Financial due diligence is expected as part of purchasing another company. How do you avoid “buying a breach” or, at a minimum, get the technical information your IT team needs to address before the new company is integrated into your current environment?
RubinBrown's Cyber Security Services team has developed a highly repeatable, very efficient and flexible approach to consistently gathering critical information about an environment, so management-level reports can be quickly developed and technical details can be provided to the IT team even faster.
Our framework is a flexible playbook that we customize to an organization's requirements, and we continuously update it as part of later projects to keep it tuned to current specific needs. Compliance requirements (e.g., privacy laws, PCI DSS, HIPAA, or other industry-specific requirements) can be included to give insight into strengths and weaknesses in compliance management, or the playbook can be kept strictly technical – all depending on the organization.
The playbook typically includes:
- External/Internet Security Checks – vulnerability and/or external penetration testing, internet design and firewall rule set reviews.
- Internal Network Security Checks – vulnerability and/or penetration testing, authenticated internal network scans and privileged user reviews.
- Network Design and Performance – inventory of network connected devices, review of the network design and review of known performance issues.
- Security Operations – covering policies, processes, and existing technology solutions on everything from asset management to authentication, backup and recovery to business continuity, and physical security to logical access controls. The security operations component gathers high-level information about the people, processes and technology used to protect the environment.
- Compliance Requirements – compliance requirements identified prior to the assessment will include the requested level of detailed feedback; compliance requirements identified during the assessment will be noted with feedback on meeting the basic requirements.
The results can be integrated with financial due diligence on cost impacts, and the technical results are ready for the IT team to use to prepare the new company for integration.