Management, compliance & auditing

Business closures and consolidations: An information security checklist

November 4, 2020 by Beth Osborne

Introduction

In the current climate — a pandemic, economic uncertainty and an election year in the United States — businesses are feeling the strain. It’s forcing organizations to make some hard choices, including closures, restructuring and consolidation. 

In any of these transitions, there are many factors that decision-makers must take into consideration, one of which is information security. If your organization is going through changes, you’ll likely want to develop an information security requirements checklist to ensure you mitigate risk and keep data and networks secure.

What should your information security checklist include?

Much of that depends on the type of transition the business is undergoing, consolidations, or permanent closure. No matter the kind of change, you should focus on compliance, regulations, security and privacy. Even if a company doesn’t exist any longer, it still leaves behind lots of sensitive and/or personal data. In most cases, the closed business still must be a custodian of those records.

Additionally, the type of business will also impact what’s on your information security governance checklist. If you’re in a highly regulated industry such as healthcare or banking, you have more items to add.

Information security requirements checklist categories

Next, we’ll go through some specifics of the checklist.

Decommission physical and digital assets

Start decommissioning by determining what physical and digital assets you have. A starting point is an IT asset recycling and disposal (ITAD) policy. This should be a standard, but experts note that 60 percent of organizations don’t have one. If that describes your organization, then it’s likely you have a stockpile of old equipment. 

You’ll need to take inventory of these assets and make decisions about how to wipe them. NIST (the National Institute of Standards and Technology) provides best practices for proper and safe wiping and disposal. You can take on this exercise internally or engage a third party to do so. 

What you decide to do with these assets will also depend on the type of data and the regulations regarding it. For example, healthcare organizations must abide by HIPAA (the Health Insurance Portability and Accountability Act) security regulations. That means any data disposal must align with privacy and security requirements. Furthermore, healthcare also has medical record retention requirements; these vary by state but are typically seven years or longer. Healthcare organizations, even if they cease business, still must assign a custodian of those records. 

Regulated and non-regulated industries will have different checklists, but both must be accountable for ensuring the secure retirement of physical and digital assets. 

Critical considerations in the information security compliance checklist

  • Identify what records you must keep and for how long
  • Find an archiving solution that allows you to migrate data securely
  • Ensure that regulatory bodies or patients/customers have a means to request documents
  • Retire all software systems that contain sensitive information in a safe way that aligns with cybersecurity best practices 

Non-regulated information security checklist items

If your business doesn’t fall into the regulated area, that doesn’t mean you just turn everything off and walk away. There is still personal or protected information about customers in your physical and digital assets, which could include transaction details. Such data would be highly attractive to hackers if you simply leave it as-is, which could lead to legal liability should a breach occur. 

Here’s what you should include on your checklist:

  • Document all systems that contain data
  • Work with the platforms you use on ways to delete or archive data in a secure manner
  • Clean all physical technology assets like laptops and servers to remove any sensitive data
  • Make sure that any access points to internal platforms are no longer accessible

Client and vendor data

Most businesses house client and vendor data, as well as their own. What can you do with this data? The contracts you have with these parties may spell out what needs to occur. That could be a total deletion and wiping of the data from physical servers or anything in the cloud. The contract could simply request you deliver the data back to them. Another alternative is that they may require you to archive it on a secure platform, then provide them access.

Retiring domains

If you release domains, this could be extremely attractive to cybercriminals. They may seize these domains and use them to either infiltrate domains staying live, in the case of a consolidation. They could also use these to launch phishing attacks on former customers or partners. 

It’s in the best interest of all parties to hold onto the domains for at least several years. It has a relatively low cost and can be an easy way to prevent fraud. 

Don’t forget about shadow IT

Shadow IT refers to those systems deployed by other departments outside of IT. Failure to shut these down could create exposure. Include this in your IT security audit checklist, defining any software or applications that have been outside of the purview of IT. This could be file-sharing platforms like Dropbox or specialized software used by accounting or marketing. 

All department heads should provide an exhaustive list to the IT team handling the consolidation or closure. Determine what accounts need to be closed and how you’ll delete or archive the data, and ensure that any access to these programs is not available on any physical devices.

Revoke access to protect against insider threats

Closures and consolidations mean job losses. Some employees might be apt to steal or expose company data. Unfortunately, insider threats are all too prevalent, no matter the situation. A Wall Street Journal survey found that 70 percent of companies worry about malicious employees. 

The best way to get a handle on this is to be proactive. IT should work together with HR and legal to act as soon as the announcement is made regarding the company’s next steps. Immediately revoke access to anyone who is not essential to the transition. 

New policies for new times

In the case of a consolidation of locations, there will be significant changes in how the business operates. Cybersecurity policies need an update as well. You’ll be working on areas like removing redundancies, which could mean changes to your infrastructure, cloud usage and more. 

As part of an information security governance checklist, your team should review all your cybersecurity policies and procedures. Some of them may not be applicable any longer. Others may need retooling. There are also different or fewer players, so you may need to adjust roles and responsibilities. 

Communicate clearly and consistently

It may seem obvious that communication should be part of your IT security checklist, but it’s often the little things that cause the most chaos. Transitions are not easy, and you must make hard decisions. Being clear and consistent with communication to all stakeholders can make it less painful as you move on, whether that means complete dissolution following a bankruptcy or a restructured and more nimble company.

Evaluate new requirements

In the case of companies that are restructuring, there will be new requirements to evaluate. One example is the fact that many companies are downsizing and selling off physical office spaces. They are choosing to adopt a remote work model to reduce overhead. Even if remote work has been an option or you rushed to make it so at the beginning of the pandemic, that doesn’t mean you’ve identified all cybersecurity concerns.

It’s time to completely reevaluate any security loose ends now that you are formally restructuring. You should document the processes that will change in how you monitor, identify and mitigate risk. This could include new requirements for building a sustainable remote work model, including moving file sharing, platforms and applications to the cloud if they aren’t there already. Weigh options of bundling to simplify cybersecurity and reduce costs.

An information security requirements checklist is the best way to reduce risk

Any major business change — consolidations, restructuring and closures — should include cybersecurity in the conversation. In an increasingly digital world, your data assets are just as important as physical ones. Use these checklist items as a guide to navigate your transition, in order to ensure that security is always top of mind.

 

Sources

Secure IT Asset Disposition: Achieving Valuable Business Value While Mitigating Risks, Iron Mountain

NIST Special Publication 800-88, Revision 1, NIST

Companies Name One of the Biggest Cybersecurity Threats: Their Employees, The Wall Street Journal

Posted: November 4, 2020
Beth Osborne
View Profile
In this Series
Related Bootcamps
Incident Response