Your company is growing sharply. Buying out a prominent partner is an initiative of its growth strategy. As a CISO, which of the following should be conducted before the acquisition?
A. Security audits
B. Risk treatment
C. Due care to avoid negligence
D. Preemptive or proactive investigations
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Preemptive or proactive investigations.
Due diligence can be part of the risk assessment process. People typically exercise due diligence, as a preemptive or proactive measure, by checking things out or conducting investigations to inform risk-based decision making.
- A security audit is one form of security assessment, part of due diligence.
- Risk treatment can only be conducted after a risk assessment has been done.
- Due care to avoid negligence makes sense, but it implies the acquisition decision has already been made and emphasizes that the acquisition should be conducted with due care.
There are few standards of due diligence defined across sectors or industries. Instead, generally accepted practices are followed. In practice, it’s more common for people to interpret due diligence as “preemptive or proactive investigations” to inform decision making. It’s typically done before a decision is made.
Due care means “the degree of care that a prudent and competent person engaged in the same line of business or endeavor would exercise under similar circumstances. Due care does not permit willful ignorance.” (16 CFR § 1107.2)
ISO standards define due diligence in several ways:
- detailed assessment of one or more business processes or production lines, culture, assets, liabilities, intellectual property, judicial and financial situation in order to make the outsourcing decisions. (ISO 37500:2014)
- detailed assessment conducted by an economic operator to evaluate a supplier’s compliance with the guidance principles.
  Note 1 to entry: In the context of the guidance principles, due diligence is conducted through second-party audits or third-party audits and, wherever feasible, regularly monitored through government inspections and oversight. (ISO/IWA 19:2017)
- comprehensive, proactive process to identify the actual and potential negative social, environmental and economic impacts of an organization’s decisions and activities over the entire life cycle of a project or organizational activity, with the aim of avoiding and mitigating negative impacts. (ISO 26000:2010)
- process through which organizations proactively identify, assess, prevent, mitigate and account for how they address their actual and potential adverse impacts as an integral part of decision-making and risk management. (ISO 20400:2017)
- compilation, comprehensive appraisal and validation of information of an organization required for assessing accuracy, commercial integrity, financial stability and functional competence integrity at the appropriate stage of the agreement sourcing process (ISO 41011:2017)
- process to further assess the nature and extent of the bribery risk and help organizations make decisions in relation to specific transactions, projects, activities, business associates and personnel. (ISO 37001:2016)