Corporate restructuring puts every organization in a state of heightened IT risk. M&A activity forces organizations to make big changes – large-scale consolidations of people and IT assets – on very short notice. In such an environment, proactive risk management is key. Any material weaknesses or deficiencies at the acquired company may impact the acquirer. Before an acquisition occurs, companies must assess their targets' compliance and risk posture. After the acquisition, it's critical for companies to protect sensitive applications and data that may be exposed during the transition period.
Mergers and acquisitions inevitably bring churn and layoffs. With layoffs, employee risk factors increase, requiring corporate security groups to more closely manage access to sensitive data and systems in order to prevent any deliberate acts of fraud or sabotage. We're all too familiar with the recent case where an employee planted logic bombs on servers after being notified of his termination.
It's imperative that IT and security teams proactively manage the business risks incurred during a merger or acquisition. These teams will feel pressure to manage the transition with speed and agility, but more importantly they must manage it securely and in compliance with corporate and regulatory guidelines.
Identity governance enables companies to identify, measure and manage the risk associated with employee access to sensitive applications and data. It approaches identity management as a cross-departmental discipline that gives organizations the business insight to strengthen IT controls and protect corporate assets. With identity governance, companies can streamline the integration of acquired IT systems, as well as measure and monitor identity risk to reduce the possibility of breaches and non-compliance.
For companies working through a merger or acquisition with an eye on their IT risk, the first step should be to answer the following identity governance questions:
- Who has access to what within the acquired company?
- How is access to critical systems audited on an ongoing basis?
- How is IT monitoring access changes resulting from the M&A (new access, changed access, revoked access)?
- How is access policy (e.g., separation of duty) defined and enforced?
- How is identity risk assessed, measured and managed by the acquired company?
Once these questions are answered, I recommend the following steps during the process of integrating workers and IT infrastructure:
- Centralize identity data and create transparency into who has access to critical systems within the acquired enterprise. Organizations need an enterprise-wide view of identity data so they can assess the effectiveness of IT controls, analyze risk and recommend appropriate changes. In the same way that business intelligence improves visibility into sales and financial data, “identity intelligence” can help organizations perform due diligence on companies prior to IT integration.
- Conduct an automated access certification and policy evaluation cycle immediately after the acquired company's people and assets are integrated. Given the speed at which many mergers are completed and the need to quickly establish control and auditability over the acquired company's IT systems, manual processes are rarely sufficient. With identity governance solutions, organizations gain rapid visibility into problem areas such as orphan accounts (accounts with no active owner in HR), inappropriate access privileges and policy violations. With automation, they can better manage the audit and compliance activities required during the transition process and ensure that the proper oversight and accountability are applied to the newly integrated people and assets.
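The certification cycle described in the two steps above reduces, at its core, to joining the acquired company's HR roster against its application account exports and evaluating each identity against policy. The following is an added example written for this article, not code from the original piece or from any identity governance product. It assumes the HR roster and per-application account lists have already been exported into the simple record shape shown (all records, entitlement names, the separation-of-duty rule and the risk weights are constructed for illustration):

```python
"""Minimal access certification sweep over an acquired company's identity data.

Constructed sample data, not real records. In practice HR_ROSTER and
APP_ACCOUNTS would be loaded from the HR system and each application's
account export (CSV, LDAP, SCIM, ...); the logic below is what matters.
"""
from collections import defaultdict
import json

# HR roster keyed by employee id. "status" is the authoritative lifecycle state.
HR_ROSTER = {
    "E100": {"name": "Alice Chen", "status": "active", "department": "Finance"},
    "E101": {"name": "Bob Diaz", "status": "terminated", "department": "Engineering"},
    "E102": {"name": "Carol Ng", "status": "active", "department": "Finance"},
}

# Accounts collected from several applications. employee_id is the join key
# back to HR; None means the export had no owner recorded (e.g. a service account).
APP_ACCOUNTS = [
    {"app": "erp", "account": "achen", "employee_id": "E100", "entitlements": ["AP_CREATE_VENDOR"]},
    {"app": "treasury", "account": "alice.chen", "employee_id": "E100", "entitlements": ["AP_APPROVE_PAYMENT"]},
    {"app": "erp", "account": "bdiaz", "employee_id": "E101", "entitlements": ["PROD_DEPLOY"]},
    {"app": "erp", "account": "svc_backup", "employee_id": None, "entitlements": ["DB_READ_ALL"]},
    {"app": "ad", "account": "cng", "employee_id": "E102", "entitlements": ["Domain Users"]},
    {"app": "ad", "account": "jsmith", "employee_id": "E999", "entitlements": ["Domain Admins"]},
]

# Separation-of-duty rule: no single identity may hold every entitlement in a set.
# (Hypothetical rule: whoever creates a vendor must not also approve payments.)
SOD_RULES = [frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"})]

# Entitlements the acquirer treats as high risk (hypothetical list).
HIGH_RISK = {"Domain Admins", "DB_READ_ALL", "PROD_DEPLOY"}


def find_orphan_accounts(accounts, roster):
    """Accounts with no active owner in HR: unowned, unknown to HR, or owned by a leaver."""
    orphans = []
    for acct in accounts:
        eid = acct["employee_id"]
        if eid is None:
            orphans.append((acct["app"], acct["account"], "no owner"))
        elif eid not in roster:
            orphans.append((acct["app"], acct["account"], "unknown employee"))
        elif roster[eid]["status"] != "active":
            orphans.append((acct["app"], acct["account"], roster[eid]["status"]))
    return orphans


def entitlements_by_identity(accounts):
    """Aggregate entitlements per person across every application, so a toxic
    combination split over two systems (one account each) is still detected."""
    agg = defaultdict(set)
    for acct in accounts:
        if acct["employee_id"] is not None:
            agg[acct["employee_id"]].update(acct["entitlements"])
    return agg


def find_sod_violations(accounts, rules):
    """Identities holding every entitlement of some separation-of-duty rule."""
    violations = []
    for eid, ents in sorted(entitlements_by_identity(accounts).items()):
        for rule in rules:
            if rule <= ents:
                violations.append((eid, tuple(sorted(rule))))
    return violations


def score_identity_risk(accounts, roster, high_risk, rules):
    """Additive per-identity risk score (weights are arbitrary assumptions) used to
    order the certification queue: highest-risk identities are reviewed first."""
    sod_count = defaultdict(int)
    for eid, _ in find_sod_violations(accounts, rules):
        sod_count[eid] += 1
    scores = {}
    for eid, ents in entitlements_by_identity(accounts).items():
        owner = roster.get(eid)
        score = 3 * len(ents & high_risk) + 5 * sod_count[eid]
        if owner is None or owner["status"] != "active":
            score += 5  # access held by someone HR cannot vouch for
        scores[eid] = score
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


def run_certification(accounts=APP_ACCOUNTS, roster=HR_ROSTER):
    """One certification pass: what to revoke, what breaks policy, whom to review first."""
    return {
        "orphan_accounts": find_orphan_accounts(accounts, roster),
        "sod_violations": find_sod_violations(accounts, SOD_RULES),
        "risk_scores": score_identity_risk(accounts, roster, HIGH_RISK, SOD_RULES),
    }


if __name__ == "__main__":
    print(json.dumps(run_certification(), indent=2))
```

The point of aggregating per identity rather than per account is that the sample separation-of-duty violation only exists when the ERP and treasury exports are viewed together; a review run against either application alone would miss it. The terminated engineer's deployment rights and the unowned backup service account are the orphan findings that should be revoked or re-owned before the transition period ends.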
Ultimately, the biggest success factor in a situation like this is for all relevant groups – HR, IT, security, line of business, legal – to work together to manage the risk associated with user access to sensitive data and applications. The process is difficult, particularly because there are so many agendas at work during an M&A process. Organizations tend to focus on departmental, product and process integration. But it's critical that the right focus is placed on IT and security challenges, and more specifically on identity governance issues, so that business risks can be proactively managed and mitigated.
[sidebar]
Defining identity governance
Identity governance is an emerging product category within identity management that delivers benefits for both business people and IT teams. Identity governance products provide three fundamental capabilities for effective identity data management:
- Visibility across critical information for the entire enterprise. Many deployments of provisioning solutions are limited to a small set of applications, and as a result only provide a fragmented view of identity data.
- Business context for identity data. Because identity management solutions were originally created for IT and security users, they provide access reports that can be too cryptic for reviewers to decipher, leading to inaccurate decisions and rubber-stamping.
- A risk-based approach. Protecting information assets — and the business as a whole — requires a way to identify and assess identity management risks and take the necessary steps to reduce risk to levels acceptable to the organization.