ADVISORY

Information Protection and Business Resiliency Services

kpmg.lu
Table of Contents
- Information Protection Overview
- How KPMG Luxembourg Can Help
- Information Security Assessment
- Privacy and Data Protection
- Information Governance
- Identity and Access Management
- Business Continuity Management
- Unified IT Compliance
- Electronic Archiving
- KPMG's Thought Leadership
Information Protection Overview

Information Is a Competitive Asset
- Customer information
- Employee or business partner information
- Intellectual property
- Critical business strategies
- Financial and operational data
Overview

Information is the lifeblood of any organization, and protecting that information has become an increasingly significant concern. Companies go to great lengths to ensure that no one can steal, leverage, or otherwise compromise what has become a valuable competitive asset. Traditional information protection initiatives include security risk assessments, compliance and risk management, legal and discovery efforts, and security breach notification. Protecting your organization's information depends on all of these and more.

Effective information protection is an understood, implemented, and measured program of policies, procedures, and controls that consistently achieves compliance, regulatory, legal, and business mandates. The industry is moving towards more proactive, risk- and performance-based programs in which information security initiatives are embedded in enterprise business processes and metrics.

Information Security Agenda

An organization should implement and follow a comprehensive information security agenda to enhance its top-line growth, manage risks, and align and optimize spending.

[Figure: Information Security Agenda. The three goals (Enhance Top-Line Growth, Manage Risk, Align and Optimize Spend) frame the agenda topics: Brand Protection & Enhancement; Alignment with Business Goals/Objectives; Security Strategy; Linkage to Enterprise Risk Management; Managing 3rd Party Risk (Outsourcers); Executive/Board Reporting; Privacy/Security Breach; Vulnerability/Patch Management; Staffing Support; Evolving Threats; High Availability; Mergers & Acquisitions; Culture/Awareness; Metrics/Benchmarking; Compliance/Internal Audit; Identity Management; Mobile Computing; Disaster Recovery; Business Continuity.]

- Manage risk by understanding and controlling risks related to privacy disclosure, information leakage, information integrity, and legal responsibility.
- Align and optimize spend by applying the appropriate level of control to each set of information, rather than applying broad and expensive controls across the entire organization.
- Enhance top-line growth by enabling new technology to meet strategic objectives and by demonstrating compliance and effective information protection capabilities to existing and prospective clients, customers, and business partners.
How KPMG Luxembourg Can Help

To help ensure that your business is as equipped as it can be to withstand a security incident, ask yourself a few vital questions:
- Are you confident that your IT networks and systems are secure?
- Do you know where your data comes from, where it is stored, and how it is used?
- Do staff understand the importance of good data handling?
- Do you have a clear plan of what to do should you lose data?
KPMG's Information Protection and Business Resiliency (IPBR) services can help companies as they seek to protect their critical information assets. As business decisions become increasingly dependent on real-time, accurate information, organizations must assess, prioritize, and control the movement, use, and transformation of their critical business data.

KPMG's approach to information protection balances value preservation with value creation. We recognize that entities want to protect and maintain the integrity of information while leveraging its strength as an asset to provide measurable benefits.

[Figure: Information Protection, from value preservation to value creation. Value Preservation (Risk Management, the core): a historical view of security ("It's like insurance; part of the cost of doing business."), mandated by regulations, driven by a focus on risk elimination. Value Creation (Business Performance, the benefits): security as an enabler of the business, alignment with business needs, operational benefits, solid risk management. Information protection supports better business decisions, brand and reputation, and business initiatives.]

KPMG's IPBR services can help companies appropriately protect their critical information assets and gain greater benefits from expenditure on information protection by focusing on business priorities. We can help companies move information protection from a value preservation exercise to one that incorporates value creation approaches, helping to manage risk and improve business performance. We draw on professionals in our global network of member firms in 152 countries who have knowledge of local market conditions as well as regulatory requirements.

With our ability to see the broader issues, companies can benefit from:
- Advice grounded in business perspective, objectivity, and impartiality
- An excellent track record in delivering global information protection services
- Clear understanding of risks related to core business processes
- A singular, coordinated approach to protecting key information assets
- Deep knowledge of the information protection market and key technology providers
- In-depth knowledge of industry processes and functions
- Thorough understanding of regulatory drivers
- Multidisciplinary teams
- Global breadth, local knowledge

"Over the past three years, more than 500 million people have been affected by data loss incidents. However, for the second year in a row, the number of publicly disclosed data loss incidents has dropped. Despite this decline, 2010 brings more news of data loss, so far affecting over 15 million people." (Source: 2010 KPMG Data Loss Barometer, Issue 3)
Information Security Assessment

Key Questions:
- Does our existing security program support our regulatory compliance efforts?
- Are security controls adequate to support the financial reporting processes?
- How much are we spending on security? Is it enough or too much? How does this compare with others in our industry?
- How can we measure the true effectiveness of our information security efforts?
- How can we show the return on investment in information security?
- What are the true business risks to our organization, and how do we develop a cost-effective information security strategy to manage these risks?
In today's information-driven economy, success hinges on having, and providing, access to information through sophisticated, ever-evolving business systems. But increased reliance on information technology and highly integrated networks can present substantial risks: significant penalties for failing to comply with new regulations that mandate verifiable information security, as well as negative publicity, lawsuits, and loss of client confidence due to security gaps. Effectively protecting against information theft, corruption, unauthorized disclosure, and denial of service requires an objective approach to information security, one that inspires trust and supports the highest performance standards.

How KPMG Can Help

KPMG's Information Security Assessment services are based on the premise that security initiatives need to be driven by business requirements and support the achievement of your company's strategic goals. KPMG can help you focus on the issues that really matter to your business and enhance the effectiveness of your information security spending.

KPMG's approach is based on the Information Security Capabilities Model and its associated security components. The inter-relationships between the components of the model give the organization flexibility in how it focuses its resources. In many instances, organizations may not be prepared to adopt an enterprise approach to developing their security architecture. Reasons for this include lack of awareness, limited resources, and competing enterprise initiatives. Accordingly, our services can be delivered on a point basis to accommodate these concerns. The suggested point services also reflect the demands of the marketplace and may change and adapt accordingly.

[Figure: Cause of data loss, number of incidents as % of total for 2010 (January - June). 21% of incidents involve malicious insider; 15% of incidents involve PC theft network exposure; 12% of incidents involve hacking. (Source: 2010 KPMG Data Loss Barometer, Issue 3)]

[Figure: Information Security Capabilities Model.
- Security Leadership: Sponsorship, Strategy, and ROI/Metrics
- Security Program: Structure, Resources, Skill sets
- Security Policies: Security Policies, Standards and Guidelines
- Security Management: Security Operations and Monitoring
- User Management: User Management and Awareness
- Information Asset Security: Application, Database, Host, Internal/External Network, Antivirus
- Technology Protection and Continuity: Physical and Environmental Controls, Continuity Planning Controls]
Privacy and Data Protection

Key Questions:
- How do I respond to an evolving threat landscape?
- Is my organization at risk from confidential data leakage?
- How are my competitors addressing these challenges?
- How do our suppliers handle our sensitive data?
- What are the risks associated with adopting new technologies?
- How do I comply with the legislation, regulation and industry requirements?
Data breaches pose a serious threat to all organizations. Data loss incidents are increasing in number and significance every year. The impact on brand reputation is high, and customer trust can be severely compromised. Organizations face a challenging array of business issues in their efforts to protect sensitive information from theft and unintentional disclosure. To mitigate these risks effectively, organizations must mobilize and coordinate efforts across multiple functional areas, including legal, marketing, IT, internal audit, regulatory compliance, human resources, brand management, and applicable local and international considerations. The burden of establishing an effective privacy program and a related incident / crisis management program can weigh heavily on an organization and should be treated as a high priority.

"Our regular discussions with peer regulators and experts led us to believe in an increase in the volume and scope of computer attacks in the near future." (Source: David Hagen, Head of the IT and support PFS department, Commission de Surveillance du Secteur Financier (CSSF), KPMG Banking Systems Survey 2011)

How KPMG Can Help

KPMG assists organizations in addressing the challenges of protecting private and confidential information through the deployment of cross-functional teams with deep industry experience in the privacy, IT security, investigation, legal, marketing and compliance fields. KPMG can help identify, manage and monitor an organization's ability to maintain and communicate its regulatory compliance with banking secrecy, Luxembourg data protection and its third-party service provider requirements.

[Figure: Information life cycle. Organizational responsibility to help ensure adherence to legal and regulatory requirements through each phase of the life cycle; cross-cutting considerations: Compliance, Audit & Regulatory, Legal, Measurement, Business Objectives.
- Phase 1 - Generation: Ownership, Classification, Governance
- Phase 2 - Use: Internal v. External, Third Party, Appropriateness, Discovery/Subpoena
- Phase 3 - Transfer: Integrity, Public v. Private Networks, Encryption Needs, Access Control
- Phase 4 - Transformation: Derivation, Aggregation, Lineage
- Phase 5 - Storage: Access Control, Structured v. Unstructured, Integrity/Availability/Confidentiality, Encryption
- Phase 6 - Archival: Legal and Compliance, Offsite Considerations, Media Concerns, Retention
- Phase 7 - Destruction: Secure, Complete
Phases 1 and 2: Employee/trusted third-party creation and usage should drive business value. Phase 3: Infrastructure capabilities should help enable controlled transfer and movement of data. Phase 4: Additional processing and/or manipulation to help achieve increased business value for reporting of specific business needs. Phases 5 and 6: Organizational capabilities to manage and maintain information in a cost-effective manner for timely access or retrieval to achieve business objectives. Phase 7: Controlled destruction of information and storage media.]

Our Privacy and Data Protection services include:
- Identification of the regulatory requirements applicable to the organization
- Development of an understanding of notice, consent, right to change and disclosure practices
- Development of an effective privacy program
- Identification and classification of sensitive information
- Development of data access policies
- Design of data access processing and security controls
- Development of a roadmap and a scorecard to facilitate ongoing monitoring and continuous improvement of the privacy program
- Identification of response protocols and processes for actual breaches
Information Governance

Key Questions:
- Do I know what information is most valuable to my business? Do I know where it is?
- Do my employees have access to information they shouldn't? Do they know how to handle, label, protect, and transmit restricted or confidential information?
- How is my information being passed throughout the organization and to my external contacts? Is it secure?
- Am I compliant with all applicable compliance, regulatory and legal requirements related to my industry?
- Are my information records destroyed at the appropriate time? Or are they destroyed too early, too late, or never?
- Am I prepared to deal with the media and manage the legal process if I have a breach?
- Are there unnecessary information, records handling, and management processes that could be cut to reduce costs?
Information is vital to any organization and should be treated as an asset. As organizations globalize and/or merge, managing and protecting information assets becomes more complex. Leadership depends on having quality and timely information to help make vital business decisions and enact timely and appropriate business change. In addition to being a regulatory requirement, having strong controls over critical business information helps organizations protect brands and reputation. Information governance helps enable the business to achieve and sustain evolving compliance requirements, and having a planned governance structure around information allows organizations to support their business objectives more effectively and efficiently while meeting regulatory requirements.

How KPMG Can Help

KPMG's Information Governance services assist organizations with designing personnel, process, technology, and controls that address compliance requirements while also protecting the most important information assets. KPMG's approach encompasses the complete governance life cycle, helping to enable clients to choose the appropriate services to achieve their specific business needs. Our cross-functional teams provide deep industry experience in the key areas of information governance, including Privacy, Data Protection, IT Security, Forensic and Regulatory Compliance services.

We can help you understand the risks to the following information elements and how to adequately protect them:
- Intellectual Property (IP)
- Personally Identifiable Information (PII)
- Financial Information
- Human Resources Information
- Customer History or Patterns
- Employee Records
- Healthcare Information
- Supplier, vendor, and trusted third-party information

"The cost per breached record will be anywhere from $90 to $305, which represents discovery, notification, opportunity cost, regulatory fines, and other liabilities." (Source: Forrester Research)

[Figure: Information Governance framework. Governance encompasses Information Life Cycle Management and the elements Data Classification, Privacy, Technology, IT Security, Data Flow Analytics, Business Process, eRecords Management, and Third-Party Management.]
Identity and Access Management

Key Questions:
- How does identity and access management fit into our overall enterprise strategy?
- How much money might we save if our IAM processes were more efficient?
- Who owns IAM in our organization, including policy, standards and operations and maintenance?
- Which functional and/or division executives are involved in helping define our IAM strategy?
- Where is our organization on the IAM maturity curve?
- How do we ensure that IAM capability keeps pace with the dynamic nature of our organization?
- Can we derive meaningful reports from our IAM solution to help enable security control audits, compliance requirements, and business processes?
Organizations face many challenges on the subject of identity and access management (IAM). For example, organizations may not be in control of their environment because passwords have been shared; there are silo solutions per application or platform which give rise to countless authentication methods and password regimens; authorizations are multilayered and duties are no longer clearly segregated; there is a lack of insight into the authorizations granted by management; and the help desk costs to change passwords, provide rapid provisioning and deprovisioning, and manage authorizations are high. Many organizations have projects underway to improve the ingredients of IAM: user management, authentication management, authorization management, and provisioning.

How KPMG Can Help

KPMG's IAM services can help companies use IAM to resolve business issues by developing a process and approach that help companies realize their business strategy, instead of just providing technology to deal with compliance issues. We can help companies effectively and efficiently manage their electronic identities, authorizations, and demonstrable compliance efforts across large groups of customers, employees, and business partners. We take a process-centric approach, coupled with our experience in leading-practice technologies and architectures, to design an appropriate approach for creating, managing, and terminating access to critical systems and information.

KPMG offers an extensive set of services based on KPMG's IAM Methodology. This approach consists of leading practices, templates, and other tools to efficiently execute an IAM project. It is used to implement an IAM project, and also to test existing IAM projects.

"Identity Management is a comprehensive set of business processes, and a supporting infrastructure for the creation, maintenance and use of digital identities." (Burton Group)

[Figure: KPMG IAM Methodology components: Monitoring and Reporting; Authentication Management; Audit and Compliance; Access Management; Data Management; Identity Provisioning; User Management; Governance; Authorization Management; Agility.]
Business Continuity Management

Key Questions:
- How does BCM fit into our overall enterprise strategy?
- How do we define organizational priorities and time frames?
- Who owns BCM in our organization, including policy, standards and operations, testing, and maintenance?
- Where is our organization on the BCM maturity curve?
- How do we reduce the need for decision making during a crisis?
- How do we implement processes for cost-effective prevention vs. cost-intensive recovery?
In a competitive environment, few organizations can afford costly interruptions to business processes or capabilities. But the continuity of core services, technologies, and operations is constantly threatened by technology infusions, rapidly evolving processes, and new business ventures. Business continuity management (BCM) is a sound business investment where it has been recognised that the potential benefits far outweigh the costs. Not having a planned course of action in the event of a major business disruption can result in loss of revenue, defection of customers, deterioration of brand equity and permanent loss of shareholder value, or total loss of the business.

How KPMG Can Help

KPMG's Business Continuity Management (BCM) services address major disruptions, natural or man-made, that affect the smooth continuance of an organization's core processes. We assist organizations in adopting a practical and robust approach to BCM through a structured and demonstrated approach, which is underpinned by our global project management and BCM methodologies and is supported by a range of processes and tools. These methodologies are well established and are based on four distinct phases: assessment, design, implementation, and governance.

Our multiskilled team of professionals combines BCM experience across many industries with a focus on developing practical and effective continuity solutions. Our understanding of financial, operational, and technical issues specific to your industry should provide you with valuable perspectives and knowledge during the project planning and implementation processes.

KPMG has a well-established reputation for excellence in providing BCM services. We demonstrate this leadership through our involvement with the international business continuity standards boards:
- Disaster Recovery Institute International (DRII)
- Business Continuity Institute (BCI)
- Disaster Recovery Journal (DRJ) Magazine Board
- Continuity Insights Magazine Board

"Approximately half of the organizations surveyed experienced a Business Interruption in the last year." (Source: 2008 Continuity Insights/KPMG Business Continuity Management Benchmarking Study)

[Figure: Business Continuity Management methodology: Enterprise Business Continuity Office; Risk Assessment; Business Impact Analysis; Recovery Alternatives Analysis; Business Continuity Plan Development; Exercises; Governance.]
Unified IT Compliance

Key Questions:
- Who within our organization is responsible for executive sponsorship of IT governance?
- What are the regulatory, contractual, and policy mandates that our organization must comply with?
- How do we define common criteria for measuring controls across various groups, processes, and systems within our organization to help ensure uniform measurement during assessments?
- How do we define key risk indicators based on our unique environment, risk tolerance, and key assets?
- How do we effectively manage resource allocation and appropriate skill-set alignment?
The compliance burden in today's technology world is heavy and is bound to increase in weight. As companies grow, they can find themselves managing multiple sets of disparate compliance requirements. IT leaders find themselves repeatedly designing compliance systems for overlapping reporting, leaving strategic revenue or growth opportunities to compete for a distant second place in resource allocation. The majority of costs associated with improving IT compliance come from frequently repeating time-consuming processes. These manual processes include creating, defining, and distributing policies; tracking exceptions; managing standards and entitlements; remediating deviations; and performing both procedural and technical assessments.

How KPMG Can Help

KPMG's Unified IT Compliance services can help companies rationalize multiple compliance mandates to reduce the overall time and cost associated with complying. Our professionals have extensive experience helping companies to design control frameworks and assess the effectiveness of controls to meet the requirements of industry standards, such as ISO 20000/ITIL, ISO 27001, PCI, SOX, COBIT, ISAE 3402, and SOC 1 and SOC 2 reports (formerly SAS 70). Furthermore, our professionals focus on assessing risks and designing and implementing controls over your IT processes and technologies. Because the discipline of information security and compliance is critical to a well-controlled technology infrastructure, the risk and control perspective is key to an organization's ability to achieve compliance with any recognized information security standard and compliance mandate.

"Performing as a leader obviously costs time and money. Industry leaders are allocating 30 percent of IT staff time to regulatory compliance." (Source: IT Policy Compliance Group)

[Figure: Unified IT Compliance model.
- Governance: Oversight Board; Program Management & Reporting; Risk Management; Compliance; Continuous Improvement
- Risk Assessment; Control Definition; Control Testing & Monitoring; Certification (SOC, ISO 27k); Control Improvement
- Controls Integration: Unified Risk/Control Matrix; Control Remediation; Provisioning Controls Monitoring; Network Traffic Monitoring; Automated Patch Mgmt; PSFT Upgrade; SOA
- Unified Control Processes: IT Embedded Control Activities and Non-Embedded Control Activities, covering Change Controls; Identity Access Controls; Network, OS, & DB Access Controls; Data Privacy Controls; Patch Management; Computer Operations Controls; Vulnerability Management; Incident Management; Record Retention Controls]
Electronic Archiving

Key Questions:
- At a time when information sitting in rapidly evolving systems represents the major part of a company's assets, have you taken the time to appropriately safeguard these assets over the mid and long term?
- Does your company have a structured approach to data archiving, and does it encompass both paper-based and electronic data and information?
- Are you confident that your processes and controls are set up and work in a way that all information is archived and retained according to the quality standards set out by legal and regulatory requirements?
- Are you able to find and retrieve information efficiently whilst being sure that you have the correct version? Is this information stored in a way that avoids unnecessary performance drawbacks on your core production systems?
- While information is produced throughout all areas and processes of your company, do you limit your archives to the pertinent instances of the information, avoiding unnecessary duplication and risk?
- Have you analyzed the strategic opportunities of having your information archived by a specialized service provider in the field of electronic archiving?
Electronic Archiving Services

Information that is produced and collected in all different forms and across all areas is becoming more and more vital for organisations today. At the same time, requirements to retain information, and specific requirements on the permissible use and treatment of information (e.g. data privacy regulations), are multiplying. This is resulting in rising costs and complexity to manage and store such information. The establishment of an efficient approach to archiving information, covering all material aspects of the information lifecycle from creation to the defined destruction of information, is becoming a challenge. At the same time, the need to establish such an efficient approach is becoming imminent.

"The anticipated publication of the draft law on Electronic Archiving in April 2012 will create a new momentum in the development of new business cases (for Luxembourg)." (Luxembourg Minister of Economy Mr. Etienne Schneider at the Luxembourg Economy Days on February 8th and 9th 2012)

How KPMG Can Help

KPMG's Electronic Archiving Services focus on an integrated, holistic approach to identify information; the related internal, legal and regulatory requirements; technology; and our clients' strategic ambitions and context, covering the full information lifecycle. KPMG can help to achieve efficiencies through the identification and realization of cost savings by avoiding information redundancies and decreasing complexity via a methodical approach to managing information and technology. At the same time, KPMG's Electronic Archiving Services approach is risk averse, permitting minimization of the overall risk exposure resulting from information that may not be retrievable or might be void or outdated.

KPMG's Electronic Archiving Services include:
- Establishing a strategic approach, including assessment of potential sourcing scenarios for parts or the full value chain of Electronic Archiving;
- Establishing the minimum requirements for the electronic archiving of information, incorporating legal, regulatory, quality, technology and information management process considerations within an Archiving Policy;
- Defining the Data Classification Scheme as a basis to identify all relevant information throughout a client's enterprise or for specific business areas (e.g. HR, Finance);
- Defining, establishing and implementing the operational and technical processes and procedures for Electronic Archiving, including transformation of existing records management solutions or paper archives;
- Implementation of the Electronic Archiving system, including the operational set-up;
- Certification of the Electronic Archiving processes and systems against ISO 27000 ISMS and ISAE 3000 / SOC, compliance with specific requirements, or on technical/organizational aspects.

[Figure: Records system implementation steps, grouped under Policy Design and Standards Implementation:
- Step A: Conduct preliminary investigation
- Step B: Analyse business activity
- Step C: Identify requirements for records
- Step D: Assess existing systems
- Step E: Identify strategies to satisfy requirements
- Step F: Design records system
- Step G: Implement records systems
- Step H: Conduct post-implementation review]
KPMG's Thought Leadership

Providing new information and perspective to the industry as a whole is a vital part of our role as global service advisors. KPMG professionals have technical strengths that not only serve the interests of our clients but also contribute to the industry. KPMG's thought leadership includes white papers and articles that offer new perspectives on critical issues as well as surveys that track emerging trends. Some of our recent publications are:
- Governance, Risk, and Compliance: Driving Value through Controls Monitoring. This white paper explores the potential benefits of controls monitoring as a means of improving decision making, reducing the costs of control performance and monitoring, and driving greater business value.
- IT Governance and the Audit Committee: Recognizing the Importance of Reliable and Timely Information. This paper discusses audit committees' increased recognition of the risks posed by information technology, which is causing many audit committees to consider their oversight responsibilities as well as the roles of other committees and the full board.
- The Changing Lens of Information Security. Information protection is moving towards a more strategic focus on protection at the data level.
- Data Loss Barometer. This research is based on publicly disclosed incidents of data loss from 2007 to 2010. This report does not provide a definitive list of all data breaches; rather, it is a snapshot of a global issue. Nonetheless, it is evident that incidents do occur, that data is lost, and that confidential information and personal details are compromised.
- Information Risks Today: Embrace or Deny? A board member's guide to today's information security and risk revolution.
- Identity and Access Management Initiatives: Too Much Application Focus, Not Enough Business Process Focus.
- Executive Considerations When Building and Managing a Successful Cloud Service. The move to cloud computing is underway, and technology companies ranging from start-ups to established players are rolling out cloud services at a dizzying pace.
Contact

Michael Hofmann
Partner, Regulatory Consulting IT Advisory
T: +352 22 51 51 7925
E: michael.hofmann@kpmg.lu

Estefania Rizzo
Senior Manager, Regulatory Consulting IT Advisory
T: +352 22 51 51 7912
E: estefania.rizzo@kpmg.lu

Ralf Mutzke
Senior Manager, Regulatory Consulting IT Advisory
T: +352 22 51 51 7957
E: ralf.mutzke@kpmg.lu

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2012 KPMG Luxembourg S.à r.l., a Luxembourg private limited company, is a subsidiary of KPMG Europe LLP and a member of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in Luxembourg.