Managing security during acquisition: A merger integration checklist

Security must be carefully managed before and during an acquisition. Mike Cobb proposes a merger integration checklist for security.

When the announcement of a company takeover hits the headlines, most of the attention focuses on the financial aspects of the deal, but it’s just as important to pay attention to the information security implications.

For the acquiring company to maximise the potential of the merger, it is essential that ownership of, and responsibility for, the acquired company's data and systems are transferred securely. Without careful planning and execution of the merger, customer dissatisfaction and loss of reputation are just one incorrectly addressed invoice away. Worse still, compliance and legal obligations can be breached. A merger integration checklist can help both companies maintain the security of their information assets during and after the merger.

In this article, we will discuss the following 12-step checklist for securely transferring ownership of an acquired company’s information assets to the acquiring company.

Merger integration checklist

  1. Appoint overall responsibility for the transfer to one board-level individual.
  2. Identify all information assets of the acquired company.
  3. Assign an owner to be responsible for the transfer of each asset.
  4. Assess the risks that may be encountered during the transition.
  5. Conduct a continuity impact assessment for the transition timeframe.
  6. Capture knowledge of data and policies from staff at both companies.
  7. Back up and mark all records prior to the transfer.
  8. Conduct background checks on new users who will have high-level privileges.
  9. Transfer ownership of information assets in a gradual or parallel manner.
  10. Increase monitoring and user training during transition.
  11. Integrate acquired assets into existing disaster recovery plan.
  12. Update risk profiles for acquired assets.

Planning for security during the merger
Planning for the transfer of personal and sensitive data should begin as soon as possible, with an individual at board level taking overall responsibility. Key tasks will include identifying all of the acquired company’s information assets, mapping and managing the risks, and ensuring the transfer is compliant with legislation such as the Data Protection Act and Freedom of Information Act. If the acquired company has already mapped its assets, the acquiring company should still review and validate the findings, as the two organisations' risk-rating paradigms may be quite different. The acquirer must also conduct a continuity impact assessment so any problems can be handled with the least amount of disruption possible.

Once the acquired company’s information assets have been identified, named individuals at the acquiring company should be assigned responsibility for each asset. Information asset owners from both organisations can then work together to decide how best to manage the transfer, and how and when responsibility and accountability for the risks are to be formally transferred. It may help if some staff from the acquired company are transferred early to the acquiring company to help with integration planning, as they will be familiar with their own in-house systems. This will help the organisation making the purchase better understand any particular technical risks that need to be addressed. A formal knowledge capture exercise to document specialised knowledge of departing employees of the acquired company is also helpful.

When deciding which hardware to transfer, legacy and proprietary systems must be given special consideration. They can’t be scrapped simply because they are old. They may provide critical business services, so sufficient time should be planned to allow any necessary data conversion or transformation in case the acquiring company’s systems can’t access or read proprietary or obsolete data formats.

Security tasks during the merger
The acquiring company must ensure its infrastructure has the capacity and security controls to store and handle the newly acquired data before the transfer of any such data takes place. Data aggregation or accumulation issues may raise the level of risk, requiring additional protection. Data should be backed up prior to being moved and security markings such as asset tags and classification labels should be used during transfer so information and equipment are handled appropriately. The acquiring company’s system configuration records should be up to date prior to the transfer so a known good state can be used as a baseline for post-transfer audits.

The transfer process may create additional threats, which will require additional physical security measures. Wherever possible, try to avoid the use of removable media, particularly when transferring personal information. If it is necessary to use removable media, then ensure all records are encrypted. The individual responsible for the data should handle it personally and not delegate the task of transferring it, keeping in mind the data transferred should be the minimum necessary to achieve the business purpose. Any data or media that isn’t going to be transferred needs to be securely sanitised and disposed of to prevent its accidental release. Of course, business continuity and disaster recovery plans will need to be in place for all services being transferred. Once the transfer is complete, there will be quite a task to integrate all the new assets into existing business continuity and disaster recovery plans.

The transfer of assets and services will likely lead to changes in the risk profile of the departments taking over responsibility, in which case a new risk assessment will be necessary. Most standards require a new risk assessment on accredited systems whenever there is a significant change, as new security measures may be required. Make sure there is time to make systems compliant if standards need to be met, keeping in mind there may be a need for reaccreditation. If transferring personal information, a Privacy Impact Assessment may also be required.

Attempting to move everything at once could result in some critical services failing altogether. It may be feasible to temporarily discontinue or reduce some less essential services until the transfer is completed. Another option is to run a parallel service until the transfer is complete. Some services such as payroll probably won’t need to be transferred as human resources at the acquiring company will take them on. Contracts and service-level agreements (SLAs) with third parties should be reviewed and transferred where they relate to equipment or software support. Policies covering remote working and external connections by third parties will also need to be checked to see if they are still appropriate.

As a result of the acquisition, departments within the acquiring company, such as human resources, finance and customer support, may grow or shrink, and employees from both organisations will need support in dealing with changes to processes and working practices. IT administration and support teams will need help coping with the increase in network users, and there could be a risk to data and equipment from disaffected staff. An increase in protective monitoring should be considered, and clearances and access rights updated according to people’s new roles and responsibilities. Background checks on employees of the acquired company who are being given high-level privileges may be necessary.

If the new data is more sensitive than the acquiring company is accustomed to handling, its overall security culture will need to be improved, with employees made aware of the need to adapt to potential new or different threats. Effective communication is crucial and key roles and responsibilities should be quickly established and communicated to staff. Identify training requirements as soon as possible, such as learning new systems or procedures. Data transfer is not just about preventing and managing a compromise or interruption to services. You need to identify customers and stakeholders and understand their concerns. Above all, make sure your new customers know you’re looking after them and their data.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.