Organizational Processes in Security Governance
Security governance must extend to all facets of an organization, including key organizational processes like acquisitions, divestitures, and governance committees. Each of these processes carries inherent risks, and security oversight is essential to mitigate potential vulnerabilities.
Acquisitions and Mergers
Acquisitions and mergers raise an organization’s risk profile, bringing risks such as data breaches, downtime, and failure to achieve the expected return on investment (ROI). During such transformative periods, security must be a top priority to reduce potential losses.
Without proper security considerations, the risks embedded in newly acquired products or services will persist throughout their lifecycle. Evaluating the total cost of ownership—including security costs—over the life of the product is essential when considering mergers or acquisitions.
Divestitures and Employee Reductions
Divestitures and employee reductions also present security challenges. Released employees should undergo exit interviews to review nondisclosure agreements and other binding contracts. Additionally, assets such as storage media must be securely sanitized and destroyed to prevent data leakage.
Risk Evaluation and Security Assessments
All acquisitions—whether hardware, software, or services—should be thoroughly evaluated for security risks. Products with built-in security may have a higher upfront cost, but they often prove more cost-effective in the long run compared to addressing security deficiencies in poorly designed products.
Outsourcing, engaging consultants, and contracting suppliers are also forms of acquisition that require security scrutiny. Ongoing security monitoring and assessment may be necessary to comply with industry best practices or regulations. When working with third-party services, it’s important to ensure that these external providers also prioritize security in their own operations.
Evaluating Third Parties
When integrating external entities into your security framework, several processes should be followed:
- On-Site Assessment: Visit the third party’s site, interview personnel, and observe their operating practices.
- Document Exchange and Review: Review how documentation and data are exchanged, and assess their formal processes.
- Process/Policy Review: Request copies of the third party’s security policies, procedures, and incident documentation for review.
- Third-Party Audit: Consider an independent third-party audit, such as one based on Service Organization Control (SOC) reports, for an unbiased review of the entity’s security infrastructure.
Minimum Security Requirements for Acquisitions
When making any acquisition, it’s essential to establish minimum security requirements that align with your existing security policies. Whether acquiring hardware, software, or services, security standards must meet or exceed those of your current infrastructure.
Additionally, review any service-level agreement (SLA) to ensure that security is included as a component of the contracted services. If working with an external provider that is building software or delivering a service (such as a cloud provider), define a service-level requirement (SLR) that clearly states the performance expectations.
Additional Organizational Processes
Other critical organizational processes that enhance security governance include change control/change management and data classification. These processes are vital for maintaining strong security oversight and aligning security practices with the organization’s overall goals.