Mobile transformation – the journey of converting a concept into reality Performance Food Group, Inc.

PwC

Introductions

2

Amandeep Lamba Director

IT Risk & Security Assurance PwC LLP

amandeep.lamba@us.pwc.com

(301) 943-8800

Colin Kibler Director

Information Security & Compliance

PFG, Inc.

ckibler@pfgc.com (804) 484-6227

PwC

Session objectives

The session is a case study on PFG’s mobility implementation journey, covering the following four key objectives:

1. Describe the business case and key considerations / challenges

2. Walkthrough the mobility implementation roadmap

3. Discuss key elements of the implementation framework and approach

4. Highlight lessons learned and next steps

3

PwC

Overview of PFG

4

• Food Service distributor/

wholesaler

• Delivers over 98,000 national and proprietary –branded products

• 11,000 Employees

• Markets – Independent/national chain restaurants, quick service eateries, pizzerias, theaters, schools, hotels, healthcare facilities

• A Blackstone and Wellspring portfolio company

• Business Units

• Performance Foodservice

• PFG Customized Distribution

• Vistar

PwC

Overview of PFG (cont.)

5

• HQ – Richmond, VA

• 36 Distribution Centers

• 7 USDA Inspected Meat Cutting Facilities

• Custom Cheese Processing facility in Rice, MN

• Seafood Importing, Processing, and Distribution Facility in Miami, FL

• Nations Largest Pizza and Italian Specialty Distributor

• HQ – Denver, CO

• 21 Distribution Centers

• 13 Merchant Marts (Cash and Carry)

• Leading distributor of Candy, Snacks, & Beverages to Unique Segments:

• Vending

• Theatre

• Office Coffee Service

• Concessions

• HQ - Lebanon, TN

• 9 Distribution Centers

• Logistics/distribution for national customers

• Customers include national brands such as Cracker Barrel®, Outback Steakhouse®, Ruby Tuesday®, and T.G.I. Friday's®

• Services Customers in all 50 states and 41 countries

PwC

Starting the mobility journey

6

PwC

Business case formation

Business Drivers

1. User driven change:

• Board Room and Senior Executives driving usage

• Users demanding enhanced collaboration and productivity

• Increased consumerization fostering a culture of instant gratification

2. Greater convenience:

• Applications moving beyond Email/Contacts/Calendars

• Mobile capabilities and applications aligning with the business model

• Rich content enables quick decisioning

3. Flexibility and employee satisfaction

Impact and Trends

7

Infrastructure to support increased adoption of Smartphones 1

BYOD/approved corporate mobile devices 2

Security, compliance, and legal considerations 3

Mobile/cloud applications, data and services 4

Need for stronger mobile governance and monitoring 5

PwC

Strategic considerations

8

Governance & Oversight

• Program

ownership and management

• Strategic direction

• Risk management

Security & Privacy

• Company’s

control over connected devices

• Acceptable use provisions

• Training and awareness

Implementation Challenges

• Decentralized

workforce • Business

segments with unique requirements

• Resources to support BYOD

Data and Information

• Access to

confidential data

• Adoption of mobile applications

• Personal vs. corporate data

PwC

Challenges and complicating factors

9

MDM – ActiveSync vs. Zenprise?

Proliferation of Devices / Device Diversity

Gap in Governance and Documentation

Security & Compliance – An afterthought!

Infrastructure Implementation Gaps

Privacy Concerns Impacting Adoption

Decentralized and Non-Tech Savvy Workforce

PwC

Mobility implementation

10

PwC

Path to a secure mobility environment

Destination State

Develop a Strategy

Show Quick Wins

Build a Governance Model

Analyze and Address Risk

Deploy Mobile Strategy

Operate and Maintain

• Develop a business case • Develop use cases and patterns • Define implementation roadmap and setup a PMO

• Create policies, standards, and procedures • Secure the mobile environment • Develop stop gap measures to promote consistent deployment

• Develop a model that includes roles, responsibilities, and decision flow charts for managing the direction of the program

• Perform risk assessment • Migrate to consistent MDM platform • Identify BYOD implications

• Implement key processes, technologies, controls, and user awareness initiatives

• Measure and report on key program metrics

• Monitor compliance

Current State

11

PwC

Organizational alignment

12

CIO Leadership and Oversight

Information Security &

Compliance Infrastructure Service Desk End-user

Computing

•Driving overall mobility governance and strategy

•Policies, standards, and procedures

•PMO for mobility implementation

•Monitor compliance and end-user experience

•Implementing MDM and supporting infrastructure

•Production support, patching, upgrades

•Active Directory integration

•MDM policy configuration

•Procurement and acquisition

•Device inventory and EOL management

•Level 2/3 device and service support

•Billing and service provider management

•Process device provisioning and de-provisioning requests

•Incident and problem management

•Level 1 device and service support

•AD user and group management

Legal / HR

•Policy acknowledgement / awareness / training

•Assess legal / privacy / other regulatory implications

•Employment affairs

•On-boarding / off-boarding support

PwC

Mobile policy framework

13

Procurement and Liability

Policies, Procedures, and Controls

Level of Support

Manage and Control Costs

•User training and awareness •Responsibilities and acceptable use •Secure network and data access •Protection of devices •Acquisition and device lifecycle

•Approval for devices and applications •Allowed devices and applications •Device loss, end-of-life, replacements, repairs, and employee terminations

•Usage charges and cost management

•Support and procurement processes •Supported devices •Insurance and contracts •Support from the device provider

•Support team and resources •Security incident response •Backup and retrieval of data •Device replacements and repairs

•Hardware •Service subscription •Usage

Device: •Employee owned vs. company owned •Liability •Procurement and cost management

Subscription: •Employee paid vs. company paid •Usage and monitoring •Allowable limits

•Budgeting •Monitoring •IT cost management

PwC

Mobile deployment

14

Mobile security policy

Mobile device standards

User-to-device interaction

Device management

Device protection

Policy management

•Authentication •Access / privilege / content restrictions

•Encryption •Training / awareness •Policy acknowledgement

•Wireless network

•Provisioning / de-provisioning

•Asset tracking •Patching / updates •Location •Device security support

•Cost management

•Network access control

•Policy enforcement •Anti-malware •Intrusion detection and prevention

•Forensics •Device integrity

•Access control •Policy update •Approved software •Standard config •Backup / Recovery •Audit trails and incident mgmt.

•Compliance

PwC

Approach to mobile device lifecycle

15

Initiation • Approval / authorization • Awareness, training, and

policy acknowledgment • New user vs. new device • License management

Provision • Procurement and acquisition • Establish security policies • Passwords, encryption, anti-

virus, peripheral controls • Install and configure

business applications

Production • Patching and updates • Backup device data • Enforce security policies • Monitor compliance, activity,

security violations, and device inactivity

Decommission • Disable and remotely wipe

lost or stolen device • Disable network / app access • End-of-life device mgmt. • Recycle / reuse corporate

devices

PwC

Implementation summary

Factors Implementation State Key Considerations

Device Ownership Corporate and Personal Devices Corporate-owned devices are issued for specific levels or based on management approval.

MDM Platform Zenprise (now Citrix) Use a Secure Gateway to prevent “back-doors”.

Mobile Operating Systems

iOS and Android Corporate owned devices are all iOS; however, Android is supported for personal devices.

Application Containers

Touchdown for Android Native email is enabled for iOS.

Access to Data •Email, Calendar, Contacts. •VPN access enabled via corporate VPN solution.

Business and IT applications are being considered / developed.

Security Controls and Compliance Monitoring

•Password configuration – length, complexity, expiration, timeouts

•Content restrictions •LDAP integration •Policy violation enforcement

Considering additional security controls: •Application blacklisting •Auto-expiration of inactive devices •Deactivation of non-supported devices

16

PwC

Closing thoughts

17

PwC

Lessons learned

18

Technology (MDM) alone will not solve BYOD challenges:

• Understand your environment - culture, objectives/strategy, infrastructure capabilities

• Don’t downplay the importance of governance, oversight, and strategy

• Find the right owner for MDM and make sure the support team is trained

Right size your mobility implementation:

• Develop a roadmap with a phased implementation approach – start small, with easier capabilities and show some quick wins

• Consider different use-cases, execute pilot / proof of concepts

• Develop a strong knowledge base, including detailed procedures for support teams and end-users

Connect with the end-users:

• Know your end-user community and their affinity for technology – organizations with less tech savvy community can require additional effort

• Communicate, over-communicate, and then some to the end-user community

1

2

3

PwC

Continuing this journey…

Completed Work in progress

Future Plans

19

Mobile device policy, standards, and procedures

Acceptable use policy provisions

MDM infrastructure implementation and configuration

Limited BYOD roll-out and support

Upgrading MDM infrastructure

Enterprise-wide BYOD roll-out

End-user training and awareness

Assessing self-service capabilities

Reviewing security and compliance monitoring features

• Continue expanding BYOD roll-out

• Mobile application development and provisioning to support business and IT needs

• Corporate mobile application store

• Optimize and automate mobile device monitoring controls

PwC

Thank you…

For more information, please contact: Amandeep Lamba Director, IT Risk & Security PwC 301.943.8800 amandeep.lamba@us.pwc.com Colin Kibler Director, Information Security & Compliance PFG, Inc. 804.484.6227 ckibler@pfgc.com

© 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.