Assessing Security and Compliance Risk for Acquisitions and Mergers June 22, 2011


Page 1: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Assessing Security and Compliance Risk for Acquisitions and Mergers

June 22, 2011

Page 2: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Agenda


• EarthLink Recent History

• Risk Evaluation Opportunities

• Planning Activities

• Prioritizing Risk Review – Compliance, BC and DR, IT security

• IT Compliance

• Business Continuity and Disaster Recovery

• IT Risk Assessment

• Risk Action Plan

• Lessons Learned

Confidential

Page 3: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Recent History


Q2 2010…
• ~1.5M consumer customers
• 80% of revenue coming from broadband/dial subs, 20% from business
• Declining business – 3% monthly churn
• Generated $811M+ in cash between 6/2007 and 9/2010 – 35% margin in 2010

Last Six Months…Nearly $1B in M&A Activity!
• ITC DeltaCom – 12/8/2010
• STS Telecom – 3/2/2010
• One Communications – 4/1/2011
• Logical Solutions – 5/17/2011

Today…
• ~60% of revenue coming from business (excluding One/Logical acquisitions)
• Employees from ~900 to 3,300+
• Physical locations from 4 to 100+


Page 4: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

The New EarthLink


Products and Services
• IP Network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
• Voice – VoIP, Local, Long Distance, Mobile
• Cloud Services – Cloud Hosting, Web Hosting, Security
• Managed Services – Voice, Router, Email, Data Center Colocation


Page 5: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Implications


Page 6: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Risk Evaluation Opportunities


• Pre-acquisition – Initial reviews – Learning
  – Is this the right deal at the right valuation?

• Pre-acquisition – Post announcement – Planning (Gap analysis)
  – What IT processes are in place?
  – What IT compliance programs are in place? Is there a gap?
  – Is there a business continuity program? Disaster recovery?

• Post-acquisition – Integration – Execution
  – Deep dives – compliance, BC/DR, IT risk
  – Remediation roadmaps
  – Continuous improvement audits


Page 7: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Planning Activities


Suggested activities:
• Identify evaluation framework – COBIT, ISO 27K, etc.
• Begin assessing risk – Interviews, review documentation
• What are the expected interim and long-term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
• Prioritize risk management
  – IT compliance (PCI, SOX, other, new?)
  – Business continuity and disaster recovery
  – Risk management


Page 8: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

IT Compliance


SOX – COBIT
• Program requirements – Identify materiality, controls and systems
• Gap analysis
• Deficiencies list – Focus on material weaknesses and significant deficiencies first

PCI DSS
• Merchant or service provider level
• Audit schedule
• Auditor

Identify new regulatory requirements:
• Gramm–Leach–Bliley Act?
• HIPAA?
• CPNI?


Page 9: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Business Continuity and Disaster Recovery


Business Continuity
• Integrated Crisis Management Plan
• Identify key business leaders
• Business Impact Analysis – Identify key processes
• Develop BCP plans

Disaster Recovery
• Inventory system availability requirements and recovery capabilities
• Prepositioned equipment
• Identification of seasoned, tactical leaders
• Employee safety, wellness


Page 10: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Disaster Strikes


Tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 miles from our local operations center

April 27th – an F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site

Page 11: Assessing IT Security and Compliance Risk for Acquisitions and Mergers


IT Risk Evaluation

• Structured evaluation – Align evaluation with 27001/27002, COBIT, Shared Assessment Questionnaire
• Information gathering – Identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
• Align team/resources
  – Develop a prioritized remediation roadmap
  – Architecture – evaluate integration initiatives
  – Compliance – develop/integrate compliance program
• Determine audience/output for communication plan – How does your culture manage risk?
• Recruit allies (CIO, other major stakeholders)

Page 12: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Evaluating Defenses and Processes


Network – Evaluate:
• Network architecture/segmentation
• Firewall
• Intrusion Prevention
• Denial of Service protection
• Intrusion monitoring via event correlation
• Bandwidth utilization monitoring
• VPN authentication

Application – Evaluate:
• Load balancing
• Vulnerability assessments and remediation
• Application development security framework aka AppSec
• Centralized digital certificate management
• Web application firewall
• Web application log monitoring

Infrastructure – Evaluate:
• Vulnerability assessments and remediation
• Build standards
• Physical security standards
• Host Intrusion Detection
• Anti-virus
• Content filtering
• End point encryption

Data – Evaluate:
• Data security standards
• Database firewall
• Data discovery or breach analysis
• Mobile device management/security

Policies & Process – Evaluate:
• IT Security Policy
• Incident Response – Rapid Breach Response Team
• eBCM
• Crisis Management
• User Management
• Change Control

Awareness – Evaluate:
• Tech awareness – ex. application development security training
• End user awareness training podcasts

Page 13: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Qualifying Risk


Page 14: Assessing IT Security and Compliance Risk for Acquisitions and Mergers


Risk Action Plan

• Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
• Align with integration efforts where possible (AD migration, billing system integration, etc.)
• Develop Remediation Roadmap
  – Quick hits – patching servers, fixing web apps, etc.
  – Interim hits – risk reduction initiatives (prioritized risk reduction target system upgrades for key users, IPS, SIEM monitoring, process improvements ex. AV)
  – Long term – system standardization, integration projects, cultural change
• Adopt standard processes, protections, guidelines, metrics

Page 15: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Measuring Success and Trends


Metrics by area, with how each is measured (metric – measure):

Operational Security
• Infrastructure Vulnerabilities – Index
• Web Application Vulnerabilities – #
• Virus Quarantines – #
• Intrusion Attempts – #
• DOS Attempts – #
• % of Infrastructure Protected – %
• Security Incidents – #
• Security Event Investigations – #

Policy/Awareness
• Quarterly Threat Assessment – Yes/No
• IT Security Policy Updated – Yes/No
• Incident Response Plan Update Completed – Yes/No
• Users who have completed awareness training – #

Compliance
• SOX Deficiencies, Significant Deficiencies, Material Weaknesses – #
• PCI Audit Findings – #
• CPNI Audit Findings – #

BC/DR
• BIA Complete – Yes/No
• Business Continuity Plans Complete – #
• Business Continuity Plans Tested – #
• Disaster Recovery Plans Complete – #
• Disaster Recovery Plans Tested – #

Page 16: Assessing IT Security and Compliance Risk for Acquisitions and Mergers


Lessons Learned

• Ignorance is not bliss - get in the game early

• Right-size your risk management plan - Communicate early and often

• Balance business with security

• Standardize the process