Re: Information Security in Mergers and Acquisition

["Dan Anderson" <dan-anderson () cox net>]

It's probably been covered to some degree, especially in Meenal A.
Mukadam's great response, but I wanted to call it out specifically:

During the pre-merger "due diligence" phase it is critical (IMO) to do
a gap analysis between the regulatory compliance posture of the merger
candidate and the acquiring organization.  As was mentioned before,
with respect to IP licensing, you also acquire liability.  The board
must be made aware of any possible regulatory compliance issues (PCI,
SOX, etc) as early in the process as possible.

Getting this right can expose and hopefully decrease the financial and
legal risks of the transaction and is an area where the security
organization can show some significant value.

Dan

On Sat, Jul 19, 2008 at 4:57 AM, Ido Ganor <iganor () ipvsecurity com> wrote:
> Alfred,
>
> I would start with:
> 1) A gap analysis document between buyer's and acquirer's security
> policies.
> 2) For each of the organizations - a gap analysis between "actual"
> policies and procedures and the "written" security policies.
> 3) Based on the above documents (and management input) put a "new"
> security policy and get management sign-off.
> 4) Put a plan of what's required to be done for each "organization" to
> adopt the merged security policy.
>
> Obviously it is easy said than done!
>
> Ido
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Daniel I. Didier
> Sent: Friday, July 18, 2008 5:05 PM
> To: alfredhitchcock_007 () yahoo com; security-basics () securityfocus com
> Subject: RE: Information Security in Mergers and Acquisition
>
> Alfred,
> Haven't I seen you in some splendid mysteries? :)
>
> While I can't provide you with a complete overview of this process, I
> will provide some valuable insight.  Recently we had a very similar
> situation and the topic of legal liability over licensing came into
> question (Any hardware / software licensing).  While some may argue that
> this isn't information security / assurance, I think that it fits very
> well into our bailiwick as it can present great financial and legal
> liability.
>
> To make a long story short, when acquiring an organization, liability is
> also acquired.  If the target organization does not have sufficient
> licensing for the hardware and especially software they are using, you
> will assume this liability if not properly addressed before the
> acquisition.  This should be carefully reviewed as part of the overall
> IT security assessment.  If it is found that licensing is out of
> compliance, this must be rectified as it could lead to HUGE fines from
> the Business Software Alliance (BSA) - the potential for financial
> damage is simply tremendous.  Be careful!
>
> To more specifically address your question about how to handle infosec
> in mergers and acquisition, I would suggest you start at the top and
> work your way down.  This means first and foremost reviewing both
> organizations information security policies; do they match (heck, do
> they even exist?), are they at opposite extremes?  Can either
> organization assume the risk of the other without changes to the policy
> (most likely, no), what does your team think about the overall policy
> differences?
>
> The next step would be to see how effective the policies are; Does the
> policy have active procedures, are there monitoring, auditing, and
> enforcement mechanisms?  Is the policy integrated into the business
> process, or is it simply there because they have a requirement to have
> one?
>
> Once you quantify the effectiveness of the policies and to what level
> infosec is integrated into the business, you can then start looking at
> the nuts and bolts.  Perhaps this could happen in unison with the
> security policy review.
>
> *Side note - I'm assuming you are on the acquiring side, is this true?
> If so, you'll be the one driving this and need to ensure the target
> organization is up to your level of security.  You'll need to identify
> gaps, and most likely produce a plan to identify what has to happen, how
> long, and how much to bring them up to your specification.
>
> As I was saying, I believe you'll need to do a business risk assessment
> and a subsequent technology assessment.  Perhaps you'll even want to
> employ some type of overall network security review that can then be
> related back to the business and technology risk assessment.
>
> I hope my thoughts help with your task at hand.  Let me know what you
> think and if I can be of more assistance.
>
> Dan
> http://www.NetSecureIA.com
>
>
> > -----Original Message-----
> > From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com]
> > On Behalf Of alfredhitchcock_007 () yahoo com
> > Sent: Thursday, July 17, 2008 9:28 AM
> > To: security-basics () securityfocus com
> > Subject: Information Security in Mergers and Acquisition
> >
> > Hi,
> >
> > I have been tasked to develop a competency in "Information Security in
> > Mergers and Acquisition". I do not know where to start. Since
> addressing
> > security would start at pre-merger till the analysis of post merger.
> Here
> > I would like to have everybody's opinion on how to we go about
> addressing
> > Information Security in Mergers and Acquisition
> >
> >
> >
> > Thanks,
> >
> > Alfred
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 3281 (20080718) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 3281 (20080718) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com