Security Basics mailing list archives

Re: Information Security in Mergers and Acquisition


From: "Meenal Mukadam" <meenal.mukadam () gmail com>
Date: Fri, 18 Jul 2008 20:03:04 +0530

Hello Alfred,

You are very correct. Addressing security does start at the pre-merger
stage and is equally critical through to the post-merger stage! I have
researched this topic and have come up with a framework and guidelines.

For the success of an M&A, one first has to understand the 'Driver for
that M&A'. It could be getting new technology, gaining competitive
advantage, expansion, etc.... Along with the Driver, all the Threat
factors have to be analyzed and shortlisted. Once this is done, the
next task is deciding upon common Principles! (Why? Because if not, the
M&A would fail!) I have shortlisted a few Principles in my guidelines.
They are:
1) Awareness
2) Deciding on Security Appetite
3) Responsibility
4) Response
5) Ethics
6) Democracy
7) Risk Assessment
8) Security design and implementation
9) Security management
10) Reassessment

I am sharing the generic guidelines with you. They are as follows:
1) Make sure Information security is on the board agenda.
2) Guide management by helping align Information security initiatives
with real business needs and ensure that it appreciates the potential
impact on the business of IT-related risks.
3) Form an Information Security Steering Committee which will undertake
the work of setting up Information Security measures for the
organizations undergoing Mergers or Acquisitions.
4) The Committee formed should study the organization structure of the
new organization after a Merger or an Acquisition and also its
processes.
5) The Committee should then check whether Security Policy Documents
are already in place and, if so, they should be studied/reviewed
thoroughly.
6) If Information Security is not in place, then the Critical Success
Factors and the Information Assets of the new organization should be
identified & documented.
7) An appropriate set of procedures for information labelling and
handling should be developed and implemented in accordance with the
classification scheme adopted by the organization.
8) The ownership rights on assets should be clearly defined and agreed upon.
9) Then Roles and Responsibilities have to be redefined for the
employees of the new organisation and boundaries have to be drawn.
10) Conduct a Risk Assessment to identify the risks. (For this,
consider the previous history and patterns of performance of both
organizations, current IT organisational factors, complexity and
size/scope of the new IT environment, inherent vulnerability of the
new IT environment, and the nature of the IT initiatives being
considered, e.g., new projects, outsourcing considerations,
architectural changes, etc.)
11) Ensure that the organization complies with legal requirements and
that their practices.
12) Information security objectives have to be aligned with business
objectives. (For this, Return on Investment is an effective method.
This decision should be based on the potential benefit, ease of
implementation and with a focus on important processes and core
competencies.)
13) A procedure has to be framed for handling, storage and exchange
of information, which should address issues such as information
protection from unauthorised disclosure or misuse.
14) Confidentiality agreements should be taken into consideration to
ensure that the level of confidentiality of information that needs to
be maintained at different levels is agreed upon by both parties.
15) There should be some formal authorisation process in place for
information to be made publicly available, for example approval from
Change Control, which includes the Business, the Application owner, etc.
16) The business requirements for access control should be defined and
documented. The Access control policy should address the rules and
rights for each user or group of users.
17) Make sure that a review is conducted to verify users' access rights
at regular intervals. Example: Special privilege review every 3
months, normal privileges every 6 months.
18) Strict controls should be in place for users to access program
source libraries. This is to reduce the potential for corruption of
computer programs.
19) Sensitive systems should be provided with an isolated computing
environment, such as running on a dedicated computer, sharing resources
only with trusted application systems, etc.
20) Antivirus software should be installed on the computers to check
for and isolate or remove any viruses from computers and media.
21) Network controls should be in place for user authentication for
external connections, Virtual Private Networks, encryption standards
followed if any, etc.
22) For secure disposal of information, the security team needs to
decide if a storage device containing sensitive information needs to
be physically destroyed or securely overwritten, and corresponding
procedures have to be made.
23) The system manual and the system configuration details
documentation should be protected from unauthorised access. The
access list for the system documentation should be kept to a minimum
and authorised by the application owner.
24) Operational staff should be encouraged to maintain a log of
their activities, such as logs of errors and the corrective action
taken, etc. Operator logs should be checked on a regular basis against
the Operating procedures.
25) The Business Continuity plan, if in place, should be tested,
maintained and reassessed.
26) Reporting of Information security events needs to be encouraged,
and faults need to be reported and well managed. (This includes
guiding the employee to report a security incident, if any, to the
security team. The security team then has to process the fault,
document it, and document the corrective action taken to rectify that
fault.)
27) The new organization should then frame Common Security Policy
& Procedures Documents on the basis of the Information security
practices mentioned above and the Management Commitment of the new
organization.
28) The Committee then has to get that Common Security Policy Document
approved by the management.
29) After the Approval, the Common Information Security Policy
Documents need to be published and communicated to the concerned
Employees.
30) Information Security Awareness & Training has to be imparted to
ensure that the people in the organization are made aware of the
Information Security focus and culture of the newly formed
organization.

I have then developed a framework for ensuring that Information
Security requirements are met at each and every stage of the M&A. It's
a four-point framework which is required to understand the need for
Infosec at each and every stage of an M&A, to understand what is
required to be done and what the possible pitfalls are that one can
face....

1) At the start:
To avoid costly and unfocused implementations of standards and best
practices, organizations need to prioritise where and how to use these
guidelines. The organization needs an effective action plan that suits
its particular circumstances and needs. First, it is important for the
board to take ownership of IT governance and set the direction
management should follow, making sure that the board operates with
Information security in mind. The board should:
• Make sure Information security is on the board agenda
• Challenge management's activities with regard to Information
security issues and make sure Information security issues are
uncovered
• Guide management by helping align Information security initiatives
with real business needs and ensure that it appreciates the potential
impact on the business of IT-related risks
• Insist that Information security performance be measured and
reported to the board
• Establish an Information security steering group or IT governing
council with responsibility for communicating IT issues between the
board and management
• Insist that there be a management framework for Information Security

2) Tailoring:
The newly formed organization needs to tailor the use of standards and
practices to suit its individual requirements. And this has to be done
so as to:
•       Provide a management policy and control framework
•       Enabling process ownership, clear responsibility and accountability
for Information Security activities
•       Aligning Information Security objectives with business objectives,
setting priorities and allocating resources
•       Ensuring return on investments and optimizing costs
•       Making sure significant risks have been identified and are
transparent to management, responsibility for risk management has been
assigned and embedded in the organization, and assurance has been
provided to management that effective controls are in place
•       Ensuring resources have been efficiently organized and sufficient
capability (technical infrastructure, process and skills) exists to
execute the Information security strategy
•       Making sure critical IT activities can be monitored and measured, so
problems can be identified and corrective action can be taken
•       Setting clear, business-related Information objectives and metrics
•       To verify provider capability or demonstrate competence to the
market by Internal and Independent third-party assessments
•       To facilitate continuous improvement by Maturity assessments, Gap
analysis, Benchmarking, Improvement planning

3) Foundation work:
With this mandate and direction in place, management then can initiate
and put into action an implementation approach. To help management
decide where to begin and to ensure that the implementation process
delivers positive results where they are needed most, the following
steps are suggested:
1.      Set up an organizational framework (ideally as part of an overall
Information Security initiative) with clear responsibilities and
objectives and participation from all interested parties that will
take implementation forward and own it as an initiative.
2.      Align Information Security strategy with business goals (the
objective behind merger or an acquisition). Obtain a good
understanding of the business environment, risk appetite and business
strategy as they relate to Information security.
3.      Understand and define the risks. Given the business objectives,
what are the risks relating to IT's ability to deliver against these
objectives? Consider:
a.      Previous history and patterns of performance of both the organizations
b.      Current IT organizational factors
c.      Complexity and size/scope of the new IT environment
d.      Inherent vulnerability of the new IT environment
e.      Nature of the IT initiatives being considered, e.g., new systems
projects, outsourcing considerations, architectural changes, etc.
4.      Define target areas and identify the process areas in IT that are
critical to managing these risk areas.
5.      Analyze current capability and identify gaps. Perform a maturity
capability assessment to find out where improvements are needed most.
6.      Develop improvement strategies, and decide the highest priority
projects that will help improve Information security. This
decision should be based on the potential benefit, ease of
implementation and with a focus on important IT processes and core
competencies. Specific Information security improvement projects as
part of a continuous improvement initiative should be outlined (e.g. an
Information Security awareness training program).
7.      Measure results, establish a scorecard mechanism for measuring
current performance and monitor the results of new improvements
considering, as a minimum, the following key considerations:
a.      Will the organizational structure support strategy implementation?
b.      Are responsibilities for risk management embedded in the organization?
c.      Do infrastructures exist that will facilitate and support the
creation and sharing of vital business information?
d.      Have strategies and goals been communicated effectively to everyone
who needs to know within the organization?
8.      Repeat steps 2 through 7 on a regular basis.

4) Avoiding Hindrances:
There are also some obvious, but pragmatic, rules that management
ought to follow:
• Treat the Information security guidelines implementation initiative
as a project activity with a series of phases rather than a 'one-off'
step.
• Remember that implementation involves cultural change as well as new
processes. Therefore, a key success factor is the enablement and
motivation of these changes.
• Make sure there is a clear understanding of the objectives of the guidelines.
• Manage expectations. In most enterprises, achieving successful
oversight of IT takes time and is a continuous improvement process.
• Focus first on those information security areas which are critical
and have high priority, to make changes, deliver improvements and
build from there one step at a time.
• Avoid the initiative becoming perceived as a purely bureaucratic exercise.
• Avoid the guidelines being used in an unfocused and checklist-type approach.
• Avoid the cultural difference between the two organizations becoming
a major hindrance to the successful implementation of the Information
security Guidelines.


Hope this answers your questions. If you want more or if you didn't
get any point do let me know....


Kind Regards,

Meenal A. Mukadam




On Thu, Jul 17, 2008 at 6:58 PM,  <alfredhitchcock_007 () yahoo com> wrote:
Hi,
I have been tasked to develop a competency in "Information Security in Mergers and Acquisition". I do not know where
to start, since addressing security would start at pre-merger and continue till the analysis of post-merger. Here I would like to
have everybody's opinion on how we go about addressing Information Security in Mergers and Acquisition.

Thanks,
Alfred






-- 
Meenal A. Mukadam

-------------------------------------------------------------
Far away there in the sunshine
are my highest aspirations.
I may/maynot reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead
-------------------------------------------------------------