Website security due diligence
Companies need to practice due care in the operation of their internet, intranet and extranet websites, web applications and e-commerce systems to prevent security breaches and to have controls in place to mitigate the effect when breaches occur. Failure to practice such due care is negligence and increases business risk.
Information technology (IT) security due diligence involves investigating and assessing security vulnerabilities to understand the level of risk. Watson Hall provides independent security analyst services for organisations developing, operating or purchasing web applications.
Example web security due diligence projects
- Mergers and acquisitions web security due diligence assessment
- Management buy-in/out web security due diligence assessment
- Web application procurement due diligence assessment
- Web application e-risk due diligence report
- E-risk evaluation and assessment of a web site
- Web liability insurance security review
- Web site insurance due diligence
- Web application insurance due diligence
- Cyber security assurance review
- Web project procurement due diligence assessment
Internet web application security
Internet-facing systems are increasingly a vital part of the business strategies for many organisations. For some near-virtual companies, this can be the main arena for interactions with staff, suppliers and customers. Internet web applications are complex since they can be:
- comprised of disparate linked systems
- integrated with internal information systems
- dependent on third party services
- open to a multitude of users at many locations
- reliant on user-managed browsers
- using emerging technologies (such as Voice over IP telephony, mobile computing, AJAX, Adobe Flex, open source software, virtualisation, wireless networks and removable media)
It is prudent to ensure that web application security is an integral part of due diligence reviews and this requires specialist knowledge.
Mergers and acquisitions
Merger and acquisition due diligence and insurability concerns, including regulatory requirements, are generating a broader awareness of security-related issues for web applications. Mergers (formation of a new company combining assets) and acquisitions (takeovers involving taking ownership of another business) transfer these risks and issues between organisations. During a merger or acquisition, consideration will normally be given to how the IT systems will be handled. This might include replacing one organisation's systems with those of the other, parallel separate operation, or integration of the two systems.
Due diligence investigations will include IT matters, but web applications can have special and unusual elements which need to be considered systematically and thoroughly. Reducing, avoiding, or allowing for, security risks that are reasonably foreseeable will improve knowledge and the negotiating positions prior to investment, and if the project goes ahead, increase the likelihood of success by being able to manage and mitigate risk.
Assessment of website and web application security is undertaken when companies wish to transfer the risks from such operations (e-risks) to their insurers. Review and testing of websites and web applications provides an understanding of the risk involved, whether security best practice is being followed and whether due care is being taken.
The outcome of such reviews is used to cost insurance and to provide information for negotiation between the organisation and its insurers. Some risks may be excluded from the insurance, or are mitigated by actions of the organisation so that insurance for those aspects is not required. Organisations can also benefit from a greater understanding of their website or web application to mitigate potential security liability risk.
Goods and services procurement
Due diligence reviews are also usually undertaken by companies considering purchasing services (e.g. hosting or application development) including partners, co-sourcing, outsourcing arrangements and traditional suppliers. In these cases, the risks of using a particular supplier need to be investigated and considered as part of the procurement process. The specific web application security issues can be complex and require specialist knowledge to identify and evaluate the information.
Vendor security risk management includes assessing and minimising the risks arising from third parties over which the organisation has less control. Some of these may nevertheless be business-critical components for the continued, and safe, operation of the website or web application. If these are not properly understood, the organisation is exposed to unmanaged risk.
Data security due diligence investigations
The investigations systematically identify, evaluate and assess vulnerabilities, threats and issues relating to security.
It is necessary to utilise creative and intuitive analysis to identify the security risk exposure. The types of areas which need to be considered from a web application security perspective would include:
- development and testing information such as hosting and web application metrics
- application software details including architecture, security framework, extensibility, scalability and flexibility, data protection and privacy
- security governance, policy and processes (procedures, guidelines and standards) and testing, including existing business impact analysis (BIA) and business continuity plans (BCP), prevention and detection systems, and security breaches
- intellectual property, such as application software licensing (extension of scope and/or termination clauses) and licensing of components or elements necessary for continued operation of the applications
- partnerships and relationships with other organisations that have an interest in the application e.g. hosting contracts with service level agreements, contracts with third parties such as payment acquirers and data feeds, and background of key suppliers, financial standing, capability for support, post-sales support, terms and conditions of business, security policy, quality assurance and disaster recovery plans
- details of major existing customers, clients, etc. and complaints, feedback and queries directly from users and metrics on response times, and indirectly available in other arenas
- compliance with information security legislation and security best practice
A fuller example information security due diligence checklist is available to download.
Other web security analysis services from Watson Hall
- development security and compliance
- security best practice
Contact Watson Hall
Information security risks must be understood for corporate mergers & acquisitions, company and partnership formation and disposals, partnership and shareholder disputes and procurement.
Watson Hall is an independent third party providing review and consultation services, based in London. Contact Watson Hall to see how we can assist you with undertaking due diligence investigations for web applications, websites and e-commerce systems.