Merger Interrupts Sarb-Ox Project

Computerworld - The first e-mail I got this week was a meeting invite with the subject line "Emergency discussion of merger and acquisition items for recent acquisition." Once again, the company made an acquisition and informed the IT organization only after the deal was signed.
We understand that these deals need to be kept under wraps for legal reasons. The problem is that if we discover an issue that might affect the deal, it's difficult to go back and change the agreement. And dealing with issues related to the acquisition meant we had to temporarily stop working on our Sarbanes-Oxley compliance project.
Griping aside, we took part in the conference call and learned that the acquired firm has fewer than 50 employees, all of whom work in one location, and it does no software development outside the country. This definitely made life a lot easier for me.
The most important order of business was to get the new employees configured so they could access our intranet, use e-mail and sign up for benefits and payroll. From a security perspective, before we provided VPN client software or created a point-to-point VPN tunnel, we had to make sure that we wouldn't be introducing malicious code or activity from their environment into ours. We accomplished this by reviewing desktop configurations, ensuring that they were using antivirus software and conducting a scan of the desktop IP address space.
We had only a few hours to conduct our work, so I prioritized and started on the network scans. I got a listing of their IP address space and used Nessus, a freely available port scanner, to run a scan of the corporate desktop addresses.
The results were of some concern. Most Windows desktops hadn't been patched in almost nine months -- an eternity for Windows systems. In addition, several Linux desktops were running vulnerable versions of applications like Secure Shell and Sendmail. And some users were running Telnet, an insecure remote-access utility. Since we were short on time, we gave the company's IT manager our Linux security guidelines and a copy of the assessment report.

For the Windows desktops, we had users install the latest patches and our corporate antivirus software. Our other immediate goal was to identify and take control of critical assets. This included a content versioning system repository containing the company's source code, a workstation housing the company's financials and HR files, and backup tapes, which were being stored at an employee's home.
In general, the acquisition assessment went well. Other than the desktop