Commissum

Application Service Provider Due Diligence
Investor Consortium



Finance and Insurance GraphicThe Client

Commissum, acting on behalf of a syndicate of investors that included two global banks, was engaged to undertake an Information Security audit as part of the technical due diligence of a potential target for significant investment. A satisfactory outcome was one of the mandated prerequisites to securing the additional funding.

Client Requirement and Business Drivers

The subject of the review was a leading provider of on-line digital document and information management services. Their clients include a number of well know names within the commercial sector and local government.

The main business drivers were:

Enabling

  • Satisfying investors of the fact that appropriate levels of security were inherent in the company’s delivery mechanism and their operations was a prerequisite to securing funding for the target organisation and fundamental to the investors realising a return
  • By the nature of the ASP’s business, ensuring a sound Information Security environment is fundamental to protecting the confidentiality of their client’s data, and to their ongoing business success

Risk Reduction

  • Both the inadvertent and potential intentional, malicious exposure of client information was to be a top priority
  • The ASP was continually improving it’s delivery platform through its in-house development team – it was essential that this ongoing development activity followed a rigorous process that would minimise the risk of later changes undermining current security levels

Operating within a carefully defined scope, Commissum undertook to provide objective evidence of the security of the investment from an Information Security perspective.

Services Provided

There were four parts to the audit:

  • A review was undertaken of the software development lifecycle and management processes, driven by the importance of the unique, core application, which as part of the investment was to be significantly improved by an in-house development team – the investors wanted reassurance that the company environment would support the planned development, particularly with respect to security awareness being an inherent element of the process
  • The unique core application was subjected to a detailed application security review and penetration test – this included “black box” security testing as an external unauthorized attacker, and “white-box” security testing from the perspective of both an external and internal authorised user
  • Internal and external infrastructure penetration testing was conducted
  • A security audit of the operations at one of the ASP’s data-centres was carried out against the ISO 27001 framework

The assignment provided direct evidence of the security measures taken to date, and that security risks were appropriately identified and acted upon. Commissum presented findings to the investor syndicate. As a result of this and the company’s demonstrated positive approach to adopting recommendations made by Commissum, the company was successful in securing its funding.