This document provides guidance on areas of interest (AOI) to evaluate for mergers and acquisitions from an information security perspective. It identifies 22 strategic AOIs that security must scope to understand high risk areas, including application and access management, network/DMZ security, host security, data security and privacy, security policies and training, and security operations. Each AOI includes examples of specific areas to examine to identify strengths needing no attention or areas requiring intervention. The goal is to scope projects to understand risks across a broad scope from an information security standpoint.

1. M&A Information Security
Areas of Interest (AOI’s)
Matthew Rosenquist
Cybersecurity Strategist
Intel Corp

2. 2
Security does not happen
by default.
Mergers and Acquisitions represent a significant risk to
organizations as integration and data sharing can expose assets
to confidentiality, integrity, and availability threats. Security must
identify the risks across a broad scope of areas. This guide is a
starting point for M&A security evaluation.

3. Areas of Interest (AOI)
Information security is as pervasive as information
systems. Security aspects are chained together to form
a posture, which is only as strong as the weakest link.
M&A InfoSec must scope projects to understand high
risk areas, including those which may conflict with
ethical and regulatory expectations
Determining information security AOI’s is an exercise to:
1. Identify areas which are likely strong and need no further
immediate attention
2. Identify areas which will require intervention, attention, or
further scrutiny

4. Strategic Areas of Interest
1. Application, Identity, and
Access Management Security
2. Network/DMZ Security
3. Host Security (client, server,
PDA, Mid, phone)
4. Data Security and Privacy
5. Security Policy and Training
(behavioral security)
6. Security Operations and
Support
7. Security Investigations
8. Outsourcing and 3rd Party
Security (extranets, etc.)
9. Legal Discovery and Corporate
Retentions
10. Crisis Response and BCDR
11. Risk and Threat Analysis
12. Security Business Management
and Metrics
13. Information Security Legal
14. HR & Corporate Legal Security
15. Internal Audit
16. Physical Security (corporate/off-
site/facilities)
17. External Product Security Design
and Incident Response
18. Export Control and Controlled
Country Technology Security
19. Security Engineering and
Integration
20. Behavioral Security Controls
21. Security Architecture and
Strategy
22. Security Regulatory Compliance

5. Application, Identity, and Access
Management Security
Access management is the backbone to controlling
authorized users to access systems and locations.
Critical systems and areas should be controlled for both
physical and logic access. Poor access management is
nearly as detrimental as no access control.
Example areas:
• Security controls (C/I/A) for critical and sensitive applications
• Number of persons accessing, internally and externally, local
and remotely
• Identity (Authentication) for access to systems (formal/informal,
automated/manual, etc.)
• Access (Authorization) for access to systems
• Integration with physical access systems (proximity badges)

6. Network/DMZ Security
Securing communications connectivity between
systems on the intranet and internet is the first line of
defense in isolating the spread of malicious activity.
Integration of the Internet exposes the organization to a
plethora of threats.
Example areas:
• Defense in Depth security (predict, prevent, detect, respond)
• Recent and historical security breaches
• Technical controls – firewalls, proxies, filters, honeypots, etc.
• Update capability, monitoring, and configuration control

7. Host Security
(client, server, PDA, Mid, phone)
The value of computer networks resides on the hosts.
This includes both the value of data as well as the
services they operate for their owners. Compromise of
hosts leads to confidentiality, integrity, and availability.
Example areas:
• Number and type of hosts
• Defense in Depth security controls (predict, prevent, detect,
respond)
• Recent and historical security breaches?
• Standard host builds (OS, apps, data, usage model, etc.)

8. Data Security and Privacy
Data can be exposed, altered, stolen, moved or deleted.
Critical and sensitive data must be secured. This
includes personal private data, intellectual property,
and trade secrets. Various regulations mandate or
restrict how data is stored, transmitted,
shared/reported, and deleted. Additional requirements
may require notification to end users and regulatory
agencies. In most cases security controls must be well
documented and assurance mechanisms in place
Example areas:
• Defense in Depth security (predict, prevent, detect, respond)
• Data Destruction policies – reasonable, gaps, defined,
communicated, monitored/audited, actualized
• Recent and historical security breaches?

9. Security Policy and Training
Policy and training lends itself to behavioral security,
insurance against liability actions, and in some cases
proof of regulatory compliance. One of the best
practices in the industry and considered a first step to
any mature security program
Example areas:
• Policies well documented and current
• Owner for policies, maintenance/care
• Marketing plans for policy dissemination
• Measurements for absorption
• Mandatory end-user training/participation

10. Security Operations and Support
Security systems must be maintained and issues
addressed in support of end users and system
administrators. Operations and support insure controls
stay current with the threats and the system maintains
the capability of detection and response.
Example areas:
• Service overview for capabilities and access of systems
• Service Level Agreements
• Scope and roles defined
• Incident volume and resolution
• Issue tracking and reporting capabilities

11. Security Investigations
Virtually every organization is at risk of compromise,
theft, and abuse. The capability to investigate issues is
both a preventative (deterrence) as well as responsive
control. Investigation capability may be successfully
outsourced if the proper engagement triggers are in
play.
Example areas:
• History of investigations (areas, numbers, impacts)
• Scope and capability of team
• Proper documentation and investigation techniques
• Awareness of local, national, and international regulations

12. Outsourcing and 3rd Party Security
(extranets, ICC’s, etc.)
Outsourcing to 3rd party services (examples: HR, IT,
CRM, etc.) are popular, but connectivity and data
sharing to such organizations represents a massive risk.
The home network may easily be compromised, the
data left insecure or tampered without the knowledge
or ownership by either party
Example areas:
• What services and data are outsourced
• Have service providers been audited (SAS70 Type II)
• Do service providers use standard security models
• Do systems connect directly or via bastion/proxy systems in the
DMZ

13. Legal Discovery and Corporate Retentions
Litigation is rapidly evolving to incorporate IT systems
into evidence discovery edicts. IT represents a well of
discoverable data for civil lawsuits and criminal
investigations. Companies must be able to properly
respond to LEHN’s and provide data in a satisfactory
and consistent manner
Example areas:
• What capability to process eDiscovery requests (legal hold
orders)
• What capability to gather data across the organization
• Current LEHN’s and disposition
• Designation of persons/team responsible

14. Crisis Response and BCDR
Everything can be broken. For an information security
crisis, it may purposely be a complex failure where
normal operating procedures lack in response.
Survivability in these situations depend heavily on an
effective crisis response and Business Continuity
Disaster Recovery (BCDR) capability
Example areas:
• Documented BCDR processes
• Client/Server backups
• Crisis response teams
• Offsite backup data storage
• Fail-over/secondary redundant systems
• Critical system hot-swap/warm backups
• Key recovery capabilities

15. Risk and Threat Analysis
Predicting weakness, what will be targeted, and who is
the gravest threat is paramount in distilling the massive
cloud of threats down to the most likely risks.
Advanced organizations will maintain this capability in-
house, while smaller companies may rely on vendors,
service providers, or FUD principle
Example areas:
• Risk assessment methodology (OCTAVE, etc.)
• Designated risk evaluation/management group
• Published risk assessments
• Indicators and metrics
• Identified areas of greatest exposure

16. Security Business Managements and Metrics
Organizations with complex, costly, or well managed
security will have some capacity for indicators,
measures, and metrics. They should be aligned to
critical business capability. If present, these represent
key pain points and areas where security is typically
focused
Example areas:
• Published security metrics
• Responsible group/person to manage and analyze data
• Measurable goals and objectives for security
• ROI, ROSI, or value assessments for security projects

17. Information Security Legal
Legal counsel is strongly recommended for many
different regulatory, and litigation areas. Lack of
counsel, either internal or external, reflects on the level
of maturity of the security organization. This is
becoming a specialty field
Example areas:
• Designated information security attorney
• Regular process to review incidents, contracts, and security plans
• Integration with the security team and established
communication expectations
• Data destruction guidelines

18. HR & Corporate Legal Security
Human Resources and Legal departments have their
own longstanding set of legal issues and security
requirements. Specialty fields which should be
represented either internally or outsourced.
Example areas:
• Employment law alignment and best practices (disgruntled
employees, terminations, LDO)
• IP and Trade Secret protections
• Secure data handling and storage
• Data request guidelines and alignment
• Data retention guidelines

19. Internal Audit
Independent auditing functions are a requirement for
some types of businesses and regulations. Lack of a
properly represented IA may be a concern. If present,
past IA findings and where they chose to audit can be
very telling as to both the security state and capability
of the organization
Example areas:
• Existence of an independent IA group
• Past audit areas and finding
• Response to past findings and resolutions
• Documentation and quality of audits
• Certifications and associations of auditors

20. Physical Security
(corporate/off-site location/facilities)
As the saying goes “physical security trumps logical
security”. Physical security must be aligned to support
information security. The greatest infosec controls may
be undermined by poor physical security. This includes
site, facilities, communications, personnel, systems, and
data areas.
Example areas:
• Co-location sites, trade shows, vendor/customer meetings,
product demo’s, etc.
• Proximity of competitors
• Health/Life Safety computing controlled risks
• Physical security of offices, labs, telecom/network and DCs
• Behavioral controls for physical security
• Historical physical security issues/incidents

21. External Product Security Design and Incident
Response
Product security is gaining more attention and can pull
resources from internal security as they are leveraged
for content expertise. Understanding the general
security of products may translate into impacts of
internal resources.
Example areas:
• Product number, type, and industry
• Past commit for internal resources
• Known exposures of current products
• Crisis response for newly discovered vulnerabilities
• Integration with necessary internal/external researchers

22. Export Control and Controlled Country
Technology Security
For companies doing business in Controlled Countries
or High Performance Computing restricted countries,
the US Export Regulations must be actively applied.
Business in embargoed countries is forbidden.
Ownership must be established and controls taken
Example areas:
• Designated responsible parties for export control compliance
• Internal communication and training dissemination
• Listing of controlled/HPC products related to the organization
• Listing of countries where business is being conducted
• Tracking of CC employees
• Technical controls limiting information transfer

23. Security Engineering and Integration
Security controls rarely apply out-of-the-box for
anything but the smallest organization. For larger or
complex environments some level of customization and
engineering is required. This is especially true when
legacy systems must be sustained.
Example areas:
• Designated engineering group for security
• What custom security solutions exist
• What customization of COTS has been done
• Have external organizations been employed, if so what access
did they have?

24. Behavioral Security Controls
People tend to be the weakest link in any system and
have the creativity and permissions to go outside the
controls limiting a computer. A security savvy user base
is one of the strongest controls. A user base which is
lacking security competencies may represent the single
largest threat vector.
Example areas:
• Defense in Depth controls (predict, prevent, detect, respond)
• Documented policies and mandatory training
• Absorption and adherence to policy
• Communications programs
• Deterrence, as part of preventative controls, utilized
• Reinforcement of good security practices, and how they benefit
the end-user

25. Security Architecture and Strategy
Large, regulated, or complex organizations need to
have a solid strategy and supporting architecture to
manage security.
Example areas:
• Designated architecture/strategy team or person
• Published designs and strategies for different aspects of
security and regulation adherence
• Measures and Metrics to track maturity and performance

26. Security Regulatory Compliance
Information security related regulatory compliance
must be confirmed for different types of acquisitions.
Information security is being pulled into more areas
where data must be assured, kept confidential, and
available
Example areas:
• PCI DSS – Payment Card Industry Data Security Standard
• HIPAA – Health Insurance Portability and Accountability Act
• SOX – Sarbanes-Oxley Act
• Privacy – PII, PHI, Web Privacy Policy, COPPA, etc.
• eDiscovery litigation – LEHN – Legal Event Hold Notice
• Export Control Compliance – CC, HPC, Embargoed countries
• Human Resources
• GINA – Genetic Information Nondiscrimination Act
• ADA - American Disabilities Act

27. Information security is a burgeoning industry. As
information technology leaps forward, so matches
the velocity of information security.
Think strategic. Act competitive. Be secure.

28. 28