There are many texts explaining how information security can be affected by company mergers. But what happens when part of your organisation is being sold off, or spun off as a separate company? Michael Pike, CISSP, an information security consultant with experience in the financial and public sectors, explains how to get it right.
I've been involved at the sharp end of both mergers and de-mergers, with responsibility for ensuring that data is kept secure. In such complex situations, it's often difficult to know how or where to start, so what follows are my suggestions about what to consider.
First, when is the new company due to launch? This isn't necessarily a deadline for cutting off IT services, because one company may continue to provide some IT services to the other. However, the new company will be a separate legal entity, and so you should plan to put relevant security boundaries in place before the start date.
I recently saw one de-merged company that needed continued access to a shared database, because separating and exporting the data couldn't be completed by the start date. That was fine, but both companies needed to decide who owned the data, what data could be shared, who supported the database, and whose security policy took precedence. Only then could they start drawing boundaries and decide on appropriate access controls.
One way to help resolve such situations is to get senior management from both sides to formally agree the responsibilities for information security well in advance. Once this is agreed, you can get other staff around the table to sort out lower-level details like security boundaries, access controls and exporting data securely.
If you're a permanent staff member you may already know the staff in the new company. Unfortunately, you cannot automatically trust the new company on this basis, and this is one of those business situations where you have to put personal issues to one side.
For example, if the new company hires temporary IT staff who end up accidentally deleting your data, you may have little recourse other than legal action. Unless you've carried out a due diligence exercise on the new company, similar to the one you would carry out on a new supplier, you won't know what background checks it will perform on new staff, or how it will secure its side of the network. Don't assume they will adopt your existing policies! However, it's easier to deal with this situation if you already have a rapport with the staff.
Consider physical assets too. Staff ID cards should be handed back or, where they are retained, the access that they grant should be reviewed. Devices such as PCs and mobile phones are sometimes transferred to the new company along with the staff who use them, but should the data stored on the device be transferred too? Finally, don't forget to cancel login IDs and remote access as soon as practical.
Just imagine that the new company could be bought up by your biggest competitor the very next day. Although this is unlikely to happen, it should focus your attention on establishing boundaries, agreeing responsibilities, and ensuring that access controls are robust.
De-mergers are rarely simple or straightforward, but they can be far less painful once the correct foundations are in place.
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)².