
Acquisition Assessment Policy

Created by or for the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to stephen@sans.edu

1.0 Purpose

To establish InfoSec responsibilities regarding corporate acquisitions, and to define the minimum security requirements of an InfoSec acquisition assessment.

2.0 Scope

This policy applies to all companies acquired by <Company Name> and pertains to all systems, networks, laboratories, test equipment, hardware, software and firmware, owned and/or operated by the acquired company.

3.0 Policy

I. General

Acquisition assessments are conducted to ensure that a company being acquired by <Company Name> does not pose a security risk to corporate networks, internal systems, and/or confidential/sensitive information. InfoSec will provide personnel to serve as active members of the acquisition team throughout the acquisition process. The InfoSec role is to detect and evaluate information security risk, develop a remediation plan with the affected parties for the identified risk, and work with the acquisitions team to implement solutions for any identified security risks, prior to allowing connectivity to <Company Name>'s networks. Below are the minimum requirements that the acquired company must meet before being connected to the <Company Name> network.

II. Requirements

A. Hosts

1. All hosts (servers, desktops, laptops) will be replaced or re-imaged with a <Company Name> standard image.
2. Business critical production servers that cannot be replaced or re-imaged must be audited and a waiver granted by InfoSec.
3. All PC-based hosts will require <Company Name> approved virus protection before the network connection.

B. Networks

1. All network devices will be replaced or re-imaged with a <Company Name> standard image.
2. Wireless network access points will be configured to the <Company Name> standard.

C. Internet

1. All Internet connections will be terminated.
2. When justified by business requirements, air-gapped Internet connections require InfoSec review and approval.

D. Remote Access

1. All remote access connections will be terminated.
2. Remote access to the production network will be provided by <Company Name>.

E. Labs

1. Lab equipment must be physically separated and secured from non-lab areas.
2. The lab network must be separated from the corporate production network with a firewall between the two networks.
3. Any direct network connections (including analog lines, ISDN lines, T1, etc.) to external customers, partners, etc., must be reviewed and approved by the Lab Security Group (LabSec).
4. All acquired labs must comply with LabSec lab policy, or be granted a waiver by LabSec.
5. In the event the acquired networks and computer systems being connected to the corporate network fail to meet these requirements, the <Company Name> Chief Information Officer (CIO) must acknowledge and approve of the risk to <Company Name>'s networks.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Terms	Definitions
Business Critical Production Server	A server that is critical to the continued business operations of the acquired Company.
