Even in the best of circumstances, mergers and acquisitions can be painful for the parties involved. They may be logical for the business, but trying to knit together two disparate systems can be a nightmare for its IT staff. In particular, for the IT security team, which is typically responsible for any compliance problems.
If assembling two IT security infrastructures seems daunting, imagine putting together two companies at different stages of the compliance process. Thankfully, it may not be as bad as it seems. The two key factors determining the difficulty of meshing compliance efforts are the industries of the partners, and the specifics of the particular compliance provisions they must meet. Creating a unified compliance team, consisting of compliance staff from both companies, is an effective way to ease the process.
Inside the industry
An organization's compliance mandates are often driven by the industry in which it operates. Financial companies are required to meet the provisions of the Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley Act (GLBA). Those in the health care and medical fields must meet the standards of the Health Insurance Portability and Accountability Act (HIPAA), and companies issuing or using credit cards have to meet the Payment Card Industry (PCI) Data Security Standard.
Obviously, mergers aside, there is often overlap even for individual companies. A bank issuing credit cards might have to meet SOX, GLB and the PCI Data Security Standard. A large health care company, if publicly traded or part of a financial group, might be required to meet SOX standards, in addition to its usual HIPAA requirements.
In regard to each of the commonly applicable regulations mentioned above, the most critical issues to consider are access management, information security policies, protection of customer data and monitoring and testing.
SOX Section 404 is the provision affecting IT security. This section calls for controls on IT systems that access sensitive customer and financial data. It's vague about how to implement those controls, but it basically looks for documentation covering access management, encryption, firewalls and malware protection. In addition, a solid information security policy outlining implementation of these items must be in place.
From a merger perspective, SOX auditors and regulators will look for reports on access management controls. Before the auditors arrive though, there are some key questions security pros should ask to ensure both companies are on a level playing field: What types of access management systems do the two companies use? Are they both on Active Directory, or is one using LDAP while the other uses something else? What's the current state of audits of accounts at both companies?
HIPAA governs protection of patient information for companies in the medical industry. The focus here, like with GLBA, is protecting customer -- in this case, patient -- information. In a merger, the two companies have to compare notes about their controls over customer information, and then produce common documentation for regulators.
SOX, GLB and HIPAA are all government regulations backed by law. PCI, on the other hand, is an industry standard backed by a consortium of the five largest credit card companies: Visa, MasterCard, Discover, American Express and JCB. PCI is a comprehensive standard with 12 requirements covering protection of customer data, encryption, network security and firewalls, access management controls, information security policies and monitoring and testing of network security. It covers multiple areas where security practices may differ, resulting in a headache for merging companies.
All about data and access
Even though all of the regulations are targeted at the same basic items -- access controls, protection of customer data and monitoring network security – be sure to observe the specific requirements of each. The regulations similar mandates don't mean that compliance with one will translate into compliance with another.
In an effort to make the entire process easier, newly acquired companies must create a compliance point person for the melded organization. That person should come from one of the two merger partners, and be able to work directly with compliance people from both organizations to achieve compliance harmony.
Corporate Mergers and Acquisitions Security Learning Guide
M&A: Merging network security policies
Best practices for compliance during a merger
Ensuring Web application security when companies merge
Mergers and acquisitions: Building up security after an M&A
About the author
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.