Aujas US

An IDG Ventures Company

Information Risk Management and M+As Part 2

Implications: Unavailability of business critical applications preventing access to business data.

Approach

Organizations undergoing merger face challenges during integration in managing costs and risks and in providing long-term business value. Failure to address risks and appropriate control around IT security may escalate costs and incur higher risks.

To ensure that organizations achieve the maximum benefit during systems integration, an effective approach is to:

  • Involve IT security, audit and compliance professionals early in the integration planning along with the business owners. Our experience is that this is generally a reactive effort.
  • Create an Integration team that involves people with prior M&A experience working closely with the IT Integration, IT Security and Compliance teams.
  • Focus early on IT security, risk and control along with IT integration to save cost and time while minimizing risk.

The multidisciplinary team will be better equipped to make informed decisions and move towards realistic targets of integrating people, processes and technology and minimize risk.

Though from an SOX compliance perspective, the SEC does allow organizations acquiring a company to take advantage of a one-year waiver to assess the internal control of the acquiring company, early focus on compliance while integrating IT systems, processes and people will help the combined entity to reduce the cost of compliance and minimize risk.

For the four challenges identified above, this is our approach:

1. To address compliance requirements and establish an effective and efficient internal control and risk environment for the combined entity

  • Identify key risk and control owners for the combined entity.
  • Engage experienced finance and audit personnel for maintaining compliance during transition
  • Perform a top-down risk assessment to identify the risk profile of the combined entity and gaps existing in the risk and control environment
  • Develop a remediation work stream to fix deficiencies
  • Determine which entity’s compliance processes are the most efficient, or what needs to be modified to form a new compliance process
  • As units, functions, geographies, and processes merge, remove redundant controls, while keeping key controls to address the risks
  • Develop risk-based test plans that direct effort and resources to the controls that are related to the highest levels of risks


2. To manage access rights for employees, customers, affiliates and third parties in an integrated environment

From an access management perspective, a merger brings multiple users, applications and legacy systems that must be integrated to provide simpler, faster and more secure access to data. During a merger, various applications are consolidated, restructured or rebuilt, and managing appropriate access to the information resources is a challenge. Security issues related to unauthorized access to data, information leakage, and regulatory requirements for protecting the privacy of personal information all need appropriate access management:

  • Inventory all regulatory requirements for access control and normalize them to get the common regulatory requirements for data access
  • Derive access policy for employees, customers, affiliates, and third parties for the combined entity
  • Identify all the applications that need to be consolidated on Day One (e.g., ERP, email system, customer portal, payroll) and the access requirements for the data in the respective applications
  • Ensure a common account termination process is in place as rogue accounts pose serious risks to business data
  • Plan and implement the unified strategy for the combined entity for data access during transition and after Day One
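The account termination point above is where a merger most often goes wrong in practice: each legacy directory has accounts nobody in the combined entity owns. As an added example (not part of the original post, and not an Aujas tool), the script below reconciles accounts pulled from two constructed legacy directories against a constructed HR roster for the combined entity and flags accounts with no owner, accounts whose owner has left, accounts that are dormant, and owners holding more than one account. The directory names, field layout, dormancy threshold and all sample records are assumptions made for illustration.

```python
"""Post-merger account reconciliation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from collections import defaultdict
from typing import Optional


@dataclass(frozen=True)
class Account:
    source: str                 # legacy directory the account was exported from
    username: str
    email: str
    last_login: Optional[date]  # None = never logged in
    owner_id: Optional[str]     # HR employee id, if the directory records one


# Constructed HR roster for the combined entity: employee id -> (email, still employed)
HR_ROSTER = {
    "A-100": ("ann@alpha.example", True),
    "A-101": ("bob@alpha.example", False),   # left Alpha before Day One
    "B-200": ("cara@beta.example", True),
    "B-201": ("dev@beta.example", True),
}

# Constructed exports from the two legacy directories ("alpha-ad", "beta-ldap")
ACCOUNTS = [
    Account("alpha-ad", "ann", "ann@alpha.example", date(2010, 11, 15), "A-100"),
    Account("alpha-ad", "bob", "bob@alpha.example", date(2010, 9, 1), "A-101"),
    Account("alpha-ad", "svc-backup", "svc-backup@alpha.example", None, None),
    Account("alpha-ad", "cara.b", "cara@beta.example", date(2010, 11, 21), "B-200"),
    Account("beta-ldap", "cara", "cara@beta.example", date(2010, 11, 20), "B-200"),
    Account("beta-ldap", "dev", "dev@beta.example", date(2010, 11, 18), "B-201"),
    Account("beta-ldap", "contractor7", "ext7@beta.example", date(2010, 6, 2), None),
]

AS_OF = date(2010, 11, 22)  # constructed "Day One" reference date


def reconcile(accounts, roster, today, dormant_days=90):
    """Return finding -> sorted list of 'source/username' entries.

    no_owner:       account has no HR record behind it (candidate rogue account)
    owner_inactive: HR says the owner has left, so the account should be terminated
    dormant:        never used, or unused for longer than dormant_days
    duplicate_owner: one person holds accounts in more than one directory
    """
    findings = {"no_owner": [], "owner_inactive": [], "dormant": [], "duplicate_owner": []}
    by_owner = defaultdict(list)
    for a in accounts:
        key = f"{a.source}/{a.username}"
        if a.owner_id is None or a.owner_id not in roster:
            findings["no_owner"].append(key)
        else:
            by_owner[a.owner_id].append(key)
            if not roster[a.owner_id][1]:
                findings["owner_inactive"].append(key)
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings["dormant"].append(key)
    for keys in by_owner.values():
        if len(keys) > 1:
            findings["duplicate_owner"].extend(keys)
    return {k: sorted(v) for k, v in findings.items()}


def example_findings():
    """Run the reconciliation over the constructed data."""
    return reconcile(ACCOUNTS, HR_ROSTER, AS_OF)


if __name__ == "__main__":
    for finding, keys in example_findings().items():
        print(f"{finding}: {', '.join(keys) or '-'}")
```

The output of the check is the input to the common termination process: the `no_owner` and `owner_inactive` lists are the accounts to disable (or to assign a named owner) before Day One, and `duplicate_owner` shows where the unified access strategy needs one identity per person rather than one per legacy company.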


3. Addressing privacy requirements of the combined entity

  • Develop an integrated privacy compliance strategy for the combined entity
  • Evaluate business processes for potential high risk privacy areas
  • Develop and implement the privacy program strategy, components, policies, standards and procedures
  • Design and establish a privacy organization to govern privacy program operations
  • Develop and deploy a set of rationalized privacy controls and privacy operational processes
  • Establish privacy training, communication and awareness processes


4. To manage business continuity during the transition phase while integrating different IT systems, operations and people

  • Identify the business critical applications and data for both the entities
  • Develop change control and fallback procedures for the business critical applications
  • Create an incident response plan
  • Identify people involved in change management, incident response and emergency changes and ensure their availability as per the plan with contact details.
  • Develop a communication plan

Conclusion

In today’s environment of public scrutiny, companies cannot afford non-compliance with privacy and regulatory requirements, nor an incident caused by inappropriate access. While some companies have listed compliance in their 10-K as a key risk after M&A transactions, there are ways to avoid public scrutiny and minimize the risk of non-compliance.

So, how do you know that the M&A process includes all the right steps to address Compliance, Risk and IT Security?

  • Plan early
  • Execute as standard post-merger integration activities
  • Address all components of Risk, Security and Control
  • Monitor and evaluate throughout the process

November 22, 2010 | Mergers and Acquisitions

Identity and Access Management – This must be your project, not your partners’!

Lessons Learned

Having been through numerous Identity and Access Management (IAM) implementations, we see two common denominators in terms of customer expectations that rear their ugly heads rather frequently:

  1. Let’s integrate everything that we have, and
  2. Let’s do it all at once

One can understand the excitement we all go through when we contemplate having a solution that allows us to link so many applications, streamline processes with workflow automation and synchronize attributes across the board. While that excitement is contagious, the sound voice of reason must be heard and listened to.

It is natural for you to want to do as much as you can with a product, and it is human to want all of it done yesterday. Hence, the onus lies on the domain experts to work closely with customers (as partners, not vendors) and plan out a deployment that gives the customers the most results as soon as possible and additional benefits over subsequent phases.

The “good” partner helps the customer prioritize their needs and requirements, and establish plans to achieve those objectives over phases. Strong project management and planning are the keys to a successful IAM program. The products from various vendors are unlike those of 5 years ago: they are now mature, stable and scale exceptionally well, unless hacked to death to fulfil a few exotic requirements.

We cannot lose sight of the top benefits of having a robust IAM program to a company:

  1. IT systems and applications are constantly compliant with a variety of regulations, there are few gaps in access recertification
  2. Processes and access governance have been streamlined – business demands, business approves, and business gets – with minimal or no IT intervention
  3. Password reset is automated and secure, and helpdesk costs are under control
  4. Peace of mind


So next time you want to know whose side the “partner” is on, throw an overly ambitious plan at them. While most will try to give you what you demand, you will know during the course of their approach whose interests they have in mind, yours or their own. After all, it is your project and responsibility.

November 22, 2010 | identity and access management, Identity Theft, IT security, Risk management

Vulnerability Management – Have You Thought about It Lately?

To some of our customers, the first thing that comes to mind when we mention vulnerability management is compliance, or vulnerability scanning. But we like to encourage our customers to take a holistic approach as well and to think beyond a tool-based approach. We use a people and process-based approach to vulnerability management, because vulnerabilities exist in networks, applications, physical security, people (i.e., social engineering) and in the processes.

The Aujas approach provides a framework that you may want to use in creating a sustainable and organic vulnerability management program. It includes four phases: diagnose, analyze, transform, and sustain.

Diagnose. We look at the current state of the program, and then compare it to the desired future state. This involves looking at root causes for the program not working. One example is the lack of a vulnerability rating system, which prevents prioritization based on the risk appetite of the company. The same issue then appears under incident response, because the vulnerability rating system should be incorporated into the incident response program so that language and meaning are standardized across business units.

Analyze. In this phase we work with the client to develop key performance indicators to measure the program’s maturity and successes. Then we allocate resources to fixing the root cause issues and highlight where focus needs to be to properly implement a customized vulnerability program. In this phase the metrics are defined, and the KPIs and collection methods associated with those metrics are created. This phase highlights the issues and gaps between the current state and the future state desired by the company.

Transform. In this phase, there is actual creation, rework or deletion of business processes that are inhibiting the company’s vulnerability management. An example of this is the customer’s patch response cycle: how does it change over time? Is it slow because of configuration management, etc.? Is there too much of a division of responsibility between the corporate program and implementation of patches at the division level? Perhaps there needs to be clearer delineation of responsibilities to improve the patch response cycle.

Sustain. The objective of this phase is constant measurement of program implementation and maturity. It is a culmination of all the work done in the previous phases and ensures that a metrics program is in place to identify issues and lead the company back through the methodology of identifying, analyzing, creating, reworking and/or deleting business processes, technology or positions that do not add value to the vulnerability management program.
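To make the Diagnose, Analyze and Transform points concrete, here is an added example (not part of the original post, and not an Aujas deliverable) of the two pieces those phases call for: a vulnerability rating that combines technical severity with the asset criticality the business owner assigns, so that one priority language can be shared with incident response, and a KPI that measures the patch response cycle per priority tier against remediation targets that encode the company’s risk appetite. The scoring formula, the tier thresholds, the SLA targets and all sample findings are constructed assumptions for illustration, not a standard.

```python
"""Vulnerability rating and patch-response-cycle KPIs (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    fid: str
    base_score: float          # technical severity 0-10 (CVSS-like; constructed values)
    asset_criticality: int     # 1 (low) .. 3 (high), assigned by the business owner
    internet_facing: bool      # exposure multiplier input
    found: date
    fixed: Optional[date]      # None = still open


# Constructed risk appetite: days allowed to remediate, per priority tier
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def risk_value(f: Finding) -> float:
    """Business-weighted risk: severity x asset criticality x exposure (constructed formula)."""
    return f.base_score * f.asset_criticality * (1.5 if f.internet_facing else 1.0)


def rate(f: Finding) -> str:
    """Map a finding to a priority tier; thresholds are constructed (max value is 45)."""
    r = risk_value(f)
    if r >= 20:
        return "P1"
    if r >= 8:
        return "P2"
    return "P3"


def kpis(findings, as_of):
    """Per tier: number of findings, mean days-to-fix for closed ones, and how many
    findings (open or closed) have exceeded their SLA as of the given date."""
    out = {}
    for tier, sla in SLA_DAYS.items():
        group = [f for f in findings if rate(f) == tier]
        closed = [(f.fixed - f.found).days for f in group if f.fixed]
        # an open finding's age is measured up to as_of; a closed one up to its fix date
        breached = sum(1 for f in group if ((f.fixed or as_of) - f.found).days > sla)
        out[tier] = {
            "count": len(group),
            "mean_days_to_fix": mean(closed) if closed else None,
            "sla_breaches": breached,
        }
    return out


# Constructed sample findings
FINDINGS = [
    Finding("V-1", 9.8, 3, True, date(2010, 11, 1), date(2010, 11, 5)),    # P1, fixed in 4 days
    Finding("V-2", 7.5, 3, False, date(2010, 10, 20), None),               # P1, still open
    Finding("V-3", 5.0, 2, True, date(2010, 9, 1), date(2010, 10, 15)),    # P2, 44 days
    Finding("V-4", 4.0, 1, False, date(2010, 8, 1), date(2010, 9, 10)),    # P3, 40 days
    Finding("V-5", 6.5, 1, True, date(2010, 11, 10), date(2010, 11, 20)),  # P2, 10 days
]

AS_OF = date(2010, 11, 22)  # constructed reporting date


def example_kpis():
    """Compute the KPI table over the constructed findings."""
    return kpis(FINDINGS, AS_OF)


if __name__ == "__main__":
    for tier, row in example_kpis().items():
        print(tier, row)
```

Run over a real tracker export, the `sla_breaches` column is the Diagnose-phase evidence of whether the patch response cycle is working, and tracking `mean_days_to_fix` release over release is the Sustain-phase measurement; when a tier breaches consistently, the Transform question is whether the delay sits in configuration management or in the split of responsibility between the corporate program and the divisions.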

Aujas has outlined a no-nonsense approach to helping clients build a strong vulnerability management program. Are you positioned well for the coming year with a sound program? Asking Santa might be nice, but in reality, the elves at Aujas are more suited to deliver this present!

November 22, 2010 | IT security, Risk management, Vulnerability management