Assessing IT Security and Compliance Risk for Acquisitions and Mergers
Transcript

Slide 1. Assessing Security and Compliance Risk for Acquisitions and Mergers
June 22, 2011

Slide 2. Agenda
  • EarthLink Recent History
  • Risk Evaluation Opportunities
  • Planning Activities
  • Prioritizing Risk Review – Compliance, BC and DR, IT security
  • IT Compliance
  • Business Continuity and Disaster Recovery
  • IT Risk Assessment
  • Risk Action Plan
  • Lessons Learned
Confidential

Slide 3. Recent History
Q2 2010…
  • ~1.5M consumer customers
  • 80% of revenue coming from broadband/dial subscribers, 20% from business
  • Declining business – 3% monthly churn
  • Generated $811M+ in cash between 6/2007 and 9/2010 – 35% margin in 2010
Last Six Months… Nearly $1B in M&A Activity!
  • ITC DeltaCom – 12/8/2010
  • STS Telecom – 3/2/2010
  • One Communications – 4/1/2011
  • Logical Solutions – 5/17/2011
Today…
  • ~60% of revenue coming from business (excluding the One/Logical acquisitions)
  • Employees from ~900 to 3,300+
  • Physical locations from 4 to 100+

Slide 4. The New EarthLink
Products and Services
  • IP network services – Nationwide network – MPLS, T1/DS1, T3/DS3
  • Voice – VoIP, Local, Long Distance, Mobile
  • Cloud Services – Cloud Hosting, Web Hosting, Security
  • Managed Services – Voice, Router, Email, Data Center Colocation

Slide 5. Implications
(no transcript text for this slide)

Slide 6. Risk Evaluation Opportunities
  • Pre-acquisition – Initial reviews – Learning
    • Is this the right deal at the right valuation?
  • Pre-acquisition – Post announcement – Planning (gap analysis)
    • What IT processes are in place?
    • What IT compliance programs are in place? Is there a gap?
    • Is there a business continuity program? Disaster recovery?
  • Post-acquisition – Integration – Execution
    • Deep dives – compliance, BC/DR, IT risk
    • Remediation roadmaps
    • Continuous improvement audits

Slide 7. Planning Activities
Suggested activities:
  • Identify evaluation framework – COBIT, ISO 27K, etc.
  • Begin assessing risk – Interviews, review documentation
  • What are the expected interim and long-term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
  • Prioritize risk management
    • IT compliance (PCI, SOX, other, new?)
    • Business continuity and disaster recovery
    • Risk management

Slide 8. IT Compliance
SOX – COBIT
  • Program requirements – Identify materiality, controls and systems
  • Gap analysis
  • Deficiencies list – Focus on material weaknesses and significant deficiencies first
PCI DSS
  • Merchant or service provider level
  • Audit schedule
  • Auditor
Identify new regulatory requirements:
  • Gramm–Leach–Bliley Act?
  • HIPAA?
  • CPNI?

Slide 9. Business Continuity and Disaster Recovery
Business Continuity
  • Integrated Crisis Management Plan
  • Identify key business leaders
  • Business Impact Analysis – Identify key processes
  • Develop BCP plans
Disaster Recovery
  • Inventory system availability requirements and recovery capabilities
  • Prepositioned equipment
  • Identification of seasoned, tactical leaders
  • Employee safety, wellness

Slide 10. Disaster Strikes
April 27th – F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site
Tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 mile from our local operations center

Slide 11. IT Risk Evaluation
  • Structured evaluation – Align evaluation with ISO 27001/27002, COBIT, Shared Assessment Questionnaire
  • Information gathering – Identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
  • Align team/resources
  • Develop a prioritized remediation roadmap
  • Architecture – evaluate integration initiatives
  • Compliance – develop/integrate compliance program
  • Determine audience/output for communication plan – How does your culture manage risk?
  • Recruit allies (CIO, other major stakeholders)

Slide 12. Evaluating Defenses and Processes
Evaluate:
  • Network architecture/segmentation
  • Firewall
  • Intrusion Prevention
  • Denial of Service protection
  • Intrusion monitoring via event correlation
  • Bandwidth utilization monitoring
  • VPN authentication
Evaluate:
  • Vulnerability assessments and remediation
  • Build standards
  • Physical security standards
  • Host Intrusion Detection
  • Anti-virus
  • Content filtering
  • Endpoint encryption
Evaluate:
  • IT Security Policy
  • Incident Response – Rapid Breach Response Team
  • eBCM
  • Crisis Management
  • User Management
  • Change Control
Evaluate:
  • Load balancing
  • Vulnerability assessments and remediation
  • Application development security framework, aka AppSec
  • Centralized digital certificate management
  • Web application firewall
  • Web application log monitoring
Evaluate:
  • Data security standards
  • Database firewall
  • Data discovery or breach analysis
  • Mobile device management/security
Evaluate:
  • Tech awareness – e.g. application development security training
  • End user awareness – training podcasts

Slide 13. Qualifying Risk
(no transcript text for this slide)

Slide 14. Risk Action Plan
  • Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
  • Align with integration efforts where possible (AD migration, billing system integration, etc.)
  • Develop Remediation Roadmap
    • Quick hits – patching servers, fixing web apps, etc.
    • Interim hits – risk reduction initiatives (prioritized risk-reduction target system upgrades for key users, IPS, SIEM monitoring, process improvements, e.g. AV)
    • Long term – system standardization, integration projects, cultural change
  • Adopt standard processes, protections, guidelines, metrics

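One way to make the "synthesize, then tier" step of the Risk Action Plan concrete, as an added illustration that is not from the presentation: a small risk-register triage that scores findings, uplifts those on systems inside a compliance program's scope (PCI, SOX, CPNI, per the IT Compliance slide), and buckets them into the quick-hit / interim / long-term tiers, letting a finding ride along with an integration effort such as the AD migration. The weights, thresholds and sample findings are assumptions, not the presenter's figures.

```python
"""Constructed risk-register triage for an acquired entity's findings."""
from dataclasses import dataclass

# Assumed uplift for findings on systems inside a compliance program's scope.
COMPLIANCE_WEIGHT = {"PCI": 1.5, "SOX": 1.3, "CPNI": 1.2}

@dataclass
class Finding:
    name: str
    likelihood: int        # 1 (rare) .. 5 (expected)
    impact: int            # 1 (negligible) .. 5 (severe)
    effort_days: int       # estimated remediation effort
    scope: tuple = ()      # compliance programs covering the affected system
    integration: str = ""  # integration project this can ride along with

def score(f: Finding) -> float:
    """Likelihood x impact, uplifted by the strongest compliance driver."""
    weight = max((COMPLIANCE_WEIGHT.get(s, 1.0) for s in f.scope), default=1.0)
    return f.likelihood * f.impact * weight

def tier(f: Finding) -> str:
    """Place a finding in one of the deck's three roadmap tiers (assumed thresholds)."""
    if f.effort_days <= 5 and score(f) >= 6:
        return "quick hit"          # cheap and worth doing now
    if f.integration or f.effort_days <= 30:
        return "interim"            # bounded effort, or rides an integration effort
    return "long term"              # standardization / large projects

def build_roadmap(findings):
    """Return tier -> finding names, highest score first within each tier."""
    roadmap = {"quick hit": [], "interim": [], "long term": []}
    for f in sorted(findings, key=score, reverse=True):
        roadmap[tier(f)].append(f.name)
    return roadmap

# Constructed sample register; not findings from the presentation.
SAMPLE = [
    Finding("Unpatched internet-facing web server", 4, 5, 2, ("PCI",)),
    Finding("No SIEM correlation across acquired sites", 3, 4, 45),
    Finding("Acquired AD domain not trusted by corporate", 2, 3, 20, (), "AD migration"),
    Finding("Legacy billing app lacks change control", 3, 4, 90, ("SOX",)),
    Finding("End-user awareness training absent", 3, 2, 10),
]

if __name__ == "__main__":
    for t, names in build_roadmap(SAMPLE).items():
        print(f"{t}: {names}")
```
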
Slide 15. Measuring Success and Trends
(no transcript text for this slide)

Slide 16. Lessons Learned
  • Ignorance is not bliss – get in the game early
  • Right-size your risk management plan – Communicate early and often
  • Balance business with security
  • Standardize the process
