monitoring: Incident Identification; Incident Classification; Real Time Device Monitoring; Vulnerability & Penetration Testing; Security Intelligence
• Advising: Incident Notification; Awareness & Technology; Countermeasures Selection
• Managing: Incident Response; Incident Recovery; Tracking and Tracing
Periodic Assessments
• Planning: Audit Charter; Understand sub-processes, controls and risk; Prepare work program
• Field Work: Process walk-through; Conduct testing (walkthrough, observations, enquiries etc.); Identify gaps
• Report and closure: Prepare draft report (observations, risk rating etc.); Agree and close
Forensic
• Evidence Extraction and Storage (Acquisition): Appropriate clearances; Appropriate chain of custody log; Time record
• Review and Analysis: Backup of the "original"; Time-zone checks; Perform testing
• Investigation Completion and Engagement Wrap-up
[Diagram: the GRC objectives Accuracy, Privacy, Security and Availability, driven by Business Requirements, Laws and Regulations and Contractual Requirements, and delivered through People, Processes, Policy and Technology]
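The forensic steps listed above (acquisition with a chain-of-custody log and time record, analysis on a backup of the "original", time-zone checks), as an added example that is not part of the PwC deck: the original is hashed on acquisition, analysts work only on a verified copy, every custody event is appended to a hash-chained log with a UTC timestamp, and device-local timestamps are normalised to UTC. The case id, file names, actor names and the log content are constructed for the example; the hash-chained custody log is one common design, not a method the deck prescribes.

```python
"""Evidence acquisition with integrity hashes, a tamper-evident chain-of-custody
log and device time-zone normalisation (added example; case id, file names and
evidence content are constructed)."""
import copy
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample evidence: a couple of lines of an application log.
SAMPLE_LOG = b"2019-06-18 14:30:00 auth OK device=DEV-7f3\n2019-06-18 14:31:12 auth FAIL device=DEV-7f3\n"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only log: every entry carries a UTC time and the previous entry's hash."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, action: str, actor: str, detail: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"case_id": self.case_id, "seq": len(self.entries),
                "time_utc": datetime.now(timezone.utc).isoformat(),
                "action": action, "actor": actor, "detail": detail, "prev_hash": prev}
        body["entry_hash"] = digest(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute every link; an edited, removed or reordered entry breaks the chain."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or digest(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def acquire(source: Path, evidence_dir: Path, log: ChainOfCustody, actor: str) -> dict:
    """Preserve the original, hash it, and hand analysts a verified working copy."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    original = evidence_dir / (source.name + ".original")
    working = evidence_dir / (source.name + ".working")
    shutil.copy2(source, original)
    sha = sha256_file(source)
    if sha256_file(original) != sha:
        raise RuntimeError("acquisition copy does not match source")
    log.record("acquire", actor, f"{source.name} sha256={sha}")
    shutil.copy2(original, working)  # analysis happens on the backup, never on the original
    if sha256_file(working) != sha:
        raise RuntimeError("working copy does not match original")
    log.record("backup", actor, f"working copy for analysis sha256={sha}")
    return {"original": original, "working": working, "sha256": sha}


def verify_original(original: Path, sha256: str, log: ChainOfCustody, actor: str) -> bool:
    """Re-hash the preserved original and record the outcome in the custody log."""
    ok = sha256_file(original) == sha256
    log.record("verify", actor, "original intact" if ok else "ORIGINAL MODIFIED")
    return ok


def device_time_to_utc(local_ts: str, utc_offset_minutes: int) -> str:
    """Time-zone check: a device clock without zone information, normalised to UTC."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).isoformat()


def run_demo() -> dict:
    """Acquire and verify, then show both failure modes: edited log, edited original."""
    tmp = Path(tempfile.mkdtemp())
    try:
        source = tmp / "auth.log"
        source.write_bytes(SAMPLE_LOG)
        log = ChainOfCustody("CASE-0001")  # hypothetical case id
        ev = acquire(source, tmp / "evidence", log, "analyst-1")
        intact = verify_original(ev["original"], ev["sha256"], log, "analyst-2")
        tampered_log = copy.deepcopy(log)
        tampered_log.entries[0]["actor"] = "someone-else"  # after-the-fact edit of the log
        with ev["original"].open("ab") as f:
            f.write(b"oops\n")  # someone touched the original
        modified = not verify_original(ev["original"], ev["sha256"], log, "analyst-2")
        return {"sha256": ev["sha256"], "original_intact": intact, "chain_ok": log.verify(),
                "tamper_detected": not tampered_log.verify(),
                "modification_detected": modified, "entries": len(log.entries)}
    finally:
        shutil.rmtree(tmp)
```

Two points a practitioner should take from this: the hash of the original is recorded in the custody log at acquisition time, so a later mismatch is attributable to a specific interval between two logged events; and device timestamps are converted with the device's own offset (330 minutes, i.e. IST, in the test) before being compared with the log's UTC times, which is the "time-zone check" the slide lists.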
Technology View to the GRC Solution..
Monitored infrastructure layers: Network, Servers, End points, Applications, Databases, Security Appliances
Ecosystem entities in scope: AUA, ASA, Enrolment Agencies, Registrars, Call Center, Logistics, Device Testing & Certification, Op testing & Certification, Others
Solution components:
• Forensic: Disk duplication; Security investigation; Password recovery toolkit; Integrated Disk forensic; Live Server acquisition
• Dashboarding & Reporting
• Modelling: Fraud Detection; Fraud Management; Risk Modelling & Simulation
• GRC: IT GRC; Enterprise GRC
• Periodic Audits: BCP/DR Process Assessments; Security in Change Management; Physical and Environmental Security Awareness; SLA Process Assessments; Root Cause Analysis Assessment; Fraud Risk Assessment and Fraud Management Process Assessment
• Security Information and Event Management (SIEM): Event Correlation & Aggregation; Database Monitoring; Network Monitoring; Malware Analysis (End Point); Malware Analysis (Host); Vulnerability Monitoring; WebApp Security Assessment; Penetration Testing; Source Code Security Assessment
• Infrastructure Partner
• Incident Management
• Global Intelligence Feed
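What "Event Correlation & Aggregation" in the SIEM box and "Incident Identification / Incident Classification" under continuous monitoring look like in code, as an added example that is not part of the PwC deck: constructed authentication log lines from AUAs are parsed (malformed lines are dropped, not fatal), two correlation rules run over them, and each resulting incident is classified by how far it exceeds its rule's threshold. The log format, the AUA and device identifiers, the reason codes, both rules and all thresholds are assumptions of this example, not something the deck specifies.

```python
"""Event correlation and aggregation over authentication logs, with incident
classification (added example; the log format, identifiers and rule thresholds
are assumptions, not the deck's)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one line per authentication request seen by the ID entity,
# in an assumed "timestamp key=value ..." format. Nothing here is real data.
SAMPLE_LOG = """\
2019-06-18T09:00:01Z aua=AUA-021 device=DEV-7f3 result=FAIL reason=BIO_MISMATCH
2019-06-18T09:00:09Z aua=AUA-021 device=DEV-7f3 result=FAIL reason=BIO_MISMATCH
2019-06-18T09:00:15Z aua=AUA-033 device=DEV-9aa result=OK
2019-06-18T09:00:22Z aua=AUA-021 device=DEV-7f3 result=FAIL reason=BIO_MISMATCH
2019-06-18T09:00:40Z aua=AUA-021 device=DEV-7f3 result=FAIL reason=OTP_INVALID
2019-06-18T09:00:58Z aua=AUA-047 device=DEV-9aa result=OK
2019-06-18T09:01:03Z aua=AUA-021 device=DEV-7f3 result=FAIL reason=BIO_MISMATCH
2019-06-18T09:01:20Z aua=AUA-021 device=DEV-7f3 result=FAIL reason=BIO_MISMATCH
2019-06-18T09:01:45Z aua=AUA-021 device=DEV-9aa result=OK
2019-06-18T09:05:00Z aua=AUA-033 device=DEV-1c2 result=FAIL reason=BIO_MISMATCH
this line is truncated garbage and must be skipped, not crash the pipeline
"""


def parse_line(line: str):
    """Parse one log line into a dict; malformed lines yield None."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    ev = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "aua" not in ev or "result" not in ev:
        return None
    ev["ts"] = ts
    return ev


def parse_log(text: str):
    """Aggregation step: parsed events in time order, plus the number of lines dropped."""
    events, dropped = [], 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            dropped += 1
        else:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events, dropped


def classify(observed: int, threshold: int) -> str:
    """Assumed classification bands relative to the rule's threshold."""
    if observed >= 2 * threshold:
        return "High"
    return "Medium" if observed >= threshold else "Low"


def failure_bursts(events, window: timedelta, threshold: int):
    """Rule 1: at least `threshold` FAIL results from one AUA inside a sliding window."""
    recent, open_incident, incidents = defaultdict(deque), {}, []
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["aua"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) < threshold:
            open_incident.pop(ev["aua"], None)  # burst has subsided; a new one may open later
            continue
        inc = open_incident.get(ev["aua"])
        if inc is None:  # one incident per burst, opened when the threshold is first crossed
            inc = {"type": "auth_failure_burst", "subject": ev["aua"], "count": len(q),
                   "first_seen": q[0], "last_seen": ev["ts"]}
            open_incident[ev["aua"]] = inc
            incidents.append(inc)
        inc["count"] = max(inc["count"], len(q))
        inc["last_seen"] = ev["ts"]
        inc["severity"] = classify(inc["count"], threshold)
    return incidents


def device_sharing(events, max_auas: int):
    """Rule 2: one device identifier presenting requests through more than `max_auas` AUAs."""
    seen = defaultdict(dict)  # device -> {aua: first time seen}
    for ev in events:
        if "device" in ev:
            seen[ev["device"]].setdefault(ev["aua"], ev["ts"])
    return [{"type": "device_shared_across_auas", "subject": dev, "auas": sorted(auas),
             "first_seen": min(auas.values()), "last_seen": max(auas.values()),
             "severity": classify(len(auas), max_auas + 1)}
            for dev, auas in seen.items() if len(auas) > max_auas]


def correlate(log_text: str, window_seconds: int = 120, threshold: int = 5, max_auas: int = 2):
    """Run both rules over a log and return incidents in order of first occurrence."""
    events, _dropped = parse_log(log_text)
    incidents = failure_bursts(events, timedelta(seconds=window_seconds), threshold)
    incidents += device_sharing(events, max_auas)
    return sorted(incidents, key=lambda i: i["first_seen"])


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG):
        print(inc["severity"], inc["type"], inc["subject"], inc.get("count") or inc.get("auas"))
```

The burst rule opens one incident per burst rather than one per event, which is the aggregation a SIEM does to keep a six-failure burst from becoming six tickets; the device rule is a cross-AUA correlation that no single AUA can see on its own, which is why it belongs with the ID entity's central monitoring rather than with the partners.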
“It is not the strongest of the species that survives, nor the most
intelligent, but the most responsive to change.”
–Charles Darwin
Thank You
© 2019 PricewaterhouseCoopers. All rights reserved. "PricewaterhouseCoopers", a registered trademark, refers to PricewaterhouseCoopers Private Limited (a limited company in India) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
Benefits of GRC Program
Key risks:
• Insiders and ecosystem partners' threats
• Intrinsic vulnerabilities associated with technology, such as zero-day attacks
• Process vulnerable to fraud
• Changing risk landscape
• Targeted attacks on the ID entity
• SLA breaches
Benefits:
• Management of existing and emerging risks: Early identification of threats for prosecution
• Governance: Actionable, real-time reporting to the ID Entity; Ensure closed looping
• Compliance: Processes aligned to risks; Consistent compliance across the entire ecosystem
• Risk culture: Risk ownership and accountability; Culture of ethics and compliance
• Performance: Timely prioritized reporting; Support RCA for breaches