Embarking on a merger/acquisition with another company doesn’t have to be a messy process, so long as you do your due diligence and conduct a proper investigation into the target’s information security. It’s of paramount importance that you request key security documents as early as possible.
Review key documentation, such as:
- Asset Inventory: Knowing what assets currently exist enables you to determine which security protocols to maintain, or to institute where they were lacking on the acquisition's end. The inventory should cover every piece of networked equipment, from copiers, printers, fax machines, employee desktops, laptops, tablets and smartphones through to Internet of Things (IoT) devices.
- Software Inventory: Is the company running current versions of all software on the premises? Some applications may be hopelessly out of date, representing a severe security issue. Or there may be software that is incompatible with applications your company considers core.
Allowing the merger to go through without thoroughly investigating the physical assets and software could be a recipe for disaster, for instance if the target's poor security ends up causing problems for your own equipment.
Change Management Procedures
You’ll want to know whether the target has a process to review, approve and keep track of changes to its critical systems. Without a policy to do this, it will be up to your team to create change management procedures that everyone can follow, going forward.
Information Security Policies and Procedures
The most pressing question on your mind now should be: "How will we align our information security policies and procedures after the merger?" Basically, you have three options to consider:
- Start over from scratch: This is drastic, but it might be the best approach, since you won't waste time hunting down problems in the existing policies and substituting safer alternatives.
- Choose one set over the other: Here, your IT professionals may have to swallow their pride. If the other company has a better set of policies and procedures, you’ll have to admit the truth and then select theirs.
- Consolidate the policies: If compromise is an overriding goal in your company’s culture, you may prefer to just consolidate the policies of both entities’ information security departments.
Business Continuity Plans, Business Impact Analysis and Disaster Recovery Procedures
Understanding how the acquisition would respond in the event of a disaster, and the security implications of that response, will lead you either to accept their plan or to require them to adopt the one you have been working from.
It’s time to list the critical business processes and systems for analysis in terms of security risk. Is the new company prepared for disruptions that would prompt them to dust off their business continuity plan?
At this point, it's worth asking what kind of backup process they use. If they don't rely on automated backups, this is an area where you will need to bring them up to speed with your security protocols. Assuming the target does maintain backups, find out whether they are stored locally on their own servers or outsourced to a cloud computing services company. How are the backups stored? Is everything encrypted, or can the files be read and modified easily?
In anticipation of a potential disaster, you will want to see if the acquisition has documented the recovery processes for all critical systems.
Regarding your disaster recovery procedures, it's not enough to read about them. You'll need to actually conduct a real-world test to see how the system fares. After all, it's better to experience a failure now, so you can learn and apply the lessons, than to go through an actual disaster with no indication of how your team will react.
Learn how often the acquisition completes routine risk assessments. Then, determine if their findings are remediated and if they are well documented. Keep in mind that this documentation will be at the heart of your information security system after the merger.
Following industry best practice, you should document, review and update your risk assessment at least once every year.
Consult With Information Technology Security Professionals Before You Get Into a Merger/Acquisition
At Intrinium, our professional information technology experts have years of experience helping organizations through complex mergers and acquisitions, with a focus on the security aspects of the union. We are standing by to assist companies in their merger/acquisition activities, to ensure that they maintain, if not increase, their security.
Stay tuned for Part 3 of this series, in which we will cover the basics of reviewing the physical security of the target of your acquisition.