
Acquisitions: Your Latest Zero Day


Presentation Transcript


  1. Acquisitions: Your Latest Zero Day
     Presented by: Mitch Greenfield, CISA, CEH, LPT (@ghctim)
     Scott MacArthur, CISSP, CISA, CEH, LPT

  2. Agenda
     • Phases of the Review
     • Review Goals – Why are we doing this?
     • Minimum Necessary
     • Technical Testing
     • Interviewing
     • Reporting
     • Wrap-up
     • Integration
     • Compliance Risks
     • Value to the Business

  3. Goals for the Review
     • Understand the risk
     • Articulate the risk(s) to the business
     • Develop an integration strategy
       • Technologies
       • Process
       • People
       • Timeline (integration speed vs. risk)
     • Understand compliance with regulating bodies (PCI, SOX, HIPAA, etc.)

  4. Phases of the Review
     • Pre-close / diligence (quiet period)
       • Who is “under the tent”
       • Diligence trip(s)
       • Budgeting
       • Planning for day/week 1
       • Pre-assessment requirements (network diagrams, org charts, interview targets, etc.)
       • Communication strategy
     • Post-close
       • Week 1
       • Month 1
       • Integration

  5. Minimum Necessary
     • Phases – week 1, month 1, everything else
     • Separate but equal
     • Moving to common security technology platforms
     • When is it appropriate to start opening connections?
     • What is acceptable risk?
     • Communication strategy
     • Our experience

  6. Technical Testing
     • Goals
     • Scoping / when is it enough?
     • Value of the data
     • QA vs. production
     • Network / OS vulnerability scanning
     • Databases
     • Websites
     • Communication strategy
     • Our experience

  7. Interviewing
     • Audit programs
     • Are all acquisitions treated equally? Payer / provider / tire store
     • Audit.net
     • CSF
     • OCR
     • COBIT
     • Auditing against your own internal security framework
     • Communication strategy
     • Our experience

  8. Reporting
     • Report writing
     • Peer review
     • Audience
     • Tracking issues
     • Risk acceptance
     • Communication strategy
     • Our experience

  9. Integration
     • Risks of integration
     • Risks of not integrating
     • Costs associated with both
     • Process integration
     • Value of an integrated security program
     • Communication strategy
     • Our experience

  10. Compliance Risks
     • PCI – when should a QSA be used for a pre-audit?
     • HIPAA – OCR audit protocol
     • SOX – Internal Audit to perform a review
     • Our experience

  11. Value to the Business
     • Understanding risk
     • Understanding costs associated with integration

  12. Questions
