2 hours 23 minutes
Hello and welcome to this. I t Security policy training on side Bury. This is part of module three. The acquisition policy is what we're gonna cover today,
and it's being taught by Troy Lemaire.
So the learning objective for today we're gonna look a really just two basic areas, the general area. And then what are the requirements for the acquisition
And if we actually look at the policy, this is another sands template policy that is out there called the acquisition Assessment Policy.
If we look at the overview, basically it's saying that this policy is to integrate a newly acquired company that has that can't have a drastic impact on security posture of either the parent company or the child company.
So basically, what happens is whenever you require company,
you know what your security posture is, but you don't know what their security posture is. And so you want to try to do things that will make sure that their security posture meets yours or that yours meets there if they have a higher standard of a security posture.
And this is the Brant things like.
company doesn't have a good antivirus policy, and so that that will allow the company to possibly be breached in some way through malware a ransomware, something like that. And you wouldn't want that then spread into your network once you do connect the networks of the two companies, so it's just the way to make sure that you can protect
yourself in your organization. That's what let's protect the company that is being required from being breached in any way.
So again, the goal. The security acquisition assessment and integration process includes assessing the company's security landscape, protecting the company and the choir company from AKI. Increased security risk
educate acquired company about policies and standards adopted, implement the security policies and standards,
integrated the acquired company and continuous monitoring an oddity of the acquisition.
So basically, you're going to do this assessment to make sure that they are in line with what you're looking for in regards to security posture.
The purpose of the policy is to establish responsibilities regarding corporate acquisition and find the minimum security requirements
for acquisition assessment.
The scope is applying to the company that is acquired and pertains to all their systems, networks and everything else that you acquire from that company.
So if we look at the general area,
an acquisition assessment should be conducted to ensure that a company being acquired does not pose a security risk to carpet networks.
The implicit team's gonna provide personnel to serve as active members of the acquisition team throughout the entire acquisition process.
And the role is to detect and evaluate information security, risk developing remediation plan with the affected parties for identified risk.
So we hear things in the news, often times where a company will be acquired. And the bigger company
say, six months to a year after the acquisition has to report that there has been a breach. And usually whenever this occurs, they talk about how the company that was acquired was the source of the breach. And again, this policy is something that's there to try to prevent that from happening.
So if we're looking at the requirements of the policy, all hosts gonna replace a re imaged
with a standard image
business. Critical production servers cannot be replaced or image must be audited, and a waiver granted by the security team
and all PCS will require approved virus protection before network connection
Network devices devices will be replaced. A re imaged
wireless network. Access points will be reconfigured to the
while Internet connections will be terminated. And the reason for that is you don't want a rogue Internet coming into that network. That then connects into your network that you don't know nothing about and might not be protected to the standard that standards that you want,
all remote access should be terminated,
and remote access to the correction network is gonna be provided by your company instead of by the company that was acquired again. You want to make sure that there is no rogue remote access into a system that you don't know about
that will allow that to be breached or for somebody to be able to connect in a non approved wait
Different organizations have certain lab or non production systems that they put out there, and what this is saying is that the lab equipment needs to be physically separated and secured from
non lab servers.
Basically, production and non production service should not be talking to each other in this type of situation
and in the choir networking computer systems being connected to the corporate network fail to meet these requirements. The c i o r. Whoever's your executive in charge of your organization and fortress for security and I t they must acknowledge that improve the risk to the company's network because sometimes you just can't make everything mesh together. So that's okay,
But you want to make sure it gets to the highest level of organization that knows the risk that is associated with it. And they have approved for this too.
And as always, you have your policy compliance saying that we're gonna bear the security team's gonna verify compliance and various methods
and then anyone found to have violated policy could be some disciplinary actions up to including termination of employment.
So in summary, today's brief lecture we talked about the acquisition policy and gave some general information and then set for the requirements. And again, these requirements most probably be modified inside of your organizations to fit what you have going going. So if you have no remote access, there is no reason to have remote access listed as part of the policy.
You're gonna take it and modify it to where
you have what you need for this policy
So a policy re *** question acquisition assessment start conducted. Ensure the company being acquired does not pose a
That is a security risk.
Another recap question. If the acquired company does not meet the requirements, who must acknowledge improve of the associative risk?
That would be the C i. O R. Executive management again, you wanted to be at the highest level, the organization that you can get it.
So in the next lecture, we're gonna continue on with network policies, and we're gonna cover the B Y o d. Or bring your own device policy.
You have questions or a needing. Clarification has always reach me on side. Very message.
I use her name. Is that Troy Lemaire and thank you for attending this cyber retraining.