The task of reconciling policies, requirements, business processes, and procedures during a merger or acquisition is rarely straightforward. Further, there should be no assumption of one organization's policies, requirements, processes and procedures being the "right" or "best" way for all parties in the merger or acquisition — even if that organization is the acquiring entity.Instead, each organization's individual policies, requirements, processes and procedures should be assessed to identify the best solution for the new formed organization going forward.
Hardware, software, and servicesAny new hardware, software, or services being considered by an organization should be appropriately evaluated to determine both how it will impact the organization's overall security and risk posture, and how it will affect other hardware, software, or services already in place within the organization. For example, integration issues can have a negative impact on a system's integrity and availability.
Third-party assessment and monitoringIn a merger or acquisition, it's important to consider the third parties that each organization brings to the table. Not only do the acquiring or merging organizations need to carefully examine their third party risk programs, but also a fresh look at the third parties themselves is needed, to ensure that the risk level related to each third party has not changed in light of the merger or acquisition.
Any new third-party assessments or monitoring should be carefully considered. Contracts (including privacy, non-disclosure requirements, and security requirements) and service-level agreements (SLAs, discussed later in this section) should be reviewed to ensure that all important security issues and regulatory requirements still are addressed adequately.