112
A Practical Guide to Security Assessments
division or business unit does and how the business unit is doing. This information can be evaluated to identify potential areas of concern from a security perspective. Although the 10K will probably not go into process-level detail, it might give enough information to allow you to have a high-level understanding of the different business units. The business unit information can also be used in conjunction with the financial information to understand the focus of the business. In some cases, the 10K might contain a breakdown of revenues at the business unit level, providing some indication about which business units are more or less critical to the business. This information becomes more important as the business becomes larger and more complex. For smaller businesses, there may be only one business unit, and this type of information might be a moot point.
• Management discussion and analysis — The Management Discussion and Analysis (MD&A) is management’s discussion of the business, which includes a review of the year’s results as well as an idea of what is to come in the future. This discussion goes through some of the financial details of the company and typically includes a comparison with the numbers from the prior year. Any significant variances in the results from the prior year are explained, which can provide information regarding changes in the business. Keep in mind that the MD&A is prepared by the company’s management, so it is not objective and independent. Even so, the information is valuable because it might give a sense of what the company views as important in the business. Note that the numbers referenced in the MD&A are audited, but the overall content of the MD&A is management’s view of the business today and where they see it going in the future.
• Merger or acquisition activity — Merger or acquisition activity is an important consideration for a security assessment. Mergers and acquisitions potentially introduce new processes and technologies into a company. The degree to which a company can integrate processes and technology infrastructure as a result of a merger or acquisition can have an impact on the overall security posture of the company. Questions regarding security policies, security infrastructure, and security ownership all become more relevant when mergers or acquisitions occur. The significance of the merger or acquisition depends on how large the new business is and how it is going to be integrated. Companies sometimes will integrate new acquisitions over a period of time and let them function “business as usual” for a short time before beginning the integration process. If a merger or acquisition has occurred, it should definitely be covered in the interviews with the client.
In addition to the information listed above, the 10K also contains financial statements and supplementary data. The statements include the balance sheet, income statement, and cash flow statement, as well as other summary statements and the notes to the financial statements — all of which are worth looking at.