JPT

Vol. 59 No. 5

May 2007

Management

Information Security: Risk and Reward

Donald Gauci, Ernst & Young

Information security is the bedrock of any information risk-management system, and oil and gas companies are becoming more adept at minimizing risk by bolstering these systems across their organizations. Information technology (IT) is becoming such an important facet of these businesses and of their disaster-recovery and business-continuity planning that security issues now often reach the upper echelons of many organizational charts, even boards of directors and audit committees.

In fact, the industry is seeing an increase in the number of executives in charge of company IT assets. Such arrangements play a powerful role in IT security and can result in strategically aligning IT-security issues with business objectives. Oil and gas companies should evaluate the following as global priorities when assessing information security:

  • Integrating information security within the organization
  • Extending the impact of compliance
  • Managing the risks of third-party relationships
  • Focusing on privacy and personal-data protection
  • Designing and building information security

Some of the regulatory changes that have taken place over the last few years, particularly related to the Sarbanes-Oxley Act in the United States, have caused companies to move from a reactive to a more proactive mode. While many energy companies still would rather spend capital on commodity assets than on information assets, they are slowly shifting as they recognize that information security is a top business driver. IT security is becoming a part of the discussion in the context of a company’s priorities. Whether those priorities include adding new acreage or adding rigs, E&P companies are leveraging technology more and more, and, as that technology is leveraged, the need for IT security rises.

As Technology Is Leveraged, Risk Rises

As companies grow through expansion or from mergers and acquisitions, computer networks can multiply and expand like cell division. Gradually adding bits and pieces to a network, especially when knowingly or unknowingly commingling sensitive data, increases risks and elevates the need for IT security. Not long ago, petroleum engineers, for example, examined geology assets in a back room, working safely within a secured computer network. Today, more and more of these professionals are performing such work on broader company networks, a move that saves companies money, but also elevates the possibility of data being compromised.

The notion of E&P companies leveraging communications technologies is not new, but they are constantly breaking new ground where applications are concerned. Fiber-optic networks, for example, are commonplace, and energy companies are now investing billions of dollars to lay these systems in the Gulf of Mexico and at other offshore asset locations. They know that as they go out into deeper water, the fiber-optic network will offer better communications capabilities for current and future processing facilities and drilling activities.

All this leads to remote management. Already some companies adjust temperature, pressure, and volume at offshore facilities from an onshore base, and the future will require greater reliance on these remote-management capabilities. By itself, that might not be significant. But add the fact that engineers on land reach the remote facility through the general company network, and that network becomes a path to a company's oil and gas assets: any host that can reach the engineers' segment can potentially reach the facility's control systems. So the perimeter security around a company's network, and the separation between its business and control segments, becomes more important, and many in the industry may not be thinking about that connection.

E&P companies, historically shrewd in finding new and imaginative ways to increase profits and production, already are planning to sell excess bandwidth on these fiber-optic networks. Along with that opportunity come the obvious security risks of having crucial data exposed to intrusion. Partners on those networks must be carefully chosen, and disaster and continuity plans must be closely scrutinized. Such scrutiny is perhaps even more applicable when dealing with third-party vendors. A number of companies, rather than turning to one vendor to handle certain functions, are engaging in joint ventures and cosourcing or outsourcing work to multiple providers. These partnering companies must be interconnected on the same network, often for the first time. Unforeseen risks can emerge for any or all of the companies in these setups if even a single vendor or partner has a vulnerability in its IT system, because a compromise of that partner's hosts becomes a compromise of everything those hosts can reach.
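The separation argued for above (engineering workstations, partner extranet, and remote-facility control systems treated as distinct network zones, with partner and corporate access to the control segment denied unless explicitly allowed) can be expressed as a deny-by-default zone policy. The following is an added illustration written for this edit, not code from the article or from Ernst & Young; the zone address ranges, the control-protocol port, the rule names, and the sample flows are all assumed or constructed for the example.

```python
# Added example (not from the article): a deny-by-default, zone-based access
# policy for an E&P network that interconnects corporate, engineering,
# partner and remote-facility control segments. Zone address ranges, ports
# and the sample flows are assumed/constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed zones. Partners and the offshore control network are separate
# segments, so any partner or corporate access has to be granted explicitly.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "engineering": ip_network("10.20.0.0/16"),
    "partner_extranet": ip_network("172.16.0.0/16"),
    "offshore_control": ip_network("10.30.0.0/16"),  # remote facility over the fiber link
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"


# Explicit allow list. Any inter-zone flow not matched below is denied.
ALLOW: List[Rule] = [
    Rule("engineering", "offshore_control", 502),   # assumed control-protocol port
    Rule("corporate", "engineering", 443),          # corporate users reach engineering apps
    Rule("partner_extranet", "corporate", 443),     # partners reach a corporate portal only
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> Tuple[bool, str]:
    """Decide one flow. Returns (allowed, reason). Unknown zones are denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "unknown zone"
    if src == dst:
        return True, f"intra-zone {src}"
    for rule in ALLOW:
        if (rule.src_zone, rule.dst_zone, rule.dst_port, rule.proto) == (src, dst, dst_port, proto):
            return True, f"allowed {src}->{dst}:{dst_port}/{proto}"
    return False, f"default deny {src}->{dst}:{dst_port}/{proto}"


# Constructed sample flows: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.30.0.9", 502),    # engineer to control system: allowed
    ("10.10.7.7", "10.30.0.9", 502),    # corporate laptop to control system: denied
    ("172.16.4.2", "10.30.0.9", 502),   # partner host to control system: denied
    ("172.16.4.2", "10.10.0.20", 443),  # partner to corporate portal: allowed
    ("10.30.0.9", "10.30.0.10", 502),   # within the control zone: allowed
]


def audit_flows(flows) -> List[Tuple[Tuple[str, str, int], str]]:
    """Return the flows the policy would deny, with the reason, for review."""
    denied = []
    for flow in flows:
        allowed, reason = evaluate(*flow)
        if not allowed:
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, reason)
```

The point of the example is the shape of the policy rather than the particular addresses: with an explicit allow list and a default deny, a compromised partner host or a corporate laptop cannot reach the control segment simply because all three sit on one interconnected network, and running recorded flows through the same rules shows which existing connections the policy would cut off before it is enforced.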

Third-Party Review

One form of protection in these situations is to have an independent reviewer assess the vendors and provide the results to each of the companies involved, so that all of them learn how the vendor handles information, how it tracks activity, and what risks are associated with the services that vendor manages (Fig. 1). Companies should consider making a third-party review a part of any contracting relationship.


Fig. 1—Results from the Ernst & Young 2006 Global Information Security Survey.

The greatest risk in not doing such an independent review is for the E&P company to lose some type of strategic advantage. But, depending on the type of information that could be compromised, a company also might become subject to litigation. Human resources information, for example, has strict privacy requirements. Outsourcing an IT service does not by itself relieve the company of legal responsibility for a data breach involving that service.

A business-impact assessment should be part of any disaster-recovery or business-continuity plan, and a close look at vendors should be included in that assessment. In other words, companies need to evaluate the risk of a vendor going away or becoming incapable of providing its services for an assumed period of time.

Only essential vendors deserve such scrutiny. But E&P companies should make sure that a key service provider that helps manage their drilling activities has a plan in place to keep its rigs protected and to get them back to full operation quickly if needed, so that drilling activities can continue.

Also, in anticipation of a disaster, such as a hurricane, it is important to draw up service requirements from essential vendors so that they are contractually obligated to be available in an emergency and to respond quickly to a company’s immediate business-continuity needs. Included in the agreement should be stipulations for pricing of products or services at those critical times. Without such terms in place, prices can be exorbitant. 

Survey the Backup

Likewise, IT-security requirements play a vital role in business-continuity plans, and businesses that provide data backup and IT-continuity resources should be assessed. Many of these businesses have massive systems that during a disaster will be partitioned among several customer companies working within the same system, so a company's data and recovery workloads may share hardware with other tenants precisely when the provider is under the most strain. Companies should examine carefully whether they want to contract with these businesses, which have their own specific hardware and locations for data centers.

Contracting for such recovery capacity, however, drives up the cost. In determining whether it is needed, firms should determine how long they can do business without these systems and whether the economic benefit of the downtime prevented will offset the cost of the plans. Such discussions should be part of the planning process.

More Educated About IT Security

Before passage of the Sarbanes-Oxley Act, most oil and gas companies were not handling IT controls at the highest executive levels. The federal law has significantly elevated the awareness and priority of IT-security issues among chief executives, chief financial officers, and other corporate officers. With more executive involvement, IT security will achieve an even higher priority. Understanding the ramifications of IT security for business strategy and operations is critical as companies continue to expand and integrate locations around the globe into a single network. By focusing on the priorities outlined here, companies can make great strides in improving IT security and reducing risks.

Donald Gauci is a partner with Ernst & Young’s Technology & Security Risk Services practice and has more than 18 years of public accounting experience.