Information assets, and the effort to preserve their integrity, confidentiality and availability, are fundamental to stable and controlled company growth. Awareness of this topic is already widespread, and companies' investments in information technology, besides ensuring the continuity and availability of operational services, also fund strategic information security services and countermeasures against exploitation. Regardless of the size of the organization and the nature of its activities, it is well understood that the effectiveness of the internal control system for technology security and information resources can determine the outcome of a given project. This trend is encouraging, but there is another side to the coin: the growing number of threats, together with the range of potential consequences of security incidents, is forcing companies to plan, implement and verify protective measures.
To actively support you in countering potential risks in the information technology environment and in dealing with the effects of their materialization, we present the main elements of our competence:
- Designing and analyzing ICT and information security policies. To manage the security of information assets effectively, one should aim to eliminate randomness through a coherent and, just as importantly, supervised internal control system. To that end, we offer support in identifying needs and objectives in areas such as your organization's information technology development, analyzing the maturity and efficiency of the current control system, and preparing a plan of further actions and monitoring mechanisms. Our consultants have practical knowledge of best market practices (e.g. ISO/IEC 27000, SABSA, COBIT), but it is the experience gained from working with our clients to create customized IT security strategies from scratch that lets us meet your needs in this area.
- Verification of compliance checks in the IT environment against the relevant regulations. Depending on the market in which your organization operates or the profile of its activities, the maturity of the internal control system for information security and information technology may be subject to additional legal regulation (e.g. Recommendation D for the banking sector). In that case, achieving compliance with, for example, ISO/IEC 27001 may not be sufficient, and additional or more specific actions to prevent and mitigate potential threats in the IT environment will be necessary. Through our involvement in audit and advisory projects we have gained valuable experience in financial reporting, due diligence reviews, assurance services (e.g. ISAE 3402, ISAE 3000, PCI DSS), inspections ordered by financial service providers, and work related to the revised Recommendation D and its equivalent for insurance companies. We are therefore able to offer comprehensive and effective support in analyzing the compliance checks used in your IT environment against the regulations that apply to your company.
- Testing the security level of the internal control system and of selected safeguard mechanisms. Given the breadth of topics involved in verifying and assessing an organization's security level, we have singled out for you our main services for assessing the level of IT security:
- APT tests (Advanced Persistent Threat). The greatest advantage an attacker has over the defenders of information resources is time: time to plan and prepare an attack vector tailored to the organization. It allows potential attackers to carefully analyze business characteristics, the technologies in use, staff activity on social media, and administrative processes at the company headquarters (e.g. the presence of external caterers). By combining elements of social engineering, operational security and information system security, attackers can collect the information needed to develop an advanced, multi-dimensional attack long before touching the tested infrastructure. To let you experience this type of project and the potential impact of the measures described above, we offer APT tests, which combine verification of the internal control system with prevention of risks to the protected information resources. The actions our consultants take in such a project follow comprehensive procedures for identifying weaknesses in logical (e.g. the security level of IT services), physical (e.g. protective mechanisms against unauthorized entry into office space) and operational (e.g. the accuracy and efficiency of the processes that identify and counter threats) security controls. Depending on the client's preferences, our actions can focus on verifying user awareness through social engineering techniques.
- Penetration testing of the IT environment. In penetration testing, our consultants act as intruders trying to cause unavailability of a service (e.g. a website) or to gain access to protected information resources. Penetration tests verify the effectiveness of the safeguards used in the IT environment through controlled attempts to overcome or circumvent them or to exploit implementation flaws. The details of the test procedures, and the actions taken when they succeed, are always agreed with the customer before the project starts, unless the purpose of the initiative is a test simulating a realistic attacker's preparation and execution of an ICT attack; in that case the knowledge shared about the testing methods and about the customer's environment is kept to a minimum. The risk associated with the vulnerabilities identified (and used) during testing is assessed in terms of the cumulative effect of exploiting them. This evaluation goes beyond technical aspects and is expressed as business risk, so that the results of the completed tests and their potential consequences are clear to the client's management board.
- Security tests of industrial automation and control systems (IACS). Conducting a comprehensive assessment of the security level of IACS components is a complex process that demands great care for their stable operation. Another important aspect of effective risk prevention in IACS environments is the ability to properly define the operating and business characteristics of each key technology element (e.g. SCADA, DCS, PLC) for the organization. With this in mind, KPMG has developed a dedicated testing methodology based on internationally recognized standards and guidelines for IACS, including those published by DHS, GCHQ and ISA, among others. Our approach considers all relevant issues related to people, processes and technology. In particular, we focus on corporate governance, maintenance strategies, planning and development, the principles of cooperation with external suppliers, and the processes that provide situational awareness and the capability to analyze incidents. Following the procedures that verify the shape of the internal control system in the IACS environment, our approach moves on to testing the implementation of best market practices through configuration reviews, penetration tests and comprehensive APT tests (Advanced Persistent Threat).
- Resistance tests against social engineering attacks. Elements of social engineering are an integral part of penetration testing. We have nevertheless decided to single out this service for you because of how effectively an intruder, by exploiting broadly understood "human error", gains access to an institution's most restricted resources, anywhere in the world. Resistance tests against social engineering attacks are our proposal for a real trial of the effectiveness and maturity of the control system in your organization. We achieve this by preparing test scenarios, established and accepted by the client, based on unauthorized attempts to obtain potentially sensitive information or to circumvent controls using manipulation techniques and tools. As a result, we are able to assess employees' awareness of ICT-related risks and, just as importantly, the effectiveness of the process for responding to identified security incidents.
- Physical security testing. Physical security of information resources, and of the mechanisms used to process them, is an important part of a coherent and effective control system in any company. The lessons learned from various IT security projects show that it is not unusual for countermeasures against potential threats to be limited to one-time checks at the building's main entrance, office space and secondary entrances such as emergency exits and parking doorways. It is also worth noting that in physical security, besides the proper design of appropriate control systems, maintaining their effectiveness over time is just as important. KPMG's intention is to let you experience the potential impact of simulated threats, and consequently a real and independent confrontation between your current security solutions and the toughest opponents: time and routine. Actions taken within such projects are oriented toward observing the mechanisms used to protect against unauthorized access to physical space. KPMG's scope of interest covers all control mechanisms in the area of physical security and the potential for misuse of communal spaces that bring together employees of the organization (e.g. the canteen or the reception at the headquarters). The expected outcome of these observations is to identify potential vulnerabilities in the implementation of security checks or possible inefficiencies in their execution. For example, an "intruder's" entry may be registered as a visitor, after which, having been given basic directions, that person is left without any supervision.
- Review of the configuration of service components. The broad experience gained from verifying and assessing the effectiveness of security controls in our customers' IT environments has allowed us to note a recurring observation. Despite the availability of frameworks that can improve initiatives linking IT maintenance, IT development and the business side of the enterprise (e.g. ITIL), we often note irregularities resulting from inefficient processes, incorrect distribution of responsibilities within the team, or inefficient communication between departments. These observations concern in particular the change management and IT environment configuration processes, which directly affect the configuration of IT service components (e.g. network devices, operating systems, databases). Configuration reviews carried out by KPMG, besides identifying and assessing risks against best market practices and recommending changes based on the established risk level, also include verification of business validity. In other words, besides a substantive assessment of the security level of each information service component, the configured functionality and the implemented access rights are also verified for their validity. It is also worth mentioning that KPMG is completely independent of implementation companies and of information technology suppliers.
- Training in information technology security. One of the fundamental elements of dealing with any activity that threatens the integrity, confidentiality and availability of protected information resources is constant awareness of potential risks and the building of appropriate prevention mechanisms. To meet this need we have prepared for you a training cycle dedicated to the users of IT systems. In it we discuss and demonstrate the real methods and techniques intruders use to break or circumvent security systems, and together with you we prepare the best proven countermeasures against the frauds presented.
One of our core values is to ensure the highest quality of services provided by KPMG.
These services are carried out by qualified KPMG experts in line with the best market standards and the recommendations of organizations recognized around the world, such as:
- OWASP (Open Web Application Security Project)
- OSSTMM (Open Source Security Testing Methodology Manual)
- NIST (National Institute of Standards and Technology)
- COBIT (Control Objectives for Information and related Technology)
- PN ISO/IEC
- ITIL (Information Technology Infrastructure Library).
KPMG experts will help you identify and adequately address security-related risks, and design and implement an effective monitoring system. Thanks to experience and skills constantly developed in professional environments around the world, we help our clients identify weaknesses in the technological and organizational solutions they use, evaluate the business impact of the identified problems, design and implement an information security strategy, and implement security solutions.
We would like to emphasize, however, that the priority in every service KPMG provides is its adaptation to your needs.