Governance Gauge: Security Drives Compliance at Chevron - InformationWeek



On its way to becoming the fifth-largest energy company in the world, Chevron made its share of acquisitions, inheriting dozens of technology platforms and applications in the process. At the start of the decade when its purchase of Texaco loomed, Chevron needed more consistent IT standards and practices to make sense of complexity. The resulting IT risk management initiative is helping the company meet a range of compliance demands around the globe.

In 2001, Chevron adopted the Enterprise Security Architecture System (ESAS), an IT risk management framework developed by PricewaterhouseCoopers and since spun off to Brabeion Software. The Web-based system has helped Chevron define IT policies, standards and controls. Chevron's information security policy sets high-level guidelines for treating information as a corporate asset in compliance with laws and regulations. Multiple standards support each policy. So, for example, Chevron's companywide standard for passwords is eight alphanumeric characters that change every 90 days. Technical details are left to controls detailing how to support the standards within, say, Windows or Unix.

"With every advance of software and new means of communication, we go back to ESAS and update what is, in effect, our security strategy," says Jay White, Chevron's global information protection architect.

Chevron has used ESAS to set policies and standards for everything from encrypting sensitive information to preventing or recovering from IT systems failures. Associated business risks range from financial losses and negative publicity to loss of life and environmental damage.

Chevron now has some 85 pages of standards and more than 1,500 pages of technical controls that have helped it comply with existing mandates and emerging regulations. "When the Sarbanes-Oxley Act emerged, we already had a set of controls in place and being enforced, so all we had to do was align those specific controls back to the SOX Section 404 requirements."

— Doug Henschen

IT Governance and Globalization: How to Halt Chaos

At the CA Niku 2005 Global User Conference in November, Rick Davidson, Manpower's SVP and Global CIO, offered a hard-boiled definition of governance: "a feeble attempt to deny the laws of physics." He was talking about entropy, the always increasing measure of disorder in a system. Manpower, which does most of its business outside the United States, is using CA's Clarity (formerly Niku) tools to halt entropy and gain visibility and control over global software development. "We have a rational process of deciding what ought to be done," says Davidson.

Identity Theft And New Laws Drive Software Demand

Led by California, state legislatures are responding to rising costs and damages caused by identity theft. The Federal Trade Commission says that the problem affects 10 million Americans every year at a staggering cost of $52.6 billion (in 2004). Vericept, focused on information protection and misuse prevention, has introduced software to help businesses comply by tracking, monitoring and controlling Internet-based transmissions of personal information.
