Security Basics mailing list archives
Re: Information Security in Mergers and Acquisition
From: "Dan Anderson" <dan-anderson () cox net>
Date: Mon, 21 Jul 2008 17:49:54 -0500
It's probably been covered to some degree, especially in Meenal A. Mukadam's great response, but I wanted to call it out specifically: During the pre-merger "due diligence" phase it is critical (IMO) to do a gap analysis between the regulatory compliance posture of the merger candidate and the acquiring organization. As was mentioned before, with respect to IP licensing, you also acquire liability. The board must be made aware of any possible regulatory compliance issues (PCI, SOX, etc) as early in the process as possible. Getting this right can expose and hopefully decrease the financial and legal risks of the transaction and is an area where the security organization can show some significant value. Dan On Sat, Jul 19, 2008 at 4:57 AM, Ido Ganor <iganor () ipvsecurity com> wrote:
Alfred, I would start with: 1) A gap analysis document between buyer's and acquirer's security policies. 2) For each of the organizations - a gap analysis between "actual" policies and procedures and the "written" security policies. 3) Based on the above documents (and management input) put a "new" security policy and get management sign-off. 4) Put a plan of what's required to be done for each "organization" to adopt the merged security policy. Obviously it is easy said than done! Ido -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Daniel I. Didier Sent: Friday, July 18, 2008 5:05 PM To: alfredhitchcock_007 () yahoo com; security-basics () securityfocus com Subject: RE: Information Security in Mergers and Acquisition Alfred, Haven't I seen you in some splendid mysteries? :) While I can't provide you with a complete overview of this process, I will provide some valuable insight. Recently we had a very similar situation and the topic of legal liability over licensing came into question (Any hardware / software licensing). While some may argue that this isn't information security / assurance, I think that it fits very well into our bailiwick as it can present great financial and legal liability. To make a long story short, when acquiring an organization, liability is also acquired. If the target organization does not have sufficient licensing for the hardware and especially software they are using, you will assume this liability if not properly addressed before the acquisition. This should be carefully reviewed as part of the overall IT security assessment. If it is found that licensing is out of compliance, this must be rectified as it could lead to HUGE fines from the Business Software Alliance (BSA) - the potential for financial damage is simply tremendous. Be careful! To more specifically address your question about how to handle infosec in mergers and acquisition, I would suggest you start at the top and work your way down. This means first and foremost reviewing both organizations information security policies; do they match (heck, do they even exist?), are they at opposite extremes? Can either organization assume the risk of the other without changes to the policy (most likely, no), what does your team think about the overall policy differences? The next step would be to see how effective the policies are; Does the policy have active procedures, are there monitoring, auditing, and enforcement mechanisms? Is the policy integrated into the business process, or is it simply there because they have a requirement to have one? Once you quantify the effectiveness of the policies and to what level infosec is integrated into the business, you can then start looking at the nuts and bolts. Perhaps this could happen in unison with the security policy review. *Side note - I'm assuming you are on the acquiring side, is this true? If so, you'll be the one driving this and need to ensure the target organization is up to your level of security. You'll need to identify gaps, and most likely produce a plan to identify what has to happen, how long, and how much to bring them up to your specification. As I was saying, I believe you'll need to do a business risk assessment and a subsequent technology assessment. Perhaps you'll even want to employ some type of overall network security review that can then be related back to the business and technology risk assessment. I hope my thoughts help with your task at hand. Let me know what you think and if I can be of more assistance. Dan http://www.NetSecureIA.com-----Original Message----- From: listbounce () securityfocus com[mailto:listbounce () securityfocus com]On Behalf Of alfredhitchcock_007 () yahoo com Sent: Thursday, July 17, 2008 9:28 AM To: security-basics () securityfocus com Subject: Information Security in Mergers and Acquisition Hi, I have been tasked to develop a competency in "Information Security in Mergers and Acquisition". I do not know where to start. Sinceaddressingsecurity would start at pre-merger till the analysis of post merger.HereI would like to have everybody's opinion on how to we go aboutaddressingInformation Security in Mergers and Acquisition Thanks, Alfred__________ Information from ESET NOD32 Antivirus, version of virus signature database 3281 (20080718) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 3281 (20080718) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Current thread:
- Information Security in Mergers and Acquisition alfredhitchcock_007 (Jul 18)
- RE: Information Security in Mergers and Acquisition Lubrano di Ciccone, Christophe (DEF BFS) (Jul 18)
- Re: Information Security in Mergers and Acquisition Meenal Mukadam (Jul 18)
- RE: Information Security in Mergers and Acquisition Daniel I. Didier (Jul 18)
- RE: Information Security in Mergers and Acquisition Ido Ganor (Jul 21)
- Re: Information Security in Mergers and Acquisition Dan Anderson (Jul 22)
- RE: Information Security in Mergers and Acquisition Ido Ganor (Jul 21)
- <Possible follow-ups>
- Re: Information Security in Mergers and Acquisition ddidier (Jul 21)
- Re: Re: Information Security in Mergers and Acquisition iganor (Jul 21)