Mergers and Acquisitions - Securing the Union
Gideon T. Rasmussen - CISSP, CISM, CFSO, SCSA
and acquisitions are sensitive matters that must be handled
with the utmost care and due diligence. A great deal of
complexity arises out of combining two organizations. With
complexity comes the potential for chaos and disorder.
security personnel should be involved from start of the
merger/acquisition process. Information pertaining to the
merger must be kept confidential, since premature disclosure
can jeopardize the outcome. During the early discovery stages,
consider the sensitivity of information carefully before
disclosing anything to the outside organization. After all,
there is the potential that the merger will not occur.
a review as early as possible. Determine the security posture
of the outside organization and the implications of merging
with them. Mergers will affect people, process and technology.
Parachute in, hit the ground running and gather as much
information as you can.
teams must adjust to fit the scale of the organization.
Both teams should combine as soon as the merger is official.
Consider the organization's security culture. If the culture
is poor, take the appropriate steps to improve it (e.g.
implement a security awareness program to reinforce policy).
the two entities merge, reorganization is necessary to increase
efficiency and eliminate duplicate functions. Areas typically
affected are executive staff, human resources and occasionally
accounting. In the event that layoffs occur due to redundant
personnel, every effort should be made to ensure that terminated
employees are treated with care and consideration. Sensitive
interaction helps prevent disgruntled employees. Ensure
that policies and procedures exist to ensure systematic
removal of accesses.
accounting departments will need to integrate seamlessly
in a very short span of time. Financial reporting must be
accurate and on time. If the Sarbanes Oxley Act applies,
assign that responsibility to someone right away.
whether fundamental security objectives are being met. Assign
accesses by the concept of "least privilege."
Make certain that separation of duties is in place. Distribute
sensitive information only to those with a business-related
need-to-know. Password policies should be signed off by
employees and enforced by operating systems and applications.
Send backups to a secure off-site facility each morning.
Routinely update and test business continuity and disaster
recovery plans. The System Development Life Cycle should
be followed to include separate build environments, strict
change control and security built in from the design phase.
office space should comply with best practices as well.
Look for sensitive information that is posted or left out
in the open. Sensitive documents should be encrypted or
kept under lock and key. Workstations should be configured
to lock with a password-protected screen saver after a period
of inactivity. Look for single points of failure in people
and process. Ask how the organization disposes of sensitive
documents and hard drives.
the general security policy. Determine whether departmental
policies exist. Departmental policies clarify how the general
policy applies in that functional area. Security policies
must be updated to include changes such as multiple sites
and local security regulations. Every employee should sign
off on the new policies.
that incident response procedures exist. Test physical security.
Try breaching the lobby with another person during a high
traffic period. As you walk by, shake your head and say,
"We're going to be here all night."
organizations will need network connectivity to communicate
effectively. Evaluate the security of the outside organization's
external perimeter before establishing network connectivity.
Minimum documentation should include a diagram of the external
perimeter. Understand how remote access and partner connections
are secured. Next test the controls in place with a comprehensive
penetration test. Finally, limit traffic flow between the
two organizations with granular firewall rules. In passing
take note of operating system hardening, patch levels, anti-virus
definitions, critical applications, the works. Ensure that
systems are monitored for intrusion and availability. Confidential
information must be encrypted and secured with proper authentication.
the organizations combine, capacity issues may immerge.
Carefully monitor any system affected by the merger (e.g.
mail and file servers). Ensure that licensing is adequate
for the new enterprise and take advantage of volume discount
most cases, the initial review will be somewhat limited
due to time and resource constraints. Attempt to cover the
breadth of information security, gathering as much information
as possible. Schedule follow-up audits of infrastructure,
security, development, human resources and accounting. Prepare
a formal report and work against the findings with a project
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission