CST 630 UMUC Cybersecurity Security for Successful Acquisition Discussion
Project 3: Enterprise Network Security Start HereBusinesses involved in mergers and acquisitions must exercise due diligence in ensuring that the technology environment of the future organization is robust and adequately protects their information assets and intellectual property. Such an effort requires time and open sharing to understand the physical locations, computing environment, and any gaps to address. Lack of information sharing can lead to a problematic systems integration and hamper the building of a cohesive enterprise security posture for the merged organization.Often, the urgency of companies undergoing a merger and acquisition (M&A) impedes comprehensive due diligence, especially in cybersecurity. This creates greater challenges for the cybersecurity engineering architect, who typically leads the cybersecurity assessment effort and creates the road map for the new enterprise security solution in the future organization. However, the business interest and urgency in completing the merger can also represent an opportunity for CISOs to use additional resources and executive attention on strategic security matters.In this project, you will create a report on system security issues during an M&A. The details of your report, which will also include an executive summary, can be found in the final step of the project.There are nine steps to the project. The project as a whole should take two weeks to complete. Begin with the workplace scenario and then continue to Step 1.DeliverablesCybersecurity System Security Report for Successful Acquisition: Your report should be a minimum 12-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.Executive summary: This is a one-page summary at the beginning of your report.CompetenciesYour work will be evaluated using the competencies listed below.2.1: Identify and clearly explain the issue, question, or problem under critical consideration.5.9: Manages and administers integrated methods, enabling the organization to identify, capture, catalog, classify, retrieve, and share intellectual capital and information content. The methods may include utilizing processes and tools (e.g., databases, documents, policies, procedures) and expertise pertaining to the organization.7.3: Knowledge of methods and tools used for risk management and mitigation of risk.8.7: Provide theoretical basis and practical assistance for all aspects of digital investigation and the use of computer evidence in forensics and law enforcement.Step 2: Review Protocols for Streaming Services After reviewing the policies from the company and the policy gap analysis, the M&A leader asks you about the protocols used by the streaming company. He wants to know if the protocols used would affect the current state of cybersecurity within the current company environment. For this section of the report, review the protocols, explain how they work along with any known vulnerabilities, and how to secure the company from cyberattacks. Start with researching the commonly known streaming protocols and the vulnerabilities of those protocols. Some examples are the Real-Time Streaming Protocol (RTSP), Real-Time Transport Protocol (RTP), and the Real-Time Transport Control Protocol (RTCP).Additionally, the leadership wants to know if any vulnerabilities identified would or could lead to a no-go on the M&A.In other words:You need to identify the kind of streaming that such companies might be doing and the specific technology they would be using.What are the technical vulnerabilities associated with the protocols involved?Have those been mitigated? And to what extent (i.e., has the risk been reduced to zero, reduced somewhat, shifted to a third party, etc.)?What residual risk to the target company's assets and IP remain?Would those risks extend to the current (takeover) company after the merger? Would that be bad enough to cancel the M&A?If the response to the last question is yes, then what should the target company do to further mitigate the risk? How should the takeover company mitigate the risk?What are the costs associated to the target company (implementing the appropriate mitigation)? If the takeover firm has to take additional measures, identify those costs as well.After assessing and reviewing the streaming protocols, move to the next step, where you will assess the infrastructure of the merged network.Step 3: Assess the Merged Network Infrastructure You’ve just reviewed the streaming services of the companies, and now you will assess the infrastructure of the new network. The networks of the two companies could be configured differently, or they could use the same hardware and software, or completely different hardware and software.You need to understand what tools the company is using, the benefits and shortcomings of those tools, and the gaps within the network. Explain in your security report what tactics, techniques, and procedures you would use to understand the network. You should identify firewalls, DMZ(s), other network systems, and the status of those devices.When your assessment of the infrastructure is complete, move to the next step, where you will assess any existing policies for wireless and bring your own device (BYOD) within the companies.Step 4: Review the Wireless and BYOD Policies Within Project 2, you learned about and discussed wireless networks. An M&A provides an opportunity for both companies to review their wireless networks. Within your report, explain the media company's current stance on wireless devices and BYOD. However, the company that is being acquired does not have a BYOD policy. Explain to the managers of the acquisition what needs to be done for the new company to meet the goals of the BYOD policy.When the review of the wireless and BYOD policies is complete, move to the next step: developing a data protection plan.Step 5: Develop a Data Protection Plan You’ve completed the review of the wireless and BYOD policies. In this step, you will develop the recommendations portion of your report in which you will suggest additional mechanisms for data protection at different levels of the acquired company’s architecture.Include the benefits of defense measures such as full disk encryption (BitLocker is an example) and platform identity keys as well as the required implementation activities. You also want to convey to your leadership the importance of system integrity and an overall trusted computing base, environment, and support. Describe what this would entail and include Trusted Platform Module (TPM) components and drivers. How are these mechanisms employed in an authentication and authorization system? Include this in the report and whether the merging company has this.In the next step, you will assess any risks with the supply chain of the acquired company.Step 6: Review Supply Chain Risk The data protection plan is ready. In this step, you will take a look at risks to the supply chain. Acquiring a new company also means inheriting the risks associated with its supply chain and those firm's systems and technologies. Include in your report the supply chain risks and list the security measures in place to mitigate those risks. Use the NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, to explain the areas that need to be addressed.After your supply chain review is complete, move to the next step, where you will create a vulnerability management program.Step 7: Build a Vulnerability Management Program After your supply chain review, you conduct an interview with the company's current cybersecurity team about vulnerability management. The team members explain to you that they never scanned or had the time to build a vulnerability management program. So, you need to build one. Use the NIST Guide to Enterprise Patch Management Technologies, Special Publication 800-40, to develop a program to meet the missing need.Explain to the managers how to implement this change, why it is needed, and any costs involved.The next step is a key one that should not be overlooked—the need to educate users from both companies of the changes being made.Step 8: Educate Users You’ve completed your vulnerability management program, but it’s important to educate all the users of the network about the changes. During the process of acquiring a company, policies, processes, and other aspects are often updated. So the last step in the process is to inform users in both the parent company and the acquired company of the changes. Within your report, explain to the acquisition managers the requirements for training the workforce.When you’ve completed this step, move to the final section of this project, in which you will prepare and submit your final report.Step 9: Prepare and Submit Your Report and Executive Summary You’re ready now for the final step, in which you will compile and deliver the Cybersecurity System Security Report for a Successful Acquisition for the company leaders to enable them to understand the required cybersecurity strategy.Again, keep in mind that companies undergoing an acquisition or merger are more prone to cyberattacks. The purpose of this paper is to analyze the security posture of both companies and to develop a plan to reduce the possibility of an attack.The assignments for this project are as follows:Cybersecurity System Security Report for Successful Acquisition: Your report should be a minimum 12-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.Executive summary: This is a one-page summary at the beginning of your report.Submit both components to the assignment folder.