Security Manager's Journal: M&A network integration calls for a frame approach

Top Stories

Related

• Clues point to Jan. 13 release of Windows 7 beta
• Microsoft releases Vista SP2 beta
• Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
• IBM wants info from Apple execs in Papermaster case
• License server glitch exposes SonicWall users to e-mail security threats
• Report: Former AOL chief exec tries to raise funds to buy Yahoo

• Moving to a start-up? Fasten your seatbelt
• License server glitch exposes SonicWall users to e-mail security threats
• Clues point to Jan. 13 release of Windows 7 beta
• Chinese city requires Net cafes to use legitimate software
• U.S. Report: Major terror attack by 2013

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

May 5, 2008 (Computerworld) Mergers and acquisitions can be tricky from a security standpoint. In a way, that's because they tend to be rare, and so they present us with situations we don't encounter week to week in our work as security managers.

Then there's my job.

Acquisitions are fairly common at my company. In our industry, it's often easier to acquire a company that has a product we're interested in than it is to develop something ourselves. Sometimes we want to capture a customer base or increase our competitiveness in a market.

One thing all these acquisitions have in common is that I find out about them the same time as the rest of the world, during the public announcement. There was one the other day. This time, we're acquiring a company whose headquarters and data center are in Europe. It also has major operations in China and Hong Kong.

I've been told that the employees of the acquired company need to be connected to our network on Day One -- the day both companies sign all binding agreements. But it's the joining of networks, of course, that's perilous.

Full integration of our networks would require careful study of the target company's environment. Unfortunately, the target has been reluctant to provide information, and it won't let anyone from our IT department do an on-site assessment. This is somewhat understandable, since we haven't inked the deal yet. But if we're going to provide access on Day One, something's got to give.

I always start off with a security questionnaire. The responses help focus my efforts during the security assessment, but they aren't a replacement for a thorough review. In fact, the one time I let a network integration go ahead based entirely on the answers to a questionnaire, we ended up with a major virus and worm outbreak that affected several thousand desktops and dozens of servers. I'll never do that again.

The questionnaire primarily focuses on things like patch management, antivirus efforts, firewalls, remote access, third-party relationships, security policies, wireless practices, history of security incidents and intellectual property protection. There are more than 50 questions -- enough to give me a feel for how serious a company is when it comes to security.

No Go

This target's responses, though, didn't give me any real sense of its security posture. So I can't approve Day One integration.

Now the question becomes, just what kind of connectivity are we talking about? Will the new employees need access to engineering labs and source-code repositories? Or are we talking about e-ail and human resources materials? As it turns out, what is actually needed on Day One is access to e-mail accounts and our intranet page with benefits information.