D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV

Transcription

1 D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV September 2013

2 Contents 1 Service Overview 1 2 Detailed Service Description 3 3 Commercials 6 4 Our G-Cloud Services 7 5 About Deloitte 8

3 1 Service Overview 1.1 Service Summary In a nutshell, what is it that Deloitte will do for you? All organisations hold sensitive data that their customers, business partners, regulators and senior management expect them to protect. Despite this, high profile security breaches involving personal and business information continue to occur. The mandated requirements of the Security Policy Framework, and public sector good practice such as GPG13 (Protective Monitoring), combined with negative publicity and public perception is prompting organisations to immediate measures to understand the sensitive information they hold, how it is controlled, and how to prevent it being leaked. The key questions any organisation needs to answer are: What is our important information? Where is stored, logically and physically? How is it being used? How is the risk of it being leaked being minimised? We use powerful technology solutions that help answer those questions, and through a short risk assessment, will quantify the risk you may be facing from data leakage. We configure the technology to monitor your network for various types of data being stored or sent in violation of your policies. The assessment looks at two key scenarios of data loss and data exposure: Data In Motion/Transit analyse traffic over the network to identify sensitive content sent by , web, FTP or instant messaging; Data At Rest scan and inspect data stores to identify where sensitive data is being kept. As a result of the assessment, we will summarise and prioritise the areas of risk, measure your compliance against standards and regulation, and provide a business-case for on-going remediation. Deloitte offers a Risk Assessment that allows government organisations to quantify and qualify their risk of data loss and exposure. At the end of the engagement they will understand: Where is sensitive information exposed in open file shares and desktops? How much and what type of sensitive information is exiting the network? Who is transmitting sensitive information outside the organisation? What network protocols carry the most violations? What business processes need to be updated? What regulations and policies are being violated? D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 1

4 In a typical Risk Assessment, our team of Data Loss Prevention (DLP) experts help create and implement data security policies to discover, monitor, and provide pragmatic guidance on the protection of sensitive data wherever it is stored or used. We will help you to quickly find sensitive data wherever it is stored including file servers, databases, document and repositories, and web sites. We can inspect common network communications for sensitive data sent in violation of data security policy. During the assessment, we will utilise an efficient reporting platform, where the policy for detection, and subsequent incident reporting can be easily reviewed, and collated. 1.2 Business Context What situations is this service designed to be used in? The rise in data security breaches and insider violations over recent year is a wake-up call for senior management network security is not enough. Government organisations require more than network security and access control to guard their sensitive data. They must protect the data itself. Most organisations have no visibility into where their sensitive data is stored on the network, control over where that data is going, or what to do once they find it. The key questions any organisation needs to answer are What is our sensitive data? Where is our sensitive data? How is it being used? What is my risk of data leakage and exposure? The Deloitte DLP Risk Assessment will provide answers to these fundamental questions so that informed decisions, based on risk can be made Our service is distinguished by: Negligible impact on existing business service; Holistic approach addressing business and technical requirements; Clear reporting focussed on identify and prioritising most significant losses. Evidence-based recommendations. D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 2

5 2 Detailed Service Description 2.1 Our Approach Requirements Gathering and Policy Definition We work with you to identify your top data security and privacy priorities, including the sources and locations of high risk information, and your current policies and regulations. Participants in this step typically include key decision makers and information owners, executive sponsors, project managers, security analysts and network engineers. Based on this we deploy and configure the tools with specific policies, to conduct the assessment. Sensitive Data Monitoring and Discovery We then monitor for the identified sensitive data; data that is leaving from or exposed on your network. In most cases, the monitoring and discovery stage can commence within 30 minutes of the infrastructure being ready. This phase is recommended to continue running over a four week period. Reporting Following the monitoring and discovery phase, our team gathers with the key decision makers and information owners from your organisation for a one-hour executive-level meeting to review the results of the assessment, and discuss next steps 2.2 Inputs We have assumed that you will be in a position to provide certain inputs to the service, which we have listed here. If you are not in a position to provide all of these inputs then please get in touch to discuss options, as it is likely we can reach agreement to alter our approach to accommodate your situation. Technical workshop The Risk Assessment requires temporary integration of equipment on your network. Given the potential complexity of infrastructure and network topology, a workshop is most effective to ensure the assessment is feasible and the technical details agreed. Business workshop The effectiveness and accuracy of the DLP Risk Assessment is enhanced with the involvement of business stakeholders and data owners. Their input will also ensure that the value of that data is acknowledged when its risk of loss and exposure may be quantified. 2.3 Your Contribution Our services are designed to be delivered with you rather than to you. We have assumed that you will be able to make the following contribution to the work. If you are not in a position to take on these responsibilities then please get in touch to discuss options, as it is likely we can reach agreement to alter our approach to accommodate your situation. D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 3

6 Throughout the assessment, we work with you to ensure that the final report is fit for purpose. As well as infrastructure and business teams, we would typically work close with a nominated senior sponsor for the Assessment. This individual would assist and help validate our review of DLP incidents, and agree any key themes to focus on during the engagement and approve the final DLP Risk Assessment report. 2.4 Outputs What will you get in terms of deliverables, outputs and outcomes from this service? The deliverables of this service will depend upon the roles that are agreed for Deloitte s scope in the Service Order. We deliver the following reports at the conclusion of the risk assessment in an executive presentation: Data Loss Risk Assessment Summary Identifies areas of Very High, High, Medium, and Low risk of data across network, and storage systems by data type, based on your evaluation of potential severity and your actual frequency of data loss. The summary will include trends, correlations, and an overview of high risk areas to the aware of. Industry Benchmark Comparison Benchmark your actual data exposure and loss metrics against industry averages, so you can learn how your organisation ranks in terms of overall risk. Compliance Scorecard Measure your risk of non-compliance with regulation, laws, and standards relevant to your business area, organisation and/or industry. This may include (but not limited to) Payment card Industry Data Security Standards (PCI DSS), UK Data Protection Act, protection of intellectual property and company sensitive information. Business case for Data Loss Prevention An executive level report that quantifies the frequency, severity, and risk of data loss, as well as anonymised examples of data loss and exposure. Remediation and Best Practice with next steps are also illustrated. This visibility and guidance allows your organisation to make informed, risk-based decisions on the protection of your valued information assets 2.5 Scale and Complexity The effort involved in delivering our service is driven partly by what we will do (which we have described in section 2.1 above) and what you will do before we arrive and alongside us whilst we work (which we have described in sections 2.2 and 2.3 above respectively). It is also driven by the scale and complexity of your business situation. This section describes the scale and complexity that we have designed this service to address. If your business situation is bigger or smaller than this then please get in touch to discuss options, as it is likely we can reach agreement to alter our approach to accommodate your situation. This service is designed for use by any public sector body that needs it. This DLP Risk Assessment is not intended to be an exhaustive exercise. It is a point-in-time heat map of the risk of data loss and exposure. Gateway monitoring points and enterprise repositories will be selected and pre-agreed based on the risk and/or employee and traffic coverage. It is intended to provide enough of a view of your business so that informed decisions can be made, and if required a business case can be developed. D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 4

7 Our price and service are based on major assumptions below. This pricing is based on a fixed four week timescale and a team of no more than three Deloitte resources. Access to business stakeholders (as well as IT Security), and/or data owners are engaged throughout the engagement. This includes the initial data classification to define the appropriately relevant policies, the on-going ad hoc tasks of highlighting incidents of note, through to the presentation of the executive summary/wrap up. Two physical servers are deployed to the client s data centre each with a particular server role to deliver on the DLP RA scope Client has gathered relevant supporting documentation as requested by Deloitte team. This includes any current and planned-for configuration schematics, network topology schematics, and network traffic analysis materials where appropriate to ensure successful deployment. Prior to the time that Deloitte is scheduled to arrive onsite, and servers despatched, Client must have 1U of rack space, Power, a static IP address and network cable for each of the two physical servers (typically) for this assessment. The receipt in the data centre and physical connectivity will follow the client s usual processes and owner The application used to manage the DLP RA, is accessible and configurable via a browser, so a workstation is required that will allow us to access the servers via Remote Desktop (in case any troubleshooting is required) and should also have access to the Internet from that workstation. Each server has two interfaces. One interface will be used for management (with the static IP) the other can be used for monitoring. This means we can monitor two different span ports These servers will typically be placed on the corporate network and that the Span will be accessible from there. Client has confirmed that span port or network tap changes have been made to network devices to allow for network traffic analysis where appropriate One server will be used for passive Network monitoring, (provided by a span port or network tap), and typically consisting of SMTP, HTTP, FTP, traffic. However, any TCP/IP protocol can be monitored providing it is not encrypted. A decision is frequently made by all parties as to the most appropriate egress point to monitor. More than one server to cover multiple egress points is possible, however this would be additional scope and require further discussion The second server is a combination of the management console, as well as the Discovery server. Connectivity between the two servers are required (standard ports are used, but can be configured). This Discovery scans (via SMB/CIFS/NFS) will require appropriate scan credentials, and file shares are the typical repositories Deloitte would scan, as jointly discussed and agreed by both parties. In this DLP Risk Assessment, we should not exceed 1TB worth of data. The protective marking for the network and data that is being monitored is up to Impact Level 2 / OFFICIAL. D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 5

8 3 Commercials 3.1 Cost This service is offered on a fixed price basis for a four week timescale and a team of no more than three Deloitte resources as described. The price is published in a separate pricing document available to download separately. The service is subject to the assumptions regarding scale and complexity or exclusions as listed in the service description. The level of detail of the reports and deliverables will be agreed with you at the start of the engagement so as to provide the maximum amount of value within the constraints of the fixed timescales, resources and price. 3.2 Location This service will be delivered predominantly in the customer's own premises. We will endeavour to resource projects with locally based resource where possible, but where the client s premise is not commutable for our people then additional charges for travel and accommodation may be charged. These will be agreed in the Service Order. 3.3 Ordering and Invoicing Process There are two ordering routes available: 1. Visit our G-Cloud service homepage at which contains information about the service and also has an online form for ordering. 2. Send an to [email protected] with the following information: a. Your organisation s name b. The name of this service, which is D-G4-L4-253 Data Loss Prevention Risk Assessment c. Your name and contact details d. A brief description of your business situation e. Your preferred timescales for starting the work We will agree an invoice schedule in our Service Order. Our invoices will be payable within 30 days. 3.4 Exclusions Our service description in section 2 above defines the scope of what we will deliver. For the avoidance of doubt, we have listed below any activities that (in our experience) are sometimes expected to be in our scope but which are not included within this service. Delivery of software licenses or packages (these must be bought separately by the customer) Delivery of hardware for servers, mobile devices or any other required use (these must be bought separately by the customer) D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 6

9 4 Our G-Cloud Services 4.1 Our G-Cloud Strategy Deloitte offers a range of services on the G-Cloud Store. Our strategy is to provide commoditised services for the public sector, which are suitable for public bodies addressing the changes required of them in a digital world. Our services cover the breadth of Specialist Cloud Services from business analysis to design and development; transition management to project specification and selection. We also offer some software-as-a-service options on the store, and intend to expand our service provision in response to customer demand in the future. 4.2 Further Information For more information about our G-Cloud strategy and services, please visit D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 7

10 5 About Deloitte 5.1 Our Business Deloitte LLP ( Deloitte ) is a leading professional services firm, employing over 13,000 staff across 20 locations in the UK. Our Public Sector practice includes over 1,000 experienced specialists in central civil government, health, transport, defence and local and regional government, some of whom have previously worked at senior level. In addition, we have over 1,000 staff who can work in both the public and private sectors, enabling transfer of experience and methods. As a Big Four professional services firm, we are well positioned to draw upon skills across a wide range of service offerings to deliver Cloud-based services. We work across the public sector as a trusted advisor and as a supplier of leading edge technology services. This includes an extensive portfolio of Specialist Cloud Services available as commoditised services in the G-Cloud catalogue. Our public sector team plays an active role in the development of methodologies, value propositions and points of view to assist our public sector clients. We conduct research in areas that are of current and emerging interest to our clients, identifying best practice and new developments in the UK and internationally. In this section we outline some of the elements which differentiate us in the marketplace. 5.2 Professional Standards As a leading supplier, Deloitte operates to high standards of professionalism: We recruit highly capable staff and maintain effectiveness through training, performance management and continuous professional development Quality on every engagement is managed through a Quality Management Plan and partner sign off of deliverables on all engagements. Technology Consulting services are accredited to ISO9001, the international quality standard, which includes acting on customer feedback and continuous improvement plans As members of the Chartered Institute for IT (BCS), our Technology practice and individual members are bound to its Code of Practice and Code of Conduct which defines good practice for ICT and technology consultancy. We are also registered with the TickIT scheme We are a Green classified CESG approved company and have a number of CHECK Team Leaders Our project management methodology, which is aligned with PRINCE 2, provides mechanisms for managing all aspects of engagements, including project risks and issues. We have over 300 staff with PRINCE2 or similar PIM qualifications Our Focus on delivery includes regular contact with client management and frequent progress updates when issues can be identified at an early stage to enable easier risk mitigation and help avoid escalation Deloitte is reliable to work with and sets out to deliver the services needed. Our high reputation in the market is based on our commitment to deliver even in difficult circumstances, while building trusted relationships with our clients D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 8

11 We actively promote sustainability within our supply chain and have a strong commitment to equality, diversity and corporate responsibility. Our firm is accredited to ISO14001, the international environmental management standard, and CAESAR (Corporate Assessment of Environmental, Social and Economic Responsibility). Deloitte is accredited to ISO27001, the international security management standard. We operate robust processes for safeguarding customer data and for confidentiality of information. We are registered under the Data Protection Act and have safeguards in place to protect the data of our own personnel or any personal data with which we are entrusted by clients We have processes in place to preserve the integrity and independence of the services we provide. For example, bids are subject to conflict checks to avoid conflicts of interest, all Deloitte staff are required to complete Anti-Bribery and Anti-Money Laundering training, partners and staff are subject to independence checks and there are frequent internal audits and compliance checks 5.3 Security The majority of our public sector team are vetted to Baseline Personnel Security Standard or cleared to National Security Vetting SC level. In total, this is over 1,000 people with some form of security vetting. Deloitte is a List X company. We employ a full time Security Controller and Security Team to manage security clearances, advise on development of Security Management Plans and manage compliance with security processes. We have comprehensive Business Continuity Plans in place in all locations. Staff are equipped to work remotely if client sites or Deloitte sites are inaccessible. 5.4 Responsible Business At Deloitte Responsible Business is not just a strap line. We appreciate that our everyday business activities affect wider society through our actions and through the actions of those with whom we do business. Our approach to Corporate Responsibility is fully integrated with our business strategy; as such we are fully committed to addressing requirements from the Social Value Act. In the last year we launched our inaugural Impact Report ( replacing our traditional annual report and providing the platform through which we will measure our impact and contribution to society into the longer term. 5.5 Geographical Coverage Deloitte has 20 office locations throughout the UK, plus offices in Guernsey, Jersey and the Isle of Man. We also have a National Solutions Centre which is based in Belfast and provides software engineering capabilities for our clients. 5.6 Innovation and Continuous Improvement Deloitte understands the importance of innovation to public sector clients in their endeavours to reduce costs and ensure better outcomes. Deloitte approaches public sector engagements from the standpoint of delivering tangible or measureable outcomes and effective use of resources. Cloud provides a major opportunity to challenge existing provision of IT in the organisation, and improve working practices, service levels and reduce operating costs. We are willing to challenge current ways of working in the public sector and to harness technology and lean thinking to produce satisfactory outcomes that deliver the client s objectives at lower cost. D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 9

12 We seek to ensure that our people, methods, infrastructure and working practices deliver high quality services to our clients and an environment where our staff can work effectively. We recognise that this is only possible if our working procedures, methods and tools, staff skills and training continue to improve. We undertake a number of activities to set objectives for key processes, measure performance against these objectives and assess and adjust our operational and engagement procedures to sustain improvement. 5.7 Capability Transfer Deloitte prefers to provide capability, knowledge or skills transfer on most projects. We can also work in such a way that capability transfer is at the heart of the engagement. Examples include: Training client staff for team roles at the outset of an engagement to reduce costs and provide for continuity of skills after we exit from the client Providing only those services which a client cannot provide for themselves and avoid practices such as staff substitution as much as possible Delivering comprehensive capability transfer so that client staff are able to take over fully the operation or extension of a service or continue to manage a change programme from their own resources. We also have a programme of secondments both to and from the public sector, which enhances our industry insight while strengthening our relationship with public sector. 5.8 Our Business Structure Deloitte LLP comprises a number of business units. Our G-Cloud services are provided from across our business, bringing in the skills and experience we need. Because our business structure is set up as a group, some of our business units are constituted as wholly owned subsidiaries of Deloitte LLP. For the purposes of our G-Cloud services, the Deloitte MCS Limited (company registration number ) is a sub-contractor that we may rely upon to deliver service. D-G4-L4-253 Data Loss Prevention Risk Assessment Deloitte LLP Service for G-Cloud IV 10

13 Important notice This document is not an offer and cannot be accepted. Should you wish to obtain our services, please contact us using the Ordering Process described in section 3.3 above to discuss your requirements and how we may meet them. Following these discussions and our internal acceptance procedures, we would then enter into a direct order with you in accordance with these Framework terms to confirm our appointment. The information contained in this document has been compiled by Deloitte LLP and includes material which may have been obtained from information provided by various sources and discussions with management but has not been verified or audited. This document also contains confidential material proprietary to Deloitte LLP. Except in the general context of evaluating our capabilities, no reliance may be placed for any purposes whatsoever on the contents of this document or on its completeness. No representation or warranty, express or implied, is given and no responsibility or liability is or will be accepted by or on behalf of Deloitte LLP or by any of its partners, members, employees, agents or any other person as to the accuracy, completeness or correctness of the information contained in this document or any other oral information made available and any such liability is expressly disclaimed. In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom