With increasing ratio of ICT adoption in Public sector, there is a heightened need to address information Security and privacy related concern across various government interfaces with citizen, enterprises and other participants of the economy.
We at Ernst & Young offer IT risk advisory services to help understand and improve effectively the ability to manage risk, increase control, compliance adherence and IT audit support. We provide a clear framework to evaluate these risks, and offer proven tools and methodology's to assess, control, monitor and measure them.
We have the following four step approach to ITRA services
Application Controls and Security services focus on assessing, improving and monitoring business applications controls and security associated with:
- Upgrades; and
- Other application related change initiatives.
Application Controls and Security consists of:
- IT General Controls and Review
Designing and implementing a system of rationalized and cost- effective IT General Controls that address efficient functioning of IT business processes. The IT General Controls Review would include an assessment of:
- Change control policy and procedures
- Access control procedures
- Password controls
- Database security
- Operating system security
- Physical security procedures
- Application Control Design and Implementation
Implements specifically designed ERP security architecture and processes that address the protection of ERP environments, data, and segregation of duties according to business needs, constraints and risks.
The Application Controls Design and Optimization would include an assessment of:
- Determining criteria for selecting ERP vendor, and help companies to evaluate the potential vendors against those criteria.
- We do not select the ERP vendor on behalf of the client; the decision of selecting an ERP vendor is made by the client.
- Enables companies realize greater value from the significant investments made in ERP systems
- ERP Post Implementation Review
- Conduct an assessment of whether all the ERP functionalities for process are optimally utilized as per leading practices.
- Assess whether the business processes have been adequately and appropriately mapped in the ERP.
- ERP Post Implementation service covers
- ERP Optimization & Effectiveness Review
- ERP Controls Review
- Authorization Review
- Infrastructure Integrity Review
Information Security is concerned with the confidentiality, integrity, reliability and availability of data and information assets, regardless of the form it may take or where it resides in the organization.
Information Security Services includes:
- Defining security management processes based on globally accepted industry standards.
- Measuring the compliance of these processes
- Monitoring improvements
Information Security consists of:
- It is the union of process, people, and technology that an organization uses to establish, implement, operate, monitor, review, maintain, and improve a documented security program within the context of the organization's overall business activities and the risks it faces.
- Offers design and development of a security strategy in line with business and IT strategies and the implementation and integration into an organization's risk management functions based on a global security standard.
- Offers design and development of a security strategy in line with business and IT strategies and the implementation and integration into an organization's risk management functions. Based on a global security standard.
- Security Management includes:
- Information Security Assessment
- Strategy and Organizational Alignment
- Threat and Vulnerability Assessment
- Assess the security configuration of various production servers, network components and security infrastructure
- Assessment aids the organization in finding the vulnerabilities and gaps present in the system or application
- System configurations are aligned to leading practices which secures the hosts from external as well as internal threats
- Attack and Penetration Testing
- An assessment of organization's security position is carried out by Systematically enumerating, Scanning; and Compromising systems.
- Identifies systems that are vulnerable to attacks by intruders
- Business Continuity/Disaster Recovery Planning
- Business Continuity Planning (BCP) is an ongoing process providing integrated continuity and recovery capabilities for the successful and continuous delivery of critical services and products.
- Some of the following elements of business continuity are provided below:
- BCP Program Policies & Procedures (overall governance)
- Current State Assessment (benchmarking against best practices, peer industry, etc.)
- Business Impact Assessment/Impact Tolerance
- Alternative Strategy Development (strategies addressing people, process and technology)
- Business Continuity/Disaster Recovery/Crisis Management/Incident Response Plans
- Testing/Training/Maintenance of Program
- BCP/DR Awareness Program
- ISO 27001:2005 Advisory and Audit
- We determine how organizations' information security processes compare to a globally accepted standard, as well as their peers (in industry, size, and geography).
- We use the proprietary methodology which involves the company personnel working along with EY consultants, which ensures that they understand the ISO 27001 concepts and obtain hands-on training till the completion of the project
- We also Audit the organization's information security practices and even audit them as per the ISO 27001 Standard;