Oil & Energy

A complete and innovative solution for Digital Information Risk insight and intelligence

Almost all governing bodies, and the various entities supervising publicly listed companies with high exposure to the private information of a large number of retail clients, impose strict Digital Information Risk Management and overall ICT infrastructure security requirements, particularly regarding data security and compliance with privacy laws.

Context

With the rise of the Digital Information age, protecting information assets while keeping systems and ICT infrastructures aligned with the core business processes has become a massive task, mainly because of the enormous quantity of data that a large ICT infrastructure manages and generates, especially for companies with very high brand exposure and a vast amount of retail client information that must be kept both available and secure.

Sensitive data breaches or infrastructure downtime can damage public perception of the company's overall security and reliability, in particular its protection of customer data and privacy in cyberspace, and can also lead to sanctions.

Client Description

The Client is one of the top Italian Oil and Gas groups by capitalization, operations and overall reach, with a large presence of retail customer points of contact, both in Italy and abroad.

Client Need

The client, which had in place a number of powerful yet disparate security appliances, solutions and tools added over the years, each protecting a different layer of the overall ICT infrastructure, expressed the following key needs to the Esc2 team:

  • Given the diversity of formats, the different infrastructure layers and the huge number of detailed data feeds and reports produced by the ICT security operations in place, the client had great difficulty piecing together and monitoring all the underlying risks;
  • The Digital Information and ICT Security management reporting processes needed an overall improvement in the uniformity and semantics of the results of the analyses performed on the output and logs of the appliances and tools, so as to gain a clear, meaningful and comparable insight into the overall ICT risks;
  • The lack of an aggregated reporting model for ICT risk management, providing an integrated view of the different risks across multiple layers, ultimately made it difficult to understand changes in the nature of attacks and incidents, and therefore the potential and existing risks across the different ICT dimensions and layers.

Figure: Infosync RM Architecture

Esc2 Value Added Solution

Based on the client requirements, Esc2 analysts proposed a packaged solution with the following key functionalities:

  • Collection, reuse and aggregation of all information already available from logs and reports, i.e. those produced by the existing security appliances, solutions and tools, establishing a clear and complete risk intelligence data base to be used by a new, screen-based, real-time reporting and analysis framework with simple yet powerful dashboard and drill-down navigation paradigms;
  • Aggregation of risk values based on Risk Management best practices such as COBIT and ISO 27005, creating a clear, standards-based measurement;
  • Realization of a Risk Summary overview across different dimensions, such as geography, business service and department, functional area and business process, and impacted ICT layers and assets.

Client Experience

Over a period of three months the client progressively integrated the newly designed data base onto the Infosync platform and thereafter created several reporting dashboards and drill-down navigation schemas, fully meeting management expectations regarding company policies and the need for timely and transparent security and audit reporting under the applicable statutory requirements on ICT security, privacy and client data protection.

Key Benefits

  1. Reuse of all available data and information from disparate log analysis and reporting systems;
  2. Standardization of the reporting model supporting the risk evaluation processes;
  3. Adoption of standard measurements of operational risk values (COBIT 5, ISO 27001, Privacy Law);
  4. Reduced complexity in communicating relevant ICT security aspects to Internal Audit counterparts, and compliance with the multiple directives, regulations and mandates governing the treatment, storage, security and overall privacy of client data.