IT integration and security standardization during M&A

Integration of IT and security during mergers and acquisitions comes with its own baggage. Manish Dave of Essar sheds light on simplifying the process.

Mergers and acquisitions are usually secretive affairs conducted by small teams. In such times, seasoned IT managers also know that their IT integration headaches are just beginning.

In a perfect world, the acquisitions team works seamlessly with IT to share all relevant details like the geographical location, requirements and so on for IT integration. In real-world conditions, this is a pipe dream. What is feasible is that IT shares its integration plans as part of the ongoing acquisition/merger. Even if the integration team gets just the IT infrastructure’s details, it will go a long way in the preparations for a proposed merger. So the IT team should begin by outlining requirements.

Integration strategy and challenges

Define a clear strategy about the organization’s openness towards adoption of new processes during IT integration. Establish a process to deal with product differences in basic infrastructural checkboxes like antivirus and DLP, as well as marriage of these technologies (if necessary).

It’s essential to maintain clarity on decisions like robust processes or need for central administration. Detail what to do in situations where hardware and versions are superior to the existing standard, but not covered under company policy. In most cases, migration is outsourced in its entirety for all business aspects, including IT. Formulation of the IT integration strategy rests solely with the parent company.

During IT integrations, the typical starting point involves measures like on-boarding of employees to the organization’s Active Directory (in Microsoft environments). Here execution is the key: is it done through a federated arrangement, or does it involve migration of all users into the parent organization’s domain? Further issues may concern merging of Internet-facing servers with existing company websites.

Today you have the option to move non-critical systems to the cloud. This facilitates access to existing data for both entities. Access to core applications can be through federation using services like Microsoft Active Directory Federation Services (ADFS) in Microsoft environments, which can be used for LDAP-based cross-domain authentication.

Data laws of the land also play a role at this stage, as classification of information and intellectual property laws differ across countries. In order to support the new entity from a central hub, legal implications should be closely studied during integration. For example, what might be described as sensitive in the UK might not be so in India. Appropriate mapping and classification of data taking this difference into account should be performed during a cross-border acquisition.

Preserving organizational culture against disruption is another challenge that exists during mergers and acquisitions. While rectification of major gaps requires significant changes, apply process-level fine tuning wherever possible to avoid disruption of existing frameworks.

Ensure smooth security integration and standardization

Policy alignment largely depends on the terms of acquisition. In a 100% takeover, this can be dictated by the parent organization.

Pushing infosec policies across global locations is not easy. So adapt and align local policies to the parent company’s policies during IT integration rather than blanket restructuring. Parent/apex policies are meant to be considered as guidelines in these situations. At times, the purpose mentioned in security policies might be achieved in a different manner using controls elsewhere. Existence of compensatory controls should justify how the associated processes are deemed as aligned to the parent policies.

To extend existing organizational compliance and certifications to newly acquired entities in an IT integration exercise, a set of baseline security practices is essential. The focus can be on controls rather than a particular company or product. Controls like the latest anti-virus engine/definitions or updating platforms to a certain version (Windows 7 or similar) and Ethernet connectivity can be defined as a basic requirement. A gap assessment audit can be performed to determine missing aspects. A blind scramble to extend compliance without defining need or a reference point will prove expensive.

Consider the following steps to securely integrate an entity’s infrastructure with your existing setup.

  1. Take full backups of existing systems before initiating IT integration. Existing backups can be used, provided the infrastructure and support to restore exists (for example, aspects like technology, type of tape devices and applications).
  2. Sanitize the environment to be brought on board before you begin IT integration.
  3. Initially treat the company being acquired as a third party or outsider accessing your systems. Enforce strict controls during initial integration. These controls can be relaxed in a phased manner.
  4. Secure all critical systems and data for both companies, and keep them separate. Initially look at migration of non-critical applications and data. Once the acquisition reaches a certain level of maturity, consider core apps and data for migration.
  5. Application experts must carefully assess custom/in-house applications to determine requirements to bring them into the parent organization’s IT environment. Put these apps through customary VA/PT exercises prior to integration.
  6. Take adequate safety measures against disgruntled employees. Review employee contracts—which may be of several types in certain countries—to determine your area of highest risk in the initial phase. Although not directly related to IT systems, it is essential for information security.

About the author: Manish Dave is Group CISO at Essar Group.

(As told to Varun Haran)


