《巫山师培中心师范教育教师教学常规》由会员分享,可在线阅读,更多相关《巫山师培中心师范教育教师教学常规(37页珍藏版)》请在金锄头文库上搜索。
1、Information Security in Mergers & AcquisitionsIntroductionChris Conacher BAE Systems BAE Systems, Airbus Intel Corporation KPMG LLP Black Hat CKey Learning Objectives Provide an understanding of critical Information Security risks within the Mergers & Acquisitions (M&A) process Provide an understand
2、ing of the need for Information Security in managing those risks Provide an approach that identifies key actions at various stages within the M&A process General Learning Objectives Specific IS risks as they relate to M&A: Risk to your and the target organizations Risk in relation to phases of the M
3、&A process Role of IS in managing risks: Preparation and development required Key questions IS should answer Key actions at key stages of the M&A process The different Phases in the M&A processRelevance Sudden Change Profile Threat Model Form Sudden Impact Resources Mergers Acquisitions Spin Offs /
4、Ventures / New Business InitiativesBusiness Drivers Confidentiality Speed Business as usual Zero Impact Informed Business Decision on RiskRiskThreat in M&A Special Interest Groups gain from M&A Financial Criminals Competitors Acquisition / Merger Company Disgruntled Employees General Interest Groups
5、 gain from impact Everyone Else Script Kiddies Hackers / Crackers Hacktivists Terrorists Spies Your interest gets attackers interestRisk Publicity and Profile Known Target due to impact on: Resources Technologies Infrastructure Confusion Absorption of “Soft Target” Disgruntled Employees One of the f
6、ew times an Organization is really “shaken up”Risk to You Change in threat model Change in risk model Impacting resources Absorbing unknown Disgruntled employees Creating new attack vectors Creating window of opportunity Business drivers can force this upon you very quicklyAre you equipped for chang
7、e? Major overnight change in Threat Model Multi-site / Global Foreign Nationals Different technologies Different skill requirements Upgrade of data classification Ownership of intellectual property Ownership of controlled technologies Significant change in number of employees Legislative liabilities
8、 GLB, HIPAA, CA customers, etc. Do you know about the change?Risk to Acquisition Change in threat model Change in risk model Impacting resources Absorbing unknown Disgruntled employees Creating new attack vectors Creating window of opportunity Business drivers can force this upon them very quickly A
9、re they equipped for change Your interest gets Attackers interest!Decisions Impacting Security Integration approach Absorption Complete protection against external threat Zero protection against internal threat Access Centralizing systems Integration deadlines Integrating custom applications Integra
10、ting new technologies Anything that annoys employees Re-LocationImportance of ConfidentialityPremature Disclosure of Intent Loss of Key employees Bidding wars SEC Liability Loss of Initiative Loss of Goodwill Target Company 3rd Parties relationships Customer relationshipsImportance of AvailabilityLo
11、ss of Goodwill Loss of Reputation Customers 3rd Parties EmployeesRisk ManagementRole of InfoSec in M&A Allow informed business decisions Risk & Risk Management Target Company value / cost / impact Protect Acquisition process confidentiality Protect your Organization from External threat using proces
12、s impact Internal Target Company threat Protect Target Company from External threat using process impact Internal Target Company threat Protect Target Company assets Enable secure integration Minimize cultural impact Long Term securityInfoSec Negative ImpactProblems Time Cost Scares / Annoys Employe
13、es Feared Cultural Impact Solutions Preparation Early Involvement Clear distinction between Long & Short term solutions Costs may be tax write-off EducationInfoSec Positive Impact Protects your negotiation position Protects liability (SEC) Protects what you are buying Additional skill-set in Due Dil
14、igence Liability - Legal Infrastructure cost IT, Facilities Risk Information Security Information Asset Confidentiality / Integrity Audit depth Skeletons 3rd party involvement Assess additional long term costsBasic Security Strategies Current backups of all critical data and verify before sign-off S
15、anitize the environment Treat target company as 3rd party Separate and secure all critical data Separate and secure all critical systems Migrate custom applications to COTS Identify key employees Mitigate risk through contracts Contract short term staffNon-Compete Agreements 10 year Date of leaving Identify key individuals and require them to sign on the spot make it a deal breaker Sign up whole family if necessary Make employee non-competes unde
