1. Cybersecurity For A Successful Acquisition Report: (12 page min) w/ Executive Summary
Conduct a Policy Gap Analysis
Executive summary: This is a one-page summary at the beginning of your report.
Are companies going through an M&A prone to more attacks or more focused attacks?
If so, what is the appropriate course of action?
Should the M&A activities be kept confidential?
explain to the executives that before any systems are integrated, their security policies will need to be reviewed
Conduct a policy gap analysis to ensure the target company’s security policies follow relevant industry standards as well as local, state, and national laws and regulations.
Identify what, if any, laws and regulations the target company is subject to.
How would you identify the differences?
How would you learn about the relevant laws and regulations?
How would you ensure compliance with those laws and regulations?
Use PCI standards to identify a secure strategy, and operating system protections to protect the credit card data
Select at least two appropriate requirements from the PCI Standards DSS 12 set of requirements and explain how the controls should be implemented, how they will change the current network, and any costs associated with implementing the change.
Review Protocols for Streaming Services
review the protocols, explain how they work along with any known vulnerabilities, and how to secure the company from cyberattacks.
Identify what streaming the companies are doing and the specific technology they are leveraging.
What are the technical vulnerabilities associated with the protocols involved?
Have those been mitigated? And to what extent (i.e., has the risk been reduced to zero, reduced somewhat, shifted to a third party, etc.)?
What residual risk to the target company’s assets and IP remain?
Would those risks extend to the current (takeover) company after the merger?
a. Would that be bad enough to cancel the M&A?
If the response to #5 is yes, then, what should the target company do to further mitigate the risk? How should the takeover company mitigate the risk?
What are the costs associated to the target company (implementing the appropriate mitigation)? If the takeover firm has to take additional measures, identify those costs as well.
Assess the Merged Network Infrastructure
Explain what tactics, techniques, and procedures you would use to understand the network.
identify firewalls, DMZ(s), other network systems, and the status of those devices.
Review the Wireless and BYOD Policies
Explain the media company’s current stance on wireless devices and BYOD.
Explain to the managers of the acquisition what needs to be done for the new company to meet the goals of the BYOD policy.
Develop a Data Protection Plan
Include the benefits, implementation activities required for protection and defense measures such as full disk encryption, BitLocker, and platform identity keys.
Convey to your leadership the importance of system integrity and an overall trusted computing base, environment, and support
Describe what this would entail and include Trusted Platform Module (TPM) components and drivers.
How are these mechanisms employed in an authentication and authorization system?
Review Supply Chain Risk
Include supply chain risks and list the security measures in place to mitigate those risks.
Use the NIST Special Publication 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations to explain the areas that need to be addressed.
Build a Vulnerability Management Program
Use NIST Special Publication 800-40 Guide to Enterprise Patch Management Technologies to develop a program to scan and build a vulnerability management program
Explain to the managers how to implement this change, why it is needed, and any costs involved.
Educate Users
Inform the users for the new and old company of the changes, including policies, processes, and other aspects that were updated
Explain to the acquisition managers the requirements for training the workforce.