M&A Information Security
Areas of Interest (AOIs)
Matthew Rosenquist
Cybersecurity Strategist
Intel Corp
Security does not happen
by default.
Mergers and Acquisitions represent a significant risk to
organizations as integration and data sharing can expose assets
to confidentiality, integrity, and availability threats. Security must
identify the risks across a broad scope of areas. This guide is a
starting point for M&A security evaluation.
Areas of Interest (AOI)
Information security is as pervasive as information systems. Security aspects are chained together to form a posture, which is only as strong as the weakest link. M&A InfoSec must scope projects to understand high-risk areas, including those which may conflict with ethical and regulatory expectations.
Determining information security AOIs is an exercise to:
1. Identify areas which are likely strong and need no further
immediate attention
2. Identify areas which will require intervention, attention, or
further scrutiny
Strategic Areas of Interest
1. Application, Identity, and Access Management Security
2. Network/DMZ Security
3. Host Security (client, server, PDA, Mid, phone)
4. Data Security and Privacy
5. Security Policy and Training (behavioral security)
6. Security Operations and Support
7. Security Investigations
8. Outsourcing and 3rd Party Security (extranets, etc.)
9. Legal Discovery and Corporate Retentions
10. Crisis Response and BCDR
11. Risk and Threat Analysis
12. Security Business Management and Metrics
13. Information Security Legal
14. HR & Corporate Legal Security
15. Internal Audit
16. Physical Security (corporate/off-site/facilities)
17. External Product Security Design and Incident Response
18. Export Control and Controlled Country Technology Security
19. Security Engineering and Integration
20. Behavioral Security Controls
21. Security Architecture and Strategy
22. Security Regulatory Compliance
Application, Identity, and Access Management Security
Access management is the backbone of controlling which authorized users may access systems and locations. Critical systems and areas should be controlled for both physical and logical access. Poor access management is nearly as detrimental as no access control.
Example areas:
• Security controls (C/I/A) for critical and sensitive applications
• Number of persons accessing, internally and externally, locally and remotely
• Identity (Authentication) for access to systems (formal/informal,
automated/manual, etc.)
• Access (Authorization) for access to systems
• Integration with physical access systems (proximity badges)
Network/DMZ Security
Securing connectivity between systems on the intranet and the Internet is the first line of defense in containing the spread of malicious activity. Internet connectivity exposes the organization to a plethora of threats.
Example areas:
• Defense in Depth security (predict, prevent, detect, respond)
• Recent and historical security breaches
• Technical controls – firewalls, proxies, filters, honeypots, etc.
• Update capability, monitoring, and configuration control
Host Security (client, server, PDA, Mid, phone)
The value of computer networks resides on the hosts. This includes both the value of the data and the services they operate for their owners. Compromise of hosts leads to loss of confidentiality, integrity, and availability.
Example areas:
• Number and type of hosts
• Defense in Depth security controls (predict, prevent, detect,
respond)
• Recent and historical security breaches?
• Standard host builds (OS, apps, data, usage model, etc.)
Data Security and Privacy
Data can be exposed, altered, stolen, moved, or deleted. Critical and sensitive data must be secured. This includes personal private data, intellectual property, and trade secrets. Various regulations mandate or restrict how data is stored, transmitted, shared/reported, and deleted. Additional requirements may mandate notification of end users and regulatory agencies. In most cases security controls must be well documented and assurance mechanisms must be in place.
Example areas:
• Defense in Depth security (predict, prevent, detect, respond)
• Data Destruction policies – reasonable, gaps, defined,
communicated, monitored/audited, actualized
• Recent and historical security breaches?
Security Policy and Training
Policy and training lend themselves to behavioral security, insurance against liability actions, and in some cases proof of regulatory compliance. They are one of the best practices in the industry and are considered a first step toward any mature security program.
Example areas:
• Policies well documented and current
• Owner for policies, maintenance/care
• Marketing plans for policy dissemination
• Measurements for absorption
• Mandatory end-user training/participation
Security Operations and Support
Security systems must be maintained and issues addressed in support of end users and system administrators. Operations and support ensure controls stay current with the threats and that the system maintains the capability for detection and response.
Example areas:
• Service overview for capabilities and access of systems
• Service Level Agreements
• Scope and roles defined
• Incident volume and resolution
• Issue tracking and reporting capabilities
Security Investigations
Virtually every organization is at risk of compromise, theft, and abuse. The capability to investigate issues is both a preventative (deterrence) and a responsive control. Investigation capability may be successfully outsourced if the proper engagement triggers are in place.
Example areas:
• History of investigations (areas, numbers, impacts)
• Scope and capability of team
• Proper documentation and investigation techniques
• Awareness of local, national, and international regulations
Outsourcing and 3rd Party Security (extranets, ICC’s, etc.)
Outsourcing to 3rd party services (examples: HR, IT, CRM, etc.) is popular, but connectivity and data sharing with such organizations represents a massive risk. The home network may easily be compromised, and the data left insecure or tampered with, without either party's knowledge or ownership.
Example areas:
• What services and data are outsourced
• Have service providers been audited (SAS 70 Type II, since superseded by SOC 1/SOC 2 reports under SSAE 16/18)
• Do service providers use standard security models
• Do systems connect directly or via bastion/proxy systems in the
DMZ
Legal Discovery and Corporate Retentions
Litigation is rapidly evolving to incorporate IT systems into evidence discovery edicts. IT represents a well of discoverable data for civil lawsuits and criminal investigations. Companies must be able to properly respond to Legal Event Hold Notices (LEHNs) and provide data in a satisfactory and consistent manner.
Example areas:
• What capability to process eDiscovery requests (legal hold
orders)
• What capability to gather data across the organization
• Current LEHNs and their disposition
• Designation of persons/team responsible
Crisis Response and BCDR
Everything can be broken. An information security crisis may be a deliberately induced, complex failure for which normal operating procedures are inadequate. Survivability in these situations depends heavily on an effective crisis response and Business Continuity/Disaster Recovery (BCDR) capability.
Example areas:
• Documented BCDR processes
• Client/Server backups
• Crisis response teams
• Offsite backup data storage
• Fail-over/secondary redundant systems
• Critical system hot-swap/warm backups
• Key recovery capabilities
Risk and Threat Analysis
Predicting weaknesses, what will be targeted, and who is the gravest threat is paramount in distilling the massive cloud of threats down to the most likely risks. Advanced organizations will maintain this capability in-house, while smaller companies may rely on vendors, service providers, or the FUD (fear, uncertainty, and doubt) principle.
Example areas:
• Risk assessment methodology (OCTAVE, etc.)
• Designated risk evaluation/management group
• Published risk assessments
• Indicators and metrics
• Identified areas of greatest exposure
Security Business Management and Metrics
Organizations with complex, costly, or well-managed security will have some capacity for indicators, measures, and metrics. They should be aligned to critical business capability. If present, these represent key pain points and areas where security is typically focused.
Example areas:
• Published security metrics
• Responsible group/person to manage and analyze data
• Measurable goals and objectives for security
• ROI, ROSI, or value assessments for security projects
Information Security Legal
Legal counsel is strongly recommended for many different regulatory and litigation areas. Lack of counsel, either internal or external, reflects on the level of maturity of the security organization. This is becoming a specialty field.
Example areas:
• Designated information security attorney
• Regular process to review incidents, contracts, and security plans
• Integration with the security team and established
communication expectations
• Data destruction guidelines
HR & Corporate Legal Security
Human Resources and Legal departments have their own longstanding set of legal issues and security requirements. These are specialty fields which should be represented either internally or through outsourcing.
Example areas:
• Employment law alignment and best practices (disgruntled
employees, terminations, LDO)
• IP and Trade Secret protections
• Secure data handling and storage
• Data request guidelines and alignment
• Data retention guidelines
Internal Audit
Independent auditing functions are a requirement for some types of businesses and regulations. Lack of a properly represented IA function may be a concern. If present, past IA findings and where they chose to audit can be very telling as to both the security state and the capability of the organization.
Example areas:
• Existence of an independent IA group
• Past audit areas and findings
• Response to past findings and resolutions
• Documentation and quality of audits
• Certifications and associations of auditors
Physical Security
(corporate/off-site location/facilities)
As the saying goes “physical security trumps logical
security”. Physical security must be aligned to support
information security. The greatest infosec controls may
be undermined by poor physical security. This includes
site, facilities, communications, personnel, systems, and
data areas.
Example areas:
• Co-location sites, trade shows, vendor/customer meetings, product demos, etc.
• Proximity of competitors
• Health/Life Safety computing controlled risks
• Physical security of offices, labs, telecom/network and DCs
• Behavioral controls for physical security
• Historical physical security issues/incidents
External Product Security Design and Incident Response
Product security is gaining more attention and can pull resources from internal security, as internal staff are leveraged for content expertise. Understanding the general security of the products may therefore translate into impacts on internal resources.
Example areas:
• Product number, type, and industry
• Past commitments of internal resources
• Known exposures of current products
• Crisis response for newly discovered vulnerabilities
• Integration with necessary internal/external researchers
Export Control and Controlled Country Technology Security
For companies doing business in Controlled Countries or High Performance Computing (HPC) restricted countries, the US export regulations must be actively applied. Business in embargoed countries is forbidden. Ownership must be established and controls put in place.
Example areas:
• Designated responsible parties for export control compliance
• Internal communication and training dissemination
• Listing of controlled/HPC products related to the organization
• Listing of countries where business is being conducted
• Tracking of CC employees
• Technical controls limiting information transfer
Security Engineering and Integration
Security controls rarely apply out-of-the-box for
anything but the smallest organization. For larger or
complex environments some level of customization and
engineering is required. This is especially true when
legacy systems must be sustained.
Example areas:
• Designated engineering group for security
• What custom security solutions exist
• What customization of COTS has been done
• Have external organizations been employed, if so what access
did they have?
Behavioral Security Controls
People tend to be the weakest link in any system and
have the creativity and permissions to go outside the
controls limiting a computer. A security savvy user base
is one of the strongest controls. A user base which is
lacking security competencies may represent the single
largest threat vector.
Example areas:
• Defense in Depth controls (predict, prevent, detect, respond)
• Documented policies and mandatory training
• Absorption and adherence to policy
• Communications programs
• Deterrence, as part of preventative controls, utilized
• Reinforcement of good security practices, and how they benefit
the end-user
Security Architecture and Strategy
Large, regulated, or complex organizations need to
have a solid strategy and supporting architecture to
manage security.
Example areas:
• Designated architecture/strategy team or person
• Published designs and strategies for different aspects of
security and regulation adherence
• Measures and Metrics to track maturity and performance
Security Regulatory Compliance
Information security related regulatory compliance must be confirmed for the different types of acquisitions. Information security is being pulled into more areas where data must be assured, kept confidential, and kept available.
Example areas:
• PCI DSS – Payment Card Industry Data Security Standard
• HIPAA – Health Insurance Portability and Accountability Act
• SOX – Sarbanes-Oxley Act
• Privacy – PII, PHI, Web Privacy Policy, COPPA, etc.
• eDiscovery litigation – LEHN – Legal Event Hold Notice
• Export Control Compliance – CC, HPC, Embargoed countries
• Human Resources
• GINA – Genetic Information Nondiscrimination Act
• ADA – Americans with Disabilities Act
Information security is a burgeoning industry. As information technology leaps forward, the velocity of information security must keep pace.
Think strategic. Act competitive. Be secure.
A Year of the Servo Reboot: Where Are We Now?
 

Mergers and Acquisition Security - Areas of Interest

1. Application, Identity, and Access Management Security
Access management is the backbone of controlling which authorized users may access which systems and locations. Critical systems and areas should be controlled for both physical and logical access. Poor access management is nearly as detrimental as no access control.
Example areas:
• Security controls (C/I/A) for critical and sensitive applications
• Number of persons accessing, internally and externally, locally and remotely
• Identity (authentication) for access to systems (formal/informal, automated/manual, etc.)
• Access (authorization) for access to systems
• Integration with physical access systems (proximity badges)
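The first concrete artifact an M&A security reviewer usually asks the target for is an identity export: who has access, from where, how they authenticate, and what they are authorized to do. The script below is an added example of the kind of access review run over such an export; it is not part of the original slides and not Intel's tooling. The CSV layout (user, type, mfa, last_login, roles, remote), the 90-day dormancy threshold, and the sample rows are all constructed assumptions; a real export from an identity provider or directory will need its own column mapping.

```python
"""Access review over a constructed identity export (added example, not from the deck)."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export. The column set is an assumption about what an
# IdP/directory dump provides; map real exports onto these names.
SAMPLE_EXPORT = """\
user,type,mfa,last_login,roles,remote
alice,internal,yes,2024-04-28,admin;sql,no
bob,internal,no,2023-09-01,user,yes
carol,external,yes,2024-04-20,user,yes
dave,external,no,2024-04-25,admin,yes
svc-backup,service,no,2024-04-29,admin,no
erin,internal,yes,2024-01-15,user,no
"""

# Fixed "now" so the review is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 4, 30, tzinfo=timezone.utc)
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for a dormant account


def parse_export(text):
    """Parse the CSV export into normalized records (booleans, role sets, datetimes)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": r["user"],
            "type": r["type"].strip().lower(),            # internal / external / service
            "mfa": r["mfa"].strip().lower() == "yes",
            "remote": r["remote"].strip().lower() == "yes",
            "roles": set(filter(None, r["roles"].split(";"))),
            "last_login": datetime.strptime(r["last_login"], "%Y-%m-%d")
                                  .replace(tzinfo=timezone.utc),
        })
    return rows


def review_access(rows, now=NOW, dormant_after=DORMANT_AFTER):
    """Return (user, finding) pairs for the conditions a due-diligence review flags.

    Each condition maps to one of the slide's example areas: authentication strength,
    external versus internal identities, remote access, and stale authorization.
    """
    findings = []
    for r in rows:
        privileged = "admin" in r["roles"]
        if privileged and not r["mfa"]:
            findings.append((r["user"], "privileged account without MFA"))
        if r["type"] == "external" and privileged:
            findings.append((r["user"], "external identity holds privileged role"))
        if r["remote"] and not r["mfa"]:
            findings.append((r["user"], "remote access without MFA"))
        if now - r["last_login"] > dormant_after:
            findings.append((r["user"], "dormant account (no login in %d days)"
                             % dormant_after.days))
    return findings


def summarize(rows):
    """Count accounts by (type, local/remote) to answer 'how many, from where'."""
    counts = Counter()
    for r in rows:
        counts[(r["type"], "remote" if r["remote"] else "local")] += 1
    return dict(counts)


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for key, n in sorted(summarize(records).items()):
        print("%-10s %-6s %d" % (key[0], key[1], n))
    for user, finding in review_access(records):
        print("%-12s %s" % (user, finding))
```

The findings list is the input to the AOI decision on slide 3: an estate where every flagged account is a known, documented exception can be marked "likely strong", while one where external identities hold unmonitored admin roles goes straight to the "requires intervention" column. Service accounts without MFA are expected; the point of listing them is to ask whether a compensating control (network restriction, key-based auth) exists.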
2. Network/DMZ Security
Securing connectivity between systems on the intranet and the Internet is the first line of defense for containing the spread of malicious activity. Connecting to the Internet exposes the organization to a wide range of threats.
Example areas:
• Defense in Depth security (predict, prevent, detect, respond)
• Recent and historical security breaches
• Technical controls: firewalls, proxies, filters, honeypots, etc.
• Update capability, monitoring, and configuration control
3. Host Security (client, server, PDA, Mid, phone)
The value of computer networks resides on the hosts. This includes both the value of the data and the services they operate for their owners. Compromise of a host leads to loss of confidentiality, integrity, or availability.
Example areas:
• Number and type of hosts
• Defense in Depth security controls (predict, prevent, detect, respond)
• Recent and historical security breaches
• Standard host builds (OS, apps, data, usage model, etc.)
4. Data Security and Privacy
Data can be exposed, altered, stolen, moved, or deleted. Critical and sensitive data must be secured. This includes personal private data, intellectual property, and trade secrets. Various regulations mandate or restrict how data is stored, transmitted, shared/reported, and deleted. Breach notification requirements may additionally oblige the organization to notify end users and regulatory agencies. In most cases security controls must be well documented and assurance mechanisms must be in place.
Example areas:
• Defense in Depth security (predict, prevent, detect, respond)
• Data destruction policies: reasonable, gaps, defined, communicated, monitored/audited, actualized
• Recent and historical security breaches
5. Security Policy and Training
Policy and training lend themselves to behavioral security, insurance against liability actions, and in some cases proof of regulatory compliance. They are an industry best practice and considered the first step of any mature security program.
Example areas:
• Policies well documented and current
• Owner for policies, maintenance/care
• Marketing plans for policy dissemination
• Measurements of policy absorption
• Mandatory end-user training/participation
6. Security Operations and Support
Security systems must be maintained and issues addressed in support of end users and system administrators. Operations and support ensure that controls stay current with the threats and that the system maintains its capability for detection and response.
Example areas:
• Service overview for capabilities and access of systems
• Service Level Agreements
• Scope and roles defined
• Incident volume and resolution
• Issue tracking and reporting capabilities
7. Security Investigations
Virtually every organization is at risk of compromise, theft, and abuse. The capability to investigate issues is both a preventative (deterrence) and a responsive control. Investigation capability may be successfully outsourced if the proper engagement triggers are in place.
Example areas:
• History of investigations (areas, numbers, impacts)
• Scope and capability of team
• Proper documentation and investigation techniques
• Awareness of local, national, and international regulations
8. Outsourcing and 3rd Party Security (extranets, ICC's, etc.)
Outsourcing to 3rd party services (examples: HR, IT, CRM, etc.) is popular, but connectivity and data sharing with such organizations represent a massive risk. The home network may easily be compromised, and data may be left insecure or tampered with without either party's knowledge or ownership.
Example areas:
• What services and data are outsourced
• Have service providers been audited (SAS 70 Type II, or the SOC 1/SOC 2 reports that have since superseded it)
• Do service providers use standard security models
• Do systems connect directly or via bastion/proxy systems in the DMZ
9. Legal Discovery and Corporate Retentions
Litigation is rapidly evolving to incorporate IT systems into evidence discovery orders. IT represents a well of discoverable data for civil lawsuits and criminal investigations. Companies must be able to respond properly to LEHN's (Legal Event Hold Notices) and provide data in a satisfactory and consistent manner.
Example areas:
• Capability to process eDiscovery requests (legal hold orders)
• Capability to gather data across the organization
• Current LEHN's and their disposition
• Designation of persons/team responsible
10. Crisis Response and BCDR
Everything can be broken. An information security crisis may be a deliberately induced, complex failure for which normal operating procedures are inadequate. Survivability in these situations depends heavily on an effective crisis response and Business Continuity / Disaster Recovery (BCDR) capability.
Example areas:
• Documented BCDR processes
• Client/server backups
• Crisis response teams
• Offsite backup data storage
• Fail-over/secondary redundant systems
• Critical system hot-swap/warm backups
• Key recovery capabilities
11. Risk and Threat Analysis
Predicting weaknesses, what will be targeted, and who poses the gravest threat is paramount in distilling the massive cloud of threats down to the most likely risks. Advanced organizations maintain this capability in-house, while smaller companies may rely on vendors, service providers, or the FUD principle.
Example areas:
• Risk assessment methodology (OCTAVE, etc.)
• Designated risk evaluation/management group
• Published risk assessments
• Indicators and metrics
• Identified areas of greatest exposure
12. Security Business Management and Metrics
Organizations with complex, costly, or well managed security will have some capacity for indicators, measures, and metrics. These should be aligned to critical business capabilities. Where present, they reveal the key pain points and the areas where security is typically focused.
Example areas:
• Published security metrics
• Responsible group/person to manage and analyze data
• Measurable goals and objectives for security
• ROI, ROSI, or value assessments for security projects
13. Information Security Legal
Legal counsel is strongly recommended for many regulatory and litigation areas. Lack of counsel, either internal or external, reflects on the maturity of the security organization. This is becoming a specialty field.
Example areas:
• Designated information security attorney
• Regular process to review incidents, contracts, and security plans
• Integration with the security team and established communication expectations
• Data destruction guidelines
14. HR & Corporate Legal Security
Human Resources and Legal departments have their own longstanding set of legal issues and security requirements. These are specialty fields that should be represented either internally or through outside counsel.
Example areas:
• Employment law alignment and best practices (disgruntled employees, terminations, LDO)
• IP and trade secret protections
• Secure data handling and storage
• Data request guidelines and alignment
• Data retention guidelines
15. Internal Audit
Independent auditing functions are a requirement for some types of businesses and regulations. Lack of a properly represented Internal Audit (IA) function may be a concern. Where present, past IA findings and the areas IA chose to audit can be very telling about both the security state and the capability of the organization.
Example areas:
• Existence of an independent IA group
• Past audit areas and findings
• Response to past findings and resolutions
• Documentation and quality of audits
• Certifications and associations of auditors
16. Physical Security (corporate/off-site location/facilities)
As the saying goes, "physical security trumps logical security". Physical security must be aligned to support information security; the greatest infosec controls may be undermined by poor physical security. This includes site, facilities, communications, personnel, systems, and data areas.
Example areas:
• Co-location sites, trade shows, vendor/customer meetings, product demos, etc.
• Proximity of competitors
• Health/life-safety risks in computer-controlled systems
• Physical security of offices, labs, telecom/network rooms, and data centers
• Behavioral controls for physical security
• Historical physical security issues/incidents
17. External Product Security Design and Incident Response
Product security is gaining more attention and can pull resources from internal security, as internal staff are drawn on for subject-matter expertise. Understanding the general security of the products indicates the likely impact on internal resources.
Example areas:
• Product number, type, and industry
• Past commitments of internal resources
• Known exposures of current products
• Crisis response for newly discovered vulnerabilities
• Integration with the necessary internal/external researchers
18. Export Control and Controlled Country Technology Security
For companies doing business in Controlled Countries (CC) or countries subject to High Performance Computing (HPC) restrictions, the US Export Regulations must be actively applied. Business in embargoed countries is forbidden. Ownership must be established and controls put in place.
Example areas:
• Designated responsible parties for export control compliance
• Internal communication and training dissemination
• Listing of controlled/HPC products related to the organization
• Listing of countries where business is being conducted
• Tracking of CC employees
• Technical controls limiting information transfer
19. Security Engineering and Integration
Security controls rarely apply out-of-the-box for anything but the smallest organization. For larger or complex environments some level of customization and engineering is required. This is especially true when legacy systems must be sustained.
Example areas:
• Designated engineering group for security
• What custom security solutions exist
• What customization of COTS products has been done
• Have external organizations been employed, and if so, what access did they have?
20. Behavioral Security Controls
People tend to be the weakest link in any system, and they have the creativity and permissions to go outside the controls that limit a computer. A security-savvy user base is one of the strongest controls; a user base lacking security competencies may represent the single largest threat vector.
Example areas:
• Defense in Depth controls (predict, prevent, detect, respond)
• Documented policies and mandatory training
• Absorption of and adherence to policy
• Communications programs
• Use of deterrence as part of preventative controls
• Reinforcement of good security practices, and how they benefit the end-user
21. Security Architecture and Strategy
Large, regulated, or complex organizations need a solid strategy and supporting architecture to manage security.
Example areas:
• Designated architecture/strategy team or person
• Published designs and strategies for different aspects of security and regulation adherence
• Measures and metrics to track maturity and performance
22. Security Regulatory Compliance
Information security related regulatory compliance must be confirmed for the different types of acquisitions. Information security is being pulled into more areas where data must be assured, kept confidential, and kept available.
Example areas:
• PCI DSS – Payment Card Industry Data Security Standard
• HIPAA – Health Insurance Portability and Accountability Act
• SOX – Sarbanes-Oxley Act
• Privacy – PII, PHI, web privacy policy, COPPA, etc.
• eDiscovery litigation – LEHN – Legal Event Hold Notice
• Export control compliance – CC, HPC, embargoed countries
• Human Resources
• GINA – Genetic Information Nondiscrimination Act
• ADA – Americans with Disabilities Act
Information security is a burgeoning industry. As information technology leaps forward, so does the velocity of information security. Think strategic. Act competitive. Be secure.