This article can also be found in the Premium Editorial Download "Information Security magazine: Keeping on top of risk management and data integrity essentials."
When ChevronTexaco puts a drill in the ground, it must live with that decision for decades. Risk management and data integrity are essential.
Risk is a crude fact of life for ChevronTexaco. It permeates the investments that the energy giant makes in oil exploration and where it will plant its oil rigs for 30 years. It threatens the hundreds of terabytes of data the company accumulates annually. It shadows each IT policy.
And yet, when business units want to launch a risky venture, chief information protection officer Richard Jackson cannot say no. It's not in his vocabulary.
"The mission of our group is to figure out a way to do projects safely by detailing the cost and risk factors," says Jackson. "Our business is finding crude oil. I exist because of our business units, and I have to make them successful. My organization is a support organization, as opposed to being an adversarial one."
Jackson's concept of support is to entrench risk assessment into each of ChevronTexaco's business processes and policies. In the coming months, a consolidation of all the company's information-related risk will be funneled into his domain to better manage not only data assets, but regulatory compliance and the IT procurement process. While it's hardly a revolutionary initiative, it's symbolic of how the business of information protection has evolved into an integral, prominent part of the overall business process.
"I think, in the short
ChevronTexaco commissioned teams of decision makers to start at the beginning by reviewing its data management processes and policies. Strategically, ChevronTexaco realized that keeping the 500 terabytes of research data generated annually by exploration fields accessible and safe meant consolidating policies, eliminating overlaps and better allocating information protection responsibilities.
Old policies had become stagnant, and risks hadn't been re-evaluated. Something considered a high risk five years ago is likely a much lower risk today. By contrast, unknowns five years ago must quickly be taken into consideration.
"Risk is addressed in each of these policies, and we're setting the corporate strategy around those," Jackson says. "They'll be revised and consolidated. We want simple guidelines for employees to manage and use assets."
Already, Jackson's group has assumed responsibility for privacy and IT security policies, and will be taking on information management and business document classification, retention and destruction.
Jackson says intellectual property rights protection will also come under his purview. ChevronTexaco is diligent about the technology it brings in-house and is defending itself against the trend of third parties suing larger companies for purported patent violations. Hardware and software license reviews are provisioned to ward off suitors who could potentially drain a company of its resources via legal challenges.
By consolidating these information risk components, Jackson hopes to strongly influence the procurement process by injecting risk assessment early, rather than leaving security as an afterthought.
"Our approach is to try to engage our diverse business units in our processes, and engage in a healthy enterprise debate between policies and business needs," says Jackson, who reports to the CIO on matters of information protection and the CTO on areas of compliance. "We engage in debate and reach an enterprise agreement that business units agree to. They make it happen."
This was first published in April 2005