Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Assessing Security and Compliance Risk for Acquisitions and Mergers June 22, 2011


Page 1: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Assessing Security and Compliance Risk for Acquisitions and Mergers

June 22, 2011

Page 2: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Agenda


• EarthLink Recent History

• Risk Evaluation Opportunities

• Planning Activities

• Prioritizing Risk Review – Compliance, BC and DR, IT security

• IT Compliance

• Business Continuity and Disaster Recovery

• IT Risk Assessment

• Risk Action Plan

• Lessons Learned

Confidential

Page 3: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Recent History


Q2 2010…
• ~1.5M consumer customers
• 80% of revenue coming from broadband/dial subscribers, 20% from business
• Declining business – 3% monthly churn
• Generated $811M+ in cash between 6/2007 and 9/2010 – 35% margin in 2010

Last Six Months… Nearly $1B in M&A Activity!
• ITC DeltaCom – 12/8/2010
• STS Telecom – 3/2/2010
• One Communications – 4/1/2011
• Logical Solutions – 5/17/2011

Today…
• ~60% of revenue coming from business (excluding One/Logical acquisitions)
• Employees from ~900 to 3,300+
• Physical locations from 4 to 100+


Page 4: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

The New EarthLink


Products and Services
• IP Network Services – Nationwide network – MPLS, T1/DS1, T3/DS3
• Voice – VoIP, Local, Long Distance, Mobile
• Cloud Services – Cloud Hosting, Web Hosting, Security
• Managed Services – Voice, Router, Email, Data Center Colocation


Page 5: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Implications


Page 6: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Risk Evaluation Opportunities


• Pre-acquisition – Initial reviews – Learning
  – Is this the right deal at the right valuation?

• Pre-acquisition – Post announcement – Planning (Gap analysis)
  – What IT processes are in place?
  – What IT compliance programs are in place? Is there a gap?
  – Is there a business continuity program? Disaster recovery?

• Post-acquisition – Integration – Execution
  – Deep dives – compliance, BC/DR, IT risk
  – Remediation roadmaps
  – Continuous improvement audits


Page 7: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Planning Activities


Suggested activities:
• Identify evaluation framework – COBIT, ISO 27K, etc.
• Begin assessing risk – Interviews, review documentation
• What are the expected interim and long term integration initiatives? (AD trust, finance, HR, email, calendar, etc.)
• Prioritize risk management
  – IT compliance (PCI, SOX, other, new?)
  – Business continuity and disaster recovery
  – Risk management


Page 8: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

IT Compliance


SOX – COBIT
• Program requirements – Identify materiality, controls and systems
• Gap analysis
• Deficiencies list – Focus on material weaknesses and significant deficiencies first

PCI DSS
• Merchant or service provider level
• Audit schedule
• Auditor

Identify new regulatory requirements:
• Gramm–Leach–Bliley Act?
• HIPAA?
• CPNI?


Page 9: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Business Continuity and Disaster Recovery


Business Continuity
• Integrated Crisis Management Plan
• Identify key business leaders
• Business Impact Analysis – Identify key processes
• Develop BCP plans

Disaster Recovery
• Inventory system availability requirements and recovery capabilities
• Prepositioned equipment
• Identification of seasoned, tactical leaders
• Employee safety, wellness


Page 10: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Disaster Strikes


Tornado destroyed the Jet Pep gas station on US 231, approximately 0.2 miles from our local operations center

April 27th – F4 tornado struck operations centers in Arab, AL and Huntsville, AL – hundreds of employees on site

Page 11: Assessing IT Security and Compliance Risk for Acquisitions and Mergers


IT Risk Evaluation

• Structured evaluation – Align evaluation with ISO 27001/27002, COBIT, Shared Assessments questionnaire
• Information gathering – Identify key areas for investigation (AV, network topology, network intrusion, patch management, SDLC, web application vulnerability, firewall management, change control, etc.)
• Align team/resources
  – Develop a prioritized remediation roadmap
  – Architecture – evaluate integration initiatives
  – Compliance – develop/integrate compliance program
• Determine audience/output for communication plan – How does your culture manage risk?
• Recruit allies (CIO, other major stakeholders)

Page 12: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Evaluating Defenses and Processes


Six areas to evaluate: Network, Application, Infrastructure, Data, Policies & Process, Awareness

Network – Evaluate:
• Network architecture/segmentation
• Firewall
• Intrusion prevention
• Denial of service protection
• Intrusion monitoring via event correlation
• Bandwidth utilization monitoring
• VPN authentication

Infrastructure – Evaluate:
• Vulnerability assessments and remediation
• Build standards
• Physical security standards
• Host intrusion detection
• Anti-virus
• Content filtering
• Endpoint encryption

Policies & Process – Evaluate:
• IT Security Policy
• Incident Response – Rapid Breach Response Team
• eBCM
• Crisis Management
• User Management
• Change Control

Application – Evaluate:
• Load balancing
• Vulnerability assessments and remediation
• Application development security framework (AppSec)
• Centralized digital certificate management
• Web application firewall
• Web application log monitoring

Data – Evaluate:
• Data security standards
• Database firewall
• Data discovery or breach analysis
• Mobile device management/security

Awareness – Evaluate:
• Tech awareness – e.g. application development security training
• End user awareness training podcasts

Page 13: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Qualifying Risk


Page 14: Assessing IT Security and Compliance Risk for Acquisitions and Mergers


Risk Action Plan

• Synthesize information into actionable items – patch servers, fix app vulnerabilities, etc.
• Align with integration efforts where possible (AD migration, billing system integration, etc.)
• Develop Remediation Roadmap
  – Quick hits – patching servers, fixing web apps, etc.
  – Interim hits – risk reduction initiatives (prioritized risk reduction: target system upgrades for key users, IPS, SIEM monitoring, process improvements, e.g. AV)
  – Long term – system standardization, integration projects, cultural change
• Adopt standard processes, protections, guidelines, metrics

Page 15: Assessing IT Security and Compliance Risk for Acquisitions and Mergers

Measuring Success and Trends


Scorecard metrics by area, each with how it is reported (a count, an index, a percentage, or Yes/No):

Operational Security
• Infrastructure Vulnerabilities – Index
• Web Application Vulnerabilities – #
• Virus Quarantines – #
• Intrusion Attempts – #
• DOS Attempts – #
• % of Infrastructure Protected – %
• Security Incidents – #
• Security Event Investigations – #

Policy/Awareness
• Quarterly Threat Assessment – Yes/No
• IT Security Policy Updated – Yes/No
• Incident Response Plan Update Completed – Yes/No
• Users who have completed awareness training – #

Compliance
• SOX Deficiencies, Significant Deficiencies, Material Weaknesses – #
• PCI Audit Findings – #
• CPNI Audit Findings – #

BC/DR
• BIA Complete – Yes/No
• Business Continuity Plans Complete – #
• Business Continuity Plans Tested – #
• Disaster Recovery Plans Complete – #
• Disaster Recovery Plans Tested – #
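Worked example added by the editor, not from the deck or from EarthLink: a small risk register in Python that scores due-diligence findings, sorts them into the three roadmap tiers from the Risk Action Plan slide (quick hits, interim, long term), and rolls them up into the kind of counts the scorecard above carries. The findings, host counts, scoring weights and tier thresholds are all constructed assumptions for illustration.

```python
"""Risk register for an acquired entity: score findings, bucket them into the
roadmap tiers from the Risk Action Plan slide (quick hit / interim / long term)
and roll them up into scorecard counts. Added example: the findings below are
constructed and the weights and thresholds are assumptions, not EarthLink's method."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    category: str              # "infrastructure", "web_app", "policy" or "bcdr"
    severity: float            # CVSS-style base score, 0-10
    internet_exposed: bool     # reachable from outside the acquired network
    programs: tuple            # compliance programs the asset falls under, e.g. ("SOX", "PCI")
    effort_days: int           # estimated remediation effort
    needs_integration: bool    # only fixable as part of an integration project (AD, billing, ...)


# Constructed sample findings from a hypothetical acquisition review.
FINDINGS = [
    Finding("F1", "infrastructure", 9.8, True, ("PCI",), 2, False),   # unpatched internet-facing host
    Finding("F2", "web_app", 7.8, True, ("PCI", "SOX"), 10, False),   # SQL injection in billing portal
    Finding("F3", "infrastructure", 5.0, False, (), 3, False),        # AV missing on internal hosts
    Finding("F4", "policy", 4.5, False, ("SOX",), 30, True),          # user management tied to AD migration
    Finding("F5", "bcdr", 6.0, False, (), 60, True),                  # DR plan untested, waits on DC consolidation
]


def risk_score(f):
    """Assumed weighting: internet exposure multiplies severity by 1.5 and
    each regulated program the asset sits in adds one point."""
    score = f.severity * (1.5 if f.internet_exposed else 1.0)
    score += len(f.programs)
    return round(score, 1)


def roadmap_tier(f):
    """Tier rule (thresholds assumed): items that can only be fixed inside an
    integration project are long term, cheap fixes are quick hits, and
    everything else is an interim risk-reduction initiative."""
    if f.needs_integration:
        return "long term"
    if f.effort_days <= 5:
        return "quick hit"
    return "interim"


def build_roadmap(findings):
    """Group finding IDs by tier, highest risk score first within each tier."""
    tiers = {"quick hit": [], "interim": [], "long term": []}
    for f in sorted(findings, key=risk_score, reverse=True):
        tiers[roadmap_tier(f)].append(f.fid)
    return tiers


def scorecard(findings, hosts_total, hosts_protected):
    """Roll-up of the counts a scorecard would report for these findings."""
    by_cat = Counter(f.category for f in findings)
    return {
        "infrastructure_vulnerabilities": by_cat["infrastructure"],
        "web_application_vulnerabilities": by_cat["web_app"],
        "pct_infrastructure_protected": round(100.0 * hosts_protected / hosts_total, 1),
        "findings_in_sox_scope": sum(1 for f in findings if "SOX" in f.programs),
        "findings_in_pci_scope": sum(1 for f in findings if "PCI" in f.programs),
    }


if __name__ == "__main__":
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        print(f"{f.fid} score={risk_score(f):>5} tier={roadmap_tier(f)}")
    print(build_roadmap(FINDINGS))
    print(scorecard(FINDINGS, hosts_total=250, hosts_protected=190))
```

The point of separating `risk_score` from `roadmap_tier` is that the deck's tiers are about sequencing and dependencies, not severity: an internet-facing unpatched host (F1) and a missing AV deployment (F3) both land in the quick-hit tier because they are cheap to fix now, while the user-management gap (F4) stays long term because it is only worth fixing once in the AD migration, however it scores.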

Page 16: Assessing IT Security and Compliance Risk for Acquisitions and Mergers


Lessons Learned

• Ignorance is not bliss - get in the game early

• Right-size your risk management plan - Communicate early and often

• Balance business with security

• Standardize the process