Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Slide 1: Assessing Security and Compliance Risk for Acquisitions and Mergers
June 22, 2011

Slide 2: Agenda
- EarthLink Recent History
- Risk Evaluation Opportunities
- Planning Activities
- Prioritizing Risk Review – Compliance, BC and DR, IT security
- IT Compliance
- Business Continuity and Disaster Recovery
- IT Risk Assessment
- Risk Action Plan
- Lessons Learned
Confidential
Slide 3: Recent History
Q2 2010…
- ~1.5M consumer customers
- 80% of revenue coming from broadband/dial subs, 20% from business
- Declining business – 3% monthly churn
- Generated $811M+ in cash between 6/2007 and 9/2010; 35% margin in 2010
Last Six Months… Nearly $1B in M&A Activity!
- ITC DeltaCom - 12/8/2010
- STS Telecom - 3/2/2010
- One Communications - 4/1/2011
- Logical Solutions – 5/17/2011
Today…
- ~60% of revenue coming from business (excluding One/Logical acquisitions)
- Employees from ~900 to 3,300+
- Physical locations from 4 to 100+
Slide 4: The New EarthLink
Products and Services
- IP Network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
- Voice – VoIP, Local, Long Distance, Mobile
- Cloud Services – Cloud Hosting, Web Hosting, Security
- Managed Services – Voice, Router, Email, Data Center Colocation

Slide 5: Implications
Slide 6: Risk Evaluation Opportunities
- Pre-acquisition – Initial reviews – Learning
  - Is this the right deal at the right valuation?
- Pre-acquisition – Post announcement – Planning (gap analysis)
  - What IT processes are in place?
  - What IT compliance programs are in place? Is there a gap?
  - Is there a business continuity program? Disaster recovery?
- Post-acquisition – Integration – Execution
  - Deep dives – compliance, BC/DR, IT risk
  - Remediation roadmaps
  - Continuous improvement audits
Slide 7: Planning Activities
Suggested activities:
- Identify evaluation framework – COBIT, ISO 27K, etc.
- Begin assessing risk – Interviews, review documentation
- What are the expected interim and long-term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
- Prioritize risk management
  - IT compliance (PCI, SOX, other, new?)
  - Business continuity and disaster recovery
  - Risk management
Slide 8: IT Compliance
SOX – COBIT
- Program requirements – Identify materiality, controls and systems
- Gap analysis
- Deficiencies list – Focus on material weaknesses and significant deficiencies first
PCI DSS
- Merchant or service provider level
- Audit schedule
- Auditor
Identify new regulatory requirements:
- Gramm–Leach–Bliley Act?
- HIPAA?
- CPNI?
Slide 9: Business Continuity and Disaster Recovery
Business Continuity
- Integrated Crisis Management Plan
- Identify key business leaders
- Business Impact Analysis – Identify key processes
- Develop BCP plans
Disaster Recovery
- Inventory system availability requirements and recovery capabilities
- Prepositioned equipment
- Identification of seasoned, tactical leaders
- Employee safety, wellness
Slide 10: Disaster Strikes
April 27th – F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site.
The tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 miles from our local operations center.
Slide 11: IT Risk Evaluation
- Structured evaluation – Align evaluation with ISO 27001/27002, COBIT, Shared Assessments questionnaire
- Information gathering – Identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
- Align team/resources
- Develop a prioritized remediation roadmap
- Architecture – Evaluate integration initiatives
- Compliance – Develop/integrate compliance program
- Determine audience/output for communication plan – How does your culture manage risk?
- Recruit allies (CIO, other major stakeholders)
Slide 12: Evaluating Defenses and Processes
Evaluate (network):
- Network architecture/segmentation
- Firewall
- Intrusion prevention
- Denial of service protection
- Intrusion monitoring via event correlation
- Bandwidth utilization monitoring
- VPN authentication
Evaluate (hosts):
- Vulnerability assessments and remediation
- Build standards
- Physical security standards
- Host intrusion detection
- Anti-virus
- Content filtering
- Endpoint encryption
Evaluate (processes):
- IT security policy
- Incident response – Rapid Breach Response Team
- eBCM
- Crisis management
- User management
- Change control
Evaluate (applications):
- Load balancing
- Vulnerability assessments and remediation
- Application development security framework, aka AppSec
- Centralized digital certificate management
- Web application firewall
- Web application log monitoring
Evaluate (data):
- Data security standards
- Database firewall
- Data discovery or breach analysis
- Mobile device management/security
Evaluate (awareness):
- Tech awareness – e.g. application development security training
- End user awareness – training podcasts
Slide 13: Qualifying Risk
Slide 14: Risk Action Plan
- Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
- Align with integration efforts where possible (AD migration, billing system integration, etc.)
- Develop Remediation Roadmap
  - Quick hits – patching servers, fixing web apps, etc.
  - Interim hits – risk reduction initiatives (prioritized risk reduction, target system upgrades for key users, IPS, SIEM monitoring, process improvements, e.g. AV)
  - Long term – system standardization, integration projects, cultural change
- Adopt standard processes, protections, guidelines, metrics
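The roadmap step above (findings synthesized into quick hits, interim hits and long-term items, with items that ride an integration effort favored) can be made mechanical. This is an added example, not EarthLink's or the presenter's own tooling; the severity scale, effort thresholds and the sample findings are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed scales (not from the deck): severity weight and effort thresholds
# that separate quick hits from interim hits from long-term work.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
QUICK_MAX_DAYS = 10     # at or below: "quick hits"
INTERIM_MAX_DAYS = 90   # at or below: "interim hits"; beyond: "long term"


@dataclass
class Finding:
    item: str               # actionable item, e.g. "patch servers"
    domain: str             # area from the "Evaluate" checklist
    severity: str           # key of SEVERITY
    effort_days: int        # estimated remediation effort
    integration: str = ""   # integration initiative it aligns with, if any


def bucket(f: Finding) -> str:
    """Place a finding on the three-tier remediation roadmap by effort."""
    if f.effort_days <= QUICK_MAX_DAYS:
        return "quick hits"
    if f.effort_days <= INTERIM_MAX_DAYS:
        return "interim hits"
    return "long term"


def priority(f: Finding):
    """Sort key: most severe first; ties go to items that align with an
    integration effort (cheaper to do together), then to least effort."""
    return (-SEVERITY[f.severity], 0 if f.integration else 1, f.effort_days)


def roadmap(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Return the prioritized roadmap: bucket -> findings in priority order."""
    plan = {"quick hits": [], "interim hits": [], "long term": []}
    for f in sorted(findings, key=priority):
        plan[bucket(f)].append(f)
    return plan


# Constructed sample findings from a hypothetical acquired entity.
SAMPLE = [
    Finding("Patch internet-facing servers", "Patch management", "critical", 5),
    Finding("Fix SQL injection in customer portal", "Web application vulnerability", "high", 8),
    Finding("Deploy IPS at acquired data center edge", "Intrusion prevention", "high", 45),
    Finding("Onboard acquired hosts into SIEM", "Intrusion monitoring", "medium", 60, "AD migration"),
    Finding("Standardize AV across acquired endpoints", "Anti-virus", "medium", 30),
    Finding("Migrate to single AD forest", "User management", "medium", 180, "AD migration"),
    Finding("Consolidate billing systems", "Change control", "low", 240, "billing system integration"),
]
```

Each bucket is returned already ordered, so the first entries of "quick hits" are what an integration team would schedule in the first weeks after close.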
Slide 15: Measuring Success and Trends
Slide 16: Lessons Learned
- Ignorance is not bliss – get in the game early
- Right-size your risk management plan – Communicate early and often
- Balance business with security
- Standardize the process