Chapter 17

IT Risk, Security, and Controls in M&A

Identifying and Managing Common Considerations

David CarusoKelly MoynihanJohn ClarkJamie FoxJoseph JoyScott Kaufman

Understanding the IT Risk, Security, and Controls Current State

Mergers and acquisitions (M&A) and related transactions present a vast array of tangible and intangible benefits to the stakeholders of the entities involved. Yet, these benefits can be greatly diminished through the misunderstanding and mismanagement of common IT risk, security, and control considerations. While no two M&A transactions are the same and no blueprint can be used to minimize security and IT issues totally, there are consistent actions that can help reduce the risks to organizations while also helping to improve operating effectiveness.

The first step in combating and managing common M&A IT risk considerations is to obtain a thorough understanding of the parent and target organizations' IT environments. Information such as asset inventories, employee rosters, and infrastructure diagrams can provide a snapshot of the environment for which controls must be applied. However, there will be limited insight initially into how the companies operate. Regardless of the M&A transaction size, budget, or potential cost savings, one of the key responsibilities of a chief information officer (CIO), chief information security officer (CISO), chief privacy officer (CPO), chief compliance officer (CCO), chief risk officer (CRO), and office of general counsel ...

Get M&A Information Technology Best Practices now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.