Security Basics mailing list archives

Re: Information Security in Mergers and Acquisition


From: ddidier () netsecureia com
Date: Fri, 18 Jul 2008 03:24:41 -0600

Alfred,
Haven't I seen you in some splendid mysteries? :)

While I can't provide you with a complete overview of this process, I will provide some valuable insight.  Recently we 
had a very similar situation and the topic of legal liability over licensing came into question (Any hardware / 
software licensing).  While some may argue that this isn't information security / assurance, I think that it fits very 
well into our bailiwick as it can present great financial and legal liability. 

To make a long story short, when acquiring an organization, liability is also acquired.  If the target organization 
does not have sufficient licensing for the hardware and especially software they are using, you will assume this 
liability if not properly addressed before the acquisition.  This should be carefully reviewed as part of the overall 
IT security assessment.  If it is found that licensing is out of compliance, this must be rectified as it could lead to 
HUGE fines from the Business Software Alliance (BSA) - the potential for financial damage is simply tremendous.  Be 
careful!

To more specifically address your question about how to handle infosec in mergers and acquisition, I would suggest you 
start at the top and work your way down.  This means first and foremost reviewing both organizations' information 
security policies; do they match (heck, do they even exist?), are they at opposite extremes?  Can either organization 
assume the risk of the other without changes to the policy (most likely, no), what does your team think about the 
overall policy differences?  

The next step would be to see how effective the policies are; does the policy have active procedures, are there 
monitoring, auditing, and enforcement mechanisms?  Is the policy integrated into the business process, or is it simply 
there because they have a requirement to have one?

Once you quantify the effectiveness of the policies and to what level infosec is integrated into the business, you can 
then start looking at the nuts and bolts.  Perhaps this could happen in unison with the security policy review.  

*Side note - I'm assuming you are on the acquiring side, is this true?
If so, you'll be the one driving this and need to ensure the target organization is up to your level of security.  
You'll need to identify gaps, and most likely produce a plan to identify what has to happen, how long, and how much to 
bring them up to your specification.  

As I was saying, I believe you'll need to do a business risk assessment and a subsequent technology assessment.  
Perhaps you'll even want to employ some type of overall network security review that can then be related back to the 
business and technology risk assessment.  

I hope my thoughts help with your task at hand.  Let me know what you think and if I can be of more assistance.

Dan
http://www.NetSecureIA.com

