1
Acquisitions: Your Latest Zero Day
Presented by: Mitch Greenfield, CISA, CEH, LPT (@ghctim) and Scott MacArthur, CISSP, CISA, CEH, LPT
2
Agenda
• Phases of the Review
• Review Goals – Why are we doing this?
• Minimum Necessary
• Technical Testing
• Interviewing
• Reporting
• Wrap-up
• Integration
• Compliance Risks
• Value to the Business
3
Goals for the Review
• Understand the risk
• Articulate the risk(s) to the business
• Develop an integration strategy
– Technologies
– Process
– People
– Timeline (Integration speed vs. Risk)
• Understand compliance with regulating bodies (PCI, SOX, HIPAA, etc.)
4
Phases of the Review
• Pre-close / diligence (quiet period)
– Who is “under the tent”
– Diligence trip(s)
– Budgeting
– Planning for day/week 1
– Pre-assessment requirements (network diagrams, org charts, interview targets, etc.)
– Communication Strategy
• Post-close
– Week 1
– Month 1
– Integration
5
Minimum Necessary
• Phases – week 1, month 1, everything else
• Separate but equal
• Moving to common security technology platforms
• When is it appropriate to start opening connections?
• What is acceptable risk?
• Communication Strategy
• Our Experience
6
Technical Testing
• Goals
• Scoping / When is it enough?
• Value of the data
• QA vs. Production
• Network / OS vulnerability scanning
• Databases
• Websites
• Communication Strategy
• Our Experience
7
Interviewing
• Audit programs
• Are all acquisitions treated equally? Payer / Provider / Tire store
• Audit.net
• CSF
• OCR
• CoBIT
• Auditing against your own internal security framework
• Communication Strategy
• Our Experience
8
Reporting
• Report writing
• Peer review
• Audience
• Tracking issues
• Risk Acceptance
• Communication Strategy
• Our Experience
9
Integration
• Risks of integration
• Risks of not integrating
• Costs associated with both
• Process integration
• Value of an integrated security program
• Communication Strategy
• Our Experience
10
Compliance Risks
• PCI – When should a QSA be used for a pre-audit?
• HIPAA – OCR audit protocol
• SOX – Internal Audit to perform a review
• Our Experience
11
Value to the business
• Understanding risk
• Understanding costs associated with integration