Access Governance as a Service PwC’s AccessAble www.pwc.co.uk May 2016


Contents

1. Key messages

2. Access Management issues

3. How AccessAble can help you

4. Purchasing AccessAble

5. Summary


Key messages


“Weak IT access controls cost Société Générale $7.2 billion. The case should prompt you to rethink how you balance IT security with employee access to critical systems.”

CIO Magazine


AccessAble gives you the confidence to know whether the right people in your business have access to the right applications – at all times

• Quickly and cost effectively give you the confidence to take control of your access management risk:

• Developed in response to our clients across the globe expressing frustration with the cost, time and effort of developing their own solutions or the market alternatives.

• AccessAble can help you:

  • Improve your security

  • Reduce your management overhead

  • Protect your reputation

  • Reduce your risk efficiently

• We are not a technology company – we have developed AccessAble to solve real client problems, quickly and cost effectively.


PwC’s assurance and access management expertise

Market-leading technology

Pre-configured cloud-based tool means you are up and running quickly, scaled to your business’ needs


Access Governance Issues


“Insider threats represent one of the most significant information security risks.”

Ponemon Institute


What issues are organisations facing?


Governance

• Are my processes working correctly?

• How much is it costing me to test and monitor the JML process?

Ownership

• Who owns the Joiner-Mover-Leaver process?

• Do I know which are my critical applications?

Access risk

• Do I know who has access to what?

• Do I know who poses an ‘insider threat’?

Identity

• Can I easily identify employees, contractors and third parties?

• Is access terminated in tandem with contract expiry/termination?


How AccessAble can help you


“Much time is spent on protecting the external threat… …but the internal threat can be even larger in terms of risk to the company.”

Bearingpoint


PwC’s AccessAble


What is AccessAble?

• Combining PwC’s audit experience with the market leading technology

• PwC hosted

• Intuitive web interface

Why a hosted service?

• On premise can be:

  • Costly

  • Complex

  • Long delivery timescales

How does this solve your issues?

• A clear record of access

• Embedded monitoring

• Generic account usage

• Simple to use business interface

• Risk scored accounts


How does it work?


What are the levels of functionality?

Where is my access governance data?

How do my users interact with the service?

What support do we get post go-live?

• An industrialised solution based upon best practice COBIT and Sarbanes-Oxley guidance.

• Users receive alerts if there is a policy breach.

• The ability to undertake user and application re-certifications

• The service is run from a PwC data centre.

• Each client has their own secure and individual instance

• Minimal systems integration to lower risk and minimise startup time.

• Secure acquisition, transfer and storage of client’s identity data.

• Flexibility

• The service is presented as if it’s ‘on-premise’ with access to a dashboard that is secure, easy to understand and use.

• All staff

• Ad-hoc reporting

• Revision to the service will reflect changes to the regulatory market.

• Uses the world’s leading technology

• A service desk is provided to log calls (either break-fix or service / training assistance).


Let’s look in a little more detail


Inventory of user access
Inventory of user access across your application estate.

Good practice access policies
Repository of up-to-date access-related policies aligned to COBIT.

Generic account identification
Rapid identification of generic accounts and whether they are actively used.

User recertification
A user re-certification process which allows management to evaluate the appropriateness of user access on a regular basis.

User risk profiling
A risk profiling facility which allows identification of high-risk users for specific treatment.

Policy violation detection facility which provides alerts to breaches of access-related policies.


Benefits of AccessAble


Reputation protection
Reducing the risk of major losses through data breaches and protecting your reputation.

Reduced overhead
Taking advantage of simpler access governance processes tied to automated management and reporting tools delivers greater security at lower cost.

Improved security
Minimising the opportunity for inside attacks through mistakes, misuse or malicious activity by managing user access and using effective controls.

Risk-managed access
Having a second line of defence to identify what needs to be controlled and who owns it lowers your operational costs, while taking a risk-based approach ensures greater reporting efficiency.

Lower risk, lower financial outlay
AccessAble is a lower-risk route to identity governance, charged on a pay as you go basis, with the delivery of the return on investment at least six months quicker than a typical on-premise solution.


Alternatives to AccessAble


[Comparison chart. Options: Build your own; Use PwC’s service; Develop an on-premise service. Criteria shown for each option: Scalability; Repeatability; Early value realisation; Drives business ownership; Cost efficient; Timeliness.]


Purchasing AccessAble


“While employees remain the most cited source of compromise, incidents attributed to business partners climbed 22%”

Global State of Information Security Survey - 2016


A tried and tested approach to rapid deployment

Information gathering

• Identify processes and policies

• Establish the criteria for high risk users

• Nominate applications

Configure and test

• Deploy baseline instance into service

• Configure standard instance

• Acquire data and undertake data acquisition rehearsals

• Penetration testing

• Stress testing

Design

• Data collection

• Risk scores

• Policies

• Processes

• Access security

Deploy

• Initial data import

• Switch on live instance

• Enable live user access

• Commence Maturity phase


Pricing


Rapid setup

• On-board up to five applications

• Agree which controls and policies to monitor, definition of recertification processes

• Setup will take no longer than three months

• Setup costs waived for five year contracts

Recurring

• Monthly per-user fee with discount for increased user estate

• Five year contract as standard, although four and three years available

• Support included

Ad-hoc

• Menu based pricing for various activities e.g. update policy, add new applications, etc.


Summary


AccessAble gives you the confidence to know whether the right people in your business have access to the right applications – at all times

• Quickly and cost effectively give you the confidence to take control of your access management risk:

• Developed in response to our clients across the globe expressing frustration with the cost, time and effort of developing their own solutions or the market alternatives.

• AccessAble can help you:

  • Improve your security

  • Reduce your management overhead

  • Protect your reputation

  • Reduce your risk efficiently

• We are not a technology company – we have developed AccessAble to solve real client problems, quickly and cost effectively.


PwC’s assurance and access management expertise

Market-leading technology

Pre-configured cloud-based tool means you are up and running quickly, scaled to your business’ needs


Contacts


Richard Mardling

Director, Identity and Access Management

T: +44 207 7804 0037

M: +44 771 158 9047

E: [email protected]

Twitter: @rmardling

PwC LLP, 1 Embankment Place, London WC2N 6RH

http://www.pwc.co.uk