"Change one": Migration

Source: Internet
Author: User

At this stage, Company F's IT assets were migrated to the transitional security domain for a "break-in" period, which allowed information security issues and some application-layer problems to be handled properly and largely achieved a smooth first-stage migration. Everything in the transitional security domain uses Company S's IP addresses. In addition, following Company S's information security policies, we formulated the following firewall security policies and rules:

First, enable port-level access control between specified hosts in the transitional security domain and specified hosts in the S security domain. Second, enable port-level access control between specified hosts in the F security domain and specified hosts in the transitional security domain as needed. Third, deny all access from the F security domain to the S security domain, and audit and track every rejected attempt. Based on these rules, we designed the security policies on the S firewall in detail.
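The three rules above can be modeled as a small policy evaluator. This is an added example, not configuration from the original article; the subnets, host addresses, ports, and the default-deny fallback are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): the transitional domain is carved out
# of Company S's address space, as the article describes.
ZONES = {
    "F": ipaddress.ip_network("10.10.0.0/16"),
    "S": ipaddress.ip_network("10.20.0.0/16"),
    "TRANSITION": ipaddress.ip_network("10.20.1.0/24"),
}
# Host- and port-level permits (constructed hosts): (src, dst, dst_port).
ALLOW = {
    ("10.20.1.15", "10.20.8.5", 1433),  # rule 1: transitional host -> S host
    ("10.10.3.7", "10.20.1.15", 443),   # rule 2: F host -> transitional host
}
PERMITTED_ZONE_PAIRS = ({"TRANSITION", "S"}, {"F", "TRANSITION"})

def zone_of(ip):
    """Longest-prefix match, so 10.20.1.x is TRANSITION rather than S."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(hits)[1] if hits else "OUTSIDE"

def evaluate(src, dst, port, audit_log):
    """Return 'allow' or 'deny'; rejected F -> S attempts go to audit_log."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # Rule 3 is checked first so no host-level entry can open F -> S.
    if src_zone == "F" and dst_zone == "S":
        audit_log.append({"src": src, "dst": dst, "port": port, "rule": "deny F->S"})
        return "deny"
    if {src_zone, dst_zone} in PERMITTED_ZONE_PAIRS and (src, dst, port) in ALLOW:
        return "allow"
    return "deny"  # assumption: anything not explicitly permitted is dropped

def lint_rules(allow):
    """Flag permit entries that would contradict rule 3 before deployment."""
    return [r for r in allow if zone_of(r[0]) == "F" and zone_of(r[1]) == "S"]

if __name__ == "__main__":
    log = []
    for flow in [("10.20.1.15", "10.20.8.5", 1433), ("10.10.3.7", "10.20.8.5", 1433)]:
        print(flow, evaluate(*flow, log))
    print("audit:", log)
```

Running `lint_rules` over a proposed rule set before each policy change catches a host-level permit that would silently bridge the F and S domains.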

Phase 2: Transitional Security Domain → S Security Domain

The second phase of work is much easier: with the transitional security domain in normal use, the next step is to migrate IT assets from the transitional security domain to the S security domain. In fact, this part is not difficult as the reorganization process accelerates.

As the business integration of the two companies continues to deepen, IT integration is also carried out in depth. After a period of work in the first phase, 95% of assets in the F security domain have been migrated to the transitional security domain. This is the best time to enter the second phase.

Note that Company S's IP addresses are already used in the transitional security domain, so the migration in this phase can be completely transparent to users' PCs and the various upper-layer applications. In other words, IT personnel only need to change the security policies and a small number of IP routes on the S firewall.

At the end of the second stage, with the system integration and migration of the company's headquarters, the work in China can be completed gradually. What IT personnel should do at this stage is to completely transform the IT system of the migrated company into a part of the merged company.

After the completion of the second phase, 99% of Company F's IT assets in China have been migrated to Company S's intranet. Most importantly, the IT migration and integration of the two companies at their headquarters in country G has also reached a certain level, and all business traffic involving the China region has moved off Company F's original intranet and now reaches Company F's China region through Company S's intranet.

Based on this, we can completely transform Company F's IT system in China into part of Company S's intranet in this phase. The first thing IT personnel need to do is decommission Company F's WAN egress in China, so that all outbound traffic goes through Company S's intranet. Company F's firewall can then be decommissioned as well.

Phase X: core experience

It is called Phase X because much of its content runs through the entire foundation and migration process. For domestic enterprise users, information security in a merger is not achieved overnight. Its complexity and difficulty are often reflected in project control.

First, ensure good communication

Compared with a "turnkey" general IT systems integration project, an information security project poses more challenges around the management and security concepts of different organizations.

Most information security matters within an enterprise are mandatory and cannot be compromised, and the investment in security does not pay off immediately, so it is not easy for business departments or even senior managers to accept and actively follow them. IT system users, including internal employees and the production and business departments, are the weakest link in information security. Getting all employees, and especially management, to truly accept and fully support information security construction and implementation in enterprise resource allocation and the enterprise's overall IT policy is a key factor in successfully implementing information security within the enterprise.

In information security projects related to enterprise mergers, the most challenging part is communicating with the IT department of the merged party and obtaining its understanding and cooperation, along with full support in terms of human resources.

The merger of the two companies' IT systems may change the original IT management processes, or even the positions of former IT department staff, directly affecting the interests of some departments and individuals. This affects the attitude and strength of the other party's support for information security projects.

Therefore, the successful implementation of an information security project depends on the design of the technical solution, the management of the security project, and cooperation with all parties. Good communication is crucial.

The project's network lead needs, in addition to a profound technical background and excellent communication skills, the ability to obtain the necessary cooperation amid the turbulent internal changes at the merged company, such as Company F's accurate and complete IT asset configuration management database, which greatly reduces the project implementation cycle and cost.

In addition, because Company F's IT staff in China do not have permission to manage the local network systems, they will not directly take part in changing specific equipment configurations during the IT migration implementation phase. We also need to communicate with the IT administrators in country G to obtain their cooperation on Company F's global route changes and firewall policy adjustments.

Second, full testing

Since the IT system merger solution in China is the first step in the global IT system merger of the two companies, we set up a simulation environment for technical testing before implementing the project phases above, for example, simulating the establishment of a trust relationship between the two companies' Windows domain controllers (DCs) on either side of the S firewall.

In addition, we did not copy Company S's mature information security policies into the project wholesale, but introduced them at different stages of the project to suit the needs of each period. This is also reflected in the functional tests at the technical level: these tests check the feasibility of Company S's information security policies at each stage of the project, so that the technical solution can be adjusted as appropriate to comply with them.

During implementation, at each transition from one phase to the next, we should perform a phased overall test to ensure that production network business is not affected and that the change is transparent to users.

Third, user security training

Information security during the IT system migration period is not only a technical issue but also a management issue. It is necessary not only to manage equipment and technology, but also to reduce the security weaknesses introduced by the people who use the information: users and employees.

In the information security field, internal staff are the weakest link. During the management handover between the old and new companies, it is particularly important to train Company F's staff on information security. It is necessary to prevent users from unknowingly endangering information security, for example by connecting private computers to the enterprise production network without authorization.

In addition, some employees will inevitably have negative feelings during the merger, and some may pose information security threats, such as stealing sensitive production data. Through information security education and training, we need Company F's employees to become familiar with and understand the important information security policies of the new work environment as soon as possible, to actively abide by Company S's information security policy, and to be alert to events that endanger information security.

Fourth, cost control

An enterprise merger is hugely expensive, so management usually demands tight cost control for the migration and merger of IT systems. Any equipment purchase should be justified, and whether the device will still be needed after the merger should be considered. Make full use of existing resources, including existing network and network security equipment, and minimize construction costs.

Because the project has some transitional phases, some of the IT devices involved, such as the S company firewall, are temporary and will be shut down once the IT migration is complete. Therefore, when purchasing equipment, we must evaluate user requirements to determine the performance the firewall needs.

For example, Company F had a large number of newly purchased Ethernet switches, which had to be fully utilized. In the first phase of risk assessment and project migration, these switches were required to support both the F security domain and the transitional security domain. We created several L2 VLANs on these switches, corresponding to the two security domains. The gateway IP addresses of the VLANs are the E3 and E2 interfaces of the S firewall. This not only complies with the information security policy but also makes full use of the existing devices. In the second stage, you only need to move the gateway IP address of the transitional security domain's VLAN from the E2 interface of the S firewall to the S security domain to achieve a smooth migration of applications and users.
