What are the security risks of a corporate divestiture?

Security management expert Mike Rothman discusses the data protection issues involved with a corporate divestiture .

What types of information security risks are involved with divesting a company? Are there any particular risks or threats that should be anticipated when selling a corporation?
The biggest issue a security team faces in a divestiture is cleaning up access rights and identity information. In many cases, organizations have intermingled systems for overhead/corporate functions. For example, each business unit will use a common accounting, procurement, HR and technology system like email and VPNs. Those systems need to be decoupled and the access rights of employees moving to the spun-out firm need to be revoked.

Basically, there are two ways to do that revocation. The first is via brute force: going into every system and removing the access rights of employees who are no longer with the company. The other -- and better -- way to solve the problem is via a provisioning environment that will let you remove access cleanly and completely. By automating provisioning, you not only gain leverage in bringing new users on board, but by scripting the removal of all user accounts and access rights you also make sure that there are no loose ends remaining when the employees of the divested company are moved to new systems.

There's also the risk of data leakage in a divestiture. In many cases, information leakage is more accidental than malicious. Nonetheless, always make sure critical intellectual property does not go with employees to their new shop -- unless it's part of the deal anyway. It's not clear that software would effectively solve the problem, so you need to make sure there is a process in place to identify and protect data that should not be leaving your environment.

At a high level, the data protection process involves first understanding what data needs to be protected. I know it sounds simple, but a lot of organizations don't have a general understanding of what important data is. Then it's a matter of figuring out how that data should be protected. If software isn't going to work (especially in a divestiture situation), it comes down to training users and reinforcing what the corporation's data leakage policies are.

Finally an organization may want to look at a service that tracks how data appears on the Internet. Companies like Cyveillance Inc. can look for certain types of data and pinpoint potential data leakage and data misuse.

For more information:

  • In this tip, contributor Russell Jones unveils the two most important questions to ask when forming an enterprise data protection plan.
  • In the expert Q&A, Joel Dubin discusses what mistakes are made when implementing enterprise IAM systems.
  • Dig Deeper on Data security and privacy

    Enterprise Desktop
    Cloud Computing