Any Merger or Acquisition (M&A) scenario that involves integrating networks or services with a previously unvetted organization or partner should be subject to an extensive security audit first. ProCheckUp's mergers and acquisition security assessment provides the proactive visibility necessary for M&A activities to be successful by addressing the uncertainty of an unvetted organization or partner, and allows M&A participants, including third-party legal firms, to demonstrate expert due diligence in determining and reducing any cyber risk present.
Armed with information about the security posture of a possible acquisition, an acquiring company can plan fixes for identified vulnerabilities, use the information to inform the decision on whether to proceed with the acquisition, and may be able to negotiate a lower purchase price. The M&A security assessment can also be performed after an acquisition is complete but before the IT environments are connected.
ProCheckUp's M&A security assessment service helps organizations obtain a security baseline of any pending acquisition, revealing the critical information needed to gauge the viability of the acquisition.
ProCheckUp utilises a standard engagement model for the M&A security assessment using a robust, holistic approach consisting of eight phases as defined below:
Compromise Assessment
A Compromise Assessment identifies environmental risks, security incidents, and ongoing threat actor activity in a network environment.
The goal is to detect and stop any active security incidents quickly and quietly. The assessment addresses core problems such as:
- Data exfiltration and sabotage
- Command and control activities
- User account anomalies
- Malware and persistence mechanisms
- Identification of potential threats and/or vulnerabilities
- Network, host, and application configurations
External Vulnerability Assessment / Penetration Testing
An external vulnerability assessment is one in which the Internet-exposed infrastructure is assessed regularly to ensure that all vulnerabilities are identified and prioritised, and that the appropriate actions or patches are applied in a timely fashion.
The penetration test conducts a thorough test of a client's Internet defences to identify vulnerabilities that may be difficult or impossible to detect with scanning software. Technical penetration testing experts use a mix of manual and automated testing techniques to gain access to system features and data.
Internal Vulnerability Assessment / Penetration Testing
An internal vulnerability assessment is one in which the internal infrastructure is assessed regularly to ensure that all vulnerabilities are identified and prioritised, and that the appropriate actions or patches are applied in a timely fashion.
The penetration test conducts a thorough test of a client's internal defences to identify vulnerabilities that may be difficult or impossible to detect with scanning software. Technical penetration testing experts use a mix of manual and automated testing techniques to gain access to system features and data. Additional penetration testing can be performed from the perspective of an unauthorised internal user to help mitigate the impact of a malicious or disgruntled employee.
Architecture Security Assessment
ProCheckUp consultants conduct a detailed review of the organisation's network security goals and requirements, and evaluate any associated security technology policies. We then conduct an in-depth analysis of the network security architecture, including the network topology, architecture diagrams, relationships, solution components, device features and configurations, to determine whether the policies in place are sufficiently strict, proper network segmentation is in place, and other security configurations are enforced to reduce the organisation's attack surface. Security technology policies for remote access, network segmentation, server protection, authentication, and firewall design can all be included in the scope of the review.
Additionally, the service can evaluate the overall security architecture for scalability, performance, and manageability.
PCI/NIST Cybersecurity Framework (CSF) Gap Analysis
The goal of a PCI/NIST CSF Gap Analysis is to evaluate the policies, standards, and procedures implemented by the organization and how they align with the five core NIST CSF functions (identify, protect, detect, respond, and recover) and the six PCI control objectives: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
Information reviewed will include:
- Policy, standards, and procedures
- Program management
- Human resources and organization
- Asset management
- Physical and environmental considerations
- Communications and operations
- Access control
- Information systems management
- Response plans and management
- Regulatory compliance
The policy review determines the overall state of the client's information security environment and identifies program gaps whose closure will improve the overall security posture of the organization. ProCheckUp will review security policies, standards, and procedures, WAN and LAN network diagrams, data flow diagrams, and vulnerability scan reports that document how the client applies the identify, protect, detect, respond, and recover functions to its data and information systems. ProCheckUp will identify and highlight the risks that exist and provide a gap analysis for each area against the chosen security standard baselines (PCI/NIST).
Security Software Assessment
The security software assessment evaluates all security software within the client environment to identify redundancy, waste, and poor configuration or implementation. It highlights any gaps in coverage or insufficient capabilities in the organization's tooling and how it is deployed.
ProCheckUp then provides a comprehensive report containing prioritised recommendations to mitigate the identified operational risks, including improvements to topology, protocols, policy, device configurations, and network and security management tools. The report will include:
- Any compromises detected
- A list of vulnerabilities and potential threats
- Detailed listing of attacks that were successful during the assessment
- Gap analysis and tool capabilities and functionality
- Assessment findings and the alignment of the security policies and procedures to the NIST CSF, with remediation strategies to achieve compliance with the NIST CSF and industry best practices
- Instructions for developing a roadmap for continuous improvement and monitoring
Please contact us for more information on how ProCheckUp Mergers and Acquisitions services can help you.