Securing the Pipeline (cont.)
Norwegian powerhouse, Hydro, strengthens ties between IT and business leaders
Safeguarding systems
Having a strong security strategy is critical for Norsk Hydro, which, like other energy companies, uses Supervisory Control and Data Acquisition (SCADA) systems technology to monitor and regulate the flow of oil and gas through its pipelines. While SCADA makes data readily available to company engineers and contractors, it creates more risk because the system can be remotely accessed.
To better safeguard Hydro's computer systems, Gimnes Are needed a more comprehensive view of the company's security challenges, specifically patch management and the handling of viruses and malicious code.
Under Gimnes Are's leadership, Hydro expanded its use of Symantec antivirus and client security products, which provide antivirus, firewall, intrusion prevention, and antispyware capabilities. Symantec AntiVirus Enterprise Edition provides reporting, as well as centralized distribution of virus updates for enterprise-wide management. Symantec products also handle viruses from email attachments and spam emails. "On the technical side, we have achieved a great deal," Gimnes Are says. "We now have monthly reports on patch and antimalware from all of Hydro's business areas."
Gimnes Are also described Hydro's identity management processes. "We have procedures to ensure an employee operating a computer in a particular location is, in fact, the right person," he says. "We have different levels of authentication depending on how critical the system is or what kind of information is stored there. Critical systems have stronger authentication requirements based on a digital certificate or two-factor authentication. The business areas define what is critical information and how it should be safeguarded."
Business areas are required to run a risk analysis using a common harm reference table to assess risk. "If one of the business areas wants to provide a new application for e-business over the Internet, we require that they run the risk analysis to put the right security requirements in place for that application," Gimnes Are says.
Internal support
Finding funding for information security projects can be challenging, at least on the aluminum side of the business. The oil and energy business area can support advanced IT systems, including remote oil production and e-operations, and also works continuously with user awareness. "In aluminum, it is more challenging. We have a lot of factories and offices globally," Gimnes Are explains. "It's difficult for those units to work methodically with information security because it's a very distributed organization. I give the business areas our standards and procedures and follow up with internal audits to see if they implemented corporate requirements."
When necessary, Gimnes Are funnels money to problem areas through Corporate IS Services. These services are intended to handle business-critical issues as well as the company's common infrastructure. Each business area pays a monthly fee to Corporate IS based on the number of computers it uses. When Gimnes Are becomes aware of a threat, he approaches management with possible Corporate IS Services solutions. "If the business areas find it reasonable, we take money from Corporate IS Services to address threats," he says.
In 2007, Gimnes Are intends to double the money spent on internal audits. "That's the best measurement I have to check the effectiveness of information security work," he says.
"Among other focus areas, we will continue to develop our use of the Symantec products. We'll address both sides: technical solutions and an awareness campaign to make end users aware of their behavior. I think it's important to put awareness on the agenda, but it is more effective to address security problems with technical solutions."
Lynn Tryba is the managing editor of CIO Digest: Strategies and Analysis from Symantec.