On its way to becoming the fifth-largest energy company in the world, Chevron has had its share of acquisitions, inheriting dozens of technology platforms and applications in the process. When the gigantic purchase of Texaco loomed in 2001, Chevron knew it needed more consistent IT standards and practices to make sense of the complexity. The resulting risk management initiative has served the company well in meeting the compliance demands that have since emerged.
To address its IT concerns back in 2001, Chevron adopted the Enterprise Security Architecture System (ESAS), an IT risk management framework developed by PricewaterhouseCoopers and recently spun off to Brabeion Software. ESAS is a Web-based hierarchical system that helped Chevron define policies, standards and controls. For instance, Chevron's information security policy sets forth high-level guidelines for treating information as a corporate asset in compliance with applicable laws and regulations. Below the policy level are multiple supporting standards. So, for example, Chevron's companywide standard for passwords is eight alphanumeric characters that change every 90 days. Technology specifics are left to technical controls, which spell out how to implement the standards within, say, Windows or Unix.
"We have a very robust, dynamic technology environment, so with every advance of software and new means of communication, we go back to ESAS and update what is, in effect, our security strategy to take those changes into account," says Jay White, Chevron's global information protection architect.
Chevron used the framework to identify four levels of information security: public, such as press releases and quarterly reports; business, such as day-to-day e-mail and memos; confidential, including customer and HR records; and classified information, such as preliminary financial results and trade secrets.
"We needed to provide guidance on when you need to encrypt information," White says. "Encryption has an associated cost that isn't always justified, so our standard states that whenever you're handling classified or confidential information, it has to be stored in an encrypted state."
White says ESAS is compatible with some of the open frameworks now emerging for IT governance. For example, Chevron is an ITIL shop, and Brabeion says it's incorporating the COSO and CobiT frameworks into ESAS to address specific control and audit requirements.
Chevron now has some 85 pages of standards defined in ESAS as well as more than 1,500 pages' worth of technical controls, and the company is moving beyond information protection to address intellectual property, information management, privacy and export compliance policies, standards and controls. The system also defines business risks tied to IT. For example, SAP has been identified among Chevron's critical applications because a system failure could lead to loss of life, environmental damage, million-dollar losses and negative press across the globe. Incident recovery procedures were developed to mitigate each risk.
Given that it has some 100,000 employees operating in more than 180 countries, Chevron has to comply with scores of regulatory mandates. But White says ESAS has given the company a leg up as new requirements such as HIPAA and the Sarbanes-Oxley Act have emerged. "We had a set of controls that were already in place and being enforced, so when SOX came in, all we really had to do was align those specific controls back to the SOX Section 404 requirements."