Integrity Blog

Secure Iowa Conference 2017 Keynote Speaker Lieutenant Colonel Robert J. Darling United States Marine Corps (Ret.)

Iowa’s Largest Information Security Conference Lands One of Its Most Exciting Speakers to Date

Date: Tuesday, October 3, 2017

Location: FFA Enrichment Center, 1055 SW Prairie Trail Parkway, Ankeny, Iowa 50023

Secure Iowa Conference, the annual Iowa-based information security conference hosted by ISSA Des Moines and presented by Integrity, has announced that its 2017 keynote speaker will be Lieutenant Colonel Robert J. Darling United States Marine Corps (Ret.), author of 24 Hours Inside the President's Bunker. Lieutenant Colonel Darling is the White House Airlift Operations Officer who, during the attack on America on 9/11/01, responded to the underground White House Bunker Complex and stood shoulder to shoulder with America’s highest leaders as they made unprecedented crisis leadership decisions on behalf of all Americans.

In his keynote presentation September 11, 2001 - The White House, A Crisis Leadership Presentation, Retired Lieutenant Colonel Robert Darling will discuss his experiences on September 11, 2001 inside the White House bunker, where he worked alongside Vice President Dick Cheney and National Security Advisor Condoleezza Rice. His presentation is designed to ensure we, as a nation, never forget the events of 9/11/01, and to inspire all leaders to take the necessary steps within their power to protect and safeguard their employees, their organizations and their communities.

Secure Iowa Sessions

Lieutenant Colonel Darling will undoubtedly deliver an inspiring presentation, but he is only the beginning of an exciting day filled with continuing education in the areas of information security, IT risk management, compliance and privacy. The following is a list of session tracks, each of which will feature various speakers throughout the day. Attendees may attend any of the presentations. Selecting a track is not necessary; tracks are simply there to help guide attendees in their selection process.

SESSION TRACKS
  • Application and Infrastructure Security
  • Security Testing and Investigation
  • IT Risk Management and Audit
  • Executive and Legal

This is a unique opportunity for security, privacy and audit professionals in Iowa to gather for a time of education and networking. For more information, visit SecureIowaConference.com.

Registration is free. Make sure to register soon, as spots are filling fast.

IT Controls Gap Analysis

When someone says they are getting ready to do a gap analysis of an IT system, what is the first thing that comes to mind? Compliance, SOX, HIPAA, log management, change control, identity management? While all of these are valid considerations, none of them should be the first.

The Importance of Processes

Process should be the starting point for every review. Without a defined process, the systems that support it deliver little value. For instance, if you have a log management system but no process that defines who reviews the logs, what they should look for and what actions to take when they find it, the technology is useless. Priority should be placed on the maturity of the process, which includes policy, procedures and overall documentation.

It happens time and time again. An outage occurs because a simple procedure was not followed. Perhaps the procedure was not documented, or was not documented well. Maybe the procedure exists but nobody knows about it. These types of issues reflect a lack of maturity that no amount of technology can fix. Organizations should begin to place more importance, and thus more resources, on improving their processes.

Technology will only take you so far with security and compliance. In fact, at times technology will mask poor processes, which may complicate problems in the future.

5 Questions to Ask During a Gap Analysis

If you are a CIO, CTO, VP, Director or Manager of a technology group, I implore you to sit down as a leadership team and review the following 5 items.

  • Do we have a policy which dictates the design, implementation, management and review of our systems?
  • Do we have a repository of procedures and associated documentation to carry out this policy?
  • Are team members well educated in the existence, importance and location of this information?
  • Is someone responsible for managing this repository and performing periodic reviews as our technology and business processes evolve?
  • Is there a system in place to identify and correct actions not in line with our process?

If more of this activity were to take place, I’d venture to bet companies would spend less time trying to fit various security technologies into their organization and more time finding technology that complements their existing way of doing business.

Mergers and Acquisitions (M&A) IT Due Diligence Assessments

There has been a surge in Mergers and Acquisitions (M&A) over the past couple of years, and those numbers will continue to rise. So, what should companies be looking for as part of their due diligence? For years the answer has looked something like this: "Check the financials, legal and intellectual property..." But now, cyber security practices and technologies are at the forefront of these same conversations.

The thought of acquiring a company can be very exciting. An acquisition can help a company gain a stronger foothold in a familiar market or branch out into new geographic regions. In other instances an acquisition will enable a company to add complementary products/services to diversify their portfolio. Regardless of the strategy, the goal of an acquisition is to improve the acquirer’s current state. And the target company can be seen as a means to that end.

The Impact Cyber Security Practices Can Have On Financials

If a company focuses only on the target's financials, it may be blinded by seemingly strong financial statements while overlooking cyber security risk, even though an existing or potential security breach could significantly affect those financials far into the future. So, what does this mean to an acquiring company? A due diligence process that neglects security practices and technologies could greatly overvalue the target company and pose significant risk. Without a cyber security assessment, it can take an organization months or even years to discover that it has experienced a security breach. If proper action is not taken to evaluate the target's security posture, the acquisition could become a serious failure and cost the acquiring company millions of dollars.

Cyber security and IT issues are a major risk factor for any acquisition. Buyers should engage technology / security experts to determine these risks and quantify the effect on the target’s operations, which can be significant.

Paul Juffer, CPA, Managing Partner, LWBJ

Valuing a Company Based on Complete Information

It is imperative to ask the right questions and perform an appropriate cyber security assessment before closing a deal. From the outside, the target company may look healthy, but in reality its information could already be compromised, and it may be only a matter of time before client data is sold on the dark web or intellectual property is copied and produced overseas. As the purchaser, if cyber security risk is discovered, you can use the information gained in the due diligence process to value the company at a discounted rate, or you can decide to walk away entirely; which is appropriate will depend on the severity of the risk. If the discovery occurs after the close of the acquisition, however, the acquiring company is left picking up the pieces. This is why it is so important to perform the assessment early in the process.

IT Due Diligence Assessment

An IT assessment evaluates both the design of controls and their operating effectiveness and efficiency. It is important to perform an internal assessment of the IT infrastructure to evaluate the confidentiality, integrity and availability of connected systems. The specific areas tested should include the following:

  • Network, server, and device security, including event monitoring
  • Disaster Recovery Plans, Data Backup and Restore, and Business Continuity Plans
  • Encryption of sensitive data
  • Segregation of duties, least privilege, and other role-based access controls (RBAC)
  • Physical security controls (cameras, locks, lighting, etc.)

Reviewing the target's security and risk management policies, to confirm that adequate controls are in place to protect information, is also a critical portion of the IT due diligence assessment. Policies to be reviewed should include:

Technology
  • IT Risk Management Program
  • Policies, Procedures, and Standards
  • Change Management
  • Vulnerability Management and Incident Response Plans
  • Vendor Management
Human Resources
  • Employee Background Check and Onboarding Checklists
  • Employee Security Awareness Training
  • Employee Transfer and Off-boarding Checklists

If you are considering acquiring a company, make sure you consider all of the factors that impact valuation, including cyber security practices and technologies. And, if you are looking to sell your company, make sure to have your own IT Due Diligence Assessment performed. This will enable you to take appropriate steps to reduce your company’s IT risk and improve the valuation of your business prior to negotiations with a suitor.
