It does not have an ISO standard. NIST barely mentions it. Despite hundreds of publications, no dedicated book is in sight. Enterprise Risk Management frameworks barely touch on it - if they even do. A chapter in Tipton's book dating from 2007, proprietary solutions and sparse articles are all we have. In 2007 there was no Cloud yet - and that can be both a big help and a major issue in the process. Mergers & Acquisitions are a matter left to Business Administration professionals, who don't like thinking about Information Security risks anyway. Information Security for Mergers & Acquisitions is often an afterthought and rarely a deciding factor in due diligence exercises - but when your company acquires a new firm every quarter, you need to start thinking about something. This session will propose a simple framework, and you will walk away with actionable material you can start using tomorrow.
Learning Objectives:
- Understand information security risks and threats connected with merger and acquisition activities, which include months of often precarious IT migrations, a Cloud mess, and legacy services left exposed for months or years.
- Understand how Cloud Computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities it can offer.
- Why it is important that Information Security is involved in the early phases of due diligence, including during the phases in which the deal is structured and evaluated, and the acquisition model is defined.
- Walk home with a simple framework and actionable material you can start using the day after.
Information Security During Mergers & Acquisitions: Issues, Safety Measures, and Need-to-Know Solutions.
Information security risks and threats connected with mergers and acquisitions, which can include months of often precarious IT migrations and legacy services left exposed; how Cloud computing affects information security risks and threats during merger and acquisition activities, as well as the positive opportunities that they can offer; why Information Security should be involved in the early phases of due diligence, including the phases during which the deal is structured and the acquisition model is defined; a simple framework and actionable material.
Information Security assessment of companies in Germany, Austria and Switzerland, February 2015.
Every day, critical security incidents show the drastic extent of "successful" cyber attacks on organizations in terms of monetary and material loss. With the increasing use of digital technologies and the growing spread of mobile and IoT, cyber security is becoming a key factor for companies' successful digital transformation. To analyze current challenges, trends and the maturity of companies' state of information security, Capgemini Consulting DACH conducted a survey in Germany, Austria and Switzerland. The 2014 Information Security Benchmarking Study shows that information security is insufficiently embedded in most companies' business strategy and operations to effectively safeguard organizations against current cyber threats.
https://www.de.capgemini-consulting.com/resources/information-security-benchmarking
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Dealing with Information Security, Risk Management & Cyber Resilience (Donald Tabone)
Information Security
1. Why the need to think about it?
2. What exactly are we talking about?
3. How do we go about doing something about it?
4. Is there a one-size-fits-all framework?
the Defense Department and General Services Administration report on improving cyber security and resilience through acquisition. This report, developed as part of the President’s Executive Order on Cyber Security, forms the baseline for a fundamental shift in federal procurement policy. In short, going forward cyber security is going to be a core consideration in federal procurements. Contractors will likely find cyber security obligations embedded in their contracts, and may even find themselves excluded from the procurement process if certain cyber security benchmarks are not met.
The report spells out six key recommendations:
1) Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
2) Address Cybersecurity in Relevant Training
3) Develop Common Cybersecurity Definitions for Federal Acquisitions
4) Institute a Federal Acquisition Cyber Risk Management Strategy
5) Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
6) Increase Government Accountability for Cyber Risk Management
Security Framework for Digital Risk Management (Securestorm)
A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government. A pragmatic and proportional information risk management process which can be used at speed, and is compatible with Agile projects. This is released under a Creative Commons; Attribution-Non Commercial-Share Alike 4.0 International License.
Building a Next-Generation Security Operation Center Based on IBM QRadar and ... (IBM Security)
Learn about Sogeti’s journey of creating a new Security Operation Center, and how and why we leveraged QRadar solutions. We explore the full program lifecycle, from strategic choices to technical analysis and benchmarking on the product. We explain how QRadar accelerates the go-to-market of the SOC, and how we embed IBM Security Intelligence offerings in our solution. Having a strong collaboration between different IBM stakeholders such as Software Group, Global Technology Services, as well as the Labs, was key to client satisfaction and operational effectiveness. We also show the value of integrating new QRadar features in our SOC roadmap, in order to constantly stay ahead in the cyber security game.
Identifying Code Risks in Software M&A (Matt Tortora)
Strategic fit and table stakes KPIs aren't the only things acquirers evaluate during the software M&A process. A software code review is one of the many components that is often overlooked by sellers.
Protecting the Crown Jewels – Enlist the Beefeaters (Jack Nichelson)
In the wake of a constant stream of high-profile breaches, data is not only becoming a highly valued commodity, it's becoming an organization's crown jewels. Who better to protect your crown jewels than the Beefeaters? Tapping into the iconic London Guard's reputation, Jack Nichelson, with the support of the FBI and PwC, has developed an elite force to defend his organization's most valuable assets from even trusted insiders. He provides insights into his company's data identification, classification and security initiative, shares best practices for creating consensus, and shows how to engage and align multiple business units to better protect the organization's crown jewels.
Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership
Presentation: How do we Protect our Systems and Meet Compliance in a Rapidly Changing Environment
Presenter: Sean McCloskey, Program Manager, Cyber Security Evaluations Program, DHS
Description: With all the constant innovation in cyber, what is "cutting edge"? What constraints hinder innovation? How is technology being used to address the Executive Orders, comply with standards, and meet other mandates? What areas still need resources, ideas and innovation? Join us to hear about advances in cyber security technology and ways to protect and monitor systems that will provide for resilient infrastructures and incorporate new solutions.
The growing costs of security breaches and manual compliance efforts have given rise to new data security solutions specifically designed to prevent data breaches and deliver automated compliance. This paper examines the drivers for adopting a strategic approach to data security, compares and contrasts current approaches, and presents the Return on Security Investment (ROSI) of viable data security solutions.
Cybersecurity Governance for Boards of Directors (Paul Feldman)
This paper discusses the emerging issue of Board of Directors Governance and Cybersecurity. Originally presented to the Boards of Directors of the IRC http://www.isorto.org/Pages/Home in May 2014. The paper is in a continuous improvement mode ultimately targeting being a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com The current copy is always at http://www.EnergyCollection.us/456.pdf
Only 20% of mergers succeed. Many assumptions are made during the due diligence phase, and many things go wrong during execution. Our method helps you maximise your chances of success, and mitigate most of the classical risks during the first 100 days especially.
Watch full webinar here: http://www.firmex.com/Due-Diligence-Best-Practices-and-Pitfalls-sign-up/
LOIs and NDAs signed. Now art meets science with the legal, financial and strategic review of the business. How do you test the value proposition and identify potential risks? Select the best tools to streamline the process? And prepare for regulatory and legal compliance issues arising from legislation like FCPA? Learn what it takes to avoid pitfalls that plague even the most experienced due diligence experts.
This presentation gives an in-depth look at the comprehensive due diligence process. It covers the framework for due diligence, its purpose, and its types. This presentation is incredibly valuable for anyone doing or looking to do transactional work.
In moving towards cloud services, security concerns are often cited as reasons to delay or even abandon the transition. This presentation highlights some basic steps to take to analyse and assess what risk might exist and how to mitigate this. In short, the security concerns regarding cloud deployments will exist in your privately managed data centre environments as well. Outsourcing your service to a Cloud provider does not mean you pass on your liability to your own customers nor responsibility of managing your systems and services.
Charting Your Path to Enterprise Key Management (SafeNet)
The increasingly prevalent use of data protection mechanisms in today's enterprises has posed significant implications. One of the most profound challenges relates to key management, and its associated complexity and cost. Written for business leadership and security architects, this paper looks at the past, present, and future of key management, revealing how emerging trends and approaches will ultimately enable enterprises to optimize both efficiency and security in the management of key materials.
BATbern48_How Zero Trust can help your organisation keep safe.pdf (BATbern)
This presentation will bring insights into how the Zero Trust framework can help organizations improve their cybersecurity posture and resilience and what the organizational challenges are.
Nothing strikes fear into the heart of an engineer more than the installation of a firewall to achieve the laudable goal of defense-in-depth through network segmentation. Security teams demand the implementation of firewalls telling everyone, “It’s for compliance!” But the addition of firewalls and other security appliances (aka chokepoints) into an infrastructure infuriates network engineers who design to optimize speed and minimize latency. Sysadmins and DBAs are equally frustrated, because of the increased complexity in building and troubleshooting applications. So it’s down the rabbit hole we go trying to achieve the unachievable with everyone waxing rhapsodic for those bygone days when the end-to-end principle ruled the Internet. Is it really possible to have security coexist with operational efficiency? Organizations seem happy to throw money at technology and operations, but when it comes to policies and procedures, they fail miserably. This is the biggest problem with building a layered design. As engineers, if we don’t have clear policies as a set of requirements, how will we determine the appropriate network segmentation and protections to put in place? The answer lies in aligning network segmentation with an organizational data classification matrix and understanding that while compliance and security often overlap, they’re not the same.
To say that the IT environment has shifted would be a huge understatement; we see it happening all around us. Yet the transition is not necessarily a bad thing. As in other technology areas, identity governance is in the process of change, and this can be a positive transformation, since it allows us to be more flexible and stronger.
Visit : https://techdemocracy.com
The crown jewels of any IT environment is the valuable information you manage. This session will explore techniques and Microsoft technologies that can ensure documents are well-managed, secured, and only available to approved individuals in your organization. We will also look at advanced ediscovery and data governance approaches and technologies that can support these.
With the increasing number of data breaches and cyber attacks, it's becoming clear that traditional security measures are no longer sufficient. Zero Trust security is an approach that assumes no user, device, or network is trustworthy by default. This seminar will explore the concept of Zero Trust and its application to data security.
During this seminar, we will cover a range of topics related to Zero Trust and data security, including the history and evolution of Zero Trust, the key principles of Zero Trust, and the different applications of Zero Trust in data security. We will also discuss the impact of Zero Trust on the job market and the skills required to work effectively with this approach.
Through a combination of lectures, case studies, and interactive discussions, attendees will gain a comprehensive understanding of the potential benefits of implementing a Zero Trust approach to data security. They will leave the seminar with practical insights and strategies to effectively leverage Zero Trust to protect their organization's data.
Learning Objectives:
Upon completion of this seminar, participants will be able to:
1. Understand the history and evolution of Zero Trust and its application to data security.
2. Gain insights into the key principles of Zero Trust and the different applications of this approach in data security.
3. Learn about the potential benefits and challenges of implementing a Zero Trust approach to data security.
4. Develop practical strategies for effectively leveraging Zero Trust to protect their organization's data.
5. Network with other industry professionals to share insights and best practices.
Blockchain: everyone wants to sell me that - but is that really right for my ... (EQS Group)
Another day, another article praising blockchain's untapped potential: it will start a new era, revolutionize the financial system, disrupt every industry and change the world. Or will it? And is that really what I need for my next project?
After this presentation, you will be able to:
- Understand the basics of blockchains as compared to other traditional (both centralized and distributed) technologies such as relational databases and identity management systems.
- Identify the characteristics of a potentially successful blockchain project, versus one that should be tackled with "traditional" technology.
- What are the main factors that tell an initiative is or is not a good candidate for a blockchain project, and how to find a topic which may be a good candidate within your organization.
- How to answer the excessive counter-critiques, such as that there is no good use for blockchains at all. This is obviously not true and there are very good examples of successful projects, from which we can learn the essentials.
Impact of GDPR on Third Party and M&A Security (EQS Group)
GDPR impact has been dissected and examined to death - however, M&A activities, as well as third-party security posture, can be greatly affected as well, and this aspect has not been very often pursued. This session hopes to be useful for that.
Best practices in NIPS - IDC Sofia - March 2010 (EQS Group)
They were called "Network Intrusion Detection Systems" first; today we call them "Network Intrusion Prevention Systems". Those tools have been around for several years, and are now experiencing a second youth as they become part of new compliance requirements and help in meeting your mitigation measures and policies. But are those systems really useful, and do they provide an effective security tool? Many say that, if not implemented correctly, they can be easily bypassed. Is that true? And if so, how should I implement them? Is my current deployment really optimal? Are NIPS really worth their (high) cost? This presentation aims at shedding some light, or at least at giving some tools, to start looking at NIPS from a more realistic point of view, away from the vendors' hype.
Best practices in NIPS - Brighttalk - January 2010 (EQS Group)
Marco Ermini, Network Security Manager will discuss his best practices of Network Intrusion Detection and Prevention and deployment of the overall NIDS/NIPS infrastructure and network vulnerability.
2. Security in M&A: The Forgotten Son of Information Security
Marco Ermini, 2017
3. Agenda
» Why M&A need Cyber Security support?
» Aren’t they just ordinary business transactions?
» They seem to occur nearly every day, so what is so special about them that they require special security support, or any security support at all?
» What value does a security professional bring to the team?
4. The Academic Minute…
» Black’s Law Dictionary defines mergers and acquisitions as the following:
• Merger: The union of two or more corporations by the transfer of property of all, to one of them, which continues in existence, the others being swallowed up or merged therein…
• Acquisition: The act of becoming the owner of a certain property…
• Divestiture: to deprive; to take away; to withdraw
5. The Academic Minute…
» Acquisition of Total Assets
• Liquidate
• Break up and sell
• Integrate
» Acquisition
» Merger
» Divestiture
6. The Academic Minute…
» It is all about…
1. Costs Control,
2. Market Share,
3. Regulatory Landscape
4. Others…
8. Why M&A Fail?
» The acquiring company does not properly assess the value of the target company
» Inability of the acquiring company to successfully integrate the target company, which leads to a failed acquisition
“It is well known in the M&A community that most acquisitions fail to create shareholder value, that is, they end up as a negative sum after paying acquisition premium and banker fees, impossible to get synergies to make up loss. The acquisitions that do create value are either a version of corporate venture capital (large company scooping tiny team), or mid-cap industrials buying a supplier. Few and far between…”
13. Scoping the Threats
» Special Interest Groups – gain from the Operation
• Financial Criminals
• Competitors
• Acquisition / Merger Company
• Disgruntled Employees
» General Interest Groups – gain from Impact
• Script Kiddies / Hackers
• Hacktivists / Terrorists
• Spies
14. Scoping the Risks
» Publicity, raising profile — your interest gets attacker’s interest!
» Impact on:
• Resources
• Technologies
• Infrastructure
» Disgruntled Employees
» Change in threat and risk model
» Absorbing unknown / Confusion
» Creating new attack vectors and window of opportunity
» Business drivers can force this on the Security Manager very quickly
» Are we all really equipped for change?
16. The Role of a Security Manager
» Protecting the effort itself
• Confidentiality of the total effort
• Confidentiality of the team’s work
» Evaluating the security condition of the target company
• Impact on the deal’s value
• Asking the right questions
» Providing subject matter expertise
• Identify Security Requirements for the New Company
• Controlling Rumors
• Managing Global/International Aspects
• “Team Consultant”
• Low Hanging Fruits
17. Importance of Confidentiality
» Premature Disclosure of Intent
• Loss of key employees
• Bidding wars
• SEC Liability
• Loss of Initiative
• Loss of Goodwill
- Target Company
- 3rd Parties relationships
- Customer relationships
18. Protecting the operation
» Unintended Release
» Unauthorized Release
» Protection from competitive intelligence efforts
» Documents Control
19. The Security Manager in action
» Preliminary background investigations
• Collection of Open-Source information
» Due diligence
• More in-depth look
• Estimation of Costs of Cyber Security
» Operations security
• Protect operational activities
• Develop and implement protective measures
• Appropriate for each phase of the acquisition
21. How can I verify an M&A Target candidate?
» You cannot explicitly test your acquisition candidate
» You cannot simply ask them for their vulnerability assessments’ results
» Not all companies have a structured and mature security program
» You cannot silently test them either
26. “Capture” of Security Controls
» 13 Domains to verify
1. Digital Identities
2. Admin Accounts
3. Endpoints/Client Systems
4. Servers
5. Networks
6. Hosting
7. Email
8. Data Recovery
9. Boundary Defenses
10. Assets Inventory
11. Operational Security
12. Physical Security
13. Wireless Networks
27. Example of Policy Requirement
(Table columns: Domain, Verification, How-to, Objectives, Minimum Acceptable Level)
Domain: Digital Identities
» Verification: Verify the status of identities in the main identity store (use of unique IDs, generic accounts, password policy, Groups’ usage, GPOs, Federations, etc.). Verify if anything is outside of the main identity store (e.g. VPN accounts, Cloud accounts, supplier accounts, etc.).
» How-to: Interview with IT admins from Target. Snapshot of information from AD/LDAP. Interview with business units which manage other tools (Cloud etc.), to understand how this is managed.
» Objectives: Ensure appropriate controls are in place to protect Target environment and data. Get an idea of the complexity of the DI structure of the Target. Understand usage of Cloud applications and identities. Understand how restriction of access to information happens in Target.
» Minimum Acceptable Level:
• There is a Directory Service
• Unique IDs are used
• Permissions are assigned via Groups in the Directory Service
• Service and Cloud accounts are gathered, minimized, and under control
• Sensitive files are shared in a secure way
Domain: Admin Accounts
» Verification: Verify the status of admin account management in the main identity store, if managed there. Verify if anything is outside of the main identity store (e.g. VPN accounts, Cloud accounts, supplier accounts, etc.).
» How-to: Interview with IT admins from Target. Snapshot of information from AD/LDAP and other tools.
» Objectives: Ensure admin account controls are defined, implemented and reviewed to protect systems and data. Understand how IT administrative actions are performed, what the procedures and practices are, and who has the ownership and responsibility.
» Minimum Acceptable Level:
• Admin accounts are managed under a Directory Service
• Admin accounts are unique for each admin
• Central ownership of who gets appropriate rights
• Process for removing rights as appropriate
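As an added example, not part of the original slides, the script below applies the Minimum Acceptable Level for the Digital Identities and Admin Accounts domains to a snapshot of the kind the How-to column asks for (AD/LDAP export plus what the Cloud and VPN interviews surface). The snapshot, the account names, the `kind`/`source` vocabulary and the `direct_acls` count are all constructed assumptions; a real run would populate `Account` records from the Target's directory export.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str          # sAMAccountName or cloud/VPN login
    person: str        # accountable human owner; "" when nobody is accountable
    kind: str          # "user" (daily account), "admin", "service", "shared"
    source: str        # identity store: "ad", "vpn", "cloud", "supplier"
    privileged: bool   # member of Domain Admins or an equivalent group
    direct_acls: int   # permissions granted to the account itself rather than via a group


# Constructed snapshot (hypothetical names, not real data).
SNAPSHOT = [
    Account("jdoe", "jdoe", "user", "ad", False, 0),
    Account("jdoe-adm", "jdoe", "admin", "ad", True, 0),    # separate admin account: fine
    Account("asmith", "asmith", "user", "ad", True, 0),     # admin rights on a daily account
    Account("ASMITH", "asmith", "user", "vpn", False, 0),   # same ID in a second store
    Account("administrator", "", "shared", "ad", True, 0),  # shared, ownerless admin login
    Account("svc_backup", "", "service", "ad", False, 3),   # ownerless, direct ACLs
    Account("svc_erp", "it-ops", "service", "ad", False, 0),
    Account("box-sales", "", "shared", "cloud", False, 0),  # cloud sharing account, no owner
    Account("vendor1", "procurement", "user", "supplier", False, 2),
]


def check_unique_ids(accounts):
    """Unique IDs are used: the same login must not exist twice, in any store (case-insensitive)."""
    counts = Counter(a.name.lower() for a in accounts)
    return sorted(n for n, c in counts.items() if c > 1)


def check_group_based_permissions(accounts):
    """Permissions are assigned via Groups: flag accounts that hold direct ACLs."""
    return sorted(a.name for a in accounts if a.direct_acls > 0)


def check_service_and_cloud_ownership(accounts):
    """Service and Cloud accounts are gathered and under control: each needs a named owner."""
    return sorted(a.name for a in accounts
                  if (a.kind in ("service", "shared") or a.source != "ad") and not a.person)


def check_admin_accounts(accounts):
    """Admin accounts are unique for each admin: no shared privileged logins,
    and no privileged rights on a daily-use account."""
    findings = []
    for a in accounts:
        if not a.privileged:
            continue
        if a.kind == "shared":
            findings.append((a.name, "shared privileged account"))
        elif a.kind == "user":
            findings.append((a.name, "privileged daily-use account"))
    return sorted(findings)


def assess(accounts=SNAPSHOT):
    """Criterion -> list of findings; an empty list means the minimum level is met."""
    return {
        "unique_ids": check_unique_ids(accounts),
        "permissions_via_groups": check_group_based_permissions(accounts),
        "service_cloud_under_control": check_service_and_cloud_ownership(accounts),
        "admin_accounts": check_admin_accounts(accounts),
    }


def summary(accounts=SNAPSHOT):
    """Management-summary view: criterion -> 'met' or 'gap (n)'."""
    return {k: ("met" if not v else f"gap ({len(v)})") for k, v in assess(accounts).items()}


if __name__ == "__main__":
    for criterion, status in summary().items():
        print(f"{criterion:30} {status}")
    for criterion, items in assess().items():
        for item in items:
            print(f"  {criterion}: {item}")
```

Each check maps to one line of the Minimum Acceptable Level, so the output reads directly into the status column of the Risk Assessment; the directory-service and secure-file-sharing criteria are confirmed in the interviews rather than from the snapshot and are therefore not scripted.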
28. Example of Interview Questions
(Table columns: Domain, Minimum Acceptable Level, Key Topics for Discussion)
Domain: Digital Identities
» Minimum Acceptable Level:
• Directory Services of any kind are used
• Unique IDs are used
• Permissions are assigned via Groups in the Directory Service
• There is an adequate password policy in place
• Service and Cloud accounts are gathered, minimized, and under control
• Sensitive files are shared in a secure way
» Key Topics for Discussion:
• How many people are present in the company? Get an overview of employees’ org chart/roles, and how many people are in IT and Security.
• How old is the company? Get a brief history, acquisitions, etc.
• Which DS is used? (AD, which version?)
• Get an overview of Groups, GPOs, shared accounts, shared mailboxes, federated services, password policy (for AD, request screenshots).
• Is every system and device connected to the DS and following the password policy, or are there systems which have their own passwords (e.g. Wi-Fi, network devices, etc.)?
• What is the process by which Group ownership, permissions and access to systems and applications are granted?
• Get an overview of Cloud services used and how accounts are managed, whether SSO is used and how, especially concerning file and document sharing with third parties.
• Is Cloud Sharing such as Box, Dropbox etc. being used?
Domain: Admin Accounts
» Minimum Acceptable Level:
• Admin accounts are managed under a Directory Service
• Admin accounts are unique for each admin
• Central ownership of who gets appropriate rights
• Process for removing rights as appropriate
» Key Topics for Discussion:
• Get an overview of how administration is performed, whether AD Groups and GPOs are used, and whether shared accounts and/or shared mailboxes are used for admin accounts
• Understand how permissions are granted to and removed from users as their work and function change in the company
29. Risk Assessment
» Management Summary with a clear status
» Clearly indicate the areas that will need additional attention
» Especially indicate where additional costs will be incurred (e.g. new wireless equipment, re-imaging of the endpoints, reimplementation of firewall, etc.)
30. Impact Assessment
» Indicate the kind of impact:
• Security
• Processes
• Costs
» Indicate expected remediation, aligned with IT
» If it is not possible to estimate costs immediately, indicate how they should be calculated (e.g. need to provision a new firewall cluster)
34. Starting to work in Clear Sight
» The news is out
» Information Completeness is paramount
» An Integration Plan is proposed
• Technical Integration
- Networks, PCs, applications, data centers, hosting…
• Business Processes and Systems
• Timing
» The Integration Plan must also negotiate from an “as-is” to a “to-be” state for the Target
36. Target Characteristics / Security Guidelines / SLAs
(Table columns: Target Characteristics, Security Guidelines, SLAs)
SMALL
» Target Characteristics:
➤ Small employee base (< 200 employees)
➤ Low complexity
➤ Private ownership
➤ Little to no geographical diversity
➤ No separate legal entities
➤ No/limited need to keep the same facilities
➤ No/limited need to keep the existing technologies
➤ Purchased for limited product portfolio, technology, talent, or local presence
» Security Guidelines and SLAs:
➤ Baseline security controls
➤ Target is fully absorbed into IT infrastructure
➤ All IT labor is absorbed into IT global business units
➤ Security controls established or confirmed in less than 100 days
MEDIUM
» Target Characteristics:
➤ Similar to the previous kind, but Target has certain identifiable complexities that require specific sensitivity during integration
➤ Fewer than 500 employees
➤ Needs to be stand-alone for a certain period of time
➤ During stand-alone time, Target maintains defined non-compliances
➤ Supports its own IT infrastructure during the stand-alone phase
» Security Guidelines and SLAs:
➤ Integration of Target may be full, hybrid, or standalone
➤ All IT labor is absorbed into IT global business units
➤ Operational integration of some IT infrastructure may take 180+ days
➤ Processes may take 3 to 9 months
LARGE
» Target Characteristics:
➤ More than 500 employees
➤ Relatively large operations
➤ Significant multinational presence and subsidiaries
➤ Target contains certain identifiable complexities that require specific sensitivity during integration
» Security Guidelines and SLAs:
➤ Integration of Target may be full, hybrid, or standalone
➤ IT labor can stay funded by Target company
➤ Operational integration of some IT infrastructure may take 180+ days
➤ Customized integration plan
➤ IT Support is shared
➤ Processes take more than 12 months
37. Combining the two companies
» Resources, staffing, processes, and systems are combined
» Business processes are as much as possible leveled
» IT tools are unified
» Active Directory merging strategy is key!
» The Target company has comparable / same security
» Exceptions are documented and signed off by leadership
(executives, CISO)
» Agreed-upon designs are implemented
» Operations (including InfoSec) are turned over to standard support
» Weekly or recurring meetings can be set up to assess progress
38. Planning the Active Directory Integration
» Training for the technicians performing the migration
» Scheduled outages
» Companies’ cultural differences, such as who is allowed access to AD and Exchange, or how file system security is set
» Network differences between the two sites
» Network, AD, or Exchange anomalies
» Customer and employee communication
39. Pain Points in Active Directory Integration
» Deciding the strategy
• Integrate the Target into the Acquiring
• Build a new, combined AD
• Migrate legacy objects into a new AD
» One Company, One Email!
• Free/Busy Information
• Exchange/Lync/Office/AD versions
• Office 365?
» External Federations/Partners/ADFS?
» DNS configuration/forwarding
» SID history/filtering
» Evaluate purchase of a dedicated AD migration/upgrade tool
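Several of the pain points above (migrating objects into one AD, “One Company, One Email!”, external federations, DNS forwarding, SID history) come down to collisions that must be found before the first object moves. The following script is an added example, not from the original slides, that runs those checks over two constructed directory exports; the organizations, NetBIOS names, zones, logins and the rename convention are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Minimal view of one domain, as a pre-migration discovery export would give it."""
    netbios: str
    dns_zones: set
    users: dict                                    # sAMAccountName -> userPrincipalName
    groups: set
    federations: set = field(default_factory=set)  # ADFS relying parties / partners


# Constructed sample directories (hypothetical names, not real organizations).
ACQUIRER = Directory(
    netbios="CORP",
    dns_zones={"corp.example", "ad.corp.example"},
    users={"jdoe": "jdoe@corp.example",
           "mrossi": "mrossi@corp.example",
           "svc_sql": "svc_sql@corp.example"},
    groups={"Domain Admins", "Finance", "VPN-Users"},
    federations={"saas-hr.example"},
)
TARGET = Directory(
    netbios="TGT",
    dns_zones={"target.example", "ad.corp.example"},  # overlapping zone, on purpose
    users={"JDOE": "john.doe@target.example",         # same login as acquirer, other case
           "akumar": "akumar@target.example",
           "svc_sql": "svc_sql@target.example"},      # same service account name
    groups={"Domain Admins", "Finance", "Sales"},
    federations={"saas-hr.example", "partner-portal.example"},
)

# Built-in groups exist in every domain; their presence on both sides is expected.
BUILTIN_GROUPS = {"Administrators", "Domain Admins", "Domain Users", "Enterprise Admins"}


def sam_collisions(acquirer, target):
    """sAMAccountNames are unique per domain and case-insensitive, so these Target
    objects cannot be migrated into the acquiring domain unchanged."""
    return sorted({u.lower() for u in acquirer.users} & {u.lower() for u in target.users})


def group_collisions(acquirer, target):
    """Custom groups with the same name on both sides need a merge-or-rename decision."""
    return sorted((acquirer.groups & target.groups) - BUILTIN_GROUPS)


def dns_overlap(acquirer, target):
    """Conditional forwarding between the two sites needs disjoint zone names."""
    return sorted(acquirer.dns_zones & target.dns_zones)


def rename_candidates(acquirer, target):
    """Constructed convention: suffix colliding Target logins with the Target NetBIOS name."""
    clash = set(sam_collisions(acquirer, target))
    return {u: f"{u}-{target.netbios}" for u in target.users if u.lower() in clash}


def upn_plan(acquirer, target, new_suffix):
    """'One Company, One Email': move Target UPNs to the acquirer suffix, keeping the
    local part, and flag proposals that already exist on the acquirer side."""
    existing = {u.lower() for u in acquirer.users.values()}
    plan, conflicts = {}, []
    for old in target.users.values():
        new = f"{old.split('@', 1)[0]}@{new_suffix}"
        plan[old] = new
        if new.lower() in existing:
            conflicts.append(new)
    return plan, sorted(conflicts)


def integration_report(acquirer=ACQUIRER, target=TARGET, new_suffix="corp.example"):
    """Everything that must be decided before objects or mail move."""
    _, upn_conflicts = upn_plan(acquirer, target, new_suffix)
    return {
        "netbios_collision": acquirer.netbios.lower() == target.netbios.lower(),
        "dns_zone_overlap": dns_overlap(acquirer, target),
        "sam_collisions": sam_collisions(acquirer, target),
        "rename_candidates": rename_candidates(acquirer, target),
        "group_collisions": group_collisions(acquirer, target),
        "upn_conflicts": upn_conflicts,
        "federations_to_reestablish": sorted(target.federations),
        # Migrated users and custom groups keep access to Target resources during
        # coexistence only if their old SIDs travel with them (SID history), which
        # SID filtering on the interim trust would block.
        "objects_needing_sid_history": len(target.users) + len(target.groups - BUILTIN_GROUPS),
    }


if __name__ == "__main__":
    for key, value in integration_report().items():
        print(f"{key:30} {value}")
```

The report is input to the strategy decision rather than the decision itself: a clean report makes “Integrate the Target into the Acquiring” cheap, while many collisions and overlapping zones argue for a new combined AD or a dedicated migration tool.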
41. Merging Policies
» Safeguards against disgruntled employees
» New employee contracts
• Are existing Policies still relevant?
• Are we “dumbing down” their security?
» Existing employee contracts
• Do they protect you?
• Do they fit the new relationship?
» Identify key policies — yours vs theirs
• Work with Legal Departments
43. The New Security Department
» Cost/Budgeting
• Pre-merger: OpEx
• Merger: CapEx, Processes
• Post-merger: Optimization
» Communications
44. What if I am on the weak side?
1. Identify specific strengths that can be useful in the merging
• Experience from security incidents
• Technological implementations
• Local knowledge and compliance
2. Be prepared to learn
• What is the current Cyber Security philosophy?
• Who is taking security-related decisions?
3. Don’t rush your career decisions
• Can bring new opportunities
• Meet the new management
48. Moving to a Cloud-Based ERP or Email Solution
» Traditional M&A dogma is “transition, then transform”
» Companies, however, are leveraging the migration of key technologies to the Cloud during the M&A process as an enabler
» Can simultaneously replace aging, capital-intensive technology with a subscription-based operating model
» Ideal also for divestitures
» Boarding is considerably faster and cheaper than traditional on-premises solutions (Accenture estimates 30% for both)
» Ultimate flexibility during a post-deal transition
51. Open Source Intelligence
» Collection of free tools and sources of information
» They divide into
• Tools which can run locally
• Search Engine “dorking” (e.g. Google hacking)
• Semi-closed sources
• Exploitation of sites which originally have other purposes (e.g. social networks, dating sites…)
70. censys.io (semi-free)
» Parsing and collection of various publicly available information
» Example: certificates
• SSLVPN in France and Munich
• Data Center presence in Munich, San Diego, Sydney
• Demo site of Hybrid (e-commerce technology)
• Using Akamai services in Sydney
88. Bibliography
» “Mergers and Acquisitions Security – Corporate Restructuring and Security Management” (E.P. Halibozek, Dr. G.L. Kovacich), Elsevier, 2005
» “Information Security in Mergers & Acquisitions” (C. Conacher), Black Hat 2004
» “Handling mergers and acquisitions: Career success tips for infosec pros”, searchsecurity.techtarget.com
» “Using Open Source Reconnaissance Tools for Business Partner Vulnerability Assessment” (SANS Institute InfoSec Reading Room), 2014
» “Why people integration continues to dominate M&A challenges”, PWC, 2012
» “Plan and Execute an Active Directory Merger”, windowsitpro.com, 2009
» “The Three Steps to Consolidate the Active Directory Environments of Merging Organizations”, binarytree.com, 2015
» “Collaborations, mergers, acquisitions, and security policy conflict analysis” (V. Subramanian, R. Seker, J. Bian, N. Kanaskar), acm.org, 2011
» “Alignment of the IS Organization: the Special Case of Corporate Acquisitions” (C.V. Brown, J.S. Renwick), 1996
» “M&A loves the cloud”, “M&A Trends”, Deloitte, 2016
» “Driving growth and competitiveness: Can the power of cloud lift M&A value into the stratosphere?”, Accenture, 2016
» “Lifecycle of a Technology Company – Step-by-step legal background and practical guide from start-up to sale”, E.L. Miller Jr., John Wiley & Sons, 2008
» “Mergers and Acquisitions from A to Z”, 3rd ed., A.J. Sherman, AMACOM, 2011
» “Digging for Disclosure – Tactics for Protecting Your Firm’s Assets from Swindlers, Scammers, and Imposters”, K.S. Springer and J. Scott, Pearson Education, 2011
» “Mergers & Acquisitions For Dummies Cheat Sheet”, dummies.com
» “The Complete Guide to Mergers & Acquisitions: Process Tools to Support M&A Integration at Every Level, Third Edition”, T.J. Galpin, Wiley, 2014