pwc-isp-security-statement

The PwC Information Security Policy (ISP) outlines the essential security requirements for all PwC member firms to protect information assets from threats while ensuring compliance with regulatory obligations. It includes guidelines on access controls, incident management, data protection, and personnel responsibilities, aligning with ISO/IEC 27002:2022 standards. The document serves as a framework for maintaining the confidentiality, integrity, and availability of information across the PwC network.

Contents

Introduction 4
Scope 5
Security policy 6
Security organisation 7
PwC personnel responsibilities 8
Access controls 9
Cyber security incident management 11
Data protection 12
Service management 13
System development 15
Resilience 16
Compliance programme 17
Appendix A – Common terms and definitions 18

PwC | ISP Security Statement - Public 2


A printed copy of this security statement is considered outdated
Document history
Version Date Changes made Author(s)

1.00 September 2017 Initial Publication ISRC Team

1.01 August 2018 FY19 review. Minor edits for consistency. ISRC Team

2.00 July 2019 FY20 review. Minor edits for consistency. IT GRC Policy Team

3.00 July 2020 FY21 review. Minor edits for consistency. IT GRC Policy Team

4.00 September 2021 FY22 review. IT GRC Policy Team

5.00 October 2022 FY23 review. Minor edits for consistency. IT GRC Policy Team

6.00 July 2023 FY24 review. IT GRC Policy Team

7.00 July 2024 FY25 review. Minor edits for consistency. IT GRC Policy Team

Template version: 1.3

Introduction
Information Security is a high priority for the PricewaterhouseCoopers (PwC) Network. PwC Member Firms are
accountable to their people, clients, suppliers and other stakeholders to protect information that is entrusted to them.
Failure to protect information could potentially harm the individuals whose information Member Firms hold, lead Member
Firms to suffer regulatory sanctions or other financial losses and impact the PwC reputation and brand. The Information
Security Policy outlines the minimum security requirements with which every Member Firm must comply.

The PwC Information Security Policy (ISP) has been developed to safeguard the confidentiality, integrity, and availability
of the information and technology assets used by the PwC member firms and is aligned with ISO/IEC 27002:2022
Information technology - Security techniques Code of Practice for Information Security Management industry standard.

Scope
The Information Security Controls Standard applies to all PwC member firms for all information and systems. It is the policy of the PwC network that the information assets of the member firms be protected from internal or external threats, whether deliberate or accidental, such that:

• Data subject rights are respected.
• Confidentiality of information is maintained.
• Integrity of information can be relied upon.
• Information is available when the business needs it.
• Relevant statutory, regulatory, and contractual obligations are met.
• The PwC brand is protected.

The PwC Information Security Policy (ISP) is intended to be consistent with best practices associated with organisational Information Security management. The PwC ISP is aligned with the ISO 27002 standard and tailored to the PwC policy framework.

The purpose of this statement is to provide PwC clients and prospective clients with a high-level overview of the security controls in the PwC ISP.

1. Security Policy – describes the need to protect each PwC member firm's information and technology assets and to comply with regulatory and contractual obligations and PwC policies, standards and local security policies.

2. Security Organisation – the management of security within PwC, encompassing the PwC network-wide security model framework; third party access to a PwC member firm's resources and security requirements for outsourced service providers.

3. PwC Personnel Responsibilities – areas affecting personnel security within a PwC member firm such as employee vetting, terms and conditions of employment, confidentiality agreements, and user awareness training.

4. Access Controls – assigning correct and appropriate access to each PwC member firm's information and technology assets based upon a data classification scheme and assigned roles and responsibilities.

5. Physical and Environmental Security – building access control, clear desk policy, laptop security – with the overall aim of protecting each PwC member firm's business premises and the information and technology assets that reside within them.

6. Cyber Security Incident Management – controls that each PwC member firm is expected to implement to minimise the impact to PwC member firms in the event of a security breach.

7. Data Protection – classification and security of a PwC member firm's information assets and systems, including data classification.

8. Service Management – secure operation and management of information processing centres. For example, clear separation of test and production environments, separation of operational duties based upon roles, strong change management controls, and secure network connections.

9. Systems Development – development and ongoing maintenance of information systems to include adequate security controls during the conceptual design phase.

10. Resilience – business continuity and disaster recovery planning based upon service level agreements and recovery time objectives with the overall aim of minimal impact to the PwC member firm's business in the event of a disaster.

11. Compliance Programme – outlines controls that measure and monitor compliance of the PwC member firm's enterprise and systems with the ISP and other relevant security controls as agreed via the policies and standards process. Includes additional controls required to determine compliance with applicable regulations and legislation such as data protection.

Security policy
The member firms operate within an increasingly
electronic, interconnected, and regulated environment
that necessitates a consistent and standardised
approach to securing information and member firm
assets. The PwC ISP Framework is composed of a set
of hierarchical cross-referenced documents which
cascade down from the security policy statements
contained in this document. These statements are used
to communicate management’s expectations for the key
information security principles across PwC.

The ISP Framework will adapt to the changing
landscape with continuous improvements to address
emerging risks and business needs. The Network
Information Security organisation will coordinate an
annual review of the PwC ISP Framework and publish
amendments in accordance with the defined PwC ISP
governance procedure.

The PwC ISP Framework is aligned and compatible with
financial services industry recognised security
frameworks (e.g., ISO 27002:2022) and best practices.
An annual review of alignment and these processes is
conducted as part of the governance procedure.

All member firms and information technology resources
connected to the PwC network must comply with the
PwC ISP, controls and supporting standards that are
designed to establish the controls necessary to protect
information assets. Any deviation requires risk
evaluation that includes identification of mitigating or
compensating controls and a formal tracking of
exceptions in accordance with the PwC Network
Information Security issue management process.

Security organisation
Clearly defined roles and responsibilities are crucial to develop and deliver a successful information security and Cyber Readiness Programme. The PwC Network Information Security organisation is organised at a network and region/sub-cluster/territory level to effectively manage and execute the information security objectives.

These information security functions across PwC must establish, implement, maintain and enforce PwC’s ISP to protect information and member firm assets through the development and implementation of information security services.

PwC personnel responsibilities
Human resources security

PwC personnel are the first line of defence in protecting and securing information and Member Firm assets.

Member firms are required to provide training and guidance to all PwC personnel regarding how to be responsible with use of technology and tools. PwC personnel are accountable for complying with the ISP Framework and must always report any suspected violations through the appropriate reporting process.

Security responsibilities

PwC member firm staff connected to the PwC network must conduct themselves in a manner consistent with PwC’s Code of Conduct and operate in compliance with their responsibilities defined in the ISP Framework and relevant standards at all times (for example, on premises, at clients, or working remotely).

Security and privacy awareness training

PwC member firms provide regular security and privacy awareness training to personnel that must be completed within the timeframes specified. New PwC personnel are required to agree to abide by security and privacy policies. PwC firms are encouraged to periodically distribute newsletters and other communication methods to reinforce security awareness.

Background checks

To the extent permitted by applicable laws and regulations, PwC member firms screen all prospective personnel prior to making an offer of employment. These checks vary by country but may include financial profile, education, professional licences and employment verification.

Confidentiality agreements

Where permitted by law and in accordance with local firm policy, confidentiality agreements (for example non-disclosure agreements) may be implemented and signed by PwC member firm staff and third party suppliers as a condition of employment.

Appropriate use

Use of electronic communication tools, the internet and portable computer devices is permitted and encouraged where such use supports the goals and objectives of the business. PwC personnel are responsible for proper use of these technologies to protect information and member firm assets.

PwC maintains its own and respects others’ intellectual property rights, which includes third party software. PwC personnel have a responsibility to the firm and clients to comply with rules for use of PwC and third party intellectual property and protect creative ideas, innovations or inventions.

PwC member firms deploy and regularly update web traffic filtering software to block access to inappropriate websites from the PwC network. The PwC member firms must also establish and maintain an email gateway service that supports spam-blocking and anti-virus software for attachments.

Secure printing

PwC member firm staff and third party suppliers must use appropriate authorisation controls available on fax and printer equipment when printing and sending confidential materials.

Termination processes

PwC member firms document their termination process, including their process for collection of information assets and removal of access rights for departing personnel.

Access controls
Strong access controls reduce the risk of accidental or deliberate modification or destruction of data as well as protecting against unauthorised access or dissemination.

Access to information must be commensurate with an individual’s business role and the least privilege concept, where the minimum access levels are granted based upon their required business needs and the nature of the information they are trying to access. Privileged access must be properly authorised and limited to a defined duration with adequate monitoring and oversight.

Authorisation and authentication controls

Access credentials must uniquely identify an individual and access permissions must be the minimum levels required to perform a user’s specific job responsibilities. Access credentials are used to identify the individual and correlate that individual with any related activity performed for which they will be held accountable and responsible. Credentials, therefore, must not be shared or compromised.

Proper business approval must be documented prior to the creation of an individual account or access provisioning. Access must be reviewed upon a change in job responsibility and on a periodic basis, at least annually. Access must be removed promptly upon termination.

Authentication mechanisms such as login ID and password are the primary means of protecting access to systems, applications and data. It is essential that these authenticators be strongly constructed and used in a manner that prevents unauthorised access. It is mandatory to implement authentication mechanisms commensurate with the level of security risk.

Privileged access

Privileged access provides permissions to a network, system or application that results in higher risk functions and requires additional controls to mitigate those risks. Privileged access must be kept to a minimum to limit the risk of cyber attacks. Privileged access requests must be individually approved, periodically reviewed and documented with business justification.

Password requirements

Passwords are the most frequently utilised form of authentication and, when combined with user identification information, are classified as highly confidential and protected accordingly. Passwords must be constructed with complexity requirements enforced to reduce the risk of unauthorised access to systems and applications. Stronger password control requirements must be implemented where there is higher security risk associated with the access.

Remote access

PwC provides personnel with the facilities and opportunities to work remotely to meet client demand or business needs as appropriate. Each member firm must make any user authorised to work remotely aware of the acceptable use of portable computer devices and remote work rules. PwC member firms use virtual private network (VPN) technology through a secure encrypted communications channel where users are required to authenticate using two-factor authentication.

External connections with the PwC networks can leave
the network vulnerable to unauthorised access. External
perimeter access controls must be implemented based
on the risk related to the external connection and be
managed with the proper levels of authorisation,
oversight and restrictions. In particular, all inbound
connections must be terminated in an approved network
protected area.

Laptop security

Laptops and workstations expose the organisation to a
variety of risks that include points of entry from external
sources that could introduce malware or other threats to
the firm. In addition to user awareness and training,
automated controls that include hard drive encryption
must be utilised to further secure endpoints and protect
confidential information and related member firm assets.

Mobile devices

Mobile computing devices must be configured and fully
managed with adequate controls implemented to protect
from unauthorised disclosure, loss and theft of
confidential information in a member firm’s possession,
including information belonging to a member firm client
and any confidential business information of parties PwC
member firms conduct business with.

Physical and environmental security

Physical access is a necessary control to protect
computing equipment and confidential information that
resides in firm buildings, critical processing centres and
all hosting or storage facilities. Physical access to
buildings and critical processing centres must be
restricted to authorised personnel with a legitimate
business need in order to protect against theft, business
interruption and unauthorised access to data.

PwC network service delivery, service processing and
data centres are designed and constructed with site
security as a priority, a tiered approach to physical
access control, access limited to authorised personnel
and appropriate environmental controls.

Cyber security incident management
PwC recognises that security incidents are disruptive and may cause damage to individuals, clients or the business function. PwC must be prepared to combat these threats and quickly respond to prevent impacts that may result in financial, legal or reputational implications. In order to be properly prepared, an incident management programme must be implemented to identify, classify, escalate, respond to and resolve security incidents in a timely manner and reduce impact to the individuals and the business.

Adequate controls must be implemented to properly detect and defend the firm against malicious software designed to disrupt computer operations. To keep up with the changing threats, encryption methods and up-to-date malware protection software must be implemented to protect data on servers, workstations, laptops, mobile and removable devices.

Detection or suspicion of a security incident is critical for early identification and containment of the impacts of a security incident. PwC personnel must be familiar with the process and points of contact to report and escalate any suspected violation or perceived security incident.

Network and system monitoring and logging

Monitoring, logging, scanning or other security utilities are necessary for the detection of network or system vulnerabilities. All security, audit and system tools must be configured, registered and protected with restricted access privileges, including output that is considered confidential and must be secured in accordance with PwC policy and procedures.

Monitoring and logging are detective controls to identify unexpected system activity that may include a decline in expected system performance or unauthorised activity. Early identification provides support teams with warning indicators of system performance trends that can be addressed to ensure system availability. Appropriate monitoring and logging of systems, applications and networks provide a tracing capability; combined with proper levels of recording of activity, these controls are critical for the containment and remediation process. In addition, filtering and monitoring controls for ingress and egress points prevent malicious activities, cyber attacks, data leaks and other harmful events.

Data protection
PwC gathers and generates, stores and processes large amounts of data of varying levels of sensitivity during the course
of its business. The confidentiality, integrity, and availability of information and information systems is critical to
uninterrupted operations and timely provision of services. To accomplish this, member firms implement data management
procedures to identify, classify and inventory data with the respective information owner.

Data management procedures must clearly define relevant stakeholders (for example, information owner, information
custodian, data privacy/protection officer), data classifications based upon potential business impact of unauthorised
access and data lifecycle management (for example, retention, destruction, discovery, user education).

Data must be identified based on data classification and confidentiality requirements and must be protected with use of
encryption where appropriate (for example, at rest, during transmission) and consider compliance with local and
international laws.

Data loss prevention and removable media

When implemented with appropriate security controls, data loss prevention helps limit the exposure of confidential
information. PwC member firms must comply with data loss prevention controls for removable media, email, secure
instant messaging, file sharing, web browsers and other technologies. Devices must be configured to prevent writing to
unapproved removable media.

Retention, disposal and destruction of data and technology equipment

A retention schedule defines how long business records must be retained and organises records (for example, paper,
electronic, other media) based on data classification. Member firms must implement appropriate controls for handling
each data classification.

Member firms must also implement control procedures for disposal and destruction of data and technology equipment.
Controls must comply with business, legal and regulatory requirements.

Service management
Effective delivery of information technology services must be aligned to the organisation and security strategy.

PwC maintains various types of technology assets to provide automation to improve processes, strengthen controls, and enable the business and client delivery teams. To protect these assets, baseline security configuration standards are important for the implementation of network devices, databases, servers, user endpoints, mobility devices and cloud computing. Equivalent controls are required when introducing automated solutions or technology from third party suppliers into the PwC network. Additional monitoring and logging controls are used to provide risk identification and audit tracking to protect data and the PwC brand.

Internal network

The PwC internal network is used to bring together technology with business processes that enables the operations of PwC; it is imperative that the network be procured, configured, secured and monitored accordingly. All network devices, servers, workstations, laptops and mobile devices must be properly procured and installed or configured with appropriate security controls in place to secure against unauthorised access and comply with technology build and support standards. Adequate controls must be implemented when services are outsourced to ensure proper service level agreements are implemented and asset maintenance is in compliance with any manufacturer or software provider service agreements.

Network security devices that enable production systems must have configuration standards and change management procedures that are documented, readily available and inspected for compliance on a regular basis. All access to the PwC network from a non-PwC location must be monitored for intrusion detection and prevention.

PwC member firms protect network diagrams, network devices, routers, diagnostic equipment or other equipment accordingly and ensure these are accessible only by authorised personnel.

Wireless networks

Only approved and managed wireless networks are permitted to connect to the PwC network. Wireless access security controls must include centrally managed standards for encryption and authentication.

Database environments

Databases are the central repository for storage of most confidential data and as such require security control configuration and administration procedures. Non-production databases must be separated from production and relevant controls must be implemented to protect any confidential data stored.

Cloud computing

Cloud computing offers a number of advantages including low costs, high performance and quick delivery of services. Cloud computing must have adequate controls implemented to protect personal data and confidential information in a member firm’s possession, including personal data and confidential information belonging to a member firm client and any confidential business information of third parties with whom member firms conduct business. Cloud services must undergo security review and risk assessments following the same conditions as newly deployed applications.

Third party suppliers

PwC member firms leverage the expertise and relationships of third party suppliers for services and solutions that enable client delivery, supplement processes and create efficiencies. PwC must identify and assess security risks during third party supplier selection, engagement and ongoing service delivery. Security risks identified against the PwC ISP Framework must have business risk acceptance as defined in the ISP issue management process and mitigating or compensating controls implemented where legally permissible.

Third party suppliers that require access to IT resources must agree to establish and maintain PwC defined third party security controls and allow the PwC contracting firm, or its authorised representative, the right to audit against the agreed security controls or review existing audit results.

Technology asset inventory

Member firms are required to use a centralised inventory tool and maintain an inventory of technology assets, applications, data, and business process information related to the assets.

Vulnerability and patch management

PwC reviews vulnerabilities, patches and fixes in order to determine risk and the relative priority for patch deployment in accordance with the PwC security policy. Member firms must implement procedures that include appropriate approvals, timely identification, reporting and treatment of vulnerabilities.

System development
Formal system development

PwC member firms follow a secure system development
lifecycle (SDLC) with formal documentation that includes
appropriate levels of approval and oversight. This
enforces implementation of secure system
development methodologies and standards as well as
proper change management procedures to identify,
track, validate and approve changes before being
implemented in production.

Application security reviews

Application development practices must use security and
privacy/data protection by design principles to identify
and mitigate software vulnerabilities and protect the
information stored. The level of security controls
implemented (for example, code review, security scans,
penetration and vulnerability tests) must be
commensurate with the application risk assigned as part
of a formal risk assessment.

Development environments

PwC member firms maintain separate development and
production environments and establish procedures that
require the use of a change control process to transfer
changes from development to production.

Capacity management

PwC member firms create and maintain capacity
management plans and review capacity-planning
reports periodically.

Resilience
PwC is prepared with an effective disaster recovery and business continuity plan to respond to unplanned events or
crises. This planning is an effective risk mitigation to minimise business interruption.

PwC member firms maintain business continuity programmes that evaluate potential events and respond to actual events
to minimise disruption to services. They have dedicated recovery teams to develop, maintain and periodically test
processes and procedures related to business continuity and disaster recovery planning. PwC member firms' IT disaster
recovery plans should include a business impact analysis, business continuity and disaster recovery plans, testing, audit,
backup approach, training and awareness.

System backup

Systems are routinely backed up for disaster recovery purposes. Backup removable media must be encrypted,
transported securely, stored in a secure location and clearly identified.

Compliance programme
Establishing an effective compliance programme is critical to evaluate if control effectiveness is aligned with the PwC ISP
Framework, client expectations and regulatory requirements. The compliance programme provides for evaluating control
compliance and effectiveness to meet the ISP Framework as well as legal or regulatory and contractual requirements. The
internal PwC information security compliance programme should produce transparency on the overall sufficiency and
effectiveness of the information security environment.

ISO 27001

The PwC network information security compliance team has maintained an ISO certification covering their audit
programme which is subject to annual audits by independent practitioners.

Appendix A – Common terms and definitions
Term Definition

Critical A classification applied to information, technology, software or physical assets that if disrupted,
disabled or significantly impacted for more than four hours would impact on the ability of the
business unit and/or member firm to conduct business.

PwC Personnel Partners, principals, staff, secondees, and third-party labour (including, without limitation,
contractors, consultants and temporary employees) of all PwC member firms, including
affiliates and subsidiaries.

Endpoint Computer hardware device that can access information on the PwC network. Computer
hardware devices include desktop computers, laptops, smartphones, tablets, thin clients,
printers and voice over IP telephony devices.

External connections Remote users or computers used to connect to the internal PwC network through the use of
private network, modem, Internet and other network connections that facilitate internal PwC
network activity from a location outside a member firm facility.

Personal data Any information about a person or from which a person can be identified. Personal data need
not be tied to a name and can include public data. If a person cannot be identified or
re-identified from the data, the data is not personal data.

Privileged access, Privileged users have higher levels of access than general users. Privileged users are granted
Privileged user access to network devices, systems, applications and/or data from elevated (read-only) up to
administrative (read/write) permissions. These permissions may allow access to change or
delete data, data structure, user access, access models, application/system configuration
and/or application code.

PwC PwC refers to the PwC network and/or one or more of its member firms, each of which is a
separate legal entity. Please see pwc.com/structure for further details.

Security incident An act or event that violates information security policies, controls, standards or relevant local
laws and regulations. Security incidents can be triggered by a single event such as a virus
outbreak or network breach. Often, security incidents are a combination of several seemingly
innocuous events which if not identified, contained and eradicated in a timely manner, can lead
to larger events that pose greater risk to an entire organisation.

Third party An organisation or person that is not a member of the PwC network.

Thank you

pwc.com
