Acquisition Assessment Policy

1.0 Purpose

The ~~process~~purpose of this policy is to establish the framework and minimum security requirements for assessing and integrating a newly acquired ~~company~~companies into the organization's environment. Integrating acquisitions can ~~have a drastic~~significantly impact on the security ~~poster of either the parent company or the child company.~~ ~~The network and security infrastructure~~posture of both entities ~~may~~due ~~vary~~to ~~greatly~~differences in infrastructure, policies, and ~~the~~culture. ~~workforce~~This ofpolicy aims to manage these risks by defining a process to:

* Assess the ~~new~~acquired ~~company may have a drastically different culture and tolerance to openness.~~ ~~The goal of the security acquisition assessment and integration process should include:~~

~~Assess company’~~company's security landscape, posture, and ~~policies~~

practices.
*

Protect both ~~<Company~~the ~~Name>~~parent organization and the acquired company from increased security risks

during and after integration.
* Educate the acquired ~~company~~company's ~~about~~personnel ~~<Company~~on ~~Name>~~the organization's security policies and ~~standard~~

standards.
*

~~Adopt~~Facilitate the adoption and ~~implement~~implementation ~~<Company~~of ~~Name>~~the ~~Security~~organization's ~~Policies~~security policies and ~~Standards~~

standards

~~Integrate~~within the acquired ~~company~~

entity.
*

~~Continuous~~Ensure secure integration of networks and systems.
* Establish requirements for ongoing monitoring and auditing post-acquisition.

This policy outlines the responsibilities of the ~~acquisition~~

designated

~~The~~IT ~~purpose~~authority ~~of this policy is to establish~~(e.g., Precision Computer ~~responsibilities regarding corporate acquisitions,~~Team) and ~~define~~defines the minimum security ~~requirements~~baseline ofrequired anbefore ~~Precision~~connecting ~~Computer~~acquired ~~acquisition~~systems ~~assessment.~~or networks to the organization's infrastructure.

2.0 Scope

This policy applies to all ~~companies~~corporate ~~acquired~~acquisitions made by ~~<Company~~the ~~Name>~~organization. ~~and~~It pertains to all personnel, systems, networks, data, laboratories, test equipment, hardware, ~~software~~software, and ~~firmware,~~firmware owned and/or operated by the acquired ~~company.~~company that will be integrated or connected to the organization's environment.

3.0 Policy Statements

3.1 ~~General~~Acquisition Assessment and Integration Process

~~Acquisition~~* ~~assessments~~**IT ~~are~~Authority ~~conducted to ensure that a company being acquired by <Company Name> does not pose a security risk to corporate networks, internal systems, and/or confidential/sensitive information.~~Involvement:** The designated IT authority (e.g., Precision Computer ~~Team~~Team) ~~will~~must ~~provide~~be ~~personnel to serve as~~an active ~~members~~member of the corporate acquisition team from the outset and throughout the entire ~~acquisition~~process.
* ~~process.~~**Risk Assessment:** The ~~Precision~~IT ~~Computer role~~authority is responsible for conducting thorough security assessments of the acquired company to ~~detect~~identify and evaluate information security ~~risk,~~risks related to their infrastructure, systems, applications, data handling practices, and overall security posture.
* **Remediation Planning:** Based on the risk assessment, the IT authority will develop a remediation plan in collaboration with relevant parties from both the ~~affected~~organization ~~parties for~~and the ~~identified~~acquired ~~risk,~~company.
* ~~and~~**Implementation:** The IT authority will work with the ~~acquisitions~~acquisition integration team to implement ~~solutions~~necessary security controls and remediate identified risks *before* establishing connectivity between the acquired entity's network and the organization's network.

3.2 Minimum Security Requirements for ~~any~~Integration

~~identified~~

The ~~security risks, prior to allowing connectivity to <Company Name>'s networks. Below are the~~following minimum requirements ~~that~~must be met by the acquired company ~~must meet~~ before ~~being~~network ~~connected~~integration, tounless ~~the~~a ~~<Company~~formal, ~~Name>~~risk-accepted ~~network.~~exception is granted:

**Hosts

(Servers, ~~Requirements~~

Desktops,

~~Hosts~~

Laptops):**

* All ~~hosts~~end-user devices (~~servers,~~ desktops, laptops) ~~will~~must either be replaced orwith organization-standard equipment, re-imaged with athe ~~<Company Name>~~organization's standard ~~image~~operating environment build, or ~~will~~demonstrably bemeet ~~required~~all torequirements ~~adopt~~outlined in the ~~minimum~~organization's endpoint security standards ~~for~~(e.g., ~~end~~Baseline ~~user~~Workstation ~~devices.~~

Configuration

~~Business~~Standard).
* All hosts must have organization-approved and updated endpoint protection (anti-virus/anti-malware) software installed and operational before network connection.
* Business-critical production servers that cannot be ~~replaced or re-imaged must be audited and a waiver granted by Precision Computer.~~

~~All PC based hosts will require <Company Name> approved virus protection before the network connection.~~

~~Networks~~

~~All network devices will be~~immediately replaced or re-imaged ~~with~~require a ~~<Company~~specific ~~Name>~~security audit and a formal waiver granted by the IT authority (e.g., Precision Computer Team). These servers must meet applicable organizational security standards for servers.
* **Networks:**
* Network infrastructure devices (routers, switches, firewalls) within the scope of integration must typically be replaced with organization-standard ~~image.~~equipment

reconfigured/re-imaged to meet organization standards.
* Wireless network access points ~~will~~must be ~~configured~~reconfigured or replaced to ~~the~~comply ~~<Company~~strictly ~~Name> standard.~~

~~Internet~~

~~All Internet connections will be terminated.~~

~~When justified by business requirements, air-gapped Internet connections require Precision Computer review and approval.~~

~~Remote Access~~

~~All remote access connections will be terminated.~~

~~Remote access to~~with the ~~production~~organization's ~~network~~Wireless ~~will~~Network beConnection ~~provided~~Standard. byUnauthorized ~~<Company~~or ~~Name>.~~

insecure

~~Labs~~

wireless

~~Lab equipment~~networks must be ~~physically~~disabled.
* ~~separated~~**Internet ~~and~~Connections:**
~~secured~~ ~~from~~* ~~non-lab~~Existing ~~areas.~~direct

internet

~~The~~connections ~~lab~~of ~~network~~the acquired company must generally be ~~separated~~terminated ~~from~~post-integration, with internet access routed through the ~~corporate~~organization's ~~production~~controlled ~~network~~perimeter.
~~with~~ a* ~~firewall~~Air-gapped ~~between~~or ~~the~~segmented ~~two networks.~~

~~Any direct network~~internet connections ~~(including~~required ~~analog~~for ~~lines,~~specific, ~~ISDN~~justified ~~lines,~~business ~~T1, etc.) to external customers, partners, etc.,~~needs must be reviewed and formally approved by the IT authority (e.g., Precision Computer Team).
* **Remote Access:**
* All existing remote access solutions (VPNs, dial-up, etc.) of the acquired company must be terminated.
* Remote access for acquired personnel will be provisioned through the organization's standard, approved remote access solutions and policies.
* **Laboratory Environments (If Applicable):**
* Laboratory networks must be logically and, where appropriate, physically segregated from corporate/production networks, typically using firewalls managed according to organizational standards.
* Physical access to lab environments must be secured and restricted based on organizational physical security policies.
* Any direct external network connections (e.g., to partners, customers) originating from labs must be reviewed, justified, and approved by the relevant security authority (e.g., Precision Computer Team or a specialized Lab Security Group ~~(LabSec)~~["LabSec"], if applicable).

* All acquired labs must ~~meet~~adhere ~~with~~to ~~LabSec~~the organization's specific lab ~~policy,~~security policies/standards or ~~be granted~~obtain a formal waiver byfrom ~~LabSec.~~the relevant authority ("LabSec" or IT Security).

3.3 High-Risk Acceptance

* In ~~the~~exceptional ~~event~~circumstances ~~the~~where critical business needs necessitate connecting acquired networks ~~and computer~~or systems ~~being connected to the corporate network~~that fail to meet these minimum requirements, the ~~<Company~~associated ~~Name>~~risks must be formally documented by the IT authority. Connection under such circumstances requires explicit acknowledgment and acceptance of the identified risks by the organization's Chief Information Officer (CIO) ~~must~~or ~~acknowledge~~another designated executive sponsor.

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer team) will verify the acquired company's compliance with these requirements through audits, configuration reviews, vulnerability scans, interviews, documentation review, and ~~approve~~other assessment methods before and during integration. Ongoing compliance will be monitored post-integration.

4.2 Exceptions

As noted in sections 3.2 and 3.3, exceptions to specific requirements require formal documentation, risk assessment, justification, compensating controls (if applicable), and advance approval from the designated IT authority (e.g., Precision Computer team) or, for high-risk acceptance, the CIO.

4.3 Enforcement

Failure to meet these requirements may delay or prevent the integration of the ~~risk~~acquired ~~to <Company Name>'~~company's networks

and

~~Compliance~~systems. ~~Measurement~~

Continued

~~The Precision Computer team will verify~~ non-compliance topost-integration ~~this~~may ~~policy~~result ~~through~~in ~~various~~disconnection ~~methods,~~or ~~including~~further ~~but~~remediation ~~not~~actions. ~~limited~~Policy ~~to, business tool reports, internal and external audits, and feedback to the policy owner.~~

~~Any exception to the policy must be approved~~violations by ~~the Precision Computer team in advance.~~

~~An employee found to have violated this policy~~personnel may be subject to disciplinary ~~action,~~action upaccording to ~~and~~the ~~including~~parent ~~termination~~organization's ~~of employment.~~ policies.

~~None.~~5.0 Definitions

~~The~~* ~~following definition and terms can be found in the SANS Glossary located at:~~

~~https://www.sans.org/security-resources/glossary-of-terms/~~

**Business Critical Production ~~Server~~Server:** A server hosting applications or services whose failure would significantly impact core business operations, revenue generation, or service delivery.
* **Air-gapped:** A security measure where a computer network or device is physically isolated from other networks, particularly unsecured ones like the public internet.