Re: Information Security in Mergers and Acquisition

It's probably been covered to some degree, especially in Meenal A.
Mukadam's great response, but I wanted to call it out specifically:

During the pre-merger "due diligence" phase it is critical (IMO) to do
a gap analysis between the regulatory compliance posture of the merger
candidate and the acquiring organization. As was mentioned before,
with respect to IP licensing, you also acquire liability. The board
must be made aware of any possible regulatory compliance issues (PCI,
SOX, etc) as early in the process as possible.

Getting this right can expose and hopefully decrease the financial and
legal risks of the transaction and is an area where the security
organization can show some significant value.


On Sat, Jul 19, 2008 at 4:57 AM, Ido Ganor <iganor@xxxxxxxxxxxxxxx> wrote:

I would start with:
1) A gap analysis document between buyer's and acquirer's security
2) For each of the organizations - a gap analysis between "actual"
policies and procedures and the "written" security policies.
3) Based on the above documents (and management input) put a "new"
security policy and get management sign-off.
4) Put a plan of what's required to be done for each "organization" to
adopt the merged security policy.

Obviously it is easier said than done!


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Daniel I. Didier
Sent: Friday, July 18, 2008 5:05 PM
To: alfredhitchcock_007@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Information Security in Mergers and Acquisition

Haven't I seen you in some splendid mysteries? :)

While I can't provide you with a complete overview of this process, I
will provide some valuable insight. Recently we had a very similar
situation and the topic of legal liability over licensing came into
question (Any hardware / software licensing). While some may argue that
this isn't information security / assurance, I think that it fits very
well into our bailiwick as it can present great financial and legal

To make a long story short, when acquiring an organization, liability is
also acquired. If the target organization does not have sufficient
licensing for the hardware and especially software they are using, you
will assume this liability if not properly addressed before the
acquisition. This should be carefully reviewed as part of the overall
IT security assessment. If it is found that licensing is out of
compliance, this must be rectified as it could lead to HUGE fines from
the Business Software Alliance (BSA) - the potential for financial
damage is simply tremendous. Be careful!

To more specifically address your question about how to handle infosec
in mergers and acquisition, I would suggest you start at the top and
work your way down. This means first and foremost reviewing both
organizations' information security policies; do they match (heck, do
they even exist?), are they at opposite extremes? Can either
organization assume the risk of the other without changes to the policy
(most likely, no), what does your team think about the overall policy

The next step would be to see how effective the policies are; Does the
policy have active procedures, are there monitoring, auditing, and
enforcement mechanisms? Is the policy integrated into the business
process, or is it simply there because they have a requirement to have

Once you quantify the effectiveness of the policies and to what level
infosec is integrated into the business, you can then start looking at
the nuts and bolts. Perhaps this could happen in unison with the
security policy review.

*Side note - I'm assuming you are on the acquiring side, is this true?
If so, you'll be the one driving this and need to ensure the target
organization is up to your level of security. You'll need to identify
gaps, and most likely produce a plan to identify what has to happen, how
long, and how much to bring them up to your specification.

As I was saying, I believe you'll need to do a business risk assessment
and a subsequent technology assessment. Perhaps you'll even want to
employ some type of overall network security review that can then be
related back to the business and technology risk assessment.

I hope my thoughts help with your task at hand. Let me know what you
think and if I can be of more assistance.


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
On Behalf Of alfredhitchcock_007@xxxxxxxxx
Sent: Thursday, July 17, 2008 9:28 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Information Security in Mergers and Acquisition


I have been tasked to develop a competency in "Information Security in
Mergers and Acquisition". I do not know where to start, since
security would start at pre-merger and run till the analysis of post-merger.
I would like to have everybody's opinion on how we go about
Information Security in Mergers and Acquisition.



__________ Information from ESET NOD32 Antivirus, version of virus
signature database 3281 (20080718) __________

The message was checked by ESET NOD32 Antivirus.

