Assessing Security and Compliance Risk for Acquisitions and Mergers
June 22, 2011
Agenda
• EarthLink Recent History
• Risk Evaluation Opportunities
• Planning Activities
• Prioritizing Risk Review – Compliance, BC and DR, IT security
• IT Compliance
• Business Continuity and Disaster Recovery
• IT Risk Assessment
• Risk Action Plan
• Lessons Learned
Confidential
Recent History
Q2 2010…
• ~1.5M consumer customers
• 80% of revenue coming from broadband/dial subs, 20% from business
• Declining business – 3% monthly churn
• Generated $811M+ in cash between 6/2007 and 9/2010 - 35% margin in 2010

Last Six Months… Nearly $1B in M&A Activity!
• ITC DeltaCom - 12/8/2010
• STS Telecom - 3/2/2010
• One Communications - 4/1/2011
• Logical Solutions – 5/17/2011

Today…
• ~60% of revenue coming from business (excluding One/Logical acquisitions)
• Employees from ~900 to 3,300+
• Physical locations from 4 to 100+
The New EarthLink
Products and Services
• IP Network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
• Voice – VoIP, Local, Long Distance, Mobile
• Cloud Services – Cloud Hosting, Web Hosting, Security
• Managed Services – Voice, Router, Email, Data Center Colocation
Implications
Risk Evaluation Opportunities
• Pre-acquisition – Initial reviews – Learning
  – Is this the right deal at the right valuation?
• Pre-acquisition – Post announcement – Planning (gap analysis)
  – What IT processes are in place?
  – What IT compliance programs are in place? Is there a gap?
  – Is there a business continuity program? Disaster recovery?
• Post-acquisition – Integration – Execution
  – Deep dives – compliance, BC/DR, IT risk
  – Remediation roadmaps
  – Continuous improvement audits
Planning Activities
Suggested activities:
• Identify evaluation framework – COBIT, ISO 27K, etc.
• Begin assessing risk – Interviews, review documentation
• What are the expected interim and long-term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
• Prioritize risk management
  – IT compliance (PCI, SOX, other, new?)
  – Business continuity and disaster recovery
  – Risk management
IT Compliance
SOX – COBIT
• Program requirements – Identify materiality, controls and systems
• Gap analysis
• Deficiencies list – Focus on material weaknesses and significant deficiencies first

PCI DSS
• Merchant or service provider level
• Audit schedule
• Auditor

Identify new regulatory requirements:
• Gramm–Leach–Bliley Act?
• HIPAA?
• CPNI?
Business Continuity and Disaster Recovery
Business Continuity
• Integrated Crisis Management Plan
• Identify key business leaders
• Business Impact Analysis – Identify key processes
• Develop BCP plans

Disaster Recovery
• Inventory system availability requirements and recovery capabilities
• Prepositioned equipment
• Identification of seasoned, tactical leaders
• Employee safety, wellness
Confidential
Disaster Strikes
Tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 miles from our local operations center
April 27th – F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site
IT Risk Evaluation
• Structured evaluation – Align evaluation with ISO 27001/27002, COBIT, Shared Assessment Questionnaire
• Information gathering – Identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
• Align team/resources
  – Develop a prioritized remediation roadmap
  – Architecture – evaluate integration initiatives
  – Compliance – develop/integrate compliance program
• Determine audience/output for communication plan – How does your culture manage risk?
• Recruit allies (CIO, other major stakeholders)
Evaluating Defenses and Processes
Network – Evaluate:
• Network architecture/segmentation
• Firewall
• Intrusion Prevention
• Denial of Service protection
• Intrusion monitoring via event correlation
• Bandwidth utilization monitoring
• VPN authentication

Infrastructure – Evaluate:
• Vulnerability assessments and remediation
• Build standards
• Physical security standards
• Host Intrusion Detection
• Anti-virus
• Content filtering
• End point encryption

Policies & Process – Evaluate:
• IT Security Policy
• Incident Response – Rapid Breach Response Team
• eBCM
• Crisis Management
• User Management
• Change Control

Application – Evaluate:
• Load balancing
• Vulnerability assessments and remediation
• Application development security framework, aka AppSec
• Centralized digital certificate management
• Web application firewall
• Web application log monitoring

Data – Evaluate:
• Data security standards
• Database firewall
• Data discovery or breach analysis
• Mobile device management/security

Awareness – Evaluate:
• Tech awareness – ex. application development security training
• End user awareness training podcasts
Qualifying Risk
Risk Action Plan
• Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
• Align with integration efforts where possible (AD migration, billing system integration, etc.)
• Develop Remediation Roadmap
  – Quick hits – patching servers, fixing web apps, etc.
  – Interim hits – risk reduction initiatives (prioritized risk reduction, target system upgrades for key users, IPS, SIEM monitoring, process improvements ex. AV)
  – Long term – system standardization, integration projects, cultural change
• Adopt standard processes, protections, guidelines, metrics
Measuring Success and Trends
Operational Security (metric – unit reported)
• Infrastructure Vulnerabilities (Index)
• Web Application Vulnerabilities (#)
• Virus Quarantines (#)
• Intrusion Attempts (#)
• DOS Attempts (#)
• % of Infrastructure Protected (%)
• Security Incidents (#)
• Security Event Investigations (#)

Policy/Awareness
• Quarterly Threat Assessment (Yes/No)
• IT Security Policy Updated (Yes/No)
• Incident Response Plan Update Completed (Yes/No)
• Users who have completed awareness training (#)

Compliance
• SOX Deficiencies, Significant Deficiencies, Material Weaknesses (#)
• PCI Audit Findings (#)
• CPNI Audit Findings (#)

BC/DR
• BIA Complete (Yes/No)
• Business Continuity Plans Complete (#)
• Business Continuity Plans Tested (#)
• Disaster Recovery Plans Complete (#)
• Disaster Recovery Plans Tested (#)
Lessons Learned
• Ignorance is not bliss - get in the game early
• Right-size your risk management plan - Communicate early and often
• Balance business with security
• Standardize the process