Computerworld - Mergers and acquisitions can be tricky from a security standpoint. In a way, that's because they tend to be rare, and so they present us with situations we don't encounter week to week in our work as security managers.
Then there's my job.
Acquisitions are fairly common at my company. In our industry, it's often easier to acquire a company that has a product we're interested in than it is to develop something ourselves. Sometimes we want to capture a customer base or increase our competitiveness in a market.
One thing all these acquisitions have in common is that I find out about them the same time as the rest of the world, during the public announcement. There was one the other day. This time, we're acquiring a company whose headquarters and data center are in Europe. It also has major operations in China and Hong Kong.
I've been told that the employees of the acquired company need to be connected to our network on Day One -- the day both companies sign all binding agreements. But it's the joining of networks, of course, that's perilous.
Full integration of our networks would require careful study of the target company's environment. Unfortunately, the target has been reluctant to provide information, and it won't let anyone from our IT department do an on-site assessment. This is somewhat understandable, since we haven't inked the deal yet. But if we're going to provide access on Day One, something's got to give.
I always start off with a security questionnaire. The responses help focus my efforts during the security assessment, but they aren't a replacement for a thorough review. In fact, the one time I let a network integration go ahead based entirely on the answers to a questionnaire, we ended up with a major virus and worm outbreak that affected several thousand desktops and dozens of servers. I'll never do that again.
The questionnaire primarily focuses on things like patch management, antivirus efforts, firewalls, remote access, third-party relationships, security policies, wireless practices, history of security incidents and intellectual property protection. There are more than 50 questions -- enough to give me a feel for how serious a company is when it comes to security.
This target's responses, though, didn't give me any real sense of its security posture. So I can't approve Day One integration.
Now the question becomes, just what kind of connectivity are we talking about? Will the new employees need access to engineering labs and source-code repositories? Or are we talking about e-ail and human resources materials? As it turns out, what is actually needed on Day One is access to e-mail accounts and our intranet page with benefits information.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
