home
about us
products & services
news events
case studies
case study 1 - 2 - 3 - 4 - 5 - 6
resources
contact us
* *
case study previous case studynext case study

Application Service Provider - investor due diligence

client
commissum, acting on behalf of a syndicate of investors that included two global banks, was engaged to undertake an Information Security audit as part of the technical due diligence of a potential target for significant investment. A satisfactory outcome was a mandated prerequisite to securing the additional funding.

client requirement and business drivers
The subject of the review is a leading provider of on-line digital document and information management services. Their clients include a number of well know names within the commercial sector and local government.

The main business drivers were:

enabling
  • satisfying investors of the fact that appropriate levels of security were inherent in the company's delivery mechanism and their operations was a prerequisite to securing funding for the target organisation and fundamental to the investors realising a return
  • By the nature of the ASP's business, ensuring a sound Information Security environment is fundamental to protecting the confidentiality of their client's data, and to their ongoing business success
risk reduction
  • both the inadvertent and potential intentional, malicious exposure of client information was to be a top priority
  • the ASP was continually improving it's delivery platform through its in-house development team - it was essential that this ongoing development activity followed a rigorous process that would minimise the risk of later changes undermining current security levels

Operating within a carefully defined scope, commissum undertook to provide objective evidence of the security of the investment from an Information Security perspective.

commissum services provided

There were four parts to the audit.

  • a review was undertaken of the software development and management processes, driven by the importance of the unique, core application, which as part of the investment was to be significantly improved by an in-house development team - the investors wanted reassurance that the company environment would support the planned development, particularly with respect to security awareness being an inherent element of the process
  • the unique core application was subjected to a detailed application security review and test - this included "black box" testing as an external unauthorized attacker, and "white-box" testing from the perspective of both an external and internal authorized user
  • internal and external infrastructure penetration testing was conducted
  • a security audit of the operations at one of the ASP's data-centres was carried out against a BS7799/ISO17799 framework

The assignment provided direct evidence of the security measures taken to date, and that security risks were appropriately identified and acted upon. commissum presented findings to the investor syndicate. As a result of this and the company's demonstrated positive approach to adopting recommendations made by commissum, the company was successful in securing its funding.

   
site map

slash

 terms & conditions © 2001-2008 commissum