Information Security News
mailing list archives
Security Q&A: Avnet's 'Cookbook' for Safe Systems Integration
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 22 Dec 2006 00:10:51 -0600 (CST)
http://www.baselinemag.com/article2/0,1540,2072453,00.asp
By Anna Maria Virzi
Baseline
December 21, 2006
Over the last 10 years, electronics component distributor Avnet has
acquired more than 25 companies. Its largest deal, based on sales, came
in July 2005, when the $11.1 billion Avnet purchased the Memec Group, a
$2.3 billion semiconductor distributor, for $663 million.
Steve Phillips, Memec's chief information officer, was named CIO at
Avnet in August 2005, taking responsibility for integrating, and
securing, the information systems for the merged organizations. His
predecessor, Ed Kamins, was promoted to chief operational excellence
officer at Avnet. Previously, Phillips was CIO at computer maker Gateway
and I.T. director for the European foods division of Diageo.
He spoke with Baseline executive editor Anna Maria Virzi in a Sept. 27
interview about the measures his organization has taken to keep systems
secure during times of transition.
-=-
With Avnet's ambitious acquisition strategy, how can you be sure that
systems remain secure while merging operations?
Security is job number one for I.T. leaders. It has to be done right.
I like to assess our security posture in two ways. First is internally;
you look at risks and how you can mitigate those security risks using
our internal folks. At both Avnet and Memec, we had directors of I.T.
security dedicated to protecting our information assets and our physical
I.T. assets.
We also use external parties. Some diversity is important when you look
at your security posture. So, third parties come in, audit, and validate
the security of our systems environments, our information assets.
How does that work during an acquisition?
We make a review. We understand where we stand. Then we apply common
standards across both the organizations in a very fast way.
One of the things that Avnet has learned through its many acquisitions
is that moving both fast and deliberately is important. So, for example,
we completed the integration of Memec's I.T. systems within 90 days from
the acquisition. And early in that process, the security teams at Memec
and Avnet held a discussion to validate the security of Memec's I.T.
environment. We wanted to ensure that we maintained in-place security
practices to make certain we did not expose those environments to
unnecessary risk. As Memec was absorbed into the Avnet infrastructure,
Avnet's security policies took force.
All within 90 days?
Ninety days start to finish.
How were you able to pull that off?
With a lot of hard work by a lot of good people. Avnet has what we call
the "cookbook," and the cookbook gives guidance and advice on how to
integrate companies into Avnet. It's the collective knowledge base of
our acquisition expertise.
When we have an acquisition and start the integration, we pull down that
cookbook and open it up. It's got all sorts of useful information to
help with a fast integration, such as template plans, checklists, and
processes and procedures that we execute. And then, again, at the end of
an integration project, we update it so it becomes a stronger document
every time.
How does Avnet's cookbook address security?
People are one of the most important assets and elements of an
acquisition. At Avnet, our acquisition cookbook outlines the process for
rapidly incorporating the new employees into our infrastructure and
mapping their job functions into Avnet's applications. Mass loads into
Active Directory, e-mail, HRIS [human-resources information system] and
the ERP [enterprise resource planning] systems enable large numbers of
new users to be added quickly. The Memec America operations were
converted to Avnet's infrastructure and applications only 30 days after
the acquisition was approved.
Leading up to the integration of systems, business analysts map the
incoming data to Avnet systems. A minimum of three "dry runs" are
performed to validate the data and uncover any issues with it. The
business analysts also review any errors from the dry runs and determine
if those problems are due to mapping or programming issues in the
conversion.
Another important asset associated with an acquisition is data, which
also requires careful attention to security. Backups of critical data
are maintained for safety, and physical security controls are reviewed
for data leaving the environment. The strategy for moving data between
entities is established early in the process, and secure FTP connections
are generally a good starting point. Until the network architecture of
the acquired entity is completely understood, all data connections are
treated as "untrusted," meaning that data between entities flows through
firewalls, intrusion detection sensors, antivirus and other security
controls to bring the data into the corporate environment.
During the integration, how did Memec's security director and Avnet's
security director work out the selection of a particular
technology/approach for security?
Every acquisition at Avnet is guided by a "best people, best practices"
policy in which each company's people, tools and processes are evaluated
to determine the best long-term fit for the company. Following Avnet's
acquisition of Memec, the I.T. teams from both organizations worked
together to inventory their security tools, and followed this
best-practices approach to identify and move forward with the best tools
and systems from both environments. For example, Memec was using a
third-party Web content filtering tool that blocked employee access to
Web sites considered a potential security risk. Avnet did not have such
a broad tool in place. The security directors from both Avnet and Memec
worked together to implement and deploy this tool throughout the Avnet
organization.
When you use a third party to audit and validate security, how does that
arrangement work?
We use two different firms.
Who are they?
I don't want to disclose their names. The idea behind using two firms is
driven by, again, diversity. We have some fairly routine security audits
that are automated, that happen regularly and frequently, and we take
actions on those audits' results.
One of the things about security is that the threat constantly evolves.
It's not a one-time event. You have to constantly look at your security,
constantly change your security posture to address whatever threats are
evolving. So, we have a fairly routine audit that happens regularly, and
we take actions from that.
How often are those routine audits?
Monthly.
What types of things do you audit for?
We primarily check our security against external intruders. Less frequently
we complete more hands-on audits that look at our internal security as
well as our external security. And those are pretty comprehensive.
What is an example of what is included?
It would include looking at, for example, application security.
As you mentioned, security threats evolve daily. How do you keep
up-to-date, as CIO, on what's important?
I'm helped by a really great team, and we have a dedicated I.T. security
director, Bill Smathers. He and his team work on staying very close to
what the threats are, and making sure that as collective I.T. teams we
address those threats. Even though we have a dedicated director of I.T.
security, we make it clear that security is everybody's job. He
coordinates and helps us become aware of risks, but it is everybody's
job to make sure that we protect our information assets.
Are you referring to everyone on the I.T. team, or the entire company?
In terms of I.T. security, that's the I.T. team's job.
Often, the greatest threat to a company is someone inside the building,
not an outsider. We have a fairly clear code of conduct that every
employee of Avnet reviews and signs every year. And that clarifies each
individual's responsibilities in terms of protecting Avnet's
information.
Did Memec have an information security director, and if so, what
happened to him or her?
Bill Smathers was the Avnet I.T. security director at the time Avnet
acquired Memec, a role he fills today. The security officer role at
Memec was carried out on a part-time basis by a senior I.T. director.
That director decided not to relocate from San Diego, where Memec was
based, and left Avnet after an agreed transition period, and now fills a
leadership role at a large company based in San Diego.
How often does Avnet perform the more intensive security audits?
Periodically.
Is that two or three or four times a year?
I'd rather just say periodically.
So, during a merger or acquisition, how do those reviews fit in?
As Avnet makes an acquisition, we still have a regular business to
support and we have to continue to support it. It's a competitive
marketplace, and our competition doesn't take a rest because Avnet makes
an acquisition. So, the challenge for all of the folks involved in
integration, and not just the information-technology teams, is that we have
to sustain and continue to grow our business as well as complete an
integration quickly and effectively.
Have you ever said, "Whoa, I need to slow down here," because the
timetable is not realistic?
We have some collective knowledge, as I said, through the Avnet
cookbook. We know what works and doesn't work in terms of timing. We
know that the sooner we get these [mergers] completed, the sooner we can
get on with just totally dedicating ourselves to supporting that
business. Do I ever say to myself, "Slow down"? I like the pace, and I
have a team that likes the pace as well.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn