WIXLIB

Cyber Strategy Framework (CSF)ForewordThree fundamental drivers thatdrive growth and create cyber risks:Managing cyberrisk to growand protectbusiness valueThe Deloitte CSF is abusiness-driven, threat-basedapproach to conductingcyber assessments basedon an organization’s specificbusiness, threats, andcapabilities. CSF incorporatesa proven methodology toassess an organization’s cyberresilience; content packswhich enable us to conductassessments against specificstandards; and an intuitiveonline platform incorporatinga range of dashboards thatcan be customized for anexecutive, managerial, andoperational audience.CEO:“I read about phishingin the news. Are weexposed?”HomeHomeForewordInnovationInformation sharingCIO:“Where and how much doI need to invest to optimizemy cyber capabilities?”Trusting peopleBoard:“What is our level ofresilience against thesecyberattacks?”What ismy riskappetite?Threat landscapeWhat is mybusinessstrategy?What aremy crownjewels?What are theyinterested in?CyberStrategyCyber Strategy,Transformation, andAssessmentCyber Risk Managementand ComplianceCyber SecurityOrganizations need a holistic, business-driven, and threat-based approach to manage cyber risks.While securing assets is important, being vigilant, and resilient in the face of cyberattacks is imperative.Business risksCyber StrategyCyber Training, Education,and AwarenessCyber capabilitiesWhat tacticsmight theyuse?Who are myadversaries?GovernanceIdentify toprisks, aligninvestments,develop anexecutive-ledcyber riskprogramSecureTake a measured, risk-prioritizedapproach to defend againstknown and emerging threatsVigilantDevelop situational awarenessand threat intelligence toidentify harmful behaviorResilientHave the ability to recoverfrom and minimize the impactof cyber incidentsCyber VigilanceSecureA strong cyberrisk programhelps drivegrowth,protects value,and helpsexecutives tobe on top ofcyberthreatsVigilantCyber ResilienceResilientContactsUnderstandthe businesscontext andobjectivesUnderstandmy threatlandscapeUnderstandcurrent maturity level of cybercapabilitiesFocus onthe rightprioritiesDefine targetDevelopmaturity level ofcyber strategycyber capabilities androadmaprecommendationsEnhancevalue fromcyber securityinvestmentsCommunicatewith internaland externalstakeholdersNext10

Cyber Risk Managementand ComplianceChallengesUnderstanding the current status of anorganization’s security posture requiresconstant evaluation of evolving risks,security standards, and cyber regulations.Today’s complex and distributed ITlandscape and third-party involvementmeans organizations must take a structuredapproach to understanding the road ahead.How we can helpDeloitte’s diverse experience in managing cyberrisk and compliance can help organizations:define tailored cyber risk managementframeworks; support risk transfer via cyberinsurance; set and implement cyber-controlframeworks; and ensure compliance withcybersecurity regulations.Key differentiators Mature proprietary methodologies andtools, complemented by vendor alliances. Strong experience in integrating cyberrisk into the broader enterprise riskmanagement framework. Deep knowledge and experiencewith security control frameworksand regulations.HomeForewordCyber StrategyCyber Strategy,Transformation, andAssessmentCyber Risk Managementand ComplianceCyber Training, Education,and AwarenessSecureVigilantResilientContactsNext11

Cyber Risk Managementand ComplianceKey solutionsSecurity Control FrameworkAdvise ImplementAdvise ImplementDefines framework and methodologies toassess cyber risks in order for theorganization to understand theirmagnitude and make informed decisionsthat align the organization’s risk appetitewith the risks it faces.Defines tailored security-controlframeworks based on best practices asguiding principles. Develops policies,procedures, and standards.Advise Implement ManageDesigns and implements risk dashboardconstituents, including Key Risk Indicators(KRIs) and dashboards to facilitateeffective monitoring of cyber risk from theboardroom to the network.Cyber InsuranceAdvise ImplementEvaluates coverage of existing insurancepolicies. Determines areas whereresidual cyber risk could be transferredto an insurer.ForewordCyber StrategyCyber Risk ManagementCyber Risk DashboardingHomeThird-Party Risk ManagementAdvise ImplementCyber Strategy,Transformation, andAssessmentCyber Risk Managementand ComplianceCyber Training, Education,and AwarenessSecureCustomizes services at each step of thethird-party cyber risk management lifecycle.Provides end-to-end oversight of thethird-party risk management program.VigilantSecurity and RegulatoryComplianceResilientAdvise ImplementAssists and prepares compliance withnational and/or sectoral cybersecurityregulations.ContactsNext12

Cyber Training, Education,and AwarenessChallengesEven with excellent people and technologyin place, the organization’s own employeesare the weakest link when it comes tocybersecurity. The so-called insider threat isreal. Building secure defenses against outsidethreats is not enough if data is leaked fromwithin an organization.How we can helpDeloitte can help to accelerate behavioralchange. Organizations that adopt the rightbehavior make themselves more secure, vigilant,and resilient when faced with cyberthreats.Deloitte can help organizations developand embed a mature cyber risk culture bydefining, delivering, and managing programs,both online and on-site, to improve technicalskills, foster security awareness, and planother initiatives needed to effect digitaltransformation successfully.HomeForewordKey solutionsCyber StrategyInsider RiskTechnical Cyber TrainingAdvise ImplementAdvise ImplementHelps organizations identify, monitor,and manage the main sources of insiderthreat. We help to establish Potential RiskIndicators (PRIs) and create awareness ofthe main indicators of maturity in managinginsider risk.Delivers both introductory and highlyspecialized technical training in cybersecurity,either on-site or through a purpose-builtonline platform. Our catalog of coursescovers areas such as: Hacking, SecureDevelopment, Forensics, Reversing,Industrial Control System (ICS) security,and Incident Response.Cyber Security AwarenessProgramAdvise Implement ManageUnderstands the current state of acompany’s awareness level, defines astrategy, and develops a recognizableawareness campaign, multimedia contentpackage, and communication tools.Certification ReadinessCyber Strategy,Transformation, andAssessmentCyber Risk Managementand ComplianceCyber Training, Education,and AwarenessSecureVigilantImplementDelivers training to prepare employeesfor qualifications such as CertifiedInformation Systems Auditor (CISA), CertifiedInformation Systems Security Professional(CISSP), and Certified Information SecurityManager (CISM).ResilientContactsNext13

Cyber Training, Education,and AwarenessKey differentiators We deliver online and on-site technicaltraining and awareness programs toclients and internal practitioners viaa dedicated Cyber Academy OnlinePlatform. The Academy collaborates withuniversities and educational institutionsto create expertise and professionalperformance in the area of CyberSecurity, with programs such as aMaster’s Degree in Cyber Security amongour online postgraduate offering. We work with leadership and learningpsychologists, human resources, andcyber specialists to build and deliver themost effective learning and awarenesscourses tailored to each audience.HomeForewordDeloitte’s own CyberAcademy Online PlatformCyber StrategyCyber Strategy,Transformation, er Risk Managementand ComplianceCyber Training, Education,and AwarenessSecureVigilantResilientContactsNext14

SecureWe focus on establishing effective controls around theorganization’s most sensitive assets and balancing the needto reduce risk, while enabling productivity, business growth,and cost optimization objectives.HomeForewordCyber y ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientContactsNext15

Infrastructure ProtectionHomeForewordChallengesHow we can helpCyber StrategyHyper-connectivity is creating a new era forcyber infrastructure. Ever more connecteddevices pose new cybersecurity challenges forpublic and private-sector organizations as thevolume of threats to their infrastructure rises.Deloitte has developed a set of services thatcomprehensively address cybersecuritychallenges in the architecture, deployment,and maintenance of traditional and newinfrastructure and technologies.SecureDevices connected to corporateinfrastructures need to continuouslyacquire, store, and use large amounts of data,a significant proportion of which willbe sensitive. Protecting this data againstcyberattack is of paramount importance.Deloitte’s security professionals,from diverse architecture, engineering,and operational technologybackgrounds, are experts acrossthe evolving infrastructure andproduct landscape.Today’s smart cybersecurity protects databy using secure data platforms, clear datagovernance, and smart access protocols suchas electronic finger printing.The development of new technologies willdrive exciting innovations in Smart Cities,Smart Factories and the Internet of Things(IoT) as communication and automationcontrol become ubiquitous.InfrastructureProtectionVulnerability ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientContactsNext16

Infrastructure ProtectionHomeForewordKey solutionsIoT Strategy, Roadmap, andArchitectureAdvise Implement ManageReviews industrial and consumer productcodes and delivers secure developmentpractices to enhance clients’ capabilitiesin implementing next-generationconnected products. We help organizationsundertake readiness assessments, aligntheir IoT security vision with their overallmission and vision statements, build IoTroadmaps and adapt traditional governancemodels to new IoT developments.Cloud SecurityAdvise Implement ManageEvaluates client requirements, assessescloud usage, builds the business caseand cloud roadmaps, and assists withcloud vendor evaluation.Key differentiatorsNetwork Strategy andOptimizationAdviseAnalyzes client infrastructure to identifyand remedy the configuration of networkcomponents and help clients design theirnetwork architecture into secure zones.Anti-DDoS AttacksAdvise ManageAnalyzes organizations’ readiness to defendthemselves against Distributed Denialof Service (DDoS) attacks. We providecloud-based anti-DDoS protection forinfrastructures, websites, and DNS servers. We offer secure, end-to-endsolution-transformation capabilities,from vision alignment to the design ofsecure products.Cyber y ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientContactsNext17

Vulnerability ManagementHomeForewordChallengesHow we can helpCyber StrategyBusinesses rely on a stable and secure ITenvironment as the foundation for driving newdigital innovations, and products.Deloitte offers the expertise of highly skilledsecurity professionals to help organizationsidentify vulnerabilities. Deloitte’s teamworks side by side with organizations toremedy and manage these vulnerabilities.SecureNew security vulnerabilities are published on adaily basis and hackers are constantly lookingfor ways to gain access to systems and data.Identifying, managing, and correctingvulnerabilities in an environment that consistsof multiple applications, systems, and locationsis a significant management challenge.Our services include fully managedvulnerability assessments fromDeloitte’s award-winning ethical hackersand support in designing, implementing,and operating vulnerability managementsystems and processes.Supported by Deloitte’s network of CICs,we offer a range of managed solutionsincluding vulnerability assessments,remediation support, and vulnerabilitymanagement advisory.InfrastructureProtectionVulnerability ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientContactsNext18

Vulnerability ManagementHomecenterOur solutions are supported byDeloitte’s network of CICsKey solutionsVulnerability AssessmentsImplement ManageUses known hacking methods andvulnerabilities, tests the security ofapplications and IT systems, andachieves increased levels of security.Deloitte can undertake this work fully onbehalf of organizations or complementorganization’s internal vulnerabilityassessment team.Hacking and Phishingas a ServiceManageProvides regular insight into anorganization’s potential vulnerabilities.Many organizations perform securitytests only once while cyber criminals areconstantly seeking to find and exploitnew vulnerabilities.Key differentiatorsVulnerability RemediationSupport Our professionals include a global poolof award-winning ethical hackers.Implement Manage We utilize proven Deloitte methodsand cutting-edge vulnerabilitymanagement tools.Configures and manages vulnerabilitymanagement solutions providing insightinto the business-relevant vulnerabilitiesthat matter.Vulnerability ManagementCapability DesignAdviseEstablishes vulnerability managementprocesses, governance, capabilities, tools,and expertise for organizations. Deloitte willenable an organization to identify, manage,and remedy issues with the variousstakeholders involved in a timely way. We offer a range of managed solutionsincluding vulnerability assessments,remediation support, and vulnerabilitymanagement advisory.ForewordCyber y ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientContactsNext19

Application ProtectionHomecenterOur solutions are supported byDeloitte’s network of CICsChallengesApplications form a major part of everyIT landscape. Ensuring they are protectedrequires secure design, implementation,and configuration. Testing of the protectionrequires robust processes, dedicatedresources, and a skilled team.Many organizations find setting up suchprocesses and acquiring and maintaining therequired skills and knowledge to be a majorchallenge.How we can helpDeloitte software security specialists assistorganizations to thoroughly assess theprotection level of applications.With specialized knowledge of a largenumber of specific applications and securedevelopment methods, Deloitte helps securethe design, development, and configuration ofapplications.Key solutionsEnterprise Application SecurityAdvise Implement ManageAssesses the current state of anorganization’s applications and thesecurity controls on the application layersfor enterprise systems.Source Code ReviewManage ImplementAnalyzes application source code totest for common mistakes. The analysiscan be conducted through one-offapplication assessments or as an integralpart of an organization’s softwaredevelopment process.ForewordCyber StrategySecure by Design:Secure SDLCAdvise ImplementAssesses an organization’s softwaredevelopment life cycle (SDLC) to determineif security is properly incorporated. Inaddition, we help organizations embedSecure by Design principles and ty ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientContactsNext20

Application ProtectionHomeForewordDeloitte ApplicationSecurity PlatformSource code analysis overviewWeaknesses foundAnalysis and validation of sourcesSource code review activitiescentralization15Advanced reporting capacities10Cyber StrategySecure21InfrastructureProtectionReal-time activities progress feedbackVulnerability lifecycle managementVulnerability ManagementActiveManaging5Application ProtectionIdentity and AccessManagementMulti-vendor supportCWE and CVSS aligned GAST taxonomyKey differentiators We leverage static application securitytesting technology which enables theclient to be one step ahead, with 40percent portfolio coverage versus fivepercent portfolio coverage using thetraditional approach. We help organizations raise theirsituational risk awareness and actionableremediation insights, empowering them toregulate application portfolios effectively.0AprMayJunJulTop CWEs detected12,000Information ProtectionVigilantTotal analyzed 0005002,0000Information Privacy13,033Validation of 4May16May18MayNext21

Identity and Access ManagementHomeForewordChallengesThe traditional network perimeter has faded.In response, organizations are increasinglyfocusing on user identity assurance andinformation access controls.Identity and Access Management (IAM)provides tools, processes, and methods toenhance the security of online transactionswhile minimizing friction in the user experience.IAM also provides a trusted environment foromni-channel communication between users(customers, business partners, and employees)and IT platforms.How we can helpIdentity and access are two of the keyelements that underpin digital commerce andautomated business processes. Deloitte hasestablished proven methodology to guideclients through the full IAM program lifecycle,from defining a clear vision and strategy forsecure access to information assets, to theactual deployment and operation of IAMplatforms, and integration with IT platforms.Key solutionsCyber StrategyIAM Drivers Identification andSelection of IAM InvestmentAreasIAM Functionality Design andPreparation for ImplementationAdviseFormalizes requirements, designs a fittingsolution landscape by selecting the mostappropriate solution set, and transforms theorganization and its processes to optimizereturns on IAM investments.Defines the objectives for IAM, such asenabling new information exchanges(e.g. low-friction customer registration),more efficient compliance demonstration(e.g. risk-focused access reviews), andenhanced controls (e.g. monitoring of ITadministrator actions).Current State Assessmentsfor IAM ComponentsAdviseAssesses the current maturity ofIAM-related controls and pinpointskey improvement areas.Advise ImplementIAM Platform DeploymentImplementMakes the IAM vision a reality byimplementing IAM solutions to supportyour IAM processes with Deloitte keytechnology partners (SailPoint, OKTA,CyberArk, and lity ManagementApplication ProtectionIdentity and AccessManagementInformation PrivacyInformation ProtectionVigilantResilientReach of IAMPlatform ExtensionManageIntegrates business applications with theIAM platform to increase the reach ofautomated controls.ContactsNext22

Identity and Access ManagementHomeForewordKey differentiatorsIdentity and Access Management components Business and user-centric view ofIAM as part of Deloitte DNA.AccesscontrolUsers Experience of global best practicesand IAM solution architectures. Close solution partner networkwith major IAM capability providers.Cyber rastructureProtectionVulnerability ManagementApplication ProtectionCustomersSCMEmployeesPortalBU1 HRBU1 HRInformation PrivacyInformation ProtectionEnter user IDadmin requestsMaster dataIdentity and AccessManagementIdentitygovernance &administrationApproverUser and retireuser tsContactsResourceownersNext23

Information Priv

Cyber Security Cyber Strategy Foreword Next Three fundamental drivers that drive growth and create cyber risks: Managing cyber risk to grow and protect business value The Deloitte CSF is a business-driven, threat-based approa