
Security and Privacy

Data Privacy and Protection

Why is it an issue?

Privacy and Data Protection issues present a growing challenge to TMT organisations as they must interpret and comply with complex and diverse international laws and regulations on how they handle personal information. Customer and employee concerns over personal information have increased the reputational, regulatory and operational impact of a breach. A pro-active approach to privacy and data protection is now seen as a competitive advantage and can minimize the likelihood and significance of such a breach.

Service overview

We have a tried and tested, flexible methodology that can be used to address a range of compliance issues from thematic reviews to programme design. Our Privacy and Data Protection capabilities include:

  • Privacy strategy and operating model design and implementation
  • Policy and standard review
  • Risk-based compliance assessments and internal audits
  • Data discovery exercises
  • Third party privacy reviews
  • Breach response reviews
  • Training and awareness programmes.


Extended Enterprise

TMT organisations are often reliant on third parties to bring cost savings, improved agility and a high quality of service to their customers. As a result, sensitive information and resources become shared and held externally. The organisation must rely on the controls of the third party in order to protect these assets; however, a large number of publicly reported breaches have involved subcontractors losing sensitive data.

Why is it an issue?

Reported data losses typically hold the originating organisation responsible, even for third party breaches. Now more than ever, organisations need to understand what sensitive information third parties have, and if the controls protecting it are sufficient. With the thousands of third party relationships large organisations can have, this can be a formidable task.

Service overview

We offer a range of services to help you in meeting the challenges associated with securing the extended enterprise including:

  • Assessing the level of inherent risk from third parties’ handling of sensitive information
  • Gaining an insight into third parties’ attitudes and practices
  • Establishing and quantifying compliance to contractual obligations relating to information security
  • Implementing effective tracking and escalation of issues and resolution activities
  • Helping establish clear accountability and governance
  • Helping create an awareness of the importance of effective third party assurance
  • Providing the opportunity to rationalise your number of third parties and methods of connection.


Identity and Access Management

Why is it an issue?

  • In TMT organisations, IAM solutions are implemented to improve the usability of IT systems through Secure Sign On (SSO), improve process via automatic provisioning and create unified identities across the organisation
  • Automated provisioning and reduced sign on can result in increased efficiency, increased control and increased business satisfaction
  • TMT organisations typically have a large volume of subscriber identities to manage across disparate systems – IAM solutions can support a single customer view in both customer/billing and network provisioning systems.

Service overview

Our solutions cover all components of IAM including:

  • Enterprise single sign on - seamless access to applications and systems across business reducing interruptions to the user experience and increasing efficiency
  • Powerful provisioning engines - reducing management overhead and improving efficiency with a central provisioning engine connected to many end applications; coupled with a self-service portal, this enables users to get the most out of an organisation’s infrastructure
  • Enterprise identity – provision of a framework for access control and user administration that is integrated with HR joiner, mover, leaver processes with a single mechanism for requesting access
  • Customer identity - enable a streamlined customer registration process and risk-based security framework across all products and services with seamless network access for corporate customers
  • Information rights management - gain control of digital information by securing and tracking where it is stored and how it is used
  • Cloud identity services - provide a seamless user/customer experience by integrating cloud-based services with internal access control through federation. Reduce helpdesk costs by automating user provisioning and password management
  • Access governance – implementation of a business-friendly control framework that consistently enforces policy across HR processes and IT infrastructure and application access
  • Privileged access management - separate high-privileged capabilities from regular user capabilities. Implement a privileged user access management solution to audit access to administrative accounts.


PCI DSS

If an organisation accepts payments on Visa, MasterCard, or American Express cards, it must comply with the PCI Data Security Standard. This sets out a number of technical and non-technical requirements on how card data must be handled and stored.

Why is it an issue?

  • Organisations who store, transfer or process payment card information are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
  • Not complying with the standard can put you at risk of non-compliance fines and, if compromised, could mean far greater costs from forensic investigations, card replacement and reputational damage.
  • The demand from customers to use credit cards and the benefits of using automated payment solutions to sell direct to customers have led to a big increase in the number of telecommunications and media companies taking online payments. Often the security and PCI DSS requirements are not considered in the initial design, and the effort to make the chosen solution compliant afterwards can be considerable.
  • The compliance landscape is complex, involving payment card schemes (Visa, MasterCard, AmEx), acquiring banks and qualified security assessors (QSA) among others. Effectively managing these relationships is crucial to achieving compliance in a pragmatic and cost-effective manner.

Service overview

We provide services across the PCI DSS lifecycle, including:

  • Scoping and solution design review
  • Remediation programmes
  • Audit support
  • Stakeholder and QSA management
  • Programme management.


Preventing Information Leakage

Recent high profile security breaches involving personal data have created intense publicity and significant regulatory action against those responsible.

Why is it an issue?

The serious impact of security breaches is prompting TMT organisations to take immediate measures to understand the sensitive information they hold, how it is controlled and how to prevent it from being leaked. For many TMT organisations, personal and, in particular, customer information are amongst their most valuable assets. A number of factors continue to challenge organisations in their attempts to secure this information and prevent leakage and theft, for example.

Service overview

The key to achieving good security is through a multi-layered approach that builds an IT security conscious culture within all areas of the organisation: governance, people, process, technology. Our approach first looks at understanding the critical information and data your organisation processes, where it comes from, how it is stored and sent. Following this we undertake a controls review to assess who has access to it, which applications process it and what controls are in place.

We use powerful technology solutions and, through a short risk assessment, will quantify the risk you may be facing in relation to data leakage. We configure the technology to monitor your network for various types of data that are stored or being sent in violation of your policies. We follow a 4-step process:

  • Requirements gathering: we work with you to identify your top data security and privacy priorities
  • Policy definition: based on the information gathered in step 1, we configure the tools to be run on the identified areas according to your requirements
  • Confidential data monitoring: the next step is monitoring your confidential data across the identified areas, be that endpoint, network or storage systems
  • Reporting: following the monitoring and discovery stage, our team gathers with the key decision makers and information owners from your organisation to review the project results, examine the risk assessment reports and discuss next steps.


Securing Mobility

Why is it an issue?

Consumerisation and the increasing use of mobile devices is a hot topic across TMT enterprises as organisations look to take advantage of new technologies to empower users in their day-to-day jobs, often using their own devices. This can provide efficiencies in ways of working and improved mobility, as well as increasingly becoming a differentiator when looking to attract and retain top talent.

However, the dramatic increase in the use of new technology and tools such as smart phones, tablet PCs and social networking tools presents a new challenge for the CIO given their ability to transport and access corporate data as well as their dual usage (work and personal). Given the blurring between the managed corporate environment and the less controlled personal environment and the speed at which information can spread across the globe following a leak or breach of security, such devices may increase information security risks and strain existing controls. For example, portable mass storage devices must be handled with increasing care given they can store huge volumes of sensitive data; users are using their devices both to access that data whilst at work as well as using the device at home for their personal data.

Service overview

Our security team can help organisations to understand the risks associated with increased mobile working and support the definition and implementation of a secure mobile programme. This includes:

  • Understanding and assessing the regulatory implications of the increased use of mobile devices
  • Mobile device risk assessments
  • Vendor selection
  • Definition of baseline technical controls required to secure mobile devices
  • Training and awareness to support the roll-out of mobile technology, to complement the technical controls in place
  • Review of existing policies and procedures around mobile technology, including assessment of monitoring, acceptable usage policies and
  • Assessment of device build and technical configuration.


Security Transformation

Why is it an issue?

As high profile security breaches continue to dominate the headlines, TMT organisations are under more pressure than ever to address their information security issues, yet at the same time reduce their operational overheads.

In many cases, this has led organisations to inwardly assess their existing security infrastructure, capacity and capabilities to determine whether the function is fit for purpose from both a staff and technology tool point of view. Increased internal focus has also resulted in more audit issues, penetration test findings and risk assessment results, all of which need to be prioritised and actioned.

Service overview

A successful approach needs to consider a number of key questions. Deloitte offers a number of engagement scenarios to help an organisation answer one or more of the below questions, depending on how far it has already travelled along the path of change:

  • What framework will be used to define and measure progress against strategic objectives?
  • What is the current maturity of the organisation’s security capabilities?
  • Where would the organisation like to be? Is it realistic?
  • How will the organisation achieve its desired future state?
  • How will the organisation ensure successful delivery of its transformation?

We work with organisations to understand where their weaknesses may lie and, using our industry experience, define a target vision or future-state model for information security. This can involve definition of team structure and roles, through to implementation of specific security tools such as data loss prevention and event monitoring tools.


Business and Technology Resilience

Why is it an issue?

High-consequence events for TMT organisations can be broad ranging; from significant business disruptions due to severe weather, acts of terrorism, industrial strikes and pandemics, to a major project ‘go-live’, share price collapse, a new product launch or product recalls, significant fraud or data leakage. In short, any significant event which has the potential to seriously disrupt operations, damage reputation and destroy shareholder value.

Service overview

Our resilience team helps organisations anticipate, plan and prepare for a full range of events, from predictable and common to worst case scenarios. Our focus on resilience can help clients reduce disruptions, withstand failures or breakdowns, better understand critical dependencies and ensure resources are appropriately allocated.


Securing Data in the Cloud

There are a growing number of vendors offering a wide range of ‘cloud computing’ services. These are attractive to many organisations due to the cost, mobility, and control advantages they offer. Cloud computing can offer significant cost savings, and the ability to implement policy changes instantly for all users, without worrying about updating multiple desktop software instances. With the right approach, cloud data can also be held more securely, with better visibility of who is accessing data. However there are important data management issues that enterprises and vendors need to resolve before full migration to a cloud-based infrastructure is a feasible strategy.

Why is it an issue?

Clients may not have the skills or expertise to ensure that the value of the cloud is fully understood and that the cost-benefit proposition has been fully explored. There is also a need to evaluate the enterprise’s data and information needs and define the required cloud architecture. Policies and procedures will be required to manage information assets in the cloud. Cloud architecture design and planning should be informed by comprehensive risk analysis of security threats.

In contrast to physical security, it may be difficult to detect illegitimate access to sensitive data caused by poor data architecture.

Service overview

Deloitte are well-positioned to assist organisations with moving to a cloud data architecture using our well-established Enterprise Information Management framework. Assistance provided could include:

  • Defining technical procedures and standards for all software applications and managing development and implementation in the cloud
  • Ensuring that the user experience for business functions is at the required level and that no business processes are impaired
  • Executing full testing of all business and system functions in the cloud to ensure that performance is not affected.
