Security in Mergers and Acquisitions (M&A)
Going After the Weak Link
November 29, 2017
Security in Mergers and Acquisitions - Unclassified – External – Approved. V.2.0
Miriam Levenstein
© 2017 NTT Security
Contents
1. Introduction
2. The Challenge of M&A
3. Weak Branches Bring Down a Strong Tree
4. Solution Approach
5. Maturing the Process
Introduction
Miriam Levenstein, Senior Consultant, Professional Services
NTT Security
Miriam.Levenstein@nttsecurity.com
Expertise: Governance, Risk and Compliance, Privacy, Mergers & Acquisitions, Business Continuity
Major Assignments:
• Engaged on M&A due diligence and integration projects for global corporations.
• Perform security assessments and privacy impact assessments (PIA) based on the NIST 800-53 framework for state healthcare agencies.
• Conduct Capabilities Maturity Model (CMM) assessment based on the Cyber Security Framework.
Certifications:
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• PCI Qualified Security Assessor (PCI-QSA)
• Certified Information Systems Auditor (CISA)
The Challenge of M&A
Secure M&A Processes are Key
Although not always recognized as such, Information Security Governance, Risk and Compliance (GRC) principles are critical in M&A processes of:
• Due diligence
• Integration of acquired companies
• Divestiture and transitioning services
These principles apply to any program to integrate one entity (agency, division or company) with another.
Going After the Weak Link
Attackers know that a company is only as strong as its weakest link.
• When seeking access to valuable company data, such as intellectual property, credit card data or health information, attackers will try to infiltrate email, network shared drives, and other resources.
• In order to control core IT services, they often find that an indirect route is the most successful.
• A large company typically will have strong cybersecurity defences at its corporate headquarters, but security may be lax at the company's acquired divisions.
Attackers Get Inside
An attacker will look for acquisitions and subsidiaries in order to find insecure perimeters, such as firewalls that allow Telnet or Remote Desktop access directly to the internal network.
• Once inside the acquired company's network, the attacker then seeks connectors into the central corporation through Active Directory federation or connectivity put in place for databases and applications.
• If the attacker finds a link, that opening is used to gain a foothold inside the well-secured corporate network.
How They Find You
• Many acquisitions are publicly announced in press releases and noted in industry journals and news feeds.
• Additionally, public companies include the list of their subsidiaries in SEC filings, which can be searched online at www.sec.gov.
• Most organizations also release Annual Reports online, with merger and acquisition information included to demonstrate the company's strategy for growth.
Weak Branches Bring Down A Strong Tree
Why Aren’t Acquisitions More Secure?
It is initially difficult to understand why an organization would not secure its acquired divisions. However, this is often a management decision based on business priorities.
• For example, consider an international manufacturer (Acme) that has purchased a small start-up (Genius). The start-up, which has developed a unique technology, consists of just eleven people -- ten engineers and one office manager.
• When Acme first bought this start-up, a key engineer threatened to walk off his job if he was restrained in any way by new policies and procedures.
The Tale of Acme & Genius
Acme assumed that over time Genius would adapt to the parent company's culture, policies and procedures.
• But the engineers at Genius took pride in being able to work around the information security that Acme tried (at times) to impose.
• When Acme's corporate security put a firewall between the development lab and the production network, the chief engineer walked into the wiring closet and unplugged the firewall. "Honey badger don't care," he said.
Where Is the Oversight?
• The engineering team at Genius found ways around Acme's corporate requirements, installing rogue access points, routers and switches.
• Internal audit performed a site visit, and these problems were reported back to corporate.
• However, the issues were given low priority because they were found on an "acquisition network."
• There was no clearly defined OWNERSHIP and responsibility for the acquisition's network, data and systems.
Why It Matters: The Attack
Eventually, hackers discovered this small division of Acme where users were domain administrators and developers had access to production systems; where there was no network segmentation between development, test and production.
• Numerous avenues for infiltration had been left open. VNC, without encryption, was the remote access protocol in use.
• Once inside, the hackers found the golden key – the small shop's Active Directory was integrated into the main corporate Active Directory.
• They gained access to the corporate Active Directory, email and network shared drives, using a compromised administrative account.
Solution Approach
Start at the Start: Due Diligence
In due diligence, the acquiring company reviews documentation from the "target," the company it may buy. The acquirer should ask for and review:
• Information security and privacy policies and procedures
• Security training programs
• Audit reports
• Vulnerability scan and pen test results
• Network maps
• Any other relevant administrative and technical documents
Security and Compliance Gap Analysis
The security program at the target company should be reviewed in light of the existing security framework used by the acquiring (parent) company.
• The parent company may comply with PCI DSS, HIPAA or other regulations.
• How does the security at the target company compare? What are the gaps?
• This gap analysis will provide a baseline to understand how the acquired company differs from the main corporation.
• Be aware that the acquisition may bring with it new compliance requirements, especially in the case of international deals.
Network Architecture and Technical Security
Implement technology and network architecture to secure the network while allowing connectivity that is needed.
• Initial connectivity for Day One may be limited to a secure portal or virtual desktops.
• When network connectivity is established for integration, carefully review firewall access control lists. Intrusion prevention controls and network monitoring should be enabled.
• Evaluate risk and apply technical solutions, including data loss prevention (DLP), user behavior analytics (UBA), and multi-factor authentication (MFA).
• Include acquisition systems in vulnerability and compliance scans, penetration testing, and other security tests.
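The firewall ACL review called for above can be partly scripted. The following is an added example, not code from the deck or from NTT Security: it parses a constructed rule export, assumes a hypothetical address plan (10.50.0.0/16 for the acquired site, 10.0.0.0/12 for the corporate core), and flags the two exposures the deck describes, Telnet, Remote Desktop or VNC reachable from outside, and an acquisition-to-corporate rule that permits every service.

```python
"""Constructed example: audit a firewall ACL export for the exposures this deck
describes. The rule format, the zones and every rule are made up for
illustration; adapt parse_rules() to your firewall's real export format."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterable

# Services the deck names as dangerous when reachable from outside: Telnet and
# VNC are cleartext, RDP exposes an interactive login surface to the internet.
RISKY_SERVICES = {23: "Telnet", 3389: "Remote Desktop"}
RISKY_SERVICES.update({p: "VNC" for p in range(5900, 5910)})

# Hypothetical address plan (assumption): acquired site and corporate core.
# Anything outside these ranges, or "any", is treated as untrusted.
ZONES = {"acquisition": ip_network("10.50.0.0/16"),
         "corporate": ip_network("10.0.0.0/12")}
INTERNAL = set(ZONES)
OUTSIDE = {"any", "external"}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # kept for the format; the checks below are port based
    ports: str   # single port, "lo-hi" range, or "any"
    action: str  # "allow" or "deny"

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    reason: str

def parse_rules(text: str) -> list[Rule]:
    """Parse the whitespace-separated export used in this example."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*fields))
    return rules

def zone_of(cidr: str) -> str:
    """Map an address or prefix to a zone name, 'any' or 'external'."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"

def port_set(ports: str) -> set[int] | None:
    """Expand a port spec; None means every port."""
    if ports == "any":
        return None
    lo, _, hi = ports.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def audit(rules: Iterable[Rule]) -> list[Finding]:
    """Flag allow rules that create the two exposures the deck describes."""
    findings: list[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst, ports = zone_of(r.src), zone_of(r.dst), port_set(r.ports)
        if src in OUTSIDE and (dst in INTERNAL or dst == "any"):
            # Inbound from outside straight to the internal network (the
            # Telnet/RDP/VNC pattern from the "Attackers Get Inside" slide).
            if ports is None:
                findings.append(Finding(r.name, "high", "all services reachable from outside"))
            elif exposed := {RISKY_SERVICES[p] for p in ports if p in RISKY_SERVICES}:
                findings.append(Finding(r.name, "high", ", ".join(sorted(exposed)) + " reachable from outside"))
        elif src == "acquisition" and dst in {"corporate", "any"} and ports is None:
            # The "golden key": the acquired site can reach the whole corporate
            # core rather than only the AD/application connectors it needs.
            findings.append(Finding(r.name, "medium", "acquisition network has unrestricted access to the corporate core"))
    return findings

# Constructed ACL export for an acquired site (all addresses are examples).
SAMPLE_ACL = """
# name          src             dst              proto  ports      action
allow-web       any             10.50.10.0/24    tcp    443        allow
legacy-telnet   any             10.50.20.5/32    tcp    23         allow
vendor-rdp      203.0.113.0/24  10.50.30.0/24    tcp    3389       allow
lab-vnc         any             10.50.40.0/24    tcp    5900-5905  allow
acq-to-corp     10.50.0.0/16    10.0.0.0/12      any    any        allow
acq-ad-sync     10.50.0.0/16    10.1.1.10/32     tcp    636        allow
deny-all        any             any              any    any        deny
"""

if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_ACL)):
        print(f"[{f.severity.upper()}] {f.rule}: {f.reason}")
```

The acq-ad-sync rule is left alone on purpose: a narrow, named connector is what integration should look like, while acq-to-corp is the unrestricted trust relationship the Acme and Genius story turns on.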
Incident Response and Handling
Develop and document an incident response procedure that clearly states responsibilities of team members at the acquisition site and the corporate headquarters.
• Perform incident response testing to validate response to incidents at acquisition sites.
• Consider forming a team with representatives from all branches and acquired companies in order to coordinate enterprise response to widespread issues.
https://xkcd.com/1354/
Don’t Forget the Human Factor
The security of data depends on employees who understand and carry out their role in protecting information.
• Security awareness and training should be extended to acquired companies as soon as possible.
• Training should be enjoyable, interesting, and tailored to the audience.
Maturing the Process
Develop an M&A Playbook
Document the processes and procedures for Information Security activities in Mergers and Acquisitions, from Due Diligence through Integration.
• Develop a Playbook and maintain it as a living document, reviewed frequently.
• Build security in from the start.
• Include architecture diagrams and technical solutions for integration and network connectivity.
• Address all phases of Mergers, Acquisitions and Divestitures.
Establish Ownership for Information Security
Clearly state who is responsible for information security at acquisition sites.
• Clarify funding, lines of reporting, and shared responsibilities.
• Coordinate with Internal Audit, Legal, HR and governance councils on compliance and enforcement.
• Input findings from security assessments into a Risk Register and/or Plan of Actions & Milestones (POAM).
• Include M&A security in the organization's overarching information security risk management program.
In Conclusion
Mergers and acquisitions drive business growth, but bring a multitude of risks. Cyber security risk is part of that.
By addressing security governance at the beginning, at due diligence, and tracking risks throughout the integration process, companies can gain control over the information security and compliance risks in mergers and acquisitions.
Thank You!
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Secure M&A with Gap Analysis

  • 1. Security in Mergers and Acquisitions (M&A): Going After the Weak Link
    November 29, 2017
    Security in Mergers and Acquisitions - Unclassified – External – Approved. V.2.0
    Miriam Levenstein
  • 2. Contents (© 2017 NTT Security)
    1. Introduction
    2. The Challenge of M&A
    3. Weak Branches Bring Down a Strong Tree
    4. Solution Approach
    5. Maturing the Process
  • 3. Introduction
    Miriam Levenstein, Senior Consultant, Professional Services, NTT Security
    Miriam.Levenstein@nttsecurity.com
    Expertise: Governance, Risk and Compliance, Privacy, Mergers & Acquisitions, Business Continuity
    Major Assignments:
      • Engaged on M&A due diligence and integration projects for global corporations.
      • Perform security assessments and privacy impact assessments (PIA) based on the NIST 800-53 framework for state healthcare agencies.
      • Conduct Capability Maturity Model (CMM) assessments based on the Cyber Security Framework.
    Certifications:
      • Certified Information Systems Security Professional (CISSP)
      • Certified Information Security Manager (CISM)
      • PCI Qualified Security Assessor (PCI-QSA)
      • Certified Information Systems Auditor (CISA)
  • 4. The Challenge of M&A
  • 5. Secure M&A Processes are Key
    Although not always recognized as such, Information Security Governance, Risk and Compliance (GRC) principles are critical in the M&A processes of:
      • Due diligence
      • Integration of acquired companies
      • Divestiture and transitioning services
    These principles apply to any program to integrate one entity (agency, division or company) with another.
  • 6. Going After the Weak Link
    Attackers know that a company is only as strong as its weakest link.
      • When seeking access to valuable company data, such as intellectual property, credit card data or health information, attackers will try to infiltrate email, network shared drives, and other resources.
      • In order to control core IT services, they often find that an indirect route is the most successful.
      • A large company typically will have strong cybersecurity defences at its corporate headquarters, but security may be lax at the company's acquired divisions.
  • 7. Attackers Get Inside
    An attacker will look for acquisitions and subsidiaries in order to find insecure perimeters, such as firewalls that allow Telnet or Remote Desktop access directly to the internal network.
      • Once inside the acquired company's network, the attacker then seeks connectors into the central corporation through Active Directory federation or connectivity put in place for databases and applications.
      • If the attacker finds a link, that opening is used to gain a foothold inside the well-secured corporate network.
  • 8. How They Find You
      • Many acquisitions are publicly announced in press releases and noted in industry journals and news feeds.
      • Additionally, public companies include the list of their subsidiaries in SEC filings, which can be searched online at www.sec.gov.
      • Most organizations also release Annual Reports online, with merger and acquisition information included to demonstrate the company's strategy for growth.
  • 9. Weak Branches Bring Down A Strong Tree
  • 10. Why Aren’t Acquisitions More Secure?
    It is initially difficult to understand why an organization would not secure its acquired divisions. However, this is often a management decision based on business priorities.
      • For example, consider an international manufacturer (Acme) that has purchased a small start-up (Genius). The start-up, which has developed a unique technology, consists of just eleven people: ten engineers and one office manager.
      • When Acme first bought this start-up, a key engineer threatened to walk off his job if he was restrained in any way by new policies and procedures.
  • 11. The Tale of Acme & Genius
    Acme assumed that over time Genius would adapt to the parent company’s culture, policies and procedures.
      • But the engineers at Genius took pride in being able to work around the information security that Acme tried (at times) to impose.
      • When Acme’s corporate security put a firewall between the development lab and the production network, the chief engineer walked into the wiring closet and unplugged the firewall. "Honey badger don't care," he said.
  • 12. Where Is the Oversight?
      • The engineering team at Genius found ways around Acme’s corporate requirements, installing rogue access points, routers and switches.
      • Internal audit performed a site visit, and these problems were reported back to corporate.
      • However, the issues were given low priority because they were found on an "acquisition network."
      • There was no clearly defined OWNERSHIP and responsibility for the acquisition’s network, data and systems.
  • 13. Why It Matters: The Attack
    Eventually, hackers discovered this small division of Acme, where users were domain administrators and developers had access to production systems, and where there was no network segmentation between development, test and production.
      • Numerous avenues for infiltration had been left open. VNC, without encryption, was the remote access protocol in use.
      • Once inside, the hackers found the golden key: the small shop's Active Directory was integrated into the main corporate Active Directory.
      • They gained access to the corporate Active Directory, email and network shared drives, using a compromised administrative account.
  • 14. Solution Approach
  • 15. Start at the Start: Due Diligence
    In due diligence, the acquiring company reviews documentation from the "target," the company it may buy. The acquirer should ask for and review:
      • Information security and privacy policies and procedures
      • Security training programs
      • Audit reports
      • Vulnerability scan and pen test results
      • Network maps
      • Any other relevant administrative and technical documents.
  • 16. Security and Compliance Gap Analysis
    The security program at the target company should be reviewed in light of the existing security framework used by the acquiring (parent) company.
      • The parent company may comply with PCI DSS, HIPAA or other regulations.
      • How does the security at the target company compare? What are the gaps?
      • This gap analysis will provide a baseline to understand how the acquired company differs from the main corporation.
      • Be aware that the acquisition may bring with it new compliance requirements, especially in the case of international deals.
  • 17. Network Architecture and Technical Security
    Implement technology and network architecture to secure the network while allowing the connectivity that is needed.
      • Initial connectivity for Day One may be limited to a secure portal or virtual desktops.
      • When network connectivity is established for integration, carefully review firewall access control lists. Intrusion prevention controls and network monitoring should be enabled.
      • Evaluate risk and apply technical solutions, including data loss prevention (DLP), user behavior analytics (UBA), and multi-factor authentication (MFA).
      • Include acquisition systems in vulnerability and compliance scans, penetration testing, and other security tests.
  • 18. Incident Response and Handling
    Develop and document an incident response procedure that clearly states the responsibilities of team members at the acquisition site and the corporate headquarters.
      • Perform incident response testing to validate response to incidents at acquisition sites.
      • Consider forming a team with representatives from all branches and acquired companies in order to coordinate enterprise response to widespread issues.
    https://xkcd.com/1354/
  • 19. Don’t Forget the Human Factor
    The security of data depends on employees who understand and carry out their role in protecting information.
      • Security awareness and training should be extended to acquired companies as soon as possible.
      • Training should be enjoyable, interesting, and tailored to the audience.
  • 20. Maturing the Process
  • 21. Develop an M&A Playbook
    Document the processes and procedures for information security activities in mergers and acquisitions, from due diligence through integration.
      • Develop a Playbook and maintain it as a living document, reviewed frequently.
      • Build security in from the start.
      • Include architecture diagrams and technical solutions for integration and network connectivity.
      • Address all phases of mergers, acquisitions and divestitures.
  • 22. Establish Ownership for Information Security
    Clearly state who is responsible for information security at acquisition sites.
      • Clarify funding, lines of reporting, and shared responsibilities.
      • Coordinate with Internal Audit, Legal, HR and governance councils on compliance and enforcement.
      • Input findings from security assessments into a Risk Register and/or Plan of Actions & Milestones (POAM).
      • Include M&A security in the organization’s overarching information security risk management program.
  • 23. In Conclusion
    Mergers and acquisitions drive business growth, but bring a multitude of risks. Cyber security risk is part of that. By addressing security governance at the beginning, at due diligence, and tracking risks throughout the integration process, companies can gain control over the information security and compliance risks in mergers and acquisitions.
  • 24. Thank You!
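As an added example (not from the deck or NTT Security), a Python review script for two of the checks slides 7, 13 and 17 call for: firewall permits that let Telnet, RDP or VNC reach the acquired site from outside it, and acquisition hosts left out of the vulnerability scan scope. The rule export format, addresses and host names are constructed for the example.

```python
"""Audit helpers for the exposures this deck describes: firewall permits that
let Telnet, RDP or VNC reach an acquired network from outside it (slides 7, 13,
17) and acquisition hosts missing from vulnerability scans (slide 17).
Rule format, addresses and host names are all constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Protocols the deck names as direct routes into an acquired network.
RISKY_PORTS = {23: "telnet (clear-text)", 3389: "rdp", 5900: "vnc (clear-text)"}

@dataclass
class Rule:
    name: str
    action: str
    src: str
    dst: str
    dport: int

def parse_rules(text):
    """Parse a constructed 'name, action, src, dst, dport' export; '#' = comment."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, action, src, dst, dport = (f.strip() for f in line.split(","))
        rules.append(Rule(name, action.lower(), src, dst, int(dport)))
    return rules

def _overlaps(addr, nets):
    """True if addr is 'any' or shares address space with one of nets."""
    if addr.lower() == "any":
        return True
    return any(ipaddress.ip_network(addr, strict=False).overlaps(n) for n in nets)

def find_exposures(rules, internal_nets):
    """(rule name, reason) for permits that let a risky port reach the internal
    networks from a source outside them; a source of 'any' counts as outside."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for r in rules:
        if r.action != "permit" or r.dport not in RISKY_PORTS:
            continue
        src_inside = r.src.lower() != "any" and _overlaps(r.src, internal)
        if not src_inside and _overlaps(r.dst, internal):
            findings.append((r.name, RISKY_PORTS[r.dport]))
    return findings

def unscanned_hosts(inventory, scanned):
    """Acquisition hosts in the asset inventory that the last scan did not cover."""
    return sorted(set(inventory) - set(scanned))

# Constructed sample data for an acquired site addressed from 10.20.0.0/16.
SAMPLE_RULES = """
# name, action, src, dst, dport
allow-vnc-lab, permit, any, 10.20.0.0/24, 5900
allow-rdp-jump, permit, 203.0.113.0/24, 10.20.1.10/32, 3389
allow-https, permit, any, 10.20.1.20/32, 443
deny-telnet, deny, any, 10.20.0.0/16, 23
allow-telnet-mgmt, permit, 10.20.9.0/24, 10.20.5.0/24, 23
"""
INTERNAL_NETS = ["10.20.0.0/16"]
INVENTORY = ["genius-dc01", "genius-build01", "genius-fileshare"]
SCANNED = ["genius-dc01"]
if __name__ == "__main__":
    for name, why in find_exposures(parse_rules(SAMPLE_RULES), INTERNAL_NETS):
        print(f"EXPOSURE {name}: {why} reachable from outside the site")
    for host in unscanned_hosts(INVENTORY, SCANNED):
        print(f"UNSCANNED {host}: add to vulnerability scan scope")
```

Telnet between two internal subnets is deliberately not flagged here; the deck's point is exposure from outside the acquired perimeter, so internal clear-text protocols belong in the gap analysis rather than in this perimeter check.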