Stepping Up to Security Compliance

The intent of multiple regulations, industry standards and best-practice frameworks across industries today is unambiguous: the emerging compliance paradigm seeks to ensure the security, availability and integrity of business information.

By Thomas Schmidt



Ask any IT professional, and the word "compliance" is likely to mean a number of different things. But the intent of multiple regulations, industry standards and best-practice frameworks across industries today is unambiguous: The emerging compliance paradigm seeks to ensure the security, availability and integrity of business information.


For oil and gas companies, which face numerous regulations and standards associated with different aspects of their business, compliance has become an increasingly critical issue, particularly as state and federal agencies such as the EPA and DOT have issued environmental directives mandating the auditing, reporting and disclosure of critical information.


With such an array of regulations and standards to contend with, compliance in the oil and gas industry is a much broader issue than just meeting legal requirements imposed by regulatory bodies.


This article provides an overview of today's security compliance landscape, followed by an examination of proven best practices and governance policies that will enable oil and gas companies to proactively comply with existing and new regulations while reducing costs.


The scope of the challenge
Given that regulatory pressure is increasing for all industries, it may come as a surprise that an overwhelming percentage of businesses still fall far short in their compliance efforts. But according to a report published by the IT Policy Compliance Group in July, some 90% of all businesses still do not have sufficient policies in place to meet data governance regulations and adequately limit the risk of a security breach.


In the survey of 475 companies, one-third of which reported revenues of more than $1 billion last year, the industry group found that an overwhelming majority of the firms expect to deal with at least six business disruptions related to major data incidents per year along with five or more instances of information loss or theft.


While businesses continue to invest in policy enforcement software and other technologies aimed at helping them meet data-handling regulations, most are still struggling to fill all the gaps in their systems that leave them open to potential incidents, James Hurley, managing director of the IT Policy Compliance Group, told Computerworld.


"When it comes to protecting data, a lot of organizations still find information all over the place that they may not even have control over," Hurley said. "People are finally discovering this is a difficult problem and that the controls they thought they have in place may not be adequate [and] that they need to rethink those controls and find out where the data inventory actually is because in most organizations, it's not under control."


Five steps to policy compliance
One of the first tasks for achieving compliance is proving that systems are locked down to an industry-accepted framework, such as CIS or ISO. To satisfy internal and external auditors, companies must be able to demonstrate the deployment of strict controls and settings (real-time and historical data), remediate unintentional errors and generate consistent and thorough proof of compliance.


To sustain policy compliance efforts, organizations must regularly analyze the effectiveness of technical controls (such as access, configurations and patches) and procedural controls (such as personnel rules and physical conditions), optimize them when required and demonstrate due diligence to both internal and external stakeholders. By adding a software solution that automates technical controls, oil and gas companies can test those controls on a scheduled basis, which helps them enforce compliance and prevent data loss. Companies must understand why automated compliance management is needed: full compliance leads to better security.


The following five-step security process, centered on best practices, is specifically designed to facilitate compliance:



  • Identify critical operational assets, catalog underlying technologies, and perform a security vulnerability assessment.

  • Create a security policy based on the vulnerability assessment and penetration testing, and monitor and enforce compliance with it.

  • Conduct disaster recovery planning, including the evaluation of backup and restoration procedures and other measures that help ensure uninterrupted operations.

  • Deploy protective security and disaster recovery measures that promote policy compliance.

  • Monitor and manage on an ongoing basis to ensure initial and continued compliance with regulations.

Conclusion
Keeping oil and gas industry IT assets secure and resilient in the face of attacks and disruptions presents a host of challenges. Protection must be deployed across increasingly interconnected SCADA and DCS control systems and conventional business systems. Conflicting priorities between protection and access must be managed. And industry and regulatory mandates establishing risk management benchmarks must be addressed.


Compliance regulators are continually penalizing firms for failing to disclose, retain, and secure information being monitored by new laws, regulations and guidelines. These failures are not normally caused by an intent to deceive, but rather by a lack of controls (in the form of policies and procedures), or the inability to detect fraudulent employee activities.


To ensure that their compliance and mitigation postures are effective, oil and gas companies must continue to measure compliance against assets and operations and keep their programs highly adaptive as new technologies are introduced and new risks are identified.


Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.
