Cyber Security Consulting, IT Audit & Assessment Services
Protecting Information in the Enterprise

Grant Thornton, LLP
A QSA Company

Danny Miller, CISA, CGEIT, CRISC, ITIL
April 2012
© Grant Thornton LLP. All rights reserved.
Grant Thornton overview
At-a-glance

Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries, including 50 offices in the United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe.
Statistics          Grant Thornton International Ltd   Grant Thornton LLP
Revenues            $4 billion                         $1.2 billion
Personnel           29,890                             5,505
Partners            2,539                              540
Offices             498                                52
Statistics as of    Sept. 30, 2008                     July 31, 2009



Sections: Cyber Security & IT Audit | Strategy & Design Services | Vulnerability & Penetration Services | Other assessment services | Privacy | PCI | Contact




  Grant Thornton's Cyber Security Solution Practice

Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored.

We address our clients' complex security requirements through a variety of consulting support, including: strategy; information protection; data leakage; assessing security vulnerabilities; advising on establishing or improving the operations of a security organization; remediating compliance failures or gaps, including gaps related to PCI and HIPAA/HITECH compliance; and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures throughout the entire life cycle of information in the enterprise.



Our IT Audit Services
• Our approach to technology risk is compatible with all major frameworks, including COSO and the latest Risk IT framework from ISACA, and fills the gaps that other frameworks do not cover. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.
• The team that will be managing and executing this engagement has more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, MCSE, ITIL and CGEIT.
• Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry. Relevant clients include:
        – Sunoco
        – Quaker Chemical
        – Philadelphia Gas Works
        – Donegal Insurance
        – Lyondell Chemical
        – Amerigas
        – Airgas
        – Valspar Corporation





[Figure omitted] ©2010 ISACA. All rights reserved.




Guiding Principles of IT Risk Management

• Ensure a connection to enterprise objectives and enterprise risk
• Align the management of IT-related business risk with overall enterprise risk management
• Balance the costs and benefits of managing risk
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
• Risk is a continuously changing landscape, and risk management acknowledges that it is a continuous process








Grant Thornton Cyber Security services
  - Information protection at all levels
  - Data Leakage detection and prevention
  - Security Strategy and Design
  - Threat Analysis
  - Vulnerability Assessments
  - Penetration Testing
  - Anti-phishing consulting
  - Risk-event consulting
  - Data Privacy & Protection
  - PCI Data Security Standards QSA Consulting
  - HIPAA




Grant Thornton's Cyber Security Services
• Experienced and dedicated cyber security personnel
        – Deep technical background – real expertise in cybersecurity
        – Experience across industries
        – Practical and cost effective strategies to mitigate risk
• Address the security risk within the context of business risk
        – Understand the relationship of IT risk management within overall
          enterprise risk management
        – Communicate technical risks in layman's terms and in terms of business impact
• Proven cyber security methodologies, tools, and techniques







Cybersecurity Life Cycle and Service Components

Each entry below gives the life cycle component, its solution set, the activities/scope covered, and the corresponding ITIL* framework component.

Policy
  Solution set: Strategy and Assessment
  Activities/Scope: Develop and test policy, best practices
  ITIL component: Plan/Maintain

Assess
  Solution set: Strategy and Design, Threats
  Activities/Scope: Risk, Data privacy and classification, Breaches, Programs, Monitoring, PCI, HIPAA, Vulnerability and Penetration testing, Cloud, Agreements with third parties, Service Level Agreements (SLA), Operational Level Agreements (OLA)
  ITIL component: Evaluate

Implement
  Solution set: Plan, Design and Implement
  Activities/Scope: Threat Profiling, PCI, HIPAA, IDS/IPS, VPN, Firewalls, SIM/SEM, Application (including Cloud-based), SDLC, Data classification, Data privacy (state, federal, international)
  ITIL component: Implement

Manage
  Solution set: Risk, Policy, Standards, Procedures, Programs
  Activities/Scope: Threats, Incidents, Master Data Management (MDM), IT Audits, Self Assessment, Penetration and Vulnerability, Communication, Response
  ITIL component: Control/Maintain

Respond
  Solution set: Investigate, Respond, Remediate
  Activities/Scope: Threat reduction, Countermeasures, Data leakage and breaches, PCI breaches, HIPAA information exposure
  ITIL component: Control/Maintain

* The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value, hence cybersecurity is one of those services.






Cyber Security Strategy & Design

Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the goal of the ITIL Information Security Management (ISM) strategy is the alignment of IT security with business security, to ensure that information security is effectively managed in all service and Service Management activities.

This strategy includes managing risk and security over information assets while balancing the needs of the business for:
• Availability of information and assets
• Confidentiality of information
• Integrity of information








The problem with "Big Data"

[Figure omitted] Attribution: Cloud Security Alliance (CSA)





Vulnerability assessment vs. Penetration test

• The terms "vulnerability assessment" and "penetration test" are sometimes used interchangeably, so it's important to define and distinguish them.
• Vulnerability assessment
        – a service that provides a comprehensive, prioritized identification of vulnerabilities, but does not attempt to exploit them.
• Penetration test
        – a goal-oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities.






Other assessment services
• Wireless Assessment
        – a service that assesses the security mechanisms (e.g., authentication, encryption) of a wireless network, and attempts to identify rogue access points.
• Web Application Security Assessment
        – a service that assesses the security of a web application, including session management, authentication, authorization, and input validation.
• Voice Over IP (VoIP) Security Assessment
        – a service that assesses the security of a deployed VoIP infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols.
• Data Leakage Prevention Assessment
        – a service that measures an organization's risk of information leakage.




Privacy
Information Trends

• Every day, companies collect, use, profile, disclose, and analyze customer information
• Employees who have access to sensitive information inside an organization also represent a key risk – we see this as the fastest rising threat
• Unfortunately, some of this information is:
        – Misused
        – Stolen
        – Sold, traded or given to organizations (e.g., WikiLeaks)
• This has led to a trust gap among customers, employees and corporate leadership





Privacy
Personally Identifiable Information (PII)
Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include:

• Social Security number
• Driver's license number or state-issued identification card number
• Financial account number, credit card number, or debit card number
• Name, address, email address
• Credit records
• Buying history
• Employee records

Much of this information is sensitive and a greater cause for concern.




Privacy
Information stakeholder concerns
• Customers
        – Concerned with how and why their information is collected, used, disclosed, and retained
        – Want businesses to earn trust
• Businesses
        – Trying to strike a balance between collection and use of information
        – Concerned with reducing the privacy risk of poor privacy practices
        – Want to leverage good privacy practices and retain the trust of customers
• Government
        – Taking increased action on growing concerns about privacy to:
                • Protect rights of citizens
                • Better manage its own data stores






HIPAA
 GT Healthcare IT Security Offerings:
 • IT Security Risk Assessment
 • IT Security Program Implementation Assistance
 • IT Security/HIPAA Review and Recommendations
 • HIPAA Compliance Attestation Report








HIPAA
IT Security Risk Assessment








HIPAA
IT Security Program Implementation Assistance
• Based on HIPAA/ISO/CobiT/NIST
• IT Security Risk Assessment
• Policies
• Procedures
• Business Impact Analysis
• Incident Management Program
• Security Awareness Program
• IT Contingency Plans/Updated DRP
• Vulnerability Assessment/Pen Tests
• Controls Testing








HIPAA
IT Security/HIPAA Review and Recommendations
• Evaluate and test:
    – Administrative safeguards,
    – Physical safeguards
    – Technical safeguards
    – Organizational safeguards
    – Policies, Procedures and
      Documentation Requirements








HIPAA
HIPAA Compliance Attestation Report and Readiness Review
Similar to SAS 70, except the opinion is on HIPAA compliance.

Phases: Criterion Definition → Observation and Testing → Reporting, with Management Checkpoints between the phases.

• Evaluate and reaffirm the appropriateness of the design of processes and controls with management
• Evaluate and reaffirm management's interpretation of compliance to ensure that the defined criteria are measurable, objective and will be understood by any readers of the report
• Test the operating effectiveness of identified controls for the testing period
• Determine whether controls were operating effectively throughout the testing period
• Confirm the validity of identified findings with the process owner and inform management of validated findings
• Evaluate the significance of any instances of non-compliance with the specified criteria








Privacy Assessment Approach

1. Information Collection
   • Identify entry points
   • Develop process flows
   • Map flows onto IT infrastructure
   • Leverage DLP to validate
   Outcome: an understanding of the environment

2. Identify Scope Reduction Opportunities
   • Reduce / modify data collection
   • Reduce data storage
   • Modify business processes
   Outcome: reduced scope and risk

3. Gap Analysis
   • Conduct gap analysis with the Enhanced Privacy Framework
   Outcome: gap analysis document with gap prioritization

4. Remediation Planning & Roadmap
   • Recommend remediation projects
   • Develop a prioritized approach
   Outcome: remediation plan








Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive requirements for the protection of payment card information.

The PCI-DSS is managed by the PCI Security Standards Council (PCI-SSC) and sponsored by the major card brands.

The PCI-DSS is applicable to any organization that stores, processes or transmits cardholder data (CHD).

Major payment card security breaches since 2005:
• 2005 – Card Systems: 40 million cards; processing ability revoked by Visa and MasterCard
• 2007 – TJX: at least 45.7 million customers affected; over $250 million in costs
• 2008 – Hannaford Foods: 4.2 million cards; validated compliant at time of breach; liability and results pending
• 2009 – Heartland Payment Systems: potentially more than 100 million cards compromised and untold amounts of resulting damages








Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS high-level requirements
The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards.








What information must be protected?

Category                        Data Element                   Storage Permitted   Protection Required   Encryption Required
Cardholder Data                 Primary Account Number (PAN)   Yes                 Yes                   Yes
Cardholder Data                 Cardholder Name                Yes                 Yes                   No
Cardholder Data                 Service Code                   Yes                 Yes                   No
Cardholder Data                 Expiration Date                Yes                 Yes                   No
Sensitive Authentication Data   Full Magnetic Stripe Data      No                  N/A                   N/A
Sensitive Authentication Data   CAV2/CVC2/CVV2/CID             No                  N/A                   N/A
Sensitive Authentication Data   PIN/PIN Block                  No                  N/A                   N/A








Payment Card Industry Data Security Standard (PCI DSS)
Some common PCI DSS myths:
• PCI doesn't apply to us because:
        – We don't take enough credit cards, or
        – It only applies to retailers and ecommerce
• PCI makes us store cardholder data
• We are compliant because we:
        – Encrypt our cardholder data, or
        – Use vendor/product ABC, or
        – Outsource our credit card processing
• PCI compliance is an IT project
• PCI will make us secure
• We completed our SAQ so we're compliant





Payment Card Industry Data Security Standard (PCI DSS)

Grant Thornton PCI DSS Capabilities
Current capabilities:
• An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSAs in our practice across two countries
• A client base that we can reference from in the QSA space
• Extensive PCI DSS consulting experience
• Performing PCI DSS penetration testing and risk assessments
• Performing PCI DSS readiness assessments for all merchant levels








Contact information

Danny Miller
Grant Thornton LLP
Principal & Practice Leader
Tel: 215.376.6010 | email: Danny.Miller@us.gt.com

Or e-mail cybersecurity@us.gt.com




 
Riskpro legal and compliance audits
Riskpro legal and compliance auditsRiskpro legal and compliance audits
Riskpro legal and compliance audits
 
Riskpro Legal And Compliance Audits
Riskpro Legal And Compliance AuditsRiskpro Legal And Compliance Audits
Riskpro Legal And Compliance Audits
 
Finding a Strategic Voice - IBM CISO Study
Finding a Strategic Voice - IBM CISO StudyFinding a Strategic Voice - IBM CISO Study
Finding a Strategic Voice - IBM CISO Study
 
Cyber Threat Management Services
Cyber Threat Management ServicesCyber Threat Management Services
Cyber Threat Management Services
 
The paypers Vol 5.
The paypers Vol 5. The paypers Vol 5.
The paypers Vol 5.
 
Compliance Awareness
Compliance AwarenessCompliance Awareness
Compliance Awareness
 
Riskpro brief introduction
Riskpro brief introductionRiskpro brief introduction
Riskpro brief introduction
 
Data Security and Regulatory Compliance
Data Security and Regulatory ComplianceData Security and Regulatory Compliance
Data Security and Regulatory Compliance
 
Co3 rsc r5
Co3 rsc r5Co3 rsc r5
Co3 rsc r5
 

Viewers also liked

Viewers also liked (8)

Netas Nova Cyber Security Product Family
Netas Nova Cyber Security Product FamilyNetas Nova Cyber Security Product Family
Netas Nova Cyber Security Product Family
 
Security Consulting Services
Security Consulting ServicesSecurity Consulting Services
Security Consulting Services
 
Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)Cyber Warfare vs. Hacking (in English)
Cyber Warfare vs. Hacking (in English)
 
Cyber Security Needs and Challenges
Cyber Security Needs and ChallengesCyber Security Needs and Challenges
Cyber Security Needs and Challenges
 
Marlabs Capabilities Overview: Cyber Security Services
Marlabs Capabilities Overview: Cyber Security Services Marlabs Capabilities Overview: Cyber Security Services
Marlabs Capabilities Overview: Cyber Security Services
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat ProtectionSymantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentation
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 

Similar to Cybersecurity It Audit Services Gt April2012

DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
DFLABS SRL
 
Technology Risk Services
Technology Risk ServicesTechnology Risk Services
Technology Risk Services
sarah kabirat
 
Sunera business & technology risk consulting services -slide share
Sunera  business & technology risk consulting services -slide shareSunera  business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide share
Sunera
 
Brandon Consulting Overview
Brandon Consulting OverviewBrandon Consulting Overview
Brandon Consulting Overview
Ronan Martin
 
Security architecture rajagiri talk march 2011
Security architecture  rajagiri talk march 2011Security architecture  rajagiri talk march 2011
Security architecture rajagiri talk march 2011
subramanian K
 

Similar to Cybersecurity It Audit Services Gt April2012 (20)

DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
 
Technology Risk Services
Technology Risk ServicesTechnology Risk Services
Technology Risk Services
 
Sunera business & technology risk consulting services -slide share
Sunera  business & technology risk consulting services -slide shareSunera  business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide share
 
Magnus Management Group Capability Presentation 2020
Magnus Management Group  Capability Presentation 2020Magnus Management Group  Capability Presentation 2020
Magnus Management Group Capability Presentation 2020
 
Agama Profile
Agama ProfileAgama Profile
Agama Profile
 
Agam Profile
Agam ProfileAgam Profile
Agam Profile
 
MENA IT Governance, Risk & Compliance 2010
MENA IT Governance, Risk & Compliance 2010MENA IT Governance, Risk & Compliance 2010
MENA IT Governance, Risk & Compliance 2010
 
MitKat Ad
MitKat AdMitKat Ad
MitKat Ad
 
Brandon Consulting Overview
Brandon Consulting OverviewBrandon Consulting Overview
Brandon Consulting Overview
 
Security architecture rajagiri talk march 2011
Security architecture  rajagiri talk march 2011Security architecture  rajagiri talk march 2011
Security architecture rajagiri talk march 2011
 
Inv306 going social in a world of grc v.1.1
Inv306 going social in a world of grc v.1.1Inv306 going social in a world of grc v.1.1
Inv306 going social in a world of grc v.1.1
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro Information Risk Management
Riskpro Information Risk ManagementRiskpro Information Risk Management
Riskpro Information Risk Management
 
Riskpro information risk management
Riskpro information risk managementRiskpro information risk management
Riskpro information risk management
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
 
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsUsing Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
 
Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
Symantec Webinar Part 1 of 6 The Four Stages of GDPR ReadinessSymantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
in-ra-service-brochure-December-23-noexp.pdf
in-ra-service-brochure-December-23-noexp.pdfin-ra-service-brochure-December-23-noexp.pdf
in-ra-service-brochure-December-23-noexp.pdf
 
Risk Advisory’s new narrative Mitigate risks effectively
Risk Advisory’s new narrative Mitigate risks effectivelyRisk Advisory’s new narrative Mitigate risks effectively
Risk Advisory’s new narrative Mitigate risks effectively
 

More from Danny Miller

More from Danny Miller (7)

Cip Multichannel Retail Webcast 091112 (2)
Cip Multichannel Retail Webcast 091112 (2)Cip Multichannel Retail Webcast 091112 (2)
Cip Multichannel Retail Webcast 091112 (2)
 
Social Media Presentation Gt Vfinal
Social Media Presentation Gt VfinalSocial Media Presentation Gt Vfinal
Social Media Presentation Gt Vfinal
 
Iia 2012 Spring Conference Philly V Final
Iia 2012 Spring Conference Philly V FinalIia 2012 Spring Conference Philly V Final
Iia 2012 Spring Conference Philly V Final
 
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
Nfp Seminar Series   Danny   November 18   Emerging Technology Challenges And...Nfp Seminar Series   Danny   November 18   Emerging Technology Challenges And...
Nfp Seminar Series Danny November 18 Emerging Technology Challenges And...
 
Draft Webinar Template Enterprise Master Data Mgt Oct24 2011(V5)
Draft Webinar Template Enterprise Master Data Mgt Oct24 2011(V5)Draft Webinar Template Enterprise Master Data Mgt Oct24 2011(V5)
Draft Webinar Template Enterprise Master Data Mgt Oct24 2011(V5)
 
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
2011 IIA Pittsburgh Grant Thornton LLP Presentation (Nov 2011)
 
Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal
Bcp Dr Grant Thornton Llp(Danny Miller) VfinalBcp Dr Grant Thornton Llp(Danny Miller) Vfinal
Bcp Dr Grant Thornton Llp(Danny Miller) Vfinal
 

Cybersecurity It Audit Services Gt April2012

  • 1. Cyber Security Consulting, IT Audit & Assessment Services Protecting Information in the Enterprise Grant Thornton, LLP A QSA Company Danny Miller, CISA, CGEIT, CRISC, ITIL April 2012 -1- © Grant Thornton LLP. All rights reserved.
  • 2. Grant Thornton overview At-a-glance Founded in 1924, Grant Thornton LLP is the U.S. member firm of Grant Thornton International. Through member firms in more than 80 countries including 50 offices in United States, the partners of Grant Thornton provide personalized attention and the highest quality of service to companies around the globe. Grant Thornton Grant Thornton Statistics International Ltd LLP Revenues $ 4 billion $ 1.2 billion Personnel 29,890 5,505 Partners 2,539 540 Offices 498 52 Statistics as of Sept. 30, 2008 July 31, 209 -2- © Grant Thornton LLP. All rights reserved.
  • 3. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton's Cyber Security Solution Practice Grant Thornton's Cyber Security practice is focused on protecting the enterprise's information no matter where it is. In this age of distributed, mobile and cloud-based systems and data, it is vitally important to understand how information is created, processed, transmitted and stored. We address our client's complex security requirements through a variety of consulting support, including strategy, information protection, data leakage, assessing security vulnerabilities, advising on establishing or improving the operations of a security organization, remediating compliance failures or gaps – including gaps related to PCI and HIPAA/HITECH compliance and developing approaches and programs to effectively assess and manage risk by implementing appropriate security countermeasures through the entire life cycle of information in the enterprise. -3- © Grant Thornton LLP. All rights reserved.
  • 4. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Our IT Audit Services  Our approach to technology risk is compatible with all major frameworks, including COSO, the latest Risk IT framework from ISACA and fills the gaps that other frameworks do not provide. We also cover application risk with a lens from the Global Technology Audit Guides (GTAG) from the IIA.  The team that will be managing and executing this engagement have more than 90 years of combined technology experience in industry, Big-4 consultancy and as practitioners. Their credentials include one or more of CPA, CIA, CISA, CISM, CISSP, GAWN, GCWN, CCNP, CCNA, or MCSE, ITIL, CGEIT  Grant Thornton has a long history of consulting in the Oil, Gas and Chemicals Industry. Relevant clients include:  Sunoco  Lyondell Chemical  Quaker Chemical  Amerigas  Philadelphia Gas Works  Airgas  Donegal Insurance  Valspar Corporation -4- © Grant Thornton LLP. All rights reserved.
  • 5. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services ©2010 ISACA. All rights reserved. -5- © Grant Thornton LLP. All rights reserved.
  • 6. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Guiding Principles of IT Risk Management  Ensure a connection to enterprise objectives and enterprise risk  Align the management of IT-related business risk with overall enterprise risk management  Balance the costs and benefits of managing risk  Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels  Risk is a continuously changing landscape and risk management acknowledges that it is a continuous process -6- © Grant Thornton LLP. All rights reserved.
  • 7. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton Cyber Security services - Information protection at all levels - Data Leakage detection and prevention - Security Strategy and Design - Threat Analysis - Vulnerability Assessments - Penetration Testing - Anti-phishing consulting - Risk-event consulting - Data Privacy & Protection - PCI Data Security Standards QSA Consulting - HIPAA -7- © Grant Thornton LLP. All rights reserved.
  • 8. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Grant Thornton's Cyber Security Services • Experienced and dedicated cyber security personnel – Deep technical background – real expertise in cybersecurity – Experience across industries – Practical and cost effective strategies to mitigate risk • Address the security risk within the context of business risk – Understand the relationship of IT risk management within overall enterprise risk management – Communicate technical risks using layman terms and business impact • Proven cyber security methodologies, tools, and techniques -8- © Grant Thornton LLP. All rights reserved.
  • 9. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Cybersecurity Life Cycle and Service Components Life Cycle ITIL* Framework Solution Set Activities/Scope Component Component Policy Strategy and Assessment Develop and test policy, best practices Plan/Maintain Risk, Data privacy and classification, Breaches, Programs, Monitoring, PCI, Strategy and Design, HIPAA, Vulnerability and Penetration Assess Threats testing, Cloud, Agreements with third Evaluate parties, Service Level Agreements (SLA), Operational Level Agreements (OLA) Threat Profiling, PCI, HIPAA, IDS/IPS, VPN, Firewalls, SIM/SEM, Application Plan, Design and Implement Implement (including Cloud-based), SDLC, Data Implement classification, Data privacy (state, federal, international) Threats, Incidents, Master Data Risk, Policy, Standards, Management (MDM),IT Audits, Self Manage Procedures, Programs Assessment, Penetration and Control/Maintain Vulnerability, Communication, Response Threat reduction, Countermeasures, Data Investigate, Respond, Respond Remediate leakage and breaches, PCI breaches, Control/Maintain HIPAA information exposure * - The IT Infrastructure Library (ITIL) is a global framework for service management and is the most widely accepted approach to managing information technology. Services are assets from which the customer gains value, hence cybersecurity is one of those services. -9- © Grant Thornton LLP. All rights reserved.
  • 10. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Cyber Security Strategy & Design Based upon the IT Infrastructure Library (ITIL) framework of best practices in IT, the ITIL Information Security Management's (ISM) strategy goal is the alignment of IT security with business security to ensure that information security is effectively managed in all service and Service Management activities. This strategy includes managing risk and security over information assets while balancing the needs of the business for: • Availability of information and assets • Confidentiality of information • Integrity of information - 10 - © Grant Thornton LLP. All rights reserved.
  • 11. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services The problem with "Big Data" Attribution: Cloud Security Alliance (CSA) - 11 - © Grant Thornton LLP. All rights reserved.
  • 12. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Vulnerability assessment vs. Penetration test • The terms "vulnerability assessment" and "penetration test" are sometimes used interchangeably, so it's important to define and distinguish them. • Vulnerability assessment – a service that provides a comprehensive prioritized identification of vulnerabilities, but does not attempt to exploit them. • Penetration test – a goal oriented service that attempts to gain unauthorized access to a specified target by exploiting one or more vulnerabilities. - 12 - © Grant Thornton LLP. All rights reserved.
  • 13. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Other assessment services Wireless Assessment − a service that assesses the security mechanisms (e.g., authentication, encryption) of a wireless network, and attempts to identify rogue access points. Web Application Security Assessment − a service that assesses the security of a web application, including session management, authentication, authorization, and input validation. Voice Over IP (VoIP) Security Assessment − a service that assesses the security of a deployed VoIP infrastructure, including the infrastructure support, the VoIP components, and the VoIP protocols. Data Leakage Prevention Assessment − a service that measures an organization's risk of information leakage. - 13 - © Grant Thornton LLP. All rights reserved.
  • 14. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Information Trends • Every day, companies collect, use, profile, disclose, and analyze customer information • Employees who have access to sensitive information inside an organization also represent a key risk – we see this as the fastest rising threat • Unfortunately, some of this information is: • Misused • Stolen • Sold , traded or given to organizations (e.g., WikiLeaks) • This has led to a trust gap among customers, employees and corporate leadership - 14 - © Grant Thornton LLP. All rights reserved.
  • 15. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Personally Identifiable Information (PII) Personal information is any information that is, or reasonably could be, attributable to a specific individual. The information can be either factual or subjective, and recorded in any form or even unrecorded. Some examples include: Social Security number Driver's license number or state-issued identification card number  financial account number, credit card number, or debit card number Name, address, email address Credit records Buying history Employee records Much of this information is sensitive and greater cause for concern. - 15 - © Grant Thornton LLP. All rights reserved.
  • 16. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Information stakeholder concerns • Customers – Concerned with how and why their information is collected, used, disclosed, and retained – Want businesses to earn trust • Businesses – Trying to strike a balance between collection and use of information – Concerned with reducing privacy risk of poor privacy practices – Want to leverage good privacy practices and retain trust of customers • Government – Taking increased action on growing concerns about privacy to: – Protect rights of citizens – Better manage its own data stores - 16 - © Grant Thornton LLP. All rights reserved.
  • 17. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA GT Healthcare IT Security Offerings: • IT Security Risk Assessment • IT Security Program Implementation Assistance • IT Security/HIPAA Review and Recommendations • HIPAA Compliance Attestation Report - 17 - © Grant Thornton LLP. All rights reserved.
  • 18. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security Risk Assessment - 18 - © Grant Thornton LLP. All rights reserved.
  • 19. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security Program Implementation Assistance • Based on HIPAA/ISO/CobiT/NIST • IT Security Risk Assessment • Policies • Procedures • Business Impact Analysis • Incident Management Program • Security Awareness Program • IT Contingency Plans/Updated DRP • Vulnerability Assessment/Pen Tests • Controls Testing - 19 - © Grant Thornton LLP. All rights reserved.
  • 20. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA IT Security/HIPAA Review and Recommendations • Evaluate and test: – Administrative safeguards, – Physical safeguards – Technical safeguards – Organizational safeguards – Policies, Procedures and Documentation Requirements - 20 - © Grant Thornton LLP. All rights reserved.
  • 21. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services HIPAA HIPAA Compliance Attestation Report and Readiness Review Similar to SAS70, except opinion on HIPAA Compliance • Evaluate and reaffirm the appropriateness of the design of processes and controls with management Criterion Observation Reporting Definition and testing • Evaluate and reaffirm management’s interpretation of compliance to ensure that the defined criterion are measurable, objective and will be understood by any Management Checkpoints readers of the report • Test the operating effectiveness of identified controls for the testing period • Determine whether controls were operating effectively throughout the testing period • Confirm the validity of identified findings with the process owner and inform management of validated findings • Evaluate the significance of any instances of non-compliance with the specified criterion - 21 - © Grant Thornton LLP. All rights reserved.
  • 22. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Privacy Assessment Approach 1 2 3 4 Information Identify Scope Gap Analysis Remediation Planning & Collection Reduction Roadmap Opportunities Identify entry points Reduce / modify data Conducted Gap Recommendation Develop process collection Analysis with remediation projects flows Reduce data storage Enhanced Privacy Develop prioritized Map flows onto IT Modify business Framework approach infrastructure processes Leverage DLP to validate Gained an understanding of Reduced Scope and Risk Created Gap analysis Remediation plan the environment document with gap prioritization - 22 - © Grant Thornton LLP. All rights reserved.
  • 23. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS)  The Payment Card Industry Data Major payment card security Security Standard (PCI-DSS) is a set breaches since 2005 of comprehensive requirements for the protection of payment card • Card Systems information. 2005 • 40 Million Cards, Processing Ability Revoked by Visa and MasterCard  The PCI-DSS is managed by the PCI • TJX Security Standards Council (PCI-SSC) 2007 • At least 45.7 Million Customers Affected, Over $250 Million in costs and sponsored by the major card brands. • Hannaford Foods 2008 • 4.2 Million Cards, Validated Compliant at time of breach, Liability and Results Pending  The PCI-DSS is applicable to any organization that stores, processes or • Heartland Payment Systems transmits cardholder data (CHD). 2009 • Potentially more than 100 Million cards compromised and untold amounts of resulting damages - 23 - © Grant Thornton LLP. All rights reserved.
  • 24. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) PCI DSS high level requirements The PCI DSS prescribes requirements that any business of any size must adhere to in order to accept payment cards. - 24 - © Grant Thornton LLP. All rights reserved.
  • 25. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services What information must be protected? Storage Protection Encryption Data Element Permitted Required Required Primary Account Number (PAN) Yes Yes Yes Cardholder Name Yes Yes No Cardholder Data Service Code Yes Yes No Expiration Date Yes Yes No Full Magnetic Stripe Data No N/A N/A Sensitive Authentication Data CAV2/CVC2/CVV2/CID No N/A N/A PIN/PIN Block No N/A N/A - 25 - © Grant Thornton LLP. All rights reserved.
  • 26. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) Some common PCI DSS myths: • PCI doesn’t apply to us because: – We don’t take enough credit cards, or – It only applies to retailers and ecommerce • PCI makes us store cardholder data • We are compliant because we: – Encrypt our cardholder data, or – Use vendor/product ABC, or – Outsource our credit card processing • PCI compliance is an IT project • PCI will make us secure • We completed our SAQ so we’re compliant - 26 - © Grant Thornton LLP. All rights reserved.
  • 27. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Payment Card Industry Data Security Standard (PCI DSS) Grant Thornton PCI DSS Capabilities Current capabilities: • An experienced Qualified Security Assessor Company (QSAC) with a significant number of QSA's in our practice across two countries • Client base that we can reference from in the QSA space • Extensive PCI DSS consulting experience • Performing PCI DSS penetration testing and risk assessments • Performing PCI DSS readiness assessments for all merchant levels - 27 - © Grant Thornton LLP. All rights reserved.
  • 28. Cyber Security Strategy & Vulnerability & Other assessment Privacy PCI Contact & IT Audit Design Services Penetration Services services Contact information Danny Miller Grant Thornton LLP Principal & Practice Leader Tel: 215.376.6010 | email: Danny.Miller@us.gt.com Or e-mail cybersecurity@us.gt.com - 28 - © Grant Thornton LLP. All rights reserved.