Acquisitions: Your Latest Zero Day
Presented by: Mitch Greenfield, CISA, CEH, LPT (@ghctim) and Scott MacArthur, CISSP, CISA, CEH, LPT
Agenda
• Phases of the Review
• Review Goals – Why are we doing this?
• Minimum Necessary
• Technical Testing
• Interviewing
• Reporting
• Wrap-up
• Integration
• Compliance Risks
• Value to the Business
Goals for the Review
• Understand the risk
• Articulate the risk(s) to the business
• Develop an integration strategy
  • Technologies
  • Process
  • People
  • Timeline (integration speed vs. risk)
• Understand compliance with regulating bodies (PCI, SOX, HIPAA, etc.)
Phases of the Review
• Pre-close / diligence (quiet period)
  • Who is “under the tent”
  • Diligence trip(s)
  • Budgeting
  • Planning for day/week 1
  • Pre-assessment requirements (network diagrams, org charts, interview targets, etc.)
  • Communication strategy
• Post-close
  • Week 1
  • Month 1
  • Integration
Minimum Necessary
• Phases – week 1, month 1, everything else
• Separate but equal
• Moving to common security technology platforms
• When is it appropriate to start opening connections?
• What is acceptable risk?
• Communication Strategy
• Our Experience
Technical Testing
• Goals
• Scoping / When is it enough?
• Value of the data
• QA vs. Production
• Network / OS vulnerability scanning
• Databases
• Websites
• Communication Strategy
• Our Experience
Interviewing
• Audit programs
• Are all acquisitions treated equally?
  • Payer / Provider / Tire store
• Audit.net
• CSF
• OCR
• CoBIT
• Auditing against your own internal security framework
• Communication Strategy
• Our Experience
Reporting
• Report writing
• Peer review
• Audience
• Tracking issues
• Risk acceptance
• Communication Strategy
• Our Experience
Integration
• Risks of integration
• Risks of not integrating
• Costs associated with both
• Process integration
• Value of an integrated security program
• Communication Strategy
• Our Experience
Compliance Risks
• PCI – When should a QSA be used for a pre-audit?
• HIPAA – OCR audit protocol
• SOX – Internal Audit to perform a review
• Our Experience
Value to the Business
• Understanding risk
• Understanding costs associated with integration