Enterprise Network Security
Identify the differences between the laws and regulations the acquiring company is subject to.
Project Goal: You will develop a cybersecurity report for a successful acquisition during an M&A that details the cybersecurity posture of the target company, the trusted mechanisms to incorporate, and the remedies to implement in order to prevent threats and exploits. You suspect that the streaming company may be using older, unsupported versions of Microsoft Windows and Adobe Acrobat. A further challenge is that your media and entertainment company does not have staff with the technical know-how to assess the security of a technology-oriented streaming company. Make sure that these issues are also addressed in your report.
Deliverables: Cybersecurity System Security Report for Successful Acquisition with Executive Summary.
Step 1: Conduct a Policy Gap Analysis
“Policy Gap Analysis” section
● Find actual or think about fictional security policies of a media streaming company.
● Identify what, if any, laws and regulations the target company is subject to.
● Identify the differences between the laws and regulations the acquiring company is subject to.
● Use the 12 requirements of the PCI Data Security Standard (PCI DSS) and the PCI DSS Quick Reference Guide to identify a secure strategy and the operating system protections needed to protect credit card data.
● Select at least two appropriate requirements from the 12 PCI DSS requirements and explain
○ how the controls should be implemented,
○ how they will change the current network, and
○ any costs associated with implementing the change.
● Explain how you would ensure that the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies.
Step 2: Review Protocols for Streaming Services
“Protocols for Streaming Services” section
● Identify whether any of the existing vulnerabilities would or could lead to a no-go decision on the M&A.
● Review common streaming protocols,
○ explain how they work,
○ describe any known vulnerabilities,
○ explain how to secure the new company from cyber attacks.
● M&A related questions.
○ What are the technical vulnerabilities associated with the protocols the target company is using?
○ Have those been mitigated? And to what extent (i.e., has the risk been reduced to zero, reduced somewhat, shifted to a third party, etc.)?
○ What residual risk to the target company’s assets and IP remains?
○ Would those risks extend to the current (takeover) company after the merger, and would that be serious enough to cancel the M&A? If yes, what should the target company do to further mitigate the risk, and how should the takeover company mitigate it?
○ What are the costs to the target company of implementing the appropriate mitigation? If the takeover firm has to take additional measures, identify those costs as well.
Step 3: Assess the Merged Network Infrastructure
“Merged Network Infrastructure” section
● Describe the network infrastructure of the target company.
● Understand what tools the company is using, the benefits and shortcomings of those tools, and the gaps within the network.
● Describe what tactics, techniques, and procedures you would use to understand their network.
○ Make sure that you identify critical assets on the network, such as firewalls, DMZ(s) and other physical or logical subnetworks, other critical network components such as servers, databases, IDS, IPS devices, and the status of those components.
Step 4: Review the Wireless and BYOD Policies
“Wireless and BYOD Policies” section
● Explain the media company’s current stance on wireless devices and BYOD.
● Since the company that is being acquired does not have a BYOD policy, explain to the managers of the acquisition what needs to be done for the new company to meet the goals of the BYOD policy.
Step 5: Develop a Data Protection Plan
“Data Protection Plan” section
● In the recommendations portion of your report, suggest additional mechanisms for data protection at different levels of the acquired company’s architecture.
● Describe the benefits of, and the implementation activities required for, protection and defense measures such as
○ full disk encryption,
○ BitLocker, and
○ platform identity keys,
○ the importance of system integrity,
○ an overall trusted computing base, environment, and support.
■ Describe what this would entail, including Trusted Platform Module (TPM) components and drivers.
● How are these mechanisms employed in an authentication and authorization system?
○ Describe whether the merging company has these and, if not, why not.
Step 6: Review Supply Chain Risk
“Supply Chain Risk” section
● Describe the supply chain risks associated with the target company and list the security measures in place to mitigate those risks.
● Explain the areas that need to be addressed.
Step 7: Build a Vulnerability Management Program
“Vulnerability Management Program” section
● Use NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, to develop a vulnerability management program that meets the identified gap.
● Explain to the managers
○ how to implement this change,
○ why it is needed, and
○ any costs involved.
Step 8: Educate Users
“Training requirements” section
● Inform the users of the new and old company of the necessary changes.
○ Describe which of the policies, procedures, processes, standards and other areas that you reviewed must be updated.
● Explain to the acquisition managers the requirements for training the workforce.
Step 9: Prepare the Report and Executive Summary
● Executive summary: This is a one-page summary at the beginning of your report.
● Cybersecurity System Security Report for Successful Acquisition: Your report should be a minimum 12-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations.