Forrester Wave™: Security consulting, Q3 2007
Deloitte named a leader in information security and IT risk consulting in Q1 2009
Cyber security services
Deloitte's Information & Technology Risk practice helps organizations deal with business process, technology, operational and financial risks. Our aim is to enable clients to measure, manage and control risk and thereby to enhance the reliability of processes and systems across the board. We combine an understanding of business and industry issues with technology, audit and security expertise. This allows us to determine the real business impact of risks and to frame our findings and recommendations in a business context. A number of our professionals hold CISA and CISSP certifications.
Segregation of duties in ERP systems
To reduce the risk of fraud and unauthorized transactions, no single individual should have control over two or more parts of a process. This principle is called segregation (or separation) of duties. A simple example is an assistant in the accounts department who has been granted access both to amend supplier master file details and to make payments: the combination could lead to fraud, because that one person could create a fictitious supplier and process payments to themselves. From experience, most segregation of duties issues occur because an organization has not taken a risk-managed approach to designing its processes. Within organizations there is frequently a lack of focus and attention given to the design, operation and monitoring of segregation of duties.
- SAP health check to gain clarity on your organization’s segregation of duties violations and identify the possible implications.
- Implementation or optimization of SAP controls through automation and rationalization to streamline existing controls or implement automated control solutions.
- Implementation support for SAP GRC Access Control.
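The supplier-master-plus-payments conflict described above is the kind of finding a segregation of duties health check produces. The script below is an added illustration, not Deloitte's or SAP's tooling: it evaluates a constructed role and user assignment matrix against a small constructed ruleset of capability pairs that one person should not hold together, reports which role grants each side of a conflict (so the remediation is clear), and separately flags roles whose own design bundles conflicting capabilities before anyone is assigned to them. All capability, role and user names are assumptions for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a user/role/permission matrix.

Constructed example: the capability names, roles, users and conflict rules are
assumptions for illustration, not an SAP or Deloitte artifact.
"""

# Constructed SoD ruleset: each entry is a pair of capabilities that one person
# should not hold together, plus the fraud scenario the pairing enables.
SOD_RULES = [
    ("amend_supplier_master", "make_payment",
     "create a fictitious supplier and pay it"),
    ("create_purchase_order", "approve_purchase_order",
     "self-approve purchases"),
    ("post_journal_entry", "approve_journal_entry",
     "conceal manipulation of the ledger"),
]

# Constructed role definitions: role name -> set of capabilities it grants.
ROLES = {
    "AP_CLERK": {"amend_supplier_master", "enter_invoice"},
    "AP_PAYMENTS": {"make_payment"},
    "AP_ALL_IN_ONE": {"amend_supplier_master", "enter_invoice", "make_payment"},
    "BUYER": {"create_purchase_order"},
    "PURCHASING_MANAGER": {"approve_purchase_order"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
}

# Constructed user-to-role assignments. Two users accumulate a conflict
# across roles that are individually clean.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},       # master data + payments
    "bob": {"BUYER"},
    "carol": {"BUYER", "PURCHASING_MANAGER"},   # self-approval
    "dave": {"GL_ACCOUNTANT"},
}


def effective_capabilities(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the capabilities granted by every role the user holds."""
    caps = set()
    for role in user_roles.get(user, ()):
        caps |= roles.get(role, set())
    return caps


def roles_granting(user, capability, user_roles=USER_ROLES, roles=ROLES):
    """Roles held by the user that grant a given capability (for remediation)."""
    return sorted(r for r in user_roles.get(user, ())
                  if capability in roles.get(r, set()))


def sod_report(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Map each user with at least one SoD violation to the rules they breach,
    naming the roles that supply each side of the conflict."""
    report = {}
    for user in sorted(user_roles):
        caps = effective_capabilities(user, user_roles, roles)
        findings = []
        for cap_a, cap_b, risk in rules:
            if cap_a in caps and cap_b in caps:
                findings.append({
                    "rule": (cap_a, cap_b),
                    "risk": risk,
                    "granted_by": {
                        cap_a: roles_granting(user, cap_a, user_roles, roles),
                        cap_b: roles_granting(user, cap_b, user_roles, roles),
                    },
                })
        if findings:
            report[user] = findings
    return report


def conflicting_roles(roles=ROLES, rules=SOD_RULES):
    """Design-time check: roles that violate a rule on their own, regardless of
    who is assigned them. These are defects in the role model itself."""
    return sorted(name for name, caps in roles.items()
                  if any(a in caps and b in caps for a, b, _ in rules))


if __name__ == "__main__":
    for user, findings in sod_report().items():
        for f in findings:
            print(f"{user}: {f['rule'][0]} + {f['rule'][1]} "
                  f"({f['risk']}) via {f['granted_by']}")
    print("roles that are conflicting by design:", conflicting_roles())
```

Running the script lists alice (supplier master data via AP_CLERK, payments via AP_PAYMENTS) and carol (purchase order creation and approval) as assignment-level violations, and flags AP_ALL_IN_ONE as a role that is conflicting by design even though nobody currently holds it. In a real review the role and assignment tables would be extracted from the ERP system rather than typed in, and the ruleset would be agreed with the business process owners.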
Information security compliance
Organizations must implement and maintain a security management framework, aligning people, process and technology, to survive in today’s competitive market and comply with external requirements.
- Assessment of the current state of information security against the requirements of the Central Bank of Russia’s security standard, the Law of the Russian Federation “On Personal Data”, PCI DSS, ISO 27000 and others.
- Risk assessment, development of information security strategies, business cases and implementation roadmaps.
Business continuity & resilience
The need to provide continuity of service has never been greater: more and more organizations operate 24/7, and their dependence on technology to conduct business keeps increasing.
Increasing stakeholder and regulatory expectations demand an approach that gives equal consideration to managing the immediate and longer-term outcomes of incidents affecting people, processes or systems, and of events external to the organization.
- Business impact and current state analysis
- Management of your business continuity program
- Development of business continuity plans
- Business continuity testing and training
Information leakage prevention
All organizations hold sensitive data that customers, business partners, regulators, shareholders and the board expect them to protect. Despite this, high profile security breaches involving personal and corporate data continue.
The impact of regulatory intervention combined with negative publicity and public perception is prompting organizations to take immediate measures to understand the sensitive information they hold, how it is controlled and how to prevent it from being leaked.
- Information flow analysis to understand how the organization currently manages sensitive information: where that information is stored, who is using it and how it is processed
- Assessment of the likelihood and impact of information loss
- Review of how the information is handled and the controls in place
- Development of remediation plans
- Assistance with the selection and implementation of automated DLP solutions
Internal control services