Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Transcript

  • 1. Assessing Security and Compliance Risk for Acquisitions and Mergers
    June 22, 2011
  • 2. Agenda
    • EarthLink Recent History
    • Risk Evaluation Opportunities
    • Planning Activities
    • Prioritizing Risk Review – Compliance, BC and DR, IT Security
    • IT Compliance
    • Business Continuity and Disaster Recovery
    • IT Risk Assessment
    • Risk Action Plan
    • Lessons Learned
    Confidential
  • 3. Recent History
    Q2 2010…
    • ~1.5M consumer customers
    • 80% of revenue coming from broadband/dial subscribers, 20% from business
    • Declining business – 3% monthly churn
    • Generated $811M+ in cash between 6/2007 and 9/2010; 35% margin in 2010
    Last Six Months… Nearly $1B in M&A Activity!
    • ITC DeltaCom – 12/8/2010
    • STS Telecom – 3/2/2010
    • One Communications – 4/1/2011
    • Logical Solutions – 5/17/2011
    Today…
    • ~60% of revenue coming from business (excluding the One/Logical acquisitions)
    • Employees from ~900 to 3,300+
    • Physical locations from 4 to 100+
  • 4. The New EarthLink
    Products and Services
    • IP Network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
    • Voice – VoIP, Local, Long Distance, Mobile
    • Cloud Services – Cloud Hosting, Web Hosting, Security
    • Managed Services – Voice, Router, Email, Data Center Colocation
  • 5. Implications
  • 6. Risk Evaluation Opportunities
    • Pre-acquisition – Initial reviews – Learning
      • Is this the right deal at the right valuation?
    • Pre-acquisition – Post-announcement – Planning (gap analysis)
      • What IT processes are in place?
      • What IT compliance programs are in place? Is there a gap?
      • Is there a business continuity program? Disaster recovery?
    • Post-acquisition – Integration – Execution
      • Deep dives – compliance, BC/DR, IT risk
      • Remediation roadmaps
      • Continuous improvement audits
  • 7. Planning Activities
    Suggested activities:
    • Identify an evaluation framework – COBIT, ISO 27K, etc.
    • Begin assessing risk – interviews, documentation review
    • What are the expected interim and long-term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
    • Prioritize risk management:
      • IT compliance (PCI, SOX, other, new?)
      • Business continuity and disaster recovery
      • Risk management
  • 8. IT Compliance
    SOX – COBIT
    • Program requirements – identify materiality, controls and systems
    • Gap analysis
    • Deficiencies list – focus on material weaknesses and significant deficiencies first
    PCI DSS
    • Merchant or service provider level
    • Audit schedule
    • Auditor
    Identify new regulatory requirements:
  • 9. Business Continuity and Disaster Recovery
    Business Continuity
    • Integrated Crisis Management Plan
    • Identify key business leaders
    • Business Impact Analysis – identify key processes
    • Develop BCP plans
    Disaster Recovery
    • Inventory system availability requirements and recovery capabilities
    • Prepositioned equipment
    • Identification of seasoned, tactical leaders
    • Employee safety, wellness
  • 10. Disaster Strikes
    April 27th – F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site
    The tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 miles from our local operations center
  • 11. IT Risk Evaluation
    • Structured evaluation – align the evaluation with ISO 27001/27002, COBIT, Shared Assessments questionnaire
    • Information gathering – identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
    • Align team/resources
    • Develop a prioritized remediation roadmap
    • Architecture – evaluate integration initiatives
    • Compliance – develop/integrate compliance program
    • Determine audience/output for the communication plan – how does your culture manage risk?
    • Recruit allies (CIO, other major stakeholders)
  • 12. Evaluating Defenses and Processes
    Evaluate – network:
    • Network architecture/segmentation
    • Firewall
    • Intrusion prevention
    • Denial of service protection
    • Intrusion monitoring via event correlation
    • Bandwidth utilization monitoring
    • VPN authentication
    Evaluate – host/endpoint:
    • Vulnerability assessments and remediation
    • Build standards
    • Physical security standards
    • Host intrusion detection
    • Anti-virus
    • Content filtering
    • Endpoint encryption
    Evaluate – policy and process:
    • IT security policy
    • Incident response – Rapid Breach Response Team
    • eBCM
    • Crisis management
    • User management
    • Change control
    Evaluate – application:
    • Load balancing
    • Vulnerability assessments and remediation
    • Application development security framework, aka AppSec
    • Centralized digital certificate management
    • Web application firewall
    • Web application log monitoring
    Evaluate – data and mobile:
    • Data security standards
    • Database firewall
    • Data discovery or breach analysis
    • Mobile device management/security
    Evaluate – awareness:
    • Tech awareness – e.g. application development security training
    • End user awareness training podcasts
  • 13. Qualifying Risk
  • 14. Risk Action Plan
    • Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
    • Align with integration efforts where possible (AD migration, billing system integration, etc.)
    • Develop a remediation roadmap:
      • Quick hits – patching servers, fixing web apps, etc.
      • Interim hits – risk reduction initiatives (prioritized risk-reduction targets: system upgrades for key users, IPS, SIEM monitoring, process improvements such as AV)
      • Long term – system standardization, integration projects, cultural change
    • Adopt standard processes, protections, guidelines, metrics
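The roadmap triage described above, as an added worked example rather than code from the original deck: findings from the risk review are scored, sorted by priority, placed into the three horizons (quick hits, interim, long term) and flagged when they can ride on an integration initiative already on the plan. The likelihood/impact scales, the effort thresholds, the sample findings and the host names are all assumptions chosen for illustration; tune the thresholds to your own risk appetite.

```python
"""
Remediation-roadmap triage for findings gathered during an acquisition
IT risk review. Added illustration, not the EarthLink deck's own tooling.
Scales, thresholds and sample data below are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    system: str
    issue: str
    likelihood: int                 # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                     # assumed scale 1 (negligible) .. 5 (severe)
    effort_days: int                # rough engineering effort to remediate
    integration_ties: tuple = ()    # integration initiatives this fix could ride on
    compliance: tuple = ()          # regimes the finding bears on, e.g. ("PCI",)

    @property
    def score(self) -> int:
        """Simple likelihood x impact score in the range 1..25."""
        return self.likelihood * self.impact


# Assumed thresholds: a quick hit must fit in a short sprint; anything
# project-sized (standardization, SIEM roll-out) goes to the long-term horizon.
QUICK_HIT_MAX_EFFORT = 5
LONG_TERM_MIN_EFFORT = 60
HIGH_RISK = 12


def bucket(f: Finding) -> str:
    """Assign a finding to one of the three roadmap horizons."""
    if f.effort_days >= LONG_TERM_MIN_EFFORT:
        return "long term"
    if f.effort_days <= QUICK_HIT_MAX_EFFORT and (f.score >= HIGH_RISK or f.compliance):
        return "quick hit"
    return "interim"


def priority_key(f: Finding):
    """Highest risk first; at equal risk, compliance items and cheaper fixes first."""
    return (-f.score, 0 if f.compliance else 1, f.effort_days)


def build_roadmap(findings, planned_integrations):
    """Group findings by horizon in priority order; each entry carries the
    planned integration initiatives the fix can be folded into."""
    roadmap = {"quick hit": [], "interim": [], "long term": []}
    planned = set(planned_integrations)
    for f in sorted(findings, key=priority_key):
        aligned = sorted(set(f.integration_ties) & planned)
        roadmap[bucket(f)].append((f, aligned))
    return roadmap


def render(roadmap) -> list:
    """Produce one line per finding, grouped by horizon, for a status report."""
    lines = []
    for horizon in ("quick hit", "interim", "long term"):
        lines.append(f"== {horizon} ==")
        for f, aligned in roadmap[horizon]:
            tag = f" [align: {', '.join(aligned)}]" if aligned else ""
            lines.append(f"{f.score:>2}  {f.system:<15} {f.issue} ({f.effort_days}d){tag}")
    return lines


# Constructed sample findings (hypothetical systems, not real EarthLink data).
SAMPLE_FINDINGS = [
    Finding("billing-web-01", "SQL injection in customer portal", 4, 5, 3,
            ("billing system integration",), ("PCI",)),
    Finding("dc-legacy-ad", "Stale admin accounts in acquired AD forest", 4, 4, 10,
            ("AD migration",)),
    Finding("web-cluster", "Web servers missing OS patches", 5, 4, 2),
    Finding("pop-routers", "No IPS in front of regional POPs", 3, 4, 30),
    Finding("all-hosts", "No centralized log correlation (SIEM)", 3, 5, 90),
    Finding("field-laptops", "No endpoint encryption", 2, 3, 20),
]
PLANNED_INTEGRATIONS = ("AD migration", "billing system integration", "email")


if __name__ == "__main__":
    for line in render(build_roadmap(SAMPLE_FINDINGS, PLANNED_INTEGRATIONS)):
        print(line)
```

Two design points worth keeping when adapting this: a finding with a compliance tie is promoted to the quick-hit list even at a modest risk score, because an audit deadline is a hard date; and effort, not just risk, decides the horizon, since a high-risk item that needs a SIEM project cannot honestly be called a quick hit.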
  • 15. Measuring Success and Trends
  • 16. Lessons Learned
    • Ignorance is not bliss – get in the game early
    • Right-size your risk management plan – communicate early and often
    • Balance business with security
    • Standardize the process