Security Basics mailing list archives
Re: Information Security in Mergers and Acquisition
From: "Meenal Mukadam" <meenal.mukadam () gmail com>
Date: Fri, 18 Jul 2008 20:03:04 +0530
Hello Alfred,

You are very correct. Addressing security does start at the pre-merger stage and is equally critical till the post-merger! I have researched this topic and have come up with a framework and guidelines.

For the success of an M&A, first one has to understand the 'Driver for that M&A'. It could be getting new technology, gaining competitive advantage, expansion, etc. Along with the Driver, all the Threat factors have to be analyzed and shortlisted. Once this is done the next task is deciding upon common Principles! (Why? Because if not, the M&A would fail!)

I have shortlisted a few Principles in my guidelines. They are:
1) Awareness
2) Deciding on Security Appetite
3) Responsibility
4) Response
5) Ethics
6) Democracy
7) Risk Assessment
8) Security design and implementation
9) Security management
10) Reassessment

I am sharing the generic guidelines with you. They are as follows:
1) Make sure Information security is on the board agenda.
2) Guide management by helping align Information security initiatives with real business needs and ensure that it appreciates the potential impact on the business of IT-related risks.
3) Form an Information Security Steering Committee which will undertake the work of setting up Information Security measures for the organizations undergoing Mergers or Acquisitions.
4) The Committee formed should study the organization structure of the new organization after a Merger or an Acquisition and also its processes.
5) The Committee should then take into account and check if Security Policy Documents are previously in place and, if yes, they should be studied/reviewed thoroughly.
6) If Information Security is not in place then Critical Success Factors and the Information Assets of the new organization should be identified & documented.
7) An appropriate set of procedures for information labelling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.
8) The ownership rights on assets should be clearly defined and agreed upon.
9) Then Roles and Responsibilities have to be redefined for the employees of the new organisation and boundaries have to be drawn.
10) Conduct Risk Assessment for identifying the risks. (For this consider the previous history and patterns of performance of both the organizations, current IT organisational factors, complexity and size/scope of the new IT environment, inherent vulnerability of the new IT environment, nature of the IT initiatives being considered, e.g., new projects, outsourcing considerations, architectural changes, etc.)
11) Ensure that the organization complies with legal requirements and that their practices.
12) Aligning of Information security objectives with business objectives has to be done. (For this Return on Investment is an effective method. This decision should be based on the potential benefit, ease of implementation and with a focus on important processes and core competencies.)
13) A procedure has to be framed for handling, storage and exchange of information, which should address issues such as information protection from unauthorised disclosure or misuse.
14) Confidentiality agreements should be taken into consideration to ensure that the level of confidentiality of information that needs to be maintained at different levels is agreed upon by both the parties.
15) There should be some formal authorisation process in place for the information to be made publicly available, such as approval from Change Control which includes Business, Application owner etc.
16) The business requirements for access control should be defined and documented. The Access control policy should address the rules and rights for each user or group of users.
17) Make sure that a review is conducted to verify users' access rights at regular intervals. Example: special privilege review every 3 months, normal privileges every 6 months.
18) Strict controls should be in place for users to access program source libraries. This is to reduce the potential for corruption of computer programs.
19) Sensitive systems should be provided with an isolated computing environment, such as running on a dedicated computer, sharing resources only with trusted application systems, etc.
20) Antivirus software should be installed on the computers to check and isolate or remove any viruses from computers and media.
21) Network controls should be in place for user authentication for external connections, Virtual Private Networks, encryption standards followed if any, etc.
22) For secure disposal of information the security team needs to decide if a storage device containing sensitive information needs to be physically destroyed or securely overwritten, and corresponding procedures have to be made.
23) The system manual and the system configuration details documentation should be protected from unauthorised access. The access list for the system documentation should be kept to a minimum and authorised by the application owner.
24) Operational staff should be encouraged to maintain a log of their activities, such as logs of errors and the corrective action taken, etc. Operator logs should be checked on a regular basis against the Operating procedures.
25) Business Continuity plan, if in place, should be tested, maintained and reassessed.
26) Reporting of Information security events needs to be encouraged and faults need to be reported and well managed. (This includes guiding the employee to report a security incident, if any, to the security team. The security team then has to process the fault and then document it and the corrective action taken to rectify that fault.)
27) Then the new organization should frame Common Security Policy & Procedures Documents on the basis of the Information security practices as mentioned above and the Management Commitment of the new organization.
28) The Committee has to then get that Common Security Policy Document approved by the management.
29) After the Approval the Common Information Security Policy Documents need to be published and communicated to concerned Employees.
30) Information Security Awareness & Training has to be imparted to ensure that the people in the organization are made aware of the Information Security focus and culture of the newly formed organization.

I have then developed a framework for ensuring that Information Security requirements are met at each and every stage of the M&A. It's a four-point framework which is required to understand the need for Infosec at each and every stage of an M&A: to understand what is required to be done and what are the possible pitfalls that one can face....

1) At the start: To avoid costly and unfocused implementations of standards and best practices, organizations need to prioritize where and how to use these guidelines. The organization needs an effective action plan that suits its particular circumstances and needs. First, it is important for the board to take ownership of IT governance and set the direction management should follow, making sure that the board operates with Information security in mind.

The board should:
• Make sure Information security is on the board agenda
• Challenge management's activities with regard to Information security issues and make sure Information security issues are uncovered
• Guide management by helping align Information security initiatives with real business needs and ensure that it appreciates the potential impact on the business of IT-related risks
• Insist that Information security performance be measured and reported to the board
• Establish an Information security steering group or IT governing council with responsibility for communicating IT issues between the board and management
• Insist that there be a management framework for Information Security

2) Tailoring: The newly formed organization needs to tailor the use of standards and practices to suit its individual requirements. And this has to be done so as to:
• Provide a management policy and control framework
• Enable process ownership, clear responsibility and accountability for Information Security activities
• Align Information Security objectives with business objectives, setting priorities and allocating resources
• Ensure return on investments and optimize costs
• Make sure significant risks have been identified and are transparent to management, responsibility for risk management has been assigned and embedded in the organization, and assurance has been provided to management that effective controls are in place
• Ensure resources have been efficiently organized and sufficient capability (technical infrastructure, process and skills) exists to execute the Information security strategy
• Make sure critical IT activities can be monitored and measured, so problems can be identified and corrective action can be taken
• Set clear, business-related Information objectives and metrics
• Verify provider capability or demonstrate competence to the market by Internal and Independent third-party assessments
• Facilitate continuous improvement by Maturity assessments, Gap analysis, Benchmarking, Improvement planning

3) Foundation work: With this mandate and direction in place, management can then initiate and put into action an implementation approach. To help management decide where to begin and to ensure that the implementation process delivers positive results where they are needed most, the following steps are suggested:
1. Set up an organizational framework (ideally as part of an overall Information Security initiative) with clear responsibilities and objectives and participation from all interested parties that will take implementation forward and own it as an initiative.
2. Align Information Security strategy with business goals (the objective behind a merger or an acquisition). Obtain a good understanding of the business environment, risk appetite and business strategy as they relate to Information security.
3. Understand and define the risks. Given the business objectives, what are the risks relating to IT's ability to deliver against these objectives? Consider:
   a. Previous history and patterns of performance of both the organizations
   b. Current IT organizational factors
   c. Complexity and size/scope of the new IT environment
   d. Inherent vulnerability of the new IT environment
   e. Nature of the IT initiatives being considered, e.g., new systems projects, outsourcing considerations, architectural changes, etc.
4. Define target areas and identify the process areas in IT that are critical to managing these risk areas.
5. Analyze current capability and identify gaps. Perform a maturity capability assessment to find out where improvements are needed most.
6. Develop improvement strategies, and decide the highest priority projects that will help improve the Information security. This decision should be based on the potential benefit, ease of implementation and with a focus on important IT processes and core competencies. Specific Information security improvement projects as part of a continuous improvement initiative should be outlined (e.g., an Information Security awareness training program).
7. Measure results: establish a scorecard mechanism for measuring current performance and monitor the results of new improvements considering, as a minimum, the following key considerations:
   a. Will the organizational structure support strategy implementation?
   b. Are responsibilities for risk management embedded in the organization?
   c. Do infrastructures exist that will facilitate and support the creation and sharing of vital business information?
   d. Have strategies and goals been communicated effectively to everyone who needs to know within the organization?
8. Repeat steps 2 through 7 on a regular basis.

4) Avoiding Hindrances: There are also some obvious, but pragmatic, rules that management ought to follow:
• Treat the Information security guidelines implementation initiative as a project activity with a series of phases rather than a 'one-off' step.
• Remember that implementation involves cultural change as well as new processes. Therefore, a key success factor is the enablement and motivation of these changes.
• Make sure there is a clear understanding of the objectives of the guidelines.
• Manage expectations. In most enterprises, achieving successful oversight of IT takes time and is a continuous improvement process.
• Focus first on those information security areas which are critical and have high priority to make changes, deliver improvements and build from there one step at a time.
• Avoid the initiative becoming perceived as a purely bureaucratic exercise.
• Avoid the guidelines being used in an unfocused and checklist-type approach.
• Avoid the cultural difference between the two organizations becoming a major hindrance for the successful implementation of the Information security Guidelines.

Hope this answers your questions. If you want more or if you didn't get any point do let me know....

Kind Regards,
Meenal A. Mukadam

On Thu, Jul 17, 2008 at 6:58 PM, <alfredhitchcock_007 () yahoo com> wrote:
Hi,

I have been tasked to develop a competency in "Information Security in Mergers and Acquisition". I do not know where to start, since addressing security would start at pre-merger till the analysis of post-merger. Here I would like to have everybody's opinion on how we go about addressing Information Security in Mergers and Acquisition.

Thanks,
Alfred
--
Meenal A. Mukadam
-------------------------------------------------------------
Far away there in the sunshine are my highest aspirations. I may/may not reach them, but I can look up and see their beauty, believe in them and try to follow where they lead.
-------------------------------------------------------------