Part 2 takes a closer look at security risk analysis as a complement to IT due diligence.
As a complement to the IT assessment summary, a security risk analysis will provide a comprehensive evaluation of threats, vulnerabilities and impacts. The objective is to understand the following:
- What are the critical information assets (data)?
- Where do these assets reside (systems)?
- How are they protected?
Security vulnerabilities are among the most commonly overlooked problem areas discovered in the due diligence process. Medium-size and smaller companies often don’t realize how much authority and access some of their IT personnel may have – access that could enable them to create massive problems for the company. Such vulnerabilities can expose the company to lawsuits if left unaddressed.
Malware embedded deep within various software systems is also a serious threat. In many cases, even companies with good anti-virus software have it configured incorrectly, allowing malware to penetrate the company’s systems. The potential for such malware to steal credit card numbers, human resources data, intellectual property, passwords and more is significant.
Disaster prevention and recovery should also be addressed. And we’re not just talking about huge natural disasters. Does the company you are buying have a server room just below a kitchen, for example? If, say, the dishwasher leaks, can you afford to have your servers destroyed? Do you have an adequate backup plan to make sure you can recover critical data quickly enough to keep the company operating? The cost of moving the kitchen or the servers is a cost you should account for up front.
These security threats are not something anyone wants to find out after the fact when the damage is already done. The cost of addressing these problem areas should be factored into the total cost of ownership from the very beginning.
Finally, a compliance dashboard should be provided to capture the compliance status of the IT organization against applicable regulatory requirements such as SOX, HIPAA, SAS 70, etc.
Stay tuned for Part 3, which discusses a case study.