Corporate
Security Statement
February 2013
Table of Contents
2 • Overview
3 • Disclaimer
4 • Security Policy
4 • Security Organization
5 • Asset Management
6 • Human Resources Security
7 • Physical and Environmental Security
8 • Communications and Operations Management
10 • Access Control
11 • Information Systems Development Cycle
12 • Information Security Incident Management
12 • Business Continuity Management
13 • Compliance
Overview
3 | PwC
Security Policy
• Determination of the data classification level of information assets;
• Identification of the information owner;
• Identification of disaster recovery risk factors.
Human Resources Security
• Copyrights and license agreement terms and conditions.
All partners, staff and service providers sign a personal liability agreement acknowledging their responsibility for the professional equipment and tools received to develop their work, being also responsible for the physical security of these assets.
Security awareness training is a component of the PwC hiring process. An awareness program periodically reinforces the concepts and responsibilities defined in the Information Security Policy.
Termination Processes
Physical and Environmental Security
• Lightning suppression;
Communications and Operations Management
Operational Procedures and Responsibilities
PwC’s IT organization has established and maintains controls over standard operating procedures, including a repository of procedures, formal review and approval processes, and revision management.
Change Control
PwC’s IT organization has established and maintains a Change Management/Change Control process which includes risk assessment, testing procedures, and review and approval components.
Development Environments
PwC maintains separate development and production environments. Development environments are required to be physically separated from production environments. The transfer of an application from development to production follows the procedures established in the Change Management/Change Control process.
Security Software Suite
PwC uses a combination of technology tools to provide a secure computing environment equipped with:
• Antivirus - the virus protection software package is loaded during the operating system start-up process and performs on-access scans of all data. The software is configured to clean or delete infected files and provides other safeguards. Virus signatures are automatically and constantly updated through a retrieval process managed on a central basis.
• Antispyware - PwC installs spyware detection and removal of malicious software on all the Firm’s computers.
• Desktop Firewall - PwC’s desktop firewall software is automatically enabled and uses the Firm’s standard configuration to protect against malicious network traffic, including internet-based network threats, untrusted networks or malicious software. Database configuration settings are secured against change, tampering or disablement by end users or malicious programs.
• Secure Remote Access - PwC utilizes virtual private network (VPN) software, configured to require dual-factor authentication, to enable secure remote access to its networks.
• Lotus Notes - The Firm uses Lotus Notes for a number of applications, including e-mail. Lotus Notes’ security features are widely recognized in the market.
Spam Blocking and URL Filtering
PwC has deployed and regularly updates URL filtering software that blocks access to inappropriate web sites from its network. The Firm has also established and maintains an e-mail gateway with spam-blocking and anti-virus software.
Data center systems are routinely backed up for disaster recovery purposes. Restoration success metrics are maintained. PwC utilizes an information protection and storage provider for secure transport and offsite storage of backup media.
Wireless Networks
Only IT-managed wireless networks are permitted on PwC’s network. Wireless access security controls include standards for encryption and authentication that are managed by PwC’s IT department.
All data center internet access points feature firewall segregation. Intrusion Prevention Systems (IPS) are positioned or installed at strategic locations in all internet connections. Firewall logging is enabled to track communications (failed and successful access attempts) between the internet and PwC’s internal network. Console access to the firewalls is limited to administrative personnel using the Secure Shell protocol.
PwC has established procedures for secure erasure or destruction of data center storage media prior to disposal, aimed at protecting the secrecy and confidentiality of information.
Application Security Reviews
Procedures for conducting application security reviews have been established and include the following:
• Asset classification;
• Infrastructure vulnerability scanning;
Access Control
Authorization and Authentication Controls
PwC follows a formal process to grant or revoke access to its resources. System access is based on the concepts of “least-possible-privilege” and “need-to-know” to ensure that authorized access is consistent with defined responsibilities. The Firm uses a combination of user-based, role-based and rule-based access control approaches.
PwC has established documented procedures for secure creation and deletion of user accounts, including processes to disable and/or delete accounts of employees temporarily away from the Firm.
All PwC’s partners and staff are required to agree to take reasonable precautions to protect the integrity and confidentiality of security credentials.
Privileged Access
Access to authentication servers at administrative, root or system levels is limited to those professionals designated by PwC.
Password Requirements
The Firm’s security policy establishes requirements for password changes, reuse and complexity.
PwC requires the use of screensavers that reactivate after a period of inactivity through the use of a password.
Remote Access
PwC uses virtual private network (VPN) software to enable secure, internet-based remote access for its professionals. VPN users are required to authenticate using two-factor authentication; both a valid user name/password and a corresponding password-protected VPN token are required to create a VPN tunnel.
VPN tunnels are secured using 3DES or higher encryption.
The client software uses smart tunneling technology to ensure that communications between the host PC and the PwC network are transmitted via an encrypted VPN tunnel.
Communications to internet-routed addresses will be conducted outside of the established VPN tunnel.
Also, session timeout settings are configured to automatically disconnect the user from a session after a period of mouse or keyboard inactivity.
Processes are established to limit third-party remote access to PwC systems. Such access requires approval from the security organization and access is limited to those systems required for the third party to complete the task and is monitored on a regular basis.
All PwC desktops and laptops are protected by hard drive encryption software through the 256-bit AES encryption algorithm. The software enforces password controls and uses a dynamic password time-out to prevent brute force password attacks.
Additionally, the software is bound to the hard drive, protecting not only the operating system, but also the data.
Mobile device access is only permitted from Blackberry devices configured in accordance with the Firm’s security policy.
This security policy requires a password to be entered to access the device, that the information in the device be erased after ten incorrect access attempts, and allows remote erasure if the Blackberry device is reported lost or stolen.
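The two endpoint controls described above, a dynamic password time-out that slows brute-force guessing and erasure of the device after ten incorrect attempts, can be modelled as one small guard. The following Python is an added illustration, not PwC's software or the product it uses; the exponential delay curve, the one-hour cap, the PBKDF2 round count and the constructed scenario in `run_demo` are all assumptions chosen for the example.

```python
"""Added illustration (not PwC's software): a password-unlock guard that
combines a growing time-out after each wrong password with erasure of the
protected data after ten incorrect attempts. Thresholds, the delay curve
and the PBKDF2 parameters are assumptions chosen for this example."""
import hashlib
import hmac

PBKDF2_ROUNDS = 10_000  # assumption: kept low for a quick demo; production uses far more


class UnlockGuard:
    """Tracks consecutive failures, enforces a growing delay, wipes at a limit."""

    def __init__(self, password_hash: bytes, salt: bytes, max_attempts: int = 10,
                 base_delay: float = 1.0, max_delay: float = 3600.0) -> None:
        self.password_hash = password_hash
        self.salt = salt
        self.max_attempts = max_attempts   # page: erase after ten incorrect attempts
        self.base_delay = base_delay       # seconds of time-out after the first failure
        self.max_delay = max_delay         # cap so the delay curve stays bounded
        self.failures = 0
        self.locked_until = 0.0            # clock value before which attempts are refused
        self.wiped = False

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        # Salted, stretched hash so an offline attacker cannot test guesses cheaply.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def current_delay(self) -> float:
        # "Dynamic time-out": 0 s with no failures, then 1, 2, 4, ... seconds, capped.
        if self.failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)

    def attempt(self, password: str, now: float) -> str:
        """Return one of 'unlocked', 'denied', 'throttled' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            # Refused without checking the password: a guess made inside the
            # time-out reveals nothing and does not advance the wipe counter.
            return "throttled"
        candidate = self.hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):
            self.failures = 0
            self.locked_until = 0.0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_attempts:
            # Tenth wrong password: discard the verifier so the data is unrecoverable.
            self.wiped = True
            self.password_hash = b""
            return "wiped"
        self.locked_until = now + self.current_delay()
        return "denied"


def run_demo() -> list:
    """Constructed scenario: wrong guesses (one inside the time-out), the right
    password, then a run of wrong guesses until the wipe triggers."""
    salt = b"constructed-salt-not-secret"
    guard = UnlockGuard(UnlockGuard.hash_password("correct horse", salt), salt)
    outcomes = [
        guard.attempt("wrong1", now=0.0),          # denied, 1 s time-out starts
        guard.attempt("wrong2", now=0.5),          # throttled, still inside the time-out
        guard.attempt("wrong3", now=1.0),          # denied, time-out grows to 2 s
        guard.attempt("correct horse", now=3.0),   # unlocked, failure counter resets
    ]
    clock = 10.0
    for i in range(10):                            # ten wrong guesses, each past the cap
        outcomes.append(guard.attempt(f"bad{i}", now=clock))
        clock += 7200.0
    outcomes.append(guard.attempt("correct horse", now=clock))  # too late: wiped
    return outcomes


if __name__ == "__main__":
    for step, result in enumerate(run_demo(), 1):
        print(step, result)
```

The guard refuses attempts made during the time-out without touching the verifier, so hammering the prompt neither leaks timing information about the password nor advances the wipe counter; only genuine wrong guesses, spaced at least a full time-out apart, move toward erasure.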
Information Systems Development Cycle
PwC has established a methodology to manage the acquisition, development and maintenance of systems. Key security components related to this methodology include:
• Business criticality assessment;
• Risk assessment;
• Security organization involvement in project reviews and key contracts; and,
• Utilization of established change control processes to transfer changes from the development to the production environment.
Internal and External Network Scanning
PwC utilizes multiple vulnerability scanning tools to assess its internal and externally facing network environments. These tools are selected and configured to match the requirements of PwC’s IT infrastructure, and are updated on an ongoing basis. Processes are established to assess and correct the vulnerabilities discovered.
Patch Management
PwC has patch management processes and tools to assess and deploy operating system and application-specific patches and updates.
This process includes steps to evaluate vendor-supplied patches to determine servers that require patches and updates, to document procedures for patching and updating servers, and to deploy patches and updates in a timely manner to protect the PwC infrastructure.
PwC continually reviews patches and updates, as they are released, to determine their criticalities. Patches released on a regularly scheduled basis are applied following the release; patches released on a regular basis and others determined to be critical are applied as needed to ensure protection from vulnerabilities.
Business Continuity Management
PwC has established processes for performing periodic vulnerability scans of its IT systems. These procedures specify the use of multiple vulnerability scanning software packages, the creation of vulnerability assessment reports, and the presentation of vulnerability scanning results to the IT Operations organization and IT leadership.
Access to vulnerability scanning tools is restricted to authorized members of the security team.
PwC has an Internal Audit organization responsible for assessing internal operations, including the Security and IT organizations.
PwC has established Data Protection rules that define, among other issues, the standards of behavior regarding the protection of PwC information.
Ethics & Compliance
PwC has implemented communication channels (telephone hotline and email) which can be used to report, either anonymously or not, any misconduct of its professionals or third parties with respect to the Code of Ethics and laws and regulations referring to property, secrecy, confidentiality, ethics, business conduct, as well as to internal policies and procedures.
PwC Brazil Offices
“PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context
requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of
PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts
or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No
member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another
member firm’s professional judgment or bind another member firm or PwCIL in any way.