Organizations must use risk-based management concepts when they contract out tasks (such as hiring an air conditioning company to maintain the air conditioning in their data centers), bring on new suppliers or utilize service companies to transport their goods. Many of these concepts apply to mergers and acquisitions too.
- Risks associated with hardware, software, and services. The company should perform due diligence, which includes looking at the IT infrastructure of the supplier. When evaluating these risks, you must consider:
  - Hardware. Is the company using antiquated hardware that introduces potential availability issues? Is the company using legacy hardware that isn’t being patched by the vendor? Will there be integration issues with the hardware?
  - Software. Is the company using software that is out of support, or from a vendor that is no longer in business? Is the software up to date on security patches? Are there other security risks associated with the software?
  - Services. Does the company provide services for other companies or to end users? Is the company reliant on third-party providers for services (such as SaaS apps)? Did the company evaluate service providers in a way that enables your company to meet its requirements? Does the company provide services to your competitors? If so, does that introduce any conflicts of interest?
- Third-party assessment and monitoring. Before agreeing to do business with another company, your organization needs to learn as much as it can about that company. Often, third-party assessments are used to help gather information and perform the assessment. An on-site assessment is useful to gain information about physical security and operations. During the document review, your goal is to thoroughly review all the architecture, designs, implementations, policies, procedures, etc. You need to have a good understanding of the current state of the environment, especially so you can understand any shortcomings or compliance issues prior to integrating the IT infrastructures. You need to ensure that the other company’s infrastructure meets all your company’s security and compliance requirements. The level of access and depth of information you are able to gain is often directly related to how closely your companies will work together. For example, if a company is your primary supplier of a critical hardware component, then a thorough assessment is critical. If the company is one of 3 delivery companies used to transport goods from your warehouse, then the assessment is important but does not have to be as deep.
- Minimum security requirements. As part of the assessment, the minimum security requirements must be established. In some cases, the minimum security requirements are your company’s security requirements. In other cases, new minimum security requirements are established. In such scenarios, the minimum security requirements should have a defined period, such as 12 months.
- Service-level requirements. A final area to review involves service-level agreements (SLAs). Companies have SLAs for internal operations (such as how long it takes for the helpdesk to respond to a new ticket), for customers (such as the availability of a public-facing service), and for partner organizations (such as how much support a vendor provides a partner). All the SLAs of the company should be reviewed. Your company sometimes has an SLA standard that should be applied, when possible, to the SLAs as part of working with another company. This can take time, as the acquiring company might have to support established SLAs until they expire or come up for renewal.