Six ways to protect your systems in a merger

17.01.2007

5. Proceed with caution. It's not uncommon for the two organizations in a merger to be operating at different security levels. One, for instance, may require two-factor authentication to access its network, while the other uses simple password authentication. Until the security infrastructures can be merged and the organization with the lower security brought up to the higher standards -- presuming that is the eventual plan -- the company will want to put extra security in the links between the two organizations, treating the organization with the lower security level as a semitrusted partner.

If the two organizations are going to remain as separate divisions and not be merged -- and particularly if they operate in two different verticals with different security needs -- this arrangement may become permanent. If the two organizations are to be merged at the operational level, the team will want to impose a standard set of security technologies wherever possible. However, they need to be careful to minimize disruption to business processes during the transition.

6. Evaluate the impact of planned changes in security procedures and levels before implementing them. Security is always a trade-off between protecting the information and applications that the business needs in order to operate and providing access to them. The most secure system, as security experts are wont to remark, is one that is totally disconnected from everything and kept in a locked vault that no one can access. But such a system does the business little good.

When evaluating security policies, levels and technologies, it's important to ask some key questions: How much disruption will this cause in the business? How much will the extra time and effort required to access IT resources cost the company? Is the added protection worth the price in terms of its impact on how the business operates? Is higher security justified by the extent of the risk or by compliance issues, despite the disruption it may cause?

Just because one of the merger partners operates at a higher security level than the other, that doesn't automatically mean the higher level is the better option for the merged organization. Management must evaluate all sides of the security issues to make the best overall decision for the company.