Torstein Gimnes Are, Director, Corporate Information System Security, Norsk Hydro

Securing the Pipeline

Norwegian powerhouse, Hydro, strengthens ties between IT and business leaders

The Norwegians have been seeking their fortunes in the North Sea for about 1,300 years. But it's been less than half a century, since 1963, that they found them. It was then that the country's scientists, economists, and government agencies agreed that the black pitch seeping from the coal beds on either side of the sea (the same goo their Viking ancestors used to seal the planks of their ships) would change the fortunes of the nation and along with it, one of its oldest commercial enterprises, Norsk Hydro (Hydro). "We are a true Norwegian company," Torstein Gimnes Are says wryly. "We all have to agree on everything before we implement a solution."

To Gimnes Are, Hydro's director of corporate information services security since 2004, that meant getting consensus on a policy to protect the data of a company that long outgrew its roots as a fertilizer manufacturer and is today a NOK200 billion (about US$30 billion) per year enterprise, a leading offshore producer of oil and gas, and the world's third-largest aluminum supplier.

Simplifying solutions

To keep the information handled by Hydro's 33,000 employees in 40 countries safe, Gimnes Are focused on improving security reporting from technology solutions and simplifying data protection standards for Hydro's business leaders. "Better reporting gives us better documentation to take to management when we need money to improve things," Gimnes Are explains. "All the security processes we put into place for information risk management must be easy to understand and deploy. That improves our ability to get best practices implemented in the business areas."

The Hydro oil and energy business area is mainly centralized in Norway, while its aluminum metals and products business area operates factories and offices worldwide. The information security standard is a complex 10-page document based on ISO 17799, an internationally recognized set of controls. Gimnes Are is currently simplifying the best practice documentation by communicating the relevant requirement to the right target group or role in the business areas. "I provide the corporate requirements as to how people can handle information electronically. But it is each business area's responsibility to abide by those requirements," Gimnes Are says. "The IS organization strives to get the business side to take responsibility for information security."

To that end, Gimnes Are has been working for the past year to anchor IS concerns into Hydro's enterprise risk management process.

"We began thinking this should be a bottom-up process. We would do a risk analysis for every system and then aggregate a risk picture for the information services systems. It is a demanding process and the CIOs from each business area wouldn't accept it," says Gimnes Are. "Instead, they wanted a top-down approach, so we built the requirements into the enterprise risk management process. Now, when information systems pose an enterprise-level risk, we dig into a more detailed risk analysis of that system. Linking the process of information risk management to enterprise risk management has been an important task for us."

©1995 - 2007 Symantec Corporation