Government Procurement Service

Transcription

1 Government Procurement Service PwC and the G-Cloud: knowledge, experience, value V1.0 PwC Service Definition 9: G-Cloud Cyber Security Design and Assurance 06 October 2015

2 Table of Contents G-Cloud Procurement Vehicle... 3 Transforming business using the cloud... 3 LOT 4 Specialist Cloud Services... 4 PwC Service Definition 9: Cyber Security Design and Assurance... 6 Our cyber security experience... 9 Why PwC? Our global cloud computing network Our cloud accelerators Our cloud industry participation Our cloud thought leadership... 12

3 G-Cloud Procurement Vehicle Having worked with several central and local government clients supporting the implementation of their cloud objectives, we want to share our expertise and experience with you so that you successfully realise your cloud ambitions. There are some great cloud successes from private sector organisations that we also want to share. Transforming business using the cloud Deciding how to transform business using cloud is one of the most complex decisions enterprises are grappling with. Cloud can provide significant cost reduction, eliminate technology bottlenecks, and facilitate rapid business innovation. Generally we are seeing four primary cloud opportunities for enterprises: Implementing private and hybrid clouds for infrastructure and applications. Smart use of the public cloud for business function optimisation. Using cloud for implementing new business services. Reducing costs by only paying for the IT capacity, and new technologies, that you need and use. However, cloud is disruptive for enterprises and cloud transformation must be properly choreographed for success. We understand the realities and risks that exist, and that they should be carefully considered and understood before moving to the cloud: Availability and reliability of services and the avoidance of operational downtime is a concern that if encountered may result in lost revenue or a blemished reputation. Even large providers have experienced well-publicised service outages which, although typically last less than an hour, can disrupt a business s operations. Decentralised support structures employed by cloud service providers may increase the risk that sensitive information is viewed by unauthorised users or even competitors. This type of incident is rare, but it has been reported on at least two occasions when a large cloud service provider inadvertently shared user documents with others who had not been granted access to them. Given the limited understanding of data flow in a cloud environment, data classification, and data-handling practices employed by companies is also a concern. In several incidents hackers have guessed user passwords to gain access to confidential documents stored in the cloud and then forwarded those documents to online news outlets. In other cases, cloud service providers simply lost customer data. Compliance with data privacy regulatory requirements is a concern as many of today s privacy regulations affect where and how information can be stored or processed. The cloud model enables data to bounce swiftly around the world by using available server capacity in various geographic locations. Businesses now face new regulatory requirements that address where its data is physically stored and how it is accessed. A careful assessment of an organisation s needs and different cloud service provider s controls is required, enabling all concerns to be addressed and the correct path to the cloud is selected.

4 LOT 4 Specialist Cloud Services We are delighted to participate in LOT 4 of the G-Cloud Procurement Vehicle ITT and have responded with sixteen PwC service definitions to address your requirements: 1. Strategy and Planning Services - provides the processes, tools and capability to set the strategic direction for the programme of work and align the technical and business activities with the strategic goals of the change programme. This enables the delivery of a fit for purpose solution that meets the business need. 2. Managing Change Services - provides the processes, tools, people and capability to manage the change programme against the agreed business strategy. This service includes iterative management of the Technical Design through adherence to the Target Architecture and management of the releases through adherence to the Target Operating Model. 3. Delivering Change Services - provides the processes, tools, people and capability to deliver the strategic change programme. This includes development, and management, of roadmaps with clear delivery milestones, business benefits, releases and approval activities that enable the delivery of technology to the business that clearly meets the stated business need. 4. Oracle Business Intelligence Innovative business intelligence solutions across the full range of Oracle BI products - BICS, Cloud Analytics, OBIEE, and OBIA. Using our holistic and agile approach, we provide services for the full implementation lifecycle including BI adoption strategy, capability-building, enterprise BI solution design, implementation, maintenance and rapid deployment of analytics applications. 5. Oracle Enterprise Performance Management Services PwC help organisations make the right decisions to improve business performance though strategy development, planning, budgeting, consolidation and financial reporting using Oracle Hyperion EPM applications. Working across the Oracle EPM suite - we help clients create a blueprint, business case, design and implement the solution and provide application support. 6. Application Management Services - ITIL aligned, and ISO accredited, Application Management Services is manned by UK based dedicated managed services consultants. AMS will maintain, operate and improve your systems across a range of platforms including ERP, Business Intelligence, EPM and Cloud. Services include application maintenance, production support, service management and release and configuration management. 7. ERP Services Related to Oracle - Cloud is the direction of travel in terms of the digital transformation of business applications. PwC provide Oracle Cloud roadmap planning and readiness assessments, implementation and re-implementation consultancy and training. Our primary responsibility is to provide the best independent advice and consultancy to our clients. 8. Custom Application Development - PwC can develop Cloud customisations designed to meet your business needs. We can develop custom applications that work with your existing applications (PaaS), provide integrations to third party systems, develop custom reports and can work with other cloud service providers to construct bespoke cloud solutions (Iaas). 9. Cyber Security Design and Assurance - PwC provides a wide range of services that can help your organisation assess and build cyber security defences, as well as respond to incidents and manage and assure your cyber security capabilities. We view Cyber Security as a whole-organisation challenge and our integrated approach reflects this.

5 10. Penetration Testing and IT Health Check (ITHC) Services A true, reflective threat scenario is the starting point for any testing. This allows us to tailor the testing performed to maximize value for you. All of our testing is bespoke and in response to the real world threat scenarios experienced by our global client base. 11. Identity and Access Management (IDAM) Services - PwC will work with you to manage all enterprise and citizen identities, keep business assets secure and enhance the user experience. We support a range of technology vendors and specialise in the SailPoint and ForgeRock IdAM offerings. 12. Commercial Assurance - Our Commercial Assurance and Contract Management cloud specialists provide market-leading advice on the end-to-end contract lifecycle, identifying critical project delivery risks and providing Assurance over cloud/it projects. We combine IT technical, Data, Commercial and Financial experience to help you navigate through these risks to reach a successful outcome. 13. P3M Program and Project Assurance - Programme and project assurance helps clients realise the value and benefits of their strategic technology investments through effective programme and project management. Our approach helps manage risks by employing an integrated programme assurance risk model that encompasses programme methodology and leadership best practices with focus on technology and business outcomes. 14. engage Implementation Services -PwC s engage Implementation Services provides the processes, tools and capability to deliver digital services across national and local government, using our cloud deployed engage platform. Our approach enables the delivery of a solution that meets your business needs as well as the citizens. 15. ediscovery Cloud Services - Specialist services to implement and use cloud ediscovery systems, such as Nuix and Relativity, which enable clients to identify, collect, preserve, search, analyse and disclose data. Techniques such as forensic capture and imaging, evidence handling, data processing, data visualisation and keyword searching are used to find relevant information quickly. 16. Information Governance Services - enable our clients to identify information of value, classify it and move it to a cloud-based collaboration or enterprise content management (ECM) environment such as SharePoint. Using data profiling we identify key information risks that define record management requirements, retention and disposal policy for more efficient migration. This document provides our response to PwC Service Definition 9: Cyber Security Design and Assurance and includes a selection of our recent success stories. We have also provided some introductory information on our cloud capabilities for your reference. We hope you find the information interesting and welcome the opportunity to discuss your requirements in further detail.

6 PwC Service Definition 9: Cyber Security Design and Assurance This section describes in more detail the service features and benefits included within this service definition document. Cyber Security Design and Assurance Service Description PwC provides a wide range of services that can help your organisation assess and build cyber security defences, as well as respond to incidents and manage and assure your cyber security capabilities. We view Cyber Security as a whole-organisation challenge and our integrated approach reflects this. PwC Service Definition 9: Cyber Security Design and Assurance Service Features Assess: Understanding your capabilities and maturity to prioritise investment Build: Designing and delivering cyber security improvement programmes Respond: Rapid incident containment, investigation and crisis management expertise Manage: Threat assessment, detection and monitoring, tailored to your business Manage: Integrated managed security services Manage: Augmenting, enhancing and developing your own cyber security team Preparing or reviewing your cyber security strategy Specialist cyber/cloud consultancy, advice, risk assessments and RMADS production Cyber security audit and review planning and delivery Cyber security awareness and training. PwC Service Definition 9: Cyber Security Design and Assurance Service Benefits Fully informed investment decision making, tailored to your security priorities Faster, higher quality and lower risk cyber security transformation/delivery Rapid response to incidents, minimising damage, cost and disruption. Clear understanding of who may be targeting you, and why. Efficient and economically attractive security managed service delivery Knowledge transfer leading to a strengthened in-house security capability Independent assurance of your security strategy and implementation Trusted help to achieve secure system delivery and procurement Assurance over the security of your third party suppliers Access to a wide range of experienced cyber security experts

7 Our view on the service features and benefits within this service definition document are presented below. In an interconnected world, organisations are dependent on digital business processes. This amplifies the business and organisational impact of cyber-attacks, affecting intellectual property, financial security, operational stability, regulatory compliance, and reputation. Organisations that seize the digital advantage must be confident that they are able to manage cyber security risk. Those that are able to build trust with their stakeholders (and customers) for their digital strategies will be successful; trust that data and transactions will be safe; that identity and privacy issues have been dealt with and trust that systems and processes will be available when needed. Trust takes a long time to build but can be lost in an instant. PwC provides a range of cyber security assurance and support services that can help your organisation build and improve confidence in your digital future, enabling you to focus your cyber security investment choices and protecting what matters most to your organisation. We can help you: Become more aware of your cyber security risks Assess which threats could affect your business goals Build and adapt your defences to deal with new threats as they arise Help you respond to security incidents quickly to minimise impact and recovery time We can provide you with the full range of cyber security expertise, from business focussed experts who can help you balance the benefits of agile cloud services with cost and security implications, to specific CESG Certified Professionals (CCP). Because cyber security isn t just about technology, our approach covers people, information, systems, processes, culture and physical surroundings. The aim is to create a secure environment where businesses can remain resilient in the event of an attack. Understanding the implications of using cloud services impacts all the aspects above, and many of our clients find our insight into the security of cloud services valuable. 1. Assess PwC can help you with every stage in understanding your cyber security landscape, capabilities and maturity in order to help you decide where, and how much, you should be investing in cyber security. We can conduct an objective assessment of your current capabilities to give you assurance that your defences are both comprehensive, well aligned to your threats and risks, and are actually working properly. We have frameworks that blend the aspects of good cyber security practice and can apply them to your overall organisation in terms that non-technical/cyber people can understand and use effectively, giving you a combination of assurance through compliance to standards blended with the specifics of your own business. Our Assess set of services range from initial threat and risk assessments to a comprehensive set of assurance activities to help enable your defences to tackle the right threats and operate effectively. Our experience covers the very highest level assessments of overall cyber security strategy and how it applies to your organisation through to detailed testing of processes and technology (including penetration tests). We have worked across both leading Private sector organisations and public bodies, and our approach to assuring cyber security is being adopted by large central Government Departments. Our work across a broad range of public and private sector clients helps us to stay absolutely current with the constantly evolving threat environment, and to consider the wider aspects of your cyber security posture.

8 2. Build We can help you through the definition and planning of cyber security improvement programmes, provide objective assessments and options appraisals of market-leading security solutions and support you as you enhance your cyber security posture. We provide consultancy and advice, using experienced cyber security practitioners, including CLAS (and successor) scheme members and can help you with the design and accreditation of secure systems. This helps you build your internal business case for prioritising and investing in your cyber security capabilities, and the confidence that you will get the right solution for you when you go to market for solution elements. Our culture and change experts can help you to embed good security behaviours in your people an ever more important component of your cyber-security defences and we can look at how security can become an inherent part of your operating processes and environment. 3. Respond Most organisations now accept that significant cyber security incidents are inevitable. PwC offers a comprehensive set of incident response services, backed by crisis management expertise. Services are tailored to your specific situation, but typically include: Breach notification; Computer, network and malware forensics; Crisis management; Cyber incident legal advice including privilege; Cyber incident response and forensic investigation; e-discovery and disclosure; Fraud and ecrime data analytics; Human resource advice employee breaches; Network intrusion containment and remediation; Regulatory proceedings; Third party litigation. PwC s services can be quickly mobilised, or even held ready for faster response on a retainer basis. Our global experts can help you formulate and deliver a response to an incident that is based on sound knowledge and experience, thereby minimising the impact to your business, and can help you with the fallout from incidents with sound advice based on experience and practice. 4. Manage Managing your security is not straightforward in the dynamic and fast-moving cyber threat environment. Attackers can be relentless in their attempts to breach your security, and the rewards can be significant. We can help you to manage and maintain control of your business, enabling you to focus on your core priorities. Typical help in this area ranges from advanced threat detection and monitoring and threat intelligence (in order to give advance notice of attacks, and identify when they may be underway but without triggering your defences), through to full integrated managed cyber security services and helping you to improve the capability of your own, in-house, cyber security teams allowing you the freedom and flexibility to choose the model that best aligns with your business strategy.

9 Our cyber security experience PwC has completed many cyber security engagements, covering the full range of cyber security services, both for private sector and Government clients, and bringing insight to both communities. Selected examples are shown below, but if you would like to talk to us about our service offerings, or to find examples that are relevant to your situation, please do get in touch. Large Central Government Department PwC helped a large Government Department develop a strategy and plan for assuring cyber security across their entire estate. The key to designing a successful plan was to use a risk-based approach, underpinned by a thorough understanding of the client s information systems, processes, security functions and organisation, as well as the likely threats they faced. This was then subjected to a wide-ranging set of theoretical attacks to develop a map of the areas of highest risk. By looking at the emerging themes, we were able to propose a set of assurance activities that efficiently addressed the areas of highest risk, and test this against the client s risk appetite. The result was that the client was able to make highly informed decisions about where they should invest in cyber security assurance activities. The approach was supported by the Cabinet Office and is being repeated at several other Central Government Departments, where it has helped senior security stakeholders work together with assurance functions to agree where assurance activities should be prioritised, but without losing sight of areas where remedial work is required to address risks saving everybody time, effort and distraction. Large UK Critical National Infrastructure organisation The customer engaged with us to help re-define the security business case and strategy for their organisation. The existing security activities were observed to be ad-hoc, un-coordinated across the business and mixed in terms of quality. We provided an interim CISO to engage with their board, management and staff to resolve the positioning of the security function within the business. We proposed a programme of work to transform the group level security management function and drive security culture change throughout the business. As a result of this work, the client gained a clear roadmap for transforming its security function and has raised its international profile in global security forums for its market. PwC has been retained for the long term (5yrs) to provide a complete group level security management function whilst also representing the organisation globally at regulatory and industry security working groups.

10 Large Global Telecomms provider The client needed to be aware of threats their organisation was facing and their overall preparedness to respond and manage major crises arising from cyber attacks. The board wanted to understand the overall security posture of their information systems, if they could be compromised and the risks to the services they provide. To provide this information PwC: Conducted a strategic security review assessing the operations, governance, security management, policies and procedures. Conducted invasive penetration testing on both internal and external networks and systems. Produced device configuration reviews Examined the client Crisis management function to assess their ability to respond to a known form of cyber attack. Conducted a simulation exercise replicating a live attack scenario. Provided strategic advice on tackling key issues to the Board

11 Why PwC? Our global cloud computing network PwC is one of the leading firms in business technology advisory services providing services to support cloud engagements. We have completed a variety of cloud engagements with several central and local government clients. We have also been involved in some excellent cloud successes made by organisations in the private sector. We are confident this experience will add value to UK government engagements. We have recently been accepted onto the University College Dublin (UCD) framework agreement for Cloud Computing Advisory & Implementation Services. The insights and lessons learned from this ongoing collaboration will be applied to our future work with UK government clients. Our senior practitioners insights are regularly published in the business press and will bring a cutting edge perspective to UK government engagements. PwC has helped our clients implement private / hybrid / public clouds, transform business on the cloud, and benefit from successful cloud sourcing experiences that will be leveraged to deliver successful services to UK government clients. PwC has substantive and relevant experience in cloud infrastructure, applications, outsourcing, business innovation, change management. We have developed standardised cloud implementation frameworks, tools, processes. Our people and memberships with industry groups means that we can bring extensive industry knowledge and a proven record for delivering business transformation with technology. Our cloud accelerators Our clients tell us that the most critical element of cloud transformations is mobilising quickly, and delivering long-term business impact that is cost-efficient, timely and sustainable. With this in mind, we have developed a set of cloud accelerators allowing us to focus on helping our clients. These accelerators are: PwC Cloud Workshop Tool to identify and/or confirm cloud opportunities consistent with needs and direction of the enterprise. PwC Cloud Transformation Assessment to identify where opportunities exist to adopt cloud and assess the gap between the current state and future state. PwC Evergreen Technology Adoption methodology, enabling the adoption of point technical solutions. PwC Cloud Reference Architecture used to facilitate the incorporation of private, public, and integrated cloud computing concepts into enterprise architecture blueprints. PwC Cloud Adoption Model to identify where a client is relative to the adoption of cloud and provide a path maximising business value while minimising risk. PwC Transform, our global delivery methodology used to manage enterprise transformations.

12 Our cloud industry participation PwC is represented on several standard setting boards and task forces, helping to drive the future standards of reporting and controls related to cloud computing technology. It is this deep technical insight that we will know will add insight and value to UK government engagements. PwC is a member of the American Institute of Certified Public Accountants Task Force that develops guidance for reports on controls related to cloud computing. PwC is a member of the ISACA Cloud Task Force. PwC is a member of the Cloud Security Alliance. PwC is a member of the Information Security Forum. PwC is an Advisory Board Member on the IDC/IDG Cloud Leadership Forum. PwC is an Advisory Board Member of Cloudcor, Inc., the founder of CloudSlam and UP cloud conferences. PwC is a patron of the MIT centre for information systems research. Our cloud thought leadership PwC has established a cloud innovation lab, intending to be at the forefront of new cloud trends, identifying and exploring new business opportunities. PwC continues to publish a series of papers and publications on the cloud, a selection of which are provided below: 1. The View Cloud computing gets strategic PwC leaders discuss the growing momentum and hype around cloud computing and explain why the real story is less about technology and more about business strategy. 2. Making the move to cloud-based ERP: Balancing the risks and rewards This recent publication discusses cloud-based services as a strategy to not only reduce costs but also deliver business value through transformation and that not rushing into adopting cloudbased services is the best approach for this increasingly complex environment. 3. PwC Alumni Paper: Cloud computing: Taking advantage of the silver lining A recent PwC alumni article looks in more detail at the benefits that can be gained from cloud adoption.

13 Confidential. This document is provided for the purposes of your discussions with PricewaterhouseCoopers LLP. This document, and extracts from it and the ideas contained within it, may not be used for any other purpose and may not be disclosed to any third parties. This document does not constitute a contract of engagement with PricewaterhouseCoopers LLP, and is subject to the terms of any subsequent engagement contract that may be entered into between us. If you receive a request under freedom of information legislation to disclose any information we provided to you, you will consult with us promptly before any disclosure PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.