Mergers and Acquisitions - Securing the Union
Gideon T. Rasmussen - CISSP, CISM, CFSO, SCSA

Mergers and acquisitions are sensitive matters that must be handled with the utmost care and due diligence. A great deal of complexity arises out of combining two organizations. With complexity comes the potential for chaos and disorder.

Information security personnel should be involved from the start of the merger/acquisition process. Information pertaining to the merger must be kept confidential, since premature disclosure can jeopardize the outcome. During the early discovery stages, consider the sensitivity of information carefully before disclosing anything to the outside organization. After all, there is the potential that the merger will not occur.

Conduct a review as early as possible. Determine the security posture of the outside organization and the implications of merging with them. Mergers will affect people, process and technology. Parachute in, hit the ground running and gather as much information as you can.


Security teams must adjust to fit the scale of the organization. Both teams should combine as soon as the merger is official. Consider the organization's security culture. If the culture is poor, take the appropriate steps to improve it (e.g. implement a security awareness program to reinforce policy).

As the two entities merge, reorganization is necessary to increase efficiency and eliminate duplicate functions. Areas typically affected are executive staff, human resources and occasionally accounting. In the event that layoffs occur due to redundant personnel, every effort should be made to ensure that terminated employees are treated with care and consideration. Sensitive interaction helps prevent disgruntled employees. Make sure that policies and procedures exist for the systematic removal of access.

Both accounting departments will need to integrate seamlessly in a very short span of time. Financial reporting must be accurate and on time. If the Sarbanes-Oxley Act applies, assign that responsibility to someone right away.


Determine whether fundamental security objectives are being met. Assign accesses by the concept of "least privilege." Make certain that separation of duties is in place. Distribute sensitive information only to those with a business-related need-to-know. Password policies should be signed off by employees and enforced by operating systems and applications. Send backups to a secure off-site facility each morning. Routinely update and test business continuity and disaster recovery plans. The System Development Life Cycle should be followed to include separate build environments, strict change control and security built in from the design phase.

The office space should comply with best practices as well. Look for sensitive information that is posted or left out in the open. Sensitive documents should be encrypted or kept under lock and key. Workstations should be configured to lock with a password-protected screen saver after a period of inactivity. Look for single points of failure in people and process. Ask how the organization disposes of sensitive documents and hard drives.

Review the general security policy. Determine whether departmental policies exist. Departmental policies clarify how the general policy applies in that functional area. Security policies must be updated to include changes such as multiple sites and local security regulations. Every employee should sign off on the new policies.

Ensure that incident response procedures exist. Test physical security. Try breaching the lobby with another person during a high traffic period. As you walk by, shake your head and say, "We're going to be here all night."


Both organizations will need network connectivity to communicate effectively. Evaluate the security of the outside organization's external perimeter before establishing network connectivity. Minimum documentation should include a diagram of the external perimeter. Understand how remote access and partner connections are secured. Next, test the controls in place with a comprehensive penetration test. Finally, limit traffic flow between the two organizations with granular firewall rules. In passing, take note of operating system hardening, patch levels, anti-virus definitions, critical applications, the works. Ensure that systems are monitored for intrusion and availability. Confidential information must be encrypted and secured with proper authentication.
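One way to check that the interconnect rules between the two organizations are actually granular is shown below. This is an added example, not part of the original article. The networks, rule names and the two width thresholds are constructed assumptions, not values from any real firewall or policy.

```python
import ipaddress

# Constructed sample: interconnect rules between two merging organizations.
# Networks, rule names and both thresholds are assumptions for illustration.
ORG_A = ipaddress.ip_network("10.10.0.0/16")
ORG_B = ipaddress.ip_network("172.20.0.0/16")
MAX_HOSTS = 256   # assumed policy: an endpoint wider than a /24 is not granular
MAX_PORTS = 10    # assumed policy: more ports than this in one rule is not granular
RULES = [
    {"name": "mail-relay", "action": "allow", "src": "10.10.5.20/32", "dst": "172.20.8.25/32", "proto": "tcp", "ports": "25"},
    {"name": "temp-migration", "action": "allow", "src": "10.10.0.0/16", "dst": "172.20.0.0/16", "proto": "any", "ports": "any"},
    {"name": "file-share", "action": "allow", "src": "172.20.30.0/24", "dst": "10.10.9.40/32", "proto": "tcp", "ports": "445"},
    {"name": "vendor-app", "action": "allow", "src": "0.0.0.0/0", "dst": "10.10.9.41/32", "proto": "tcp", "ports": "8000-9000"},
    {"name": "default", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "ports": "any"},
]

def port_count(spec):
    if spec == "any":
        return 65536
    spans = (part.partition("-") for part in spec.split(","))  # '25' or '8000-9000'
    return sum(int(hi or lo) - int(lo) + 1 for lo, _, hi in spans)

def audit(rules, nets=(ORG_A, ORG_B)):
    findings = {}
    for r in rules:
        if r["action"] != "allow":
            continue  # only allow rules open a path between the organizations
        issues = []
        for side in ("src", "dst"):
            net = ipaddress.ip_network(r[side])
            if not any(net.subnet_of(n) for n in nets):
                issues.append(f"{side} {net} is outside both organizations")
            elif net.num_addresses > MAX_HOSTS:
                issues.append(f"{side} {net} is wider than {MAX_HOSTS} addresses")
        if r["proto"] == "any":
            issues.append("protocol is not restricted")
        if port_count(r["ports"]) > MAX_PORTS:
            issues.append(f"ports '{r['ports']}' cover more than {MAX_PORTS} ports")
        if issues:
            findings[r["name"]] = issues
    # The ruleset must end in a catch-all deny so unlisted traffic is dropped.
    last = rules[-1] if rules else None
    if not last or (last["action"], last["src"], last["dst"]) != ("deny", "0.0.0.0/0", "0.0.0.0/0"):
        findings["<ruleset>"] = ["no explicit default deny as the final rule"]
    return findings

if __name__ == "__main__":
    for name, issues in audit(RULES).items():
        print(name, "->", "; ".join(issues))
```

Broad "temporary" rules created to speed up a migration are the ones this kind of review tends to surface, so it is worth rerunning after each integration milestone.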

As the organizations combine, capacity issues may emerge. Carefully monitor any system affected by the merger (e.g. mail and file servers). Ensure that licensing is adequate for the new enterprise and take advantage of volume discount opportunities.

In most cases, the initial review will be somewhat limited due to time and resource constraints. Attempt to cover the breadth of information security, gathering as much information as possible. Schedule follow-up audits of infrastructure, security, development, human resources and accounting. Prepare a formal report and work against the findings with a project plan.

Copyright 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission