You are the CISO of a global company and participating in an executive meeting with an agenda to acquire a company as part of the corporate growth strategy. The CEO is concerned with the compliance of due diligence in this acquisition. As a CISO, which of the following is the best for you to contribute to this project?
A. Review the acquisition contract and identify potential contractual risks
B. Build a tiger team to conduct security testing to identify potential vulnerabilities and threats.
C. Train and educate the security staff of the acquired company about corporate security policies.
D. Conduct a comprehensive security assessment and identify the gap between corporate security policies.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Conduct a comprehensive security assessment and identify the gap between corporate security policies.

Merger and Acquisition (M&A)

10-Step M&A Checklist

Due Diligence

Due diligence is reasonable steps taken by a person to avoid committing a tort or offense. (Google Definition)

Due diligence in the context of merger and acquisition (M&A) is a comprehensive appraisal of a business undertaken by a prospective buyer, especially to establish its assets and liabilities and evaluate its commercial potential. (Google Definition)

One of the most important steps for mitigating risk and increasing the chances of a successful purchase is to conduct detailed and thorough due diligence on the company you intend to buy.

Here are the three most important types of due diligence to consider before progressing past the Letter of Intent and signing any binding documents.

• Financial Due Diligence
• Operational Due Diligence
• Legal Due Diligence

Source: 3 Types of Due Diligence to Mitigate M&A Risk

Security Due diligence

Security due diligence is no longer an option in today’s world.

In November 2018, Marriott International disclosed a data breach affecting approximately 500 million customers. An investigation of the incident revealed that a guest registration database for its Starwood properties had been compromised in 2014 — two years before Marriott’s $13 billion acquisition of the company. The hack remained undetected for four years before the company discovered that someone had copied and encrypted customer information and attempted to exfiltrate it.

Source: Do You Do Security Due Diligence Before A Merger Or Acquisition?

Human Rights Due Diligence

International norms, such as the United Nations Guiding Principles on Business and Human Rights, recognize that companies should undertake “human rights due diligence” measures to ensure their operations respect human rights and do not contribute to human rights abuses. Human rights due diligence includes steps to assess actual and potential human rights risks, take effective measures to mitigate those risks, and act to end abuses and ensure remedy for any that occur in spite of those efforts. Companies should also be fully transparent about these efforts.

Source: Human Rights in Supply Chains – A Call for a Binding Global Standard on Due Diligence

SECURITY ASSESSMENT

NIST CSRC GLOSSARY

A security assessment is the testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.

NIST SP 800-115

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives.

Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing.

• Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
• Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
• Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control
  effectiveness over time.

Suggested Readings

• Overview of the M&A Process
• The Ultimate Guide to the M&A Process for Buyers and Sellers
• Mergers and Acquisitions: A Complete Guide

Summary

• Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
• Both reviewing the acquisition contract and conducting security testing are part of the security assessment.
• Conducting a comprehensive security assessment implies testing, examination, and interviewing.
• “Conduct” doesn’t have to mean doing technical things in person. According to the Google definition, “Conduct” means:
  1. organize and carry out.
  2. lead or guide (someone) to or around a particular place.