Determining Proper Security Levels

Not all software applications are created equal – at least not from a security requirements perspective. Different applications require different security levels to be present to ensure they are “fit for purpose” in a particular deployment environment or to meet the acquiring company’s information security risk governance model. Determining the business criticality of the target company’s software is therefore a critical first step in the mergers and acquisitions process.

Veracode highly recommends that M&A professionals thoroughly review the six potential Impact Categories below and rate the associated impact as low, moderate or high, based on the definition of each Impact Category. Once the potential impacts of a security breach have been determined, Veracode will assign an application assurance level (business criticality), which in turn sets the security thresholds the target company’s software must pass.

Six Impact Categories:

  • Potential impact of inconvenience, distress, or damage to standing or reputation;
  • Potential impact of financial loss;
  • Potential impact of harm to organization programs or public interests;
  • Potential impact of unauthorized release of sensitive information;
  • Potential impact to personal safety;
  • Potential impact of civil or criminal violations.

The following chart from NIST provides guidance on selecting an assurance level based on the business risk determined from the six Impact Categories above: