
Mergers, Acquisitions & Divestitures (MA&D) Security Standards (MADSS)

The SCF took on an ambitious project to “build a better mousetrap” to fix the common complaints associated with MA&D due diligence. The Mergers, Acquisitions & Divestitures Security Standards (MADSS) is a standard to normalize MA&D-related assessment practices. 

The MADSS is not “one-size-fits-all.” Instead, the guidance throughout this document should be adopted and tailored to the unique size, resources and risk circumstances of each organization. It can be modified or augmented with organization-specific requirements. By following this methodology, cybersecurity and data privacy practitioners can replace the currently disjointed approach to assessing cybersecurity and/or data privacy controls during MA&D due diligence with a consistent, repeatable one.

SCF MA&D Security Standards

Cybersecurity & Data Protection Assessment Standards

The following are the names of each MADSS standard. The associated standard, justification and guidance for each can be found in the MADSS document:

1. Professional Duty of Care

1.1. Ethical Conduct

1.2. Independence

1.3. Subject Matter Competency

1.4. Conflict of Interest (COI) Avoidance

2. Secure Practices

2.1. Security & Data Protection by Design & by Default

2.2. Statement of Work (SOW)

2.3. Assessment-Specific Data Protection Impact Assessment (DPIA)

2.4. Intellectual Property (IP) Protections

2.5. Protection of Assessment Information

2.6. Use of Assessment Information

2.7. Disposal of Assessment Information

3. MA&D Due Diligence - MA&D Due Care - Entities Being Assessed (EBA) & Acquiring Entity (AE)

3.1. Adherence To Data Protection Requirements

3.2. Assessment Boundary Demarcation

3.3. Graphical Representation of Assessment Boundary

3.4. Stakeholder Identification

3.5. Control Reciprocity

3.6. Control Inheritance

3.7. Defined Cybersecurity and/or Data Privacy Controls

3.8. Defined Risk Tolerance

3.9. Defined Maturity Level

3.10. Defined Materiality Threshold

3.11. Material Risk Designation

3.12. Material Threat Designation

3.13. Material Incident Designation

3.14. Internal MA&D Assessment

3.15. Implemented Capability

3.16. Virtual Data Room (VDR)

3.17. Post-Close Integration Security Plan (PCISP)

4. MA&D Due Diligence – Third-Party Assessors

4.1. Agreed Upon Control Set

4.2. Formalized Assessment Plan

4.3. Defined Assessment Boundaries

4.4. Validate Control Applicability

4.5. Defined Evidence Request List (ERL)

4.6. Explicit Authorization For Testing

4.7. First-Party Declarations (1PD) - Control Inheritance

4.8. Third-Party Attestations (3PA) - Control Inheritance & Reciprocity

4.9. Stakeholder Validation

5. MA&D Due Care - EBA

5.1. Proactive Governance

5.2. Non-Conformity Oversight

6. MA&D Due Care – Third-Party Assessors

6.1. Assessment Methods

6.2. Assessment Rigor

6.3. Assessing Based On Control CDPAS Applicability

6.4. Assessment Objectives (AOs)

6.5. Control Designation

6.6. Objectivity Through Reasonable Interpretation

6.7. Adequate Sampling

6.8. Assessment Tools & Automation

7. Quality Control

7.1. MA&D Assessment Findings

7.2. Objective Peer Review

8. Conformity Designation

8.1. Report On Conformity (ROC)

8.2. MA&D Assessment Finding Challenges

8.3. Projected MA&D Remediation Costs
