First and foremost, keep in mind that until the merger is complete you can only make recommendations to the company being acquired. After the merger, you can start mandating activities. In the meantime, the best thing to do is sit down with security personnel and executives at the other company and create your own baseline assessment of their security position by learning as much about their systems as the lawyers allow. Useful data to collect includes system configurations, patch levels, network diagrams and their existing policies, procedures and organization charts. At the same time, educate them about your company's processes, policies and procedures because they will eventually have to comply with them.
During your discussions with the other company's personnel, also establish a rapport by helping them feel engaged and empowered through the acquisition process, which will ease the transition pain for everyone.
The quiet period before the acquisition closes is a prime opportunity to take the data you gathered from these meetings and assemble a project team to build out a plan for bringing the acquired company into compliance. This is also a good time for management to set expectations for timelines and to appoint a person in the combined organization who will have the final say on guidelines that require interpretation. The plan should include a schedule for any necessary patching and reconfiguration, as well as the timing of the required audits with the QSAs (Qualified Security Assessors).
Once the plan is in place and the merger is complete, you can impress the executives by meeting the scheduled deadlines. Doing this will also make life much easier for your auditors, and that's never a bad thing.
This was first published in November 2008