RE: Information Security in Mergers and Acquisition



Alfred,

I would start with:
1) A gap analysis document between buyer's and acquirer's security
policies.
2) For each of the organizations - a gap analysis between "actual"
policies and procedures and the "written" security policies.
3) Based on the above documents (and management input) put a "new"
security policy and get management sign-off.
4) Put a plan of what's required to be done for each "organization" to
adopt the merged security policy.

Obviously it is easy said than done!

Ido

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Daniel I. Didier
Sent: Friday, July 18, 2008 5:05 PM
To: alfredhitchcock_007@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Information Security in Mergers and Acquisition

Alfred,
Haven't I seen you in some splendid mysteries? :)

While I can't provide you with a complete overview of this process, I
will provide some valuable insight. Recently we had a very similar
situation and the topic of legal liability over licensing came into
question (Any hardware / software licensing). While some may argue that
this isn't information security / assurance, I think that it fits very
well into our bailiwick as it can present great financial and legal
liability.

To make a long story short, when acquiring an organization, liability is
also acquired. If the target organization does not have sufficient
licensing for the hardware and especially software they are using, you
will assume this liability if not properly addressed before the
acquisition. This should be carefully reviewed as part of the overall
IT security assessment. If it is found that licensing is out of
compliance, this must be rectified as it could lead to HUGE fines from
the Business Software Alliance (BSA) - the potential for financial
damage is simply tremendous. Be careful!

To more specifically address your question about how to handle infosec
in mergers and acquisition, I would suggest you start at the top and
work your way down. This means first and foremost reviewing both
organizations information security policies; do they match (heck, do
they even exist?), are they at opposite extremes? Can either
organization assume the risk of the other without changes to the policy
(most likely, no), what does your team think about the overall policy
differences?

The next step would be to see how effective the policies are; Does the
policy have active procedures, are there monitoring, auditing, and
enforcement mechanisms? Is the policy integrated into the business
process, or is it simply there because they have a requirement to have
one?

Once you quantify the effectiveness of the policies and to what level
infosec is integrated into the business, you can then start looking at
the nuts and bolts. Perhaps this could happen in unison with the
security policy review.

*Side note - I'm assuming you are on the acquiring side, is this true?
If so, you'll be the one driving this and need to ensure the target
organization is up to your level of security. You'll need to identify
gaps, and most likely produce a plan to identify what has to happen, how
long, and how much to bring them up to your specification.

As I was saying, I believe you'll need to do a business risk assessment
and a subsequent technology assessment. Perhaps you'll even want to
employ some type of overall network security review that can then be
related back to the business and technology risk assessment.

I hope my thoughts help with your task at hand. Let me know what you
think and if I can be of more assistance.

Dan
http://www.NetSecureIA.com


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of alfredhitchcock_007@xxxxxxxxx
Sent: Thursday, July 17, 2008 9:28 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Information Security in Mergers and Acquisition

Hi,

I have been tasked to develop a competency in "Information Security in
Mergers and Acquisition". I do not know where to start. Since
addressing
security would start at pre-merger till the analysis of post merger.
Here
I would like to have everybody's opinion on how to we go about
addressing
Information Security in Mergers and Acquisition



Thanks,

Alfred



__________ Information from ESET NOD32 Antivirus, version of virus
signature database 3281 (20080718) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



__________ Information from ESET NOD32 Antivirus, version of virus
signature database 3281 (20080718) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com