Computerworld - During the past few weeks, almost all of my time has been devoted to creating security standards in order to comply with the requirements of the Sarbanes-Oxley Act. That changed this week after a sudden acquisition led to a frantic, last-minute security audit.
Prior to this interruption, I had made quite a bit of progress. My standards document is now up to about 70 pages. I've tried to keep it short and sweet, but it's difficult to do that and be comprehensive. The hardest aspect of creating robust security standards is ensuring that they're meaningful. Sure, I can do research and create a document. But the resulting policy may not be applicable to my company's way of doing business or to the way it deploys a particular technology.
To ensure that my standards are relevant, I'll have to meet with each group to which each standard applies, review what the group is doing and compare that with my best practices. Then I'll have to change my standards to balance the company's security needs with what each department is doing. If I create a standard that forces a group to change how it conducts business, users simply won't comply.
But all this went on the back burner today when my company announced the acquisition. The IT security group was given just three days to complete a merger-and-acquisition due-diligence report -- far short of the two to three weeks we usually have to complete such an assessment. Luckily, the company we're acquiring has fewer than 40 employees and only one office.
When we acquire a company, we need to understand the security controls around what we're acquiring, whether it's people, a product or a customer base. We can't just assume that the company is doing business in a secure manner -- especially since this one is a start-up. We also need to identify security issues quickly.
I was once in a situation where an employee of an acquired company, fearing a layoff, copied the entire customer database, compressed it and stored it on a Universal Serial Bus flash memory disk. Fortunately, he then forgot the disk in a conference room. We discovered the data only when someone decided to plug the device into his USB port to figure out who owned it. The staffer, who ironically hadn't been targeted for a layoff, was let go after we found him roaming the halls asking if anyone had seen his USB disk.
For this acquisition, we're interested in the company's software. In this case,
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
