Cybersecurity System Security Report for Successful Acquisition
The merger and acquisition (M&A) process presents security issues for the organizations involved. These security issues can result in a cyber-attack during and after the M&A activities. To address them, a policy gap analysis is required. The policy gap analysis notes the differences between the policies of the two organizations and defines new policies that cover the operations of the merged organization. Since one of the organizations involved in the M&A is a media streaming company that accepts credit card payments from customers, the PCI DSS requirements must also be defined. Defining the PCI DSS requirements ensures that the organization adheres to the measures required to protect user information and credit card transactions. Security issues might also arise after the acquisition of the media streaming company because of the protocols it uses to deliver streaming services. Therefore, a review of these protocols is necessary to consider their various vulnerabilities.
The organizations involved in the M&A might have different infrastructures. This might present challenges when merging the infrastructures of the organizations. Hence, an assessment of the merged network infrastructure should be conducted. The assessment of the merged network infrastructure should include the identification of security measures such as firewalls and demilitarized zones (DMZs). Wireless and bring-your-own-device (BYOD) policies should also be considered. This involves reviewing the security challenges posed by wireless and BYOD policies and proposing security measures to address them. Similar approaches should also be adopted to review the supply chain risks and the vulnerability management definition. Since the employees of the merged organization are from both organizations, a user education program should be defined to address the various responsibilities of the employees as well as the security issues that affect the employees.
Policy Gap Analysis
The implementation of a merger and acquisition involving a media streaming company presents vulnerabilities that attackers can exploit to conduct cyber-attacks targeting the organizations in question. Various cybersecurity policies may not be implemented effectively during a merger and acquisition. Therefore, a policy gap analysis is necessary to identify the vulnerabilities that attackers can exploit. The aim of the policy gap analysis should be to ensure the confidentiality, availability, and integrity of the data from both organizations. The implementation of the merger should take into consideration the various risks likely to affect the organizations during the merger and define policies that prevent those risks from materializing (Jardine, 2014).
Organizations should consider various aspects during the merger. One of the aspects is maintaining the confidentiality of the M&A activities. The initial action of the cyber kill chain involves attackers identifying potential victims. The M&A activities present an opportunity for attackers to initiate attacks that can compromise the security of the organization. By keeping the M&A activities confidential, the organizations reduce the possibility of attackers being aware of the merger and, consequently, the possibility of attackers initiating attacks during the M&A. Another aspect that the organizations should consider is the implementation of the various required policies. One of these is the compliance policy. The organizations should ensure that they comply with the policies defined by the industry or by the federal and state governments. Additionally, organizations should implement security policies that address the internal and external threats that are likely to occur in the organization.
One of the activities that the organizations involved in the M&A should take into consideration is conducting a risk assessment. The risk assessment identifies and prioritizes the various risks that can occur as the organizations undergo M&A activities. The possible security measures that can be implemented to prevent the occurrence of those risks are then recommended. The policy gap analysis should include the risk assessment conducted in the organizations.
Apart from addressing the risks likely to occur in the organization, the policy gap analysis should also take into consideration the various policies already defined in the organizations involved in the M&A. This can include the policies that define the physical accessibility of the organizations, the policies that define the network security of the organizations’ networks, as well as the policies that address the issue of network users in the organizations. The policy gap analysis should consolidate the different policies in the different identified sectors to ensure that the best policies are adopted following the completion of the M&A (Mikoluk, 2013).
Another crucial component of the policy gap analysis is the consideration of the various standards that protect the financial records and activities as well as the legal aspects of the organizations. This includes the organizations taking into consideration the security measures that can be implemented to protect the personally identifiable information (PII) of their users. The media streaming company being acquired has 150,000 customers who pay an average of $14.99 monthly. One of the aspects to consider while merging with and acquiring this company is the privacy of the customers' PII as well as their credit card information. This can be achieved by adhering to the guidelines provided by the Health Insurance Portability and Accountability Act, which aims at protecting the PII of the customers. Additionally, since the organization allows customers to use credit cards to pay for their services, the Payment Card Industry Data Security Standard (PCI DSS) requirements should be implemented in the organization.
The requirements defined by the PCI DSS aim to provide a framework that organizations can implement to protect credit card data and PII. One of the PCI DSS requirements is ensuring that data at rest, including PII and credit card data, is protected. Additionally, data in transit should also be protected from unauthorized access. Protecting data in transit can be achieved through the implementation of data encryption algorithms. The organization should also implement antivirus and antimalware software to protect itself from malware and virus attacks, and that software should be updated regularly. Access to credit card information should also be restricted using various access control measures. The deployment of firewalls and access control lists can also increase the security of credit card information and PII. Also, the organization should implement network monitoring tools to keep track of the network users who access credit card information and PII. Network users are crucial in maintaining the security of credit card data and PII. Therefore, the organization should conduct security awareness training for the employees to ensure they are aware of the various vulnerabilities that attackers can exploit and the appropriate measures to implement to protect the data in the organization. The media streaming company being acquired should also be reviewed to ensure it adheres to the various PCI DSS requirements (Ryan Technical Services, n.d.).
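The paragraph above lists three of the PCI DSS controls (render stored card data unreadable, restrict access to it by role, and monitor who accesses it) without showing what they look like in code. The following is an added example written for this report, not code from the paper or from any PCI DSS publication: it keeps only a keyed one-way token and a masked form of the card number, enforces a role table, and records every read attempt, allowed or denied. The PAN is a well-known Luhn-valid test number, the key and the role table are constructed for the example, and a real deployment would keep the key in an HSM or key-management service rather than in source code.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed test values for this example: a publicly known Luhn-valid test
# PAN (not a real account) and a throwaway key. In production the key would
# live in an HSM or key-management service, never in source code.
TEST_PAN = "4111111111111111"
TEST_KEY = b"example-only-key-replace-in-production"

# Hypothetical role model: which roles may read which representation of a card.
ROLE_PERMISSIONS = {
    "billing": {"masked", "token"},
    "support": {"masked"},
    "marketing": set(),
}


def luhn_valid(pan: str) -> bool:
    """Check the PAN's Luhn check digit (catches typos, not fraud)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup token so the
    PAN itself never has to be stored."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class CardholderDataStore:
    """Stores only the token and masked form, enforces role-based access and
    writes an audit entry for every access attempt, allowed or denied."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}
        self.audit_log = []

    def _log(self, user, role, customer_id, field, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "customer": customer_id,
            "field": field, "outcome": outcome,
        })

    def store(self, customer_id: str, pan: str) -> None:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        self._records[customer_id] = {
            "token": tokenize_pan(pan, self._key),
            "masked": mask_pan(pan),
        }

    def read(self, user: str, role: str, customer_id: str, field: str) -> str:
        allowed = (field in ROLE_PERMISSIONS.get(role, set())
                   and customer_id in self._records)
        self._log(user, role, customer_id, field, "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {field} for {customer_id}")
        return self._records[customer_id][field]

    def denied_attempts(self) -> list:
        """Denied reads are the entries a monitoring team would review first."""
        return [e for e in self.audit_log if e["outcome"] == "denied"]


if __name__ == "__main__":
    store = CardholderDataStore(TEST_KEY)
    store.store("cust-001", TEST_PAN)
    print(store.read("alice", "billing", "cust-001", "masked"))
    try:
        store.read("carol", "marketing", "cust-001", "masked")
    except PermissionError as exc:
        print("denied:", exc)
    print(len(store.denied_attempts()), "denied attempt(s) in the audit log")
```

The point of the design is that a breach of the store yields no usable card numbers, a compromised support account cannot retrieve the token, and the audit log captures the failed attempt, which is what the monitoring requirement is meant to surface.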
Protocols for Streaming Services
Since the organization is acquiring a media streaming company, it is essential to address the various protocols media streaming organizations use to deliver their services to their customers. One of the protocols used in the media streaming company is the Real-Time Streaming Protocol (RTSP). RTSP is responsible for creating and managing sessions between the clients and the servers of the media streaming company. The management operations offered by RTSP can include playing, pausing, skipping, and rewinding. The responsibility of RTSP stops at establishing and managing sessions between the clients and servers. Other protocols handle the media transfer itself. One such protocol is the Real-Time Transport Protocol (RTP). RTP uses the User Datagram Protocol (UDP) to deliver video and audio from a server to a client. The use of UDP by RTP increases transmission speed since UDP is a connectionless protocol. While the responsibility of delivering the video and audio to the clients rests on RTP, the responsibility of sending the control packets rests on the Real-Time Transport Control Protocol (RTCP). RTCP addresses the quality of service of the media transmission conducted by RTP. Since RTP uses connectionless UDP, some packets might be lost or delayed during transmission. RTCP provides information about lost or delayed packets (Hao & Dong, 2002).
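To make the RTCP feedback described above concrete, here is an added example (written for this report, not taken from the paper or from any streaming product) that parses an RTCP Receiver Report as laid out in RFC 3550 and extracts the loss and jitter figures a receiver sends back about an RTP source. The packet bytes are hand-assembled for the example rather than captured from a real stream, and the 5% loss threshold in `degraded_sources` is an assumed operational value. The parser checks the length and report-count fields against the bytes actually present before reading any report block, which is the kind of input validation that the software-defect discussion later in this section calls for.

```python
import struct

RTCP_RECEIVER_REPORT = 201   # payload type for a Receiver Report (RFC 3550)
HEADER_LEN = 8               # common header (4 bytes) + reporter SSRC (4 bytes)
BLOCK_LEN = 24               # size of one report block

# Constructed sample: a single RTCP Receiver Report with one report block,
# hand-assembled for this example (not captured from any real stream).
SAMPLE_RR = bytes([
    0x81, 0xC9, 0x00, 0x07,   # V=2, P=0, RC=1 | PT=201 | length=7 (32-bit words minus one)
    0x11, 0x22, 0x33, 0x44,   # SSRC of the receiver that sends the report
    0xAA, 0xBB, 0xCC, 0xDD,   # SSRC of the media source being reported on
    0x1A, 0x00, 0x00, 0x07,   # fraction lost = 26/256 | cumulative packets lost = 7
    0x00, 0x00, 0x04, 0xB0,   # extended highest sequence number received = 1200
    0x00, 0x00, 0x00, 0x1E,   # interarrival jitter = 30 timestamp units
    0x00, 0x00, 0x00, 0x00,   # last SR timestamp (LSR): no sender report seen yet
    0x00, 0x00, 0x00, 0x00,   # delay since last SR (DLSR)
])


def parse_receiver_report(packet: bytes) -> dict:
    """Parse an RTCP Receiver Report, rejecting packets whose header fields
    disagree with the bytes actually present."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RTCP header")
    first, pt, length_words = struct.unpack("!BBH", packet[:4])
    version = first >> 6
    padding = (first >> 5) & 1
    report_count = first & 0x1F
    if version != 2:
        raise ValueError(f"unsupported RTCP version {version}")
    if pt != RTCP_RECEIVER_REPORT:
        raise ValueError(f"payload type {pt} is not a receiver report")
    # The length field counts 32-bit words minus one; trust it only after
    # checking it against the real packet size.
    declared_len = (length_words + 1) * 4
    if declared_len > len(packet):
        raise ValueError("length field claims more bytes than were received")
    if HEADER_LEN + report_count * BLOCK_LEN > declared_len:
        raise ValueError("report count does not fit in the declared length")
    sender_ssrc = struct.unpack("!I", packet[4:8])[0]
    reports = []
    for i in range(report_count):
        off = HEADER_LEN + i * BLOCK_LEN
        ssrc, loss_word, ext_seq, jitter, lsr, dlsr = struct.unpack(
            "!IIIIII", packet[off:off + BLOCK_LEN])
        fraction_lost = loss_word >> 24            # high byte, in units of 1/256
        cumulative_lost = loss_word & 0x00FFFFFF   # low 24 bits, signed
        if cumulative_lost & 0x800000:
            cumulative_lost -= 1 << 24
        reports.append({
            "ssrc": ssrc,
            "fraction_lost": fraction_lost,
            "loss_percent": fraction_lost * 100 / 256,
            "cumulative_lost": cumulative_lost,
            "highest_seq": ext_seq,
            "jitter": jitter,
            "last_sr": lsr,
            "delay_since_last_sr": dlsr,
        })
    return {"version": version, "padding": bool(padding),
            "sender_ssrc": sender_ssrc, "reports": reports}


def degraded_sources(report: dict, max_loss_percent: float = 5.0) -> list:
    """SSRCs whose loss since the last report exceeds the (assumed) threshold."""
    return [r["ssrc"] for r in report["reports"] if r["loss_percent"] > max_loss_percent]


if __name__ == "__main__":
    parsed = parse_receiver_report(SAMPLE_RR)
    for r in parsed["reports"]:
        print(f"source {r['ssrc']:#010x}: {r['loss_percent']:.2f}% lost since last report, "
              f"{r['cumulative_lost']} lost in total, jitter {r['jitter']}")
    print("degraded:", [f"{s:#010x}" for s in degraded_sources(parsed)])
```

Because RTCP travels over the same connectionless UDP path as the media, a receiver that parses these reports has to treat every length and count field as untrusted; the three `ValueError` branches above are where a naive parser would otherwise read past the end of the datagram.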
Different vulnerabilities can affect the efficiency of the various protocols used by media streaming companies to facilitate the media streaming services offered. One of the vulnerabilities is the software defects that can be present in the media streaming company. Various software is involved in media streaming services, including the software that facilitates the interaction between the clients and the servers or even the software that is involved in facilitating the transfer of video and audio data to the customers. Any defects in this software present the opportunity for the attackers to compromise the security of the organization. The M&A presents an opportunity for attackers to identify the possible defects that exist in the various software used by the media streaming company. Therefore, extra security measures should be taken into consideration to prevent the defects identified in the software from being exploited by attackers. Another vulnerability that can occur in the media streaming company is physical access to the system. During the M&A, various new individuals from the organization acquiring the media streaming company can visit the media streaming company. An attacker can forge the credentials of the organization and use them to gain access to the media streaming company. This physical access to the media streaming company makes it possible for the attacker to initiate an attack, such as installing sniffers in the open ports in the company. Additionally, poorly defined configurations in the organization make it possible for attackers to gain unauthorized access to the company’s system.
The media streaming company can mitigate the identified vulnerabilities that attackers can exploit, which prevents the associated risks from being inherited by the acquiring organization. Examples of security measures used to mitigate the vulnerabilities are intrusion detection systems (IDS) and intrusion prevention systems (IPS), as well as network monitoring tools that can identify unauthorized devices connected to the company’s network. Additionally, conducting risk assessments in the organization can be useful in identifying defects in the software used by the company as well as poor security configurations in the network. Therefore, the media streaming company should address the identified vulnerabilities before the M&A activities.
Merged Network Infrastructure Assessment
The execution of the M&A involving the media streaming company can present issues in the merger due to the network infrastructures used in both organizations. These issues can arise due to the possibility of both organizations having different infrastructures, such as different deployment methods where one organization might have deployed its infrastructure in a cloud environment. Additionally, the software used in the media streaming company might be different from the other organization. Therefore, an assessment of the network infrastructure and a proposal that will define the merged network infrastructure should be considered.
A crucial component of the merged network infrastructure is the hardware and software supporting the various business activities of both organizations. The merged network infrastructure should be able to address the business needs of the organization acquiring the media streaming company as well as the business needs of the media streaming company. The merged network infrastructure should incorporate the hardware and software used in both organizations. Should any incompatibility issues arise during the definition of the merged network infrastructure, either organization can change its platform to ensure its hardware and software are compatible with those of the other organization.
The assessment of the merged network infrastructure should also involve the various policies defined in both organizations. Before the M&A, both organizations had implemented policies and guidelines. These policies and guidelines might differ since the organizations might be in different sectors. Therefore, the incorporation of the policies and guidelines defined in both organizations is essential while conducting the merged network infrastructure assessment. Similarly, both organizations might have implemented different security measures to protect the organizations from cyber-attacks. Therefore, the assessment should address the security measures for both organizations and ensure they are addressed in the merged network infrastructure.
Addressing the security policies defined in both organizations requires noting the various security systems in use. These security measures can include firewalls, demilitarized zones (DMZs), and even intrusion detection systems (IDS) and intrusion prevention systems (IPS). The devices used to protect each organization’s network can differ. Hence, the merged network infrastructure should note which devices from both organizations would be essential in ensuring the merged organization is protected from cyber-attacks. In both organizations, various employees might have been given varying authorizations, which granted or restricted their access to various data. The implementation of access control in the merged network infrastructure is also crucial in ensuring the security of the merged company. Therefore, the individuals involved in addressing the information systems part of the M&A and the chief information security officer (CISO) should consider the access control policies defined in both organizations and define new policies that will apply to the employees of the merged company.
Wireless and BYOD Policies
Over the years, the capabilities of mobile devices such as smartphones, tablets, and laptops have increased. The increase in capabilities, as well as their flexibility, increases the advantages that they provide in organizations. Therefore, the organization intending to acquire the media streaming company has not only implemented wireless networking but also allowed bring-your-own-device (BYOD) policies in the organization. The wireless network in the organization enables employees to use mobile devices anywhere in the organization. The BYOD policy allows employees to use their own devices to access the wireless network in the organization. Implementing wireless and BYOD policies in any organization presents various vulnerabilities that attackers can exploit to compromise the security of the organization. Therefore, while the M&A presents an opportunity for the merged organization to implement the wireless and BYOD policies, the organization should also implement security measures to address the vulnerabilities presented by those policies.
One of the security measures that the organization should implement is securing the wireless networks. This can be done by changing the default passwords of the wireless access points and implementing strong passwords that make it difficult for attackers to guess them and use the access points to reach the organization’s network. The wireless network can also be secured using the Wi-Fi Protected Access (WPA) security standard. Since WPA offers better data encryption and authentication than its predecessor, Wired Equivalent Privacy (WEP), the use of WPA is recommended. Additional security can be achieved by using the WPA2 security standard, which addresses the shortcomings noted in the WPA standard (Noor & Hassan, 2013).
The BYOD policy presents a larger security vulnerability than wireless networking. This is because, after compromising BYOD devices, attackers can gain access to the information stored on the devices or use the devices to access the organization’s network. Additionally, the communication between the BYOD devices and the organization’s network can be compromised, allowing the attacker to gain access to the data in transit. Compromising the security of mobile devices can involve the execution of malware or viruses on the devices. Therefore, the organization should ensure that antimalware and antivirus applications are installed on the mobile devices used by the employees. In addition, the organization should conduct mobile device management, which involves monitoring and managing the devices used by the employees. While implementing mobile device management, the organization should take into consideration various policies that address the privacy of the organization’s employees. The security of the data in transit over the wireless networks can be implemented through data encryption protocols and virtual private networks (VPNs) to secure remote communication. The virtual private network creates a secure tunnel between the remote mobile devices and the organization’s network, making it difficult for attackers to access the transmitted data. Some encryption algorithms that can be implemented in the organization include the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES). Therefore, the implementation of these security measures allows the new company to meet the goals of the BYOD policy (Noor & Hassan, 2013).
Data Protection Plan
The implementation of a single security measure in the organization does not provide full protection against the various types of attacks that can occur in the organization. Therefore, to address the different types of attacks that are likely to occur, the acquired company should implement other security measures in addition to the defined wireless and BYOD policies. The acquired company has various devices that might contain crucial data. Full-disk encryption is one of the recommended security mechanisms that can be implemented to protect the data on the various devices used in the organization. The implementation of full-disk encryption can involve the use of BitLocker software. Full-disk encryption encrypts the contents of a disk and requires the user to provide a decryption key before being allowed to access the data on the disk. The use of full-disk encryption prevents individuals without the decryption key, who may well be unauthorized, from accessing the contents of the disk. Data encryption is a crucial component of the security measures that can be implemented in an organization. Encryption can prevent unauthorized individuals from accessing the various data available in the organization, whether at rest, in transit, or in use. Since the media streaming company accepts credit cards as a mode of payment, data encryption is required to adhere to the guidelines defined by the PCI DSS.
The data protection plan of the organization can also include the use of the Trusted Platform Module (TPM). In addition to full-disk encryption, the organization can also adopt the TPM. The TPM is a microcontroller that provides additional cryptographic protection in the organization. One of the uses of the TPM is to ensure that the various devices and software used in the organization maintain their integrity. In most cases, the presence of malicious software in a system changes the operation of the devices and software. Therefore, using the TPM allows the system administrator to be notified when the system is not performing as specified. Another use of the TPM is the protection of keys used in the encryption and decryption of data. An example of this is BitLocker, which can use the TPM to protect the keys used in implementing full-disk encryption on a system. Another use of the TPM is password protection: the TPM gives a user a defined number of password attempts and protects the system from attackers that might try to guess the user’s password (Bajikar, 2002).
Supply Chain Risks
The acquisition of a company means that the acquiring company is going to inherit the different technologies and systems used in the acquired company. Similarly, the acquiring company is also going to inherit the various supply chain risks of the acquired company. Various supply chain risks can occur in an organization, arising from the involvement of third parties and vendors in the activities performed by the organization. One of the areas to consider when inheriting supply chain risks is the provision of devices, software, and services that have hidden malicious intentions. The implementation of these devices, software, and services in the organization can lead to cyber-attacks. An example of this is when a vendor supplies a network device in which they have defined a backdoor, allowing the vendor to gain unauthorized access to the organization’s network. Another risk that the organization is likely to inherit is the provision of counterfeit products by third parties. Counterfeit products are often of poor quality when compared to original products. Therefore, the poor quality of counterfeit products presents the risk of the devices failing or lacking adequate security measures, allowing attackers to access the organization’s network (Boyens et al., 2015).
There are various ways in which an organization can avoid supply chain risks. One of them is conducting thorough reputation checks of the vendors and third parties inherited from the acquired company. Additionally, the organization can rely on the trusted vendors and third parties that it used before acquiring the other organization. Another measure for mitigating supply chain risks is defining new contracts with the third parties involved with the acquired company. The identification of counterfeit products can include testing the products before using them in the organization. Testing can reveal any vulnerabilities present in the products as well as confirm their authenticity.
Vulnerability Management Program
In an organization, there can exist different vulnerabilities that attackers can exploit to conduct cyber-attacks. The vulnerability management program involves identifying these vulnerabilities and implementing measures to mitigate them. Attackers are constantly devising new methods of attack, and the continuous development of new attack methods means that new vulnerabilities may be identified in an organization’s security system at any time. Therefore, the organization should conduct vulnerability management regularly.
Either third parties or the organization’s employees can conduct the organization’s vulnerability management program. The initial process of the vulnerability management program is identifying the various vulnerabilities present in the organization, which can include the use of a vulnerability scanner. The identified vulnerabilities are then prioritized, with the vulnerability likely to cause the highest impact given the highest priority. Security measures to address the prioritized vulnerabilities are then recommended.
The vulnerability management program should then define how the proposed security measures would be implemented. Implementing security measures to address the vulnerabilities can include installing patches in the system (Souppaya & Scarfone, 2013). Additionally, it can include changing vulnerable system configurations. Similarly, the vulnerability management program also includes the definition of additional security measures. After the execution of security measures to address vulnerabilities in the system, the organization has to assess the security measures to identify the effectiveness of the implemented measures. The assessment also provides an opportunity for the organization to identify other vulnerabilities that were not initially identified.
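The two paragraphs above describe a cycle: scan, prioritize by impact, remediate (patch or reconfigure), then scan again to confirm the fix and catch anything missed. As an added illustration (written for this report, not part of the paper or of any scanner product), the following code carries that cycle through on constructed scanner output. The vulnerability identifiers are placeholders rather than real CVE numbers, and the scoring weights, criticality scale, and remediation deadlines are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifiers, not real CVE numbers
    cvss: float             # base score 0.0-10.0 as reported by the scanner
    internet_facing: bool   # exposure: reachable from the Internet?
    asset_criticality: int  # 1 = low, 2 = medium, 3 = high (assumed scale)


def priority_score(f: Finding) -> float:
    """Weight the scanner's severity by how exposed and how important the asset is.
    The 1.5x exposure multiplier is an assumption for this example."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= 1.5
    return round(score, 2)


def remediation_deadline_days(score: float) -> int:
    """Assumed remediation SLA tiers derived from the priority score."""
    if score >= 30:
        return 7
    if score >= 15:
        return 30
    return 90


def prioritize(findings):
    """Highest-impact findings first; ties broken deterministically by asset and id."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.asset, f.vuln_id))


def remediation_status(before, after):
    """Compare the pre- and post-remediation scans: what was fixed, what is
    still open, and what the second scan found for the first time."""
    key = lambda f: (f.asset, f.vuln_id)
    b = {key(f) for f in before}
    a = {key(f) for f in after}
    return {
        "fixed": sorted(b - a),
        "still_open": sorted(b & a),
        "newly_found": sorted(a - b),
    }


# Constructed scanner output for this example (hosts and ids are made up).
FIRST_SCAN = [
    Finding("stream-edge-01", "VULN-EXAMPLE-001", 7.5, True, 3),
    Finding("billing-db-01", "VULN-EXAMPLE-002", 9.8, False, 3),
    Finding("hr-laptop-17", "VULN-EXAMPLE-003", 9.8, False, 1),
    Finding("stream-edge-01", "VULN-EXAMPLE-004", 4.3, True, 3),
]
SECOND_SCAN = [
    Finding("billing-db-01", "VULN-EXAMPLE-002", 9.8, False, 3),
    Finding("hr-laptop-17", "VULN-EXAMPLE-003", 9.8, False, 1),
    Finding("billing-db-01", "VULN-EXAMPLE-005", 6.1, False, 3),
]


if __name__ == "__main__":
    for f in prioritize(FIRST_SCAN):
        s = priority_score(f)
        print(f"{s:6.2f}  fix within {remediation_deadline_days(s):2d} days  "
              f"{f.asset:15s} {f.vuln_id}")
    print(remediation_status(FIRST_SCAN, SECOND_SCAN))
```

Note that the CVSS 9.8 finding on the HR laptop ranks below a CVSS 7.5 finding on the Internet-facing streaming edge: the scanner's severity alone is not the impact the paragraph asks the program to prioritize on. The `newly_found` list is the mechanism by which the assessment step surfaces vulnerabilities the first scan did not identify.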
User Education Program
Following an M&A, the employees of either organization might have difficulty understanding the extent of their roles in the new company and the different policies and guidelines defined in it. Therefore, to ensure a smooth transition for the employees, conducting user education is essential to the process. One of the aspects of the new organization that the employees have to be educated on is the various policies and guidelines defined in the new organization. This can include the various services and operations of the new organization. Some services might not have been implemented in one of the merged organizations, so the employees should be educated on these services. The access control requirements of the employees, as well as the extent of the employees’ responsibilities, are also defined in user education.
During a vulnerability assessment, one of the aspects identified as facilitating attacks in an organization is the network users. The employees of the organization are vulnerable to social engineering attacks that target uninformed employees. To prevent attacks that employees facilitate, the user education and training program is an effective platform to educate the employees on the various vulnerabilities and security issues they pose to the organization’s security. Teaching the employees about the various ways that cyber-attacks can occur in the organization should also involve an explanation of the security measures that they can employ. This can include the use of strong passwords or the use of multifactor authentication. Since the organization will implement wireless and BYOD policies, the requirements for implementing those policies should also be explained. This can include making the employees aware that their mobile devices will be monitored and can be managed by the CISO. The security measures should also define how the employees would be responsible for securing the credit card information of the organization’s customers.
References
Bajikar, S. (2002). Trusted platform module (TPM) based security on notebook PCs (white paper). Mobile Platforms Group, Intel Corporation.
Boyens, J., Paulsen, C., Moorthy, R., Bartol, N., & Shankles, S. A. (2015). Supply chain risk management practices for federal information systems and organizations. NIST Special Publication 800-161.
Hao, L., & Dong, H. (2002). The video technology on Internet based on RTP/RTCP. Application Research of Computers, 10.
Jardine, J. (2014, July 22). Policy gap analysis: Filling the gaps [Blog post]. https://blog.secureideas.com/2014/07/policy-gap-analysis-filling-gaps.html
Mikoluk, K. (2013, July 23). Gap analysis template: The 3 key elements of effective gap analysis [Blog post]. https://blog.udemy.com/gap-analysis-template/
Noor, M. M., & Hassan, W. H. (2013). Wireless networks: Developments, threats and countermeasures. International Journal of Digital Information and Wireless Communications (IJDIWC), 3(1), 125-140.
Ryan Technical Services. (n.d.). PCI DSS compliance. http://ryantech.com/pci-dss-compliance
Souppaya, M., & Scarfone, K. (2013). Guide to enterprise patch management technologies. NIST Special Publication 800-40.
Businesses involved in mergers and acquisitions must exercise due diligence in ensuring that the technology environment of the future organization is robust and adequately protects their information assets and intellectual property. Such an effort requires time and open sharing to understand the physical locations, computing environment, and any gaps to address. Lack of information sharing can lead to a problematic systems integration and hamper the building of a cohesive enterprise security posture for the merged organization.
Often the urgency of companies undergoing a merger and acquisition (M&A) impedes comprehensive due diligence, especially in cybersecurity. This creates greater challenges for the cybersecurity engineering architect, who typically leads the cybersecurity assessment effort and creates the roadmap for the new enterprise security solution for the future organization. However, the business interest and urgency in completing the merger can also represent an opportunity for CISOs to leverage additional resources and executive attention on strategic security matters.
In this project, you will create a report on system security issues during an M&A. The details of your report, which will also include an executive briefing and summary, can be found in the final step of the project.
Step 1: Conduct a Policy Gap Analysis
As you begin Step 1 of your system security report on cybersecurity for mergers and acquisitions, keep in mind that the networks of companies going through an M&A can be subject to cyberattack. As you work through this step and the others, keep these questions in mind:
- Are companies going through an M&A prone to more attacks or more focused attacks?
- If so, what is the appropriate course of action?
- Should the M&A activities be kept confidential?
Now, look at the existing security policies in regard to the acquisition of the media streaming company. You have to explain to the executives that before any systems are integrated, their security policies will need to be reviewed.
Conduct a policy gap analysis to ensure the target company’s security policies follow relevant industry standards as well as local, state, and national laws and regulations. In other words, you need to make sure the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies. This step would also identify what, if any, laws and regulations the target company is subject to. If those are different from the laws and regulations the acquiring company is subject to, then this document should answer the following questions:
- How would you identify the differences?
- How would you learn about the relevant laws and regulations?
- How would you ensure compliance with those laws and regulations?
The streaming company that is being acquired has a current customer base of 150,000 users, who on average pay $14.99 in monthly fees. Based on the overall income, use the 12 PCI DSS requirements and the PCI DSS Quick Reference Guide to identify a secure strategy and operating system protections to protect the credit card data.
Select at least two appropriate requirements from the 12 PCI DSS requirements and explain how the controls should be implemented, how they will change the current network, and any costs associated with implementing the change.
In the next step, you will review the streaming protocols that the companies are using.
Step 2: Review Protocols for Streaming Services
After reviewing the policies from the company and the policy gap analysis, the M&A leader asks you about the protocols used by the streaming company. He wants to know if the protocols used would affect the current state of cybersecurity within the current company environment. For this section, review the protocols, explain how they work along with any known vulnerabilities, and how to secure the company from cyberattacks. Start with researching the commonly known streaming protocols and the vulnerabilities of those protocols. Some examples are the Real-Time Streaming Protocol (RTSP), Real-Time Transport Protocol (RTP) and the Real-Time Transport Control Protocol (RTCP).
Additionally, the leadership wants to know if any vulnerabilities identified would or could lead to a no-go on the M&A.
In other words:
1. You need to identify what streaming the companies are doing and the specific technology they are leveraging.
2. What are the technical vulnerabilities associated with the protocols involved?
3. Have those been mitigated? And to what extent (i.e., has the risk been reduced to zero, reduced somewhat, shifted to a third party, etc.)?
4. What residual risk to the target company’s assets and IP remains?
5. Would those risks extend to the current (takeover) company after the merger?
   a. Would that be bad enough to cancel the M&A?
6. If the response to #5 is yes, then what should the target company do to further mitigate the risk? How should the takeover company mitigate the risk?
7. What are the costs associated with the target company implementing the appropriate mitigation? If the takeover firm has to take additional measures, identify those costs as well.
After assessing and reviewing the streaming protocols, move to the next step, where you will assess the infrastructure of the merged network.
Step 3: Assess the Merged Network Infrastructure
You’ve just reviewed the streaming services of the companies, and now you will assess the infrastructure of the new network. The networks of the two companies could be configured differently; they could use the same hardware and software, or completely different hardware and software.
The purpose of this section is to understand what tools the company is using, the benefits and shortcomings of those tools, and the gaps within the network. Explain what tactics, techniques, and procedures you would use to understand the network. You should identify firewalls, DMZ(s), other network systems, and the status of those devices.
When your assessment of the infrastructure is complete, move to the next step, where you will assess any existing policies for wireless and bring your own device (BYOD) within the companies.
Step 4: Review the Wireless and BYOD Policies
Within Project 2, you learned about and discussed wireless networks. An M&A provides an opportunity for both companies to review their wireless networks. Within your report, explain the media company’s current stance on wireless devices and BYOD. Note, however, that the company being acquired does not have a BYOD policy. Explain to the managers of the acquisition what needs to be done for the new company to meet the goals of the BYOD policy.
When the review of the wireless and BYOD policies is complete, move to the next step: developing a data protection plan.
Step 5: Develop a Data Protection Plan
You’ve completed the review of the wireless and BYOD policies. In this step, you will develop the recommendations portion of your report in which you will suggest additional mechanisms for data protection at different levels of the acquired company’s architecture.
Include the benefits of, and the implementation activities required for, protection and defense measures such as full disk encryption, BitLocker, and platform identity keys. You also want to convey to your leadership the importance of system integrity and an overall trusted computing base, environment, and support. Describe what this would entail and include Trusted Platform Module (TPM) components and drivers. How are these mechanisms employed in an authentication and authorization system? Include this in the report, along with whether the merging company has these mechanisms in place.
In the next step, you will assess any risks with the supply chain of the acquired company.
Step 6: Review Supply Chain Risk
The data protection plan is ready. In this step, you will take a look at risks to the supply chain. Acquiring a new company also means inheriting the risks associated with its supply chain and that firm’s systems and technologies. Include supply chain risks and list the security measures in place to mitigate those risks. Use NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, to explain the areas that need to be addressed.
After your supply chain review is complete, move to the next step, where you will create a vulnerability management program.
Step 7: Build a Vulnerability Management Program
After your supply chain review, you conduct an interview with the company’s current cybersecurity team about vulnerability management. The team members explain to you that they have never run vulnerability scans or had the time to build a vulnerability management program. So, you need to build one. Use NIST Special Publication 800-40, Guide to Enterprise Patch Management Technologies, to develop a program that meets this missing need.
Explain to the managers how to implement this change, why it is needed, and any costs involved.
The next step is a key one that should not be overlooked — the need to educate users from both companies of the changes being made.
Step 8: Educate Users
You’ve completed your vulnerability management program, but it’s important to educate all the users of the network about the changes. During the process of acquiring a company, policies, processes, and other aspects are often updated. The last step in the process is to inform the users of both the new and the old company of the changes. Within your report, explain to the acquisition managers the requirements for training the workforce.
When you’ve completed this step, move to the final section of this project, in which you will prepare and submit your final report.
Step 9: Prepare and Submit Your Report, Executive Briefing, and Executive Summary
You’re ready now for the final step, in which you will compile and deliver the Cybersecurity for a Successful Acquisition report for the company leaders to enable them to understand the required cybersecurity strategy.
Again, keep in mind that companies undergoing an acquisition or merger are more prone to cyberattacks. The purpose of this paper is to analyze the security posture of both companies and to develop a plan to reduce the possibility of an attack.
The assignments for this project are as follows:
- Executive briefing: This is a three- to five-slide visual presentation for business executives and board members.
- Executive summary: This is a one-page summary at the beginning of your report.
- Cybersecurity System Security Report for Successful Acquisition: Your report should be a minimum 12-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations.
Submit all three components to the assignment folder.
Deliverables: Cybersecurity for a Successful Acquisition, Slides to Support Executive Briefing
Check Your Evaluation Criteria
Before you submit your assignment, review the competencies below, which your instructor will use to evaluate your work. A good practice would be to use each competency as a self-check to confirm you have incorporated all of them. To view the complete grading rubric, click My Tools, select Assignments from the drop-down menu, and then click the project title.
1.1: Organize document or presentation in a manner that promotes understanding and meets the requirements of the assignment.
1.2: Develop coherent paragraphs or points to be internally unified and function as part of the whole document or presentation.
1.3: Provide sufficient, correctly cited support that substantiates the writer’s ideas.
1.4: Tailor communications to the audience.
1.5: Use sentence structure appropriate to the task, message and audience.
1.6: Follow conventions of Standard Written English.
1.7: Create neat and professional looking documents appropriate for the project.
1.8: Create clear oral messages.
2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
2.2: Locate and access sufficient information to investigate the issue or problem.
2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
2.4: Consider and analyze information in context to the issue or problem.
2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
5.9: Manages and administers integrated methods, enabling the organization to identify, capture, catalog, classify, retrieve, and share intellectual capital and information content.
7.3: Knowledge of methods and tools used for risk management and mitigation of risk.
8.7: Provide theoretical basis and practical assistance for all aspects of digital investigation and the use of computer evidence in forensics and law enforcement.