Assessing IT Security and Compliance Risk for Acquisitions and Mergers
    Presentation Transcript

    • Assessing Security and Compliance Risk for Acquisitions and Mergers
      June 22, 2011
    • Agenda
      • EarthLink Recent History
      • Risk Evaluation Opportunities
      • Planning Activities
      • Prioritizing Risk Review – Compliance, BC and DR, IT security
      • IT Compliance
      • Business Continuity and Disaster Recovery
      • IT Risk Assessment
      • Risk Action Plan
      • Lessons Learned
      2
      Confidential
    • Recent History
      Q2 2010…
      • ~1.5M consumer customers
      • 80% of revenue coming from broadband/dial subs, 20% from business
      • Declining business – 3% monthly churn
      • Generated $811M+ in cash between 6/2007 and 9/2010 -35% margin in 2010
      Last Six Months…Nearly $1B in M&A Activity!
      • ITC DeltaCom - 12/8/2010
      • STS Telecom - 3/2/2010
      • One Communications - 4/1/2011
      • Logical Solutions – 5/17/2011
      Today…
      • ~60% of revenue coming from business (excluding One/Logical Acquisitions)
      • Employees from ~900 to 3,300+
      • Physical locations from 4 to 100+
    • The New EarthLink
      Products and Services
      • IP network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
      • Voice – VOIP, Local, Long Distance, Mobile
      • Cloud Services – Cloud Hosting, Web Hosting, Security
      • Managed Services – Voice, Router, Email, Data Center Colocation
    • Implications
    • Risk Evaluation Opportunities
      • Pre-acquisition – Initial reviews - Learning
        • Is this the right deal at the right valuation?
      • Pre-acquisition – Post announcement – Planning (Gap analysis)
        • What IT processes are in place?
        • What IT compliance programs are in place? Is there a gap?
        • Is there a business continuity program? Disaster recovery?
      • Post Acquisition – Integration – Execution
        • Deep dives – compliance, BC/DR, IT risk
        • Remediation roadmaps
        • Continuous improvement audits
    • Planning Activities
      Suggested activities:
      • Identify evaluation framework – COBIT, ISO 27K, etc.
      • Begin assessing risk – Interviews, review documentation
      • What are the expected interim and long term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
      • Prioritize risk management
        • IT compliance (PCI, SOX, other, new?)
        • Business continuity and disaster recovery
        • Risk management
    • IT Compliance
      SOX - COBIT
      • Program requirements – Identify materiality, controls and systems
      • Gap analysis
      • Deficiencies list – Focus on material weaknesses and significant deficiencies first
      PCI - DSS
      • Merchant or service provider level
      • Audit schedule
      • Auditor
      Identify new regulatory requirements:
      • Gramm–Leach–Bliley Act?
      • HIPAA?
      • CPNI?
    • Business Continuity and Disaster Recovery
      Business Continuity
      • Integrated Crisis Management Plan
      • Identify key business leaders
      • Business Impact Analysis – Identify key processes
      • Develop BCP plans
      Disaster Recovery
      • Inventory system availability requirements and recovery capabilities
      • Prepositioned equipment
      • Identification of seasoned, tactical leaders
      • Employee safety, wellness
    • Disaster Strikes
      April 27th - F4 tornado struck operations centers in Arab, AL and Huntsville, AL - hundreds of employees on site
      Tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 miles from our local operations center
    • IT Risk Evaluation
      Structured evaluation – Align evaluation with ISO 27001/27002, COBIT, Shared Assessment Questionnaire
      Information gathering - Identify key areas for investigation (AV, network topography, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
      Align team/resources
      Develop a prioritized remediation roadmap
      Architecture – evaluate integration initiatives
      Compliance – develop/integrate compliance program
      Determine audience/output for communication plan - How does your culture manage risk?
      Recruit allies (CIO, other major stakeholders)
    • Evaluating Defenses and Processes
      Evaluate:
      • Network architecture/segmentation
      • Firewall
      • Intrusion Prevention
      • Denial of Service protection
      • Intrusion monitoring via event correlation
      • Bandwidth utilization monitoring
      • VPN authentication
      Evaluate:
      • Vulnerability assessments and remediation
      • Build standards
      • Physical security standards
      • Host Intrusion Detection
      • Anti-virus
      • Content filtering
      • Endpoint encryption
      Evaluate:
      • IT Security Policy
      • Incident Response - Rapid Breach Response Team
      • eBCM
      • Crisis Management
      • User Management
      • Change Control
      Evaluate:
      • Load balancing
      • Vulnerability assessments and remediation
      • Application development security framework aka AppSec
      • Centralized digital certificate management
      • Web application firewall
      • Web application log monitoring
      Evaluate:
      • Data security standards
      • Database firewall
      • Data discovery or breach analysis
      • Mobile device management/security
      Evaluate:
      • Tech awareness - e.g. application development security training
      • End user awareness training podcasts
    • Qualifying Risk
    • Risk Action Plan
      Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
      Align with integration efforts where possible (AD migration, billing system integration, etc)
      Develop Remediation Roadmap
      Quick hits - patching servers, fixing web apps, etc
      Interim hits - risk reduction initiatives (prioritized risk reduction target system upgrades for key users, IPS, SIEM monitoring, process improvements, e.g. AV)
      Long term - system standardization, integration projects, cultural change
      Adopt standard processes, protections, guidelines, metrics
    • Measuring Success and Trends
    • Lessons Learned
      Ignorance is not bliss - get in the game early
      Right-size your risk management plan - Communicate early and often
      Balance business with security
      Standardize the process