mergers and acquisition security - areas of interest

M&A Information Security Areas of Interest (AOI’s) Matthew Rosenquist Cybersecurity Strategist Intel Corp

Posted on 15-Jul-2015


Page 1: Mergers and Acquisition Security - Areas of Interest

M&A Information Security Areas of Interest (AOI’s)

Matthew Rosenquist, Cybersecurity Strategist, Intel Corp


Security does not happen by default.

Mergers and Acquisitions represent a significant risk to organizations as integration and data sharing can expose assets to confidentiality, integrity, and availability threats. Security must identify the risks across a broad scope of areas. This guide is a starting point for M&A security evaluation.


Areas of Interest (AOI)

Information security is as pervasive as information systems. Security aspects are chained together to form a posture, which is only as strong as the weakest link.

M&A InfoSec must scope projects to understand high-risk areas, including those which may conflict with ethical and regulatory expectations.

Determining information security AOI’s is an exercise to:

1. Identify areas which are likely strong and need no further immediate attention

2. Identify areas which will require intervention, attention, or further scrutiny


Strategic Areas of Interest

1. Application, Identity, and Access Management Security

2. Network/DMZ Security

3. Host Security (client, server, PDA, Mid, phone)

4. Data Security and Privacy

5. Security Policy and Training (behavioral security)

6. Security Operations and Support

7. Security Investigations

8. Outsourcing and 3rd Party Security (extranets, etc.)

9. Legal Discovery and Corporate Retentions

10. Crisis Response and BCDR

11. Risk and Threat Analysis

12. Security Business Management and Metrics

13. Information Security Legal

14. HR & Corporate Legal Security

15. Internal Audit

16. Physical Security (corporate/off-site/facilities)

17. External Product Security Design and Incident Response

18. Export Control and Controlled Country Technology Security

19. Security Engineering and Integration

20. Behavioral Security Controls

21. Security Architecture and Strategy

22. Security Regulatory Compliance


Application, Identity, and Access Management Security

Access management is the backbone of controlling which authorized users may access systems and locations. Critical systems and areas should be controlled for both physical and logical access. Poor access management is nearly as detrimental as no access control.

Example areas:

• Security controls (C/I/A) for critical and sensitive applications

• Number of persons accessing, internally and externally, local and remotely

• Identity (Authentication) for access to systems (formal/informal, automated/manual, etc.)

• Access (Authorization) for access to systems

• Integration with physical access systems (proximity badges)


Network/DMZ Security

Securing communications connectivity between systems on the intranet and the Internet is the first line of defense in isolating the spread of malicious activity. Integration with the Internet exposes the organization to a plethora of threats.

Example areas:

• Defense in Depth security (predict, prevent, detect, respond)

• Recent and historical security breaches

• Technical controls – firewalls, proxies, filters, honeypots, etc.

• Update capability, monitoring, and configuration control


Host Security (client, server, PDA, Mid, phone)

The value of computer networks resides on the hosts. This includes both the value of the data and the services they operate for their owners. Compromise of hosts leads to loss of confidentiality, integrity, and availability.

Example areas:

• Number and type of hosts

• Defense in Depth security controls (predict, prevent, detect, respond)

• Recent and historical security breaches?

• Standard host builds (OS, apps, data, usage model, etc.)


Data Security and Privacy

Data can be exposed, altered, stolen, moved, or deleted. Critical and sensitive data must be secured. This includes personal private data, intellectual property, and trade secrets. Various regulations mandate or restrict how data is stored, transmitted, shared/reported, and deleted. Additional requirements may mandate notification to end users and regulatory agencies. In most cases security controls must be well documented, with assurance mechanisms in place.

Example areas:

• Defense in Depth security (predict, prevent, detect, respond)

• Data Destruction policies – reasonable, gaps, defined, communicated, monitored/audited, actualized

• Recent and historical security breaches?


Security Policy and Training

Policy and training lend themselves to behavioral security, insurance against liability actions, and in some cases proof of regulatory compliance. They are one of the best practices in the industry and are considered a first step to any mature security program.

Example areas:

• Policies well documented and current

• Owner for policies, maintenance/care

• Marketing plans for policy dissemination

• Measurements for absorption

• Mandatory end-user training/participation


Security Operations and Support

Security systems must be maintained and issues addressed in support of end users and system administrators. Operations and support ensure controls stay current with the threats and that the system maintains its capability for detection and response.

Example areas:

• Service overview for capabilities and access of systems

• Service Level Agreements

• Scope and roles defined

• Incident volume and resolution

• Issue tracking and reporting capabilities


Security Investigations

Virtually every organization is at risk of compromise, theft, and abuse. The capability to investigate issues is both a preventative (deterrence) and a responsive control. Investigation capability may be successfully outsourced if the proper engagement triggers are in place.

Example areas:

• History of investigations (areas, numbers, impacts)

• Scope and capability of team

• Proper documentation and investigation techniques

• Awareness of local, national, and international regulations


Outsourcing and 3rd Party Security (extranets, ICC’s, etc.)

Outsourcing to 3rd party services (examples: HR, IT, CRM, etc.) is popular, but connectivity and data sharing with such organizations represents a massive risk. The home network may easily be compromised, and the data may be left insecure or tampered with without either party's knowledge or ownership.

Example areas:

• What services and data are outsourced

• Have service providers been audited (SAS70 Type II)

• Do service providers use standard security models

• Do systems connect directly or via bastion/proxy systems in the DMZ


Legal Discovery and Corporate Retentions

Litigation is rapidly evolving to incorporate IT systems into evidence discovery edicts. IT represents a well of discoverable data for civil lawsuits and criminal investigations. Companies must be able to properly respond to LEHN’s (Legal Event Hold Notices) and provide data in a satisfactory and consistent manner.

Example areas:

• What capability to process eDiscovery requests (legal hold orders)

• What capability to gather data across the organization

• Current LEHN’s and disposition

• Designation of persons/team responsible


Crisis Response and BCDR

Everything can be broken. An information security crisis may deliberately be engineered as a complex failure for which normal operating procedures offer no adequate response. Survivability in these situations depends heavily on an effective crisis response and Business Continuity Disaster Recovery (BCDR) capability.

Example areas:

• Documented BCDR processes

• Client/Server backups

• Crisis response teams

• Offsite backup data storage

• Fail-over/secondary redundant systems

• Critical system hot-swap/warm backups

• Key recovery capabilities


Risk and Threat Analysis

Predicting weaknesses, what will be targeted, and who is the gravest threat is paramount in distilling the massive cloud of threats down to the most likely risks. Advanced organizations will maintain this capability in-house, while smaller companies may rely on vendors, service providers, or the FUD principle.

Example areas:

• Risk assessment methodology (OCTAVE, etc.)

• Designated risk evaluation/management group

• Published risk assessments

• Indicators and metrics

• Identified areas of greatest exposure

Security Business Management and Metrics

Organizations with complex, costly, or well-managed security will have some capacity for indicators, measures, and metrics. They should be aligned to critical business capability. If present, these represent key pain points and the areas where security is typically focused.

Example areas:

• Published security metrics

• Responsible group/person to manage and analyze data

• Measurable goals and objectives for security

• ROI, ROSI, or value assessments for security projects


Information Security Legal

Legal counsel is strongly recommended for many different regulatory and litigation areas. Lack of counsel, either internal or external, reflects on the level of maturity of the security organization. This is becoming a specialty field.

Example areas:

• Designated information security attorney

• Regular process to review incidents, contracts, and security plans

• Integration with the security team and established communication expectations

• Data destruction guidelines


HR & Corporate Legal Security

Human Resources and Legal departments have their own longstanding set of legal issues and security requirements. These are specialty fields which should be represented either internally or through outsourcing.

Example areas:

• Employment law alignment and best practices (disgruntled employees, terminations, LDO)

• IP and Trade Secret protections

• Secure data handling and storage

• Data request guidelines and alignment

• Data retention guidelines


Internal Audit

Independent auditing functions are a requirement for some types of businesses and regulations. Lack of a properly represented IA function may be a concern. If present, past IA findings and where they chose to audit can be very telling as to both the security state and the capability of the organization.

Example areas:

• Existence of an independent IA group

• Past audit areas and findings

• Response to past findings and resolutions

• Documentation and quality of audits

• Certifications and associations of auditors

Physical Security (corporate/off-site location/facilities)

As the saying goes, “physical security trumps logical security”. Physical security must be aligned to support information security. The greatest infosec controls may be undermined by poor physical security. This includes site, facilities, communications, personnel, systems, and data areas.

Example areas:

• Co-location sites, trade shows, vendor/customer meetings, product demos, etc.

• Proximity of competitors

• Health/Life Safety computing controlled risks

• Physical security of offices, labs, telecom/network and DCs

• Behavioral controls for physical security

• Historical physical security issues/incidents


External Product Security Design and Incident Response

Product security is gaining more attention and can pull resources from internal security, as internal staff are leveraged for content expertise. Understanding the general security of products may translate into impacts on internal resources.

Example areas:

• Product number, type, and industry

• Past commitment of internal resources

• Known exposures of current products

• Crisis response for newly discovered vulnerabilities

• Integration with necessary internal/external researchers


Export Control and Controlled Country Technology Security

For companies doing business in Controlled Countries or High Performance Computing restricted countries, the US Export Regulations must be actively applied. Business in embargoed countries is forbidden. Ownership must be established and controls put in place.

Example areas:

• Designated responsible parties for export control compliance

• Internal communication and training dissemination

• Listing of controlled/HPC products related to the organization

• Listing of countries where business is being conducted

• Tracking of CC employees

• Technical controls limiting information transfer


Security Engineering and Integration

Security controls rarely apply out-of-the-box for anything but the smallest organization. For larger or more complex environments some level of customization and engineering is required. This is especially true when legacy systems must be sustained.

Example areas:

• Designated engineering group for security

• What custom security solutions exist

• What customization of COTS has been done

• Have external organizations been employed, and if so, what access did they have?


Behavioral Security Controls

People tend to be the weakest link in any system, and they have the creativity and permissions to go outside the controls that limit a computer. A security-savvy user base is one of the strongest controls. A user base which lacks security competencies may represent the single largest threat vector.

Example areas:

• Defense in Depth controls (predict, prevent, detect, respond)

• Documented policies and mandatory training

• Absorption and adherence to policy

• Communications programs

• Deterrence, as part of preventative controls, utilized

• Reinforcement of good security practices, and how they benefit the end-user


Security Architecture and Strategy

Large, regulated, or complex organizations need to have a solid strategy and supporting architecture to manage security.

Example areas:

• Designated architecture/strategy team or person

• Published designs and strategies for different aspects of security and regulation adherence

• Measures and Metrics to track maturity and performance


Security Regulatory Compliance

Information security related regulatory compliance must be confirmed for different types of acquisitions. Information security is being pulled into more areas where data must be assured, kept confidential, and kept available.

Example areas:

• PCI DSS – Payment Card Industry Data Security Standard

• HIPAA – Health Insurance Portability and Accountability Act

• SOX – Sarbanes-Oxley Act

• Privacy – PII, PHI, Web Privacy Policy, COPPA, etc.

• eDiscovery litigation – LEHN – Legal Event Hold Notice

• Export Control Compliance – CC, HPC, Embargoed countries

• Human Resources

• GINA – Genetic Information Nondiscrimination Act

• ADA – Americans with Disabilities Act


Information security is a burgeoning industry. As information technology leaps forward, the velocity of information security must match it.

Think strategic. Act competitive. Be secure.
