Assessing IT Security and Compliance Risk for Acquisitions and Mergers
Assessing IT Security and Compliance Risk for Acquisitions and Mergers Presentation Transcript

  • 1. Assessing Security and Compliance Risk for Acquisitions and Mergers
    June 22, 2011
  • 2. Agenda
    • EarthLink Recent History
    • Risk Evaluation Opportunities
    • Planning Activities
    • Prioritizing Risk Review – Compliance, BC and DR, IT security
    • IT Compliance
    • Business Continuity and Disaster Recovery
    • IT Risk Assessment
    • Risk Action Plan
    • Lessons Learned
    Confidential
  • 3. Recent History
    Q2 2010…
    • ~1.5M consumer customers
    • 80% of revenue coming from broadband/dial subs, 20% from business
    • Declining business – 3% monthly churn
    • Generated $811M+ in cash between 6/2007 and 9/2010 - 35% margin in 2010
    Last six months… nearly $1B in M&A activity!
    • ITC DeltaCom - 12/8/2010
    • STS Telecom - 3/2/2010
    • One Communications - 4/1/2011
    • Logical Solutions – 5/17/2011
    Today…
    • ~60% of revenue coming from business (excluding the One/Logical acquisitions)
    • Employees from ~900 to 3,300+
    • Physical locations from 4 to 100+
  • 4. The New EarthLink
    Products and Services
    • IP Network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
    • Voice – VoIP, Local, Long Distance, Mobile
    • Cloud Services – Cloud Hosting, Web Hosting, Security
    • Managed Services – Voice, Router, Email, Data Center Colocation
  • 5. Implications
  • 6. Risk Evaluation Opportunities
    • Pre-acquisition – Initial reviews – Learning
      • Is this the right deal at the right valuation?
    • Pre-acquisition – Post announcement – Planning (gap analysis)
      • What IT processes are in place?
      • What IT compliance programs are in place? Is there a gap?
      • Is there a business continuity program? Disaster recovery?
    • Post-acquisition – Integration – Execution
      • Deep dives – compliance, BC/DR, IT risk
      • Remediation roadmaps
      • Continuous improvement audits
  • 7. Planning Activities
    Suggested activities:
    • Identify evaluation framework – COBIT, ISO 27K, etc.
    • Begin assessing risk – interviews, review documentation
    • What are the expected interim and long-term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
    • Prioritize risk management
      • IT compliance (PCI, SOX, other, new?)
      • Business continuity and disaster recovery
      • Risk management
  • 8. IT Compliance
    SOX – COBIT
    • Program requirements – identify materiality, controls and systems
    • Gap analysis
    • Deficiencies list – focus on material weaknesses and significant deficiencies first
    PCI DSS
    • Merchant or service provider level
    • Audit schedule
    • Auditor
    Identify new regulatory requirements:
    • Gramm–Leach–Bliley Act?
    • HIPAA?
    • CPNI?
  • 9. Business Continuity and Disaster Recovery
    Business Continuity
    • Integrated crisis management plan
    • Identify key business leaders
    • Business impact analysis – identify key processes
    • Develop BCP plans
    Disaster Recovery
    • Inventory system availability requirements and recovery capabilities
    • Prepositioned equipment
    • Identification of seasoned, tactical leaders
    • Employee safety, wellness
  • 10. Disaster Strikes
    April 27th – F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site
    Tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 mile from our local operations center
  • 11. IT Risk Evaluation
    Structured evaluation – align the evaluation with ISO 27001/27002, COBIT, Shared Assessment Questionnaire
    Information gathering – identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
    Align team/resources
    Develop a prioritized remediation roadmap
    Architecture – evaluate integration initiatives
    Compliance – develop/integrate compliance program
    Determine audience/output for communication plan – how does your culture manage risk?
    Recruit allies (CIO, other major stakeholders)
  • 12. Evaluating Defenses and Processes
    Evaluate:
    • Network architecture/segmentation
    • Firewall
    • Intrusion prevention
    • Denial of service protection
    • Intrusion monitoring via event correlation
    • Bandwidth utilization monitoring
    • VPN authentication
    Evaluate:
    • Vulnerability assessments and remediation
    • Build standards
    • Physical security standards
    • Host intrusion detection
    • Anti-virus
    • Content filtering
    • Endpoint encryption
    Evaluate:
    • IT security policy
    • Incident response – Rapid Breach Response Team
    • eBCM
    • Crisis management
    • User management
    • Change control
    Evaluate:
    • Load balancing
    • Vulnerability assessments and remediation
    • Application development security framework (AppSec)
    • Centralized digital certificate management
    • Web application firewall
    • Web application log monitoring
    Evaluate:
    • Data security standards
    • Database firewall
    • Data discovery or breach analysis
    • Mobile device management/security
    Evaluate:
    • Tech awareness – e.g. application development security training
    • End user awareness training podcasts
  • 13. Qualifying Risk
  • 14. Risk Action Plan
    Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
    Align with integration efforts where possible (AD migration, billing system integration, etc.)
    Develop remediation roadmap:
    • Quick hits – patching servers, fixing web apps, etc.
    • Interim hits – risk reduction initiatives (prioritized risk reduction: targeted system upgrades for key users, IPS, SIEM monitoring, process improvements, e.g. AV)
    • Long term – system standardization, integration projects, cultural change
    Adopt standard processes, protections, guidelines, metrics
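Slides 13 and 14 describe qualifying risk and then sorting findings into quick hits, interim initiatives and long-term integration work, with material compliance deficiencies taken first. The script below is an added example, not from the presentation or EarthLink: it scores a constructed list of assessment findings by likelihood × impact, weights items in compliance scope (SOX/PCI and the newer regulations slide 8 asks about), flags material deficiencies, and buckets the rest by remediation effort and dependence on an integration project. The weights, thresholds and findings are assumptions chosen for illustration.

```python
"""Score acquisition-assessment findings and bucket them into a remediation roadmap.

Added example; findings, weights and thresholds are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: int                  # 1 (rare) .. 5 (expected)
    impact: int                      # 1 (negligible) .. 5 (severe)
    effort_days: int                 # estimated remediation effort
    compliance_scope: Tuple[str, ...] = ()   # regulations the system falls under
    integration_dependent: bool = False      # fix rides an integration project (AD migration, etc.)


# Assumed multipliers: findings on in-scope systems outrank equally severe ones elsewhere.
COMPLIANCE_WEIGHT = {"SOX": 1.5, "PCI": 1.5, "HIPAA": 1.3, "GLBA": 1.3, "CPNI": 1.3}

# Assumed thresholds for the three roadmap horizons on slide 14.
QUICK_HIT_MAX_DAYS = 5
INTERIM_MAX_DAYS = 90
MATERIAL_SCORE = 15.0

# Constructed findings such as a post-announcement gap analysis might produce.
FINDINGS: List[Finding] = [
    Finding("Unpatched public web servers (acquired ISP)", 4, 4, 3, ("PCI",)),
    Finding("No IPS on data-center edge", 3, 4, 30),
    Finding("Shared admin accounts, no AD trust", 4, 3, 120, ("SOX",), True),
    Finding("Missing SIEM event correlation", 3, 3, 60),
    Finding("Laptops without disk encryption", 2, 4, 45, ("HIPAA",)),
    Finding("Default SNMP community on branch routers", 3, 2, 2),
]


def risk_score(f: Finding) -> float:
    """Likelihood x impact (1..25), scaled up by the strictest regulation in scope."""
    base = f.likelihood * f.impact
    mult = max((COMPLIANCE_WEIGHT.get(c, 1.0) for c in f.compliance_scope), default=1.0)
    return round(base * mult, 1)


def bucket(f: Finding) -> str:
    """Assign the roadmap horizon: quick hit, interim initiative, or long-term integration work."""
    if f.effort_days <= QUICK_HIT_MAX_DAYS:
        return "quick"
    if f.integration_dependent or f.effort_days > INTERIM_MAX_DAYS:
        return "long"
    return "interim"


def _by_priority(findings: List[Finding]) -> List[Finding]:
    return sorted(findings, key=lambda f: (-risk_score(f), f.title))


def material_deficiencies(findings: List[Finding]) -> List[str]:
    """Compliance-scoped findings at or above MATERIAL_SCORE; slide 8 says these come first."""
    return [f.title for f in _by_priority(findings)
            if f.compliance_scope and risk_score(f) >= MATERIAL_SCORE]


def build_roadmap(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by horizon, highest risk score first within each horizon."""
    roadmap: Dict[str, List[Finding]] = {"quick": [], "interim": [], "long": []}
    for f in findings:
        roadmap[bucket(f)].append(f)
    return {k: [f.title for f in _by_priority(v)] for k, v in roadmap.items()}


if __name__ == "__main__":
    print("Material deficiencies (address first):")
    for title in material_deficiencies(FINDINGS):
        print(f"  {title}")
    for horizon, titles in build_roadmap(FINDINGS).items():
        print(f"{horizon}:")
        for title in titles:
            print(f"  {title}")
```

Two design choices matter more than the numbers: effort, not severity, decides the horizon, so a cheap fix to a low-risk item still lands in the quick-hit list where it can be closed during integration, while anything that depends on an integration project (the AD trust example from slide 7) is deliberately parked in the long-term bucket so the roadmap does not promise it ahead of the migration. The material-deficiency list is reported separately because it cuts across horizons.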
  • 15. Measuring Success and Trends
  • 16. Lessons Learned
    • Ignorance is not bliss – get in the game early
    • Right-size your risk management plan – communicate early and often
    • Balance business with security
    • Standardize the process