On its way to becoming the fifth-largest energy company in the world, Chevron made its share of acquisitions, inheriting dozens of technology platforms and applications in the process. At the start of the decade, with its purchase of Texaco looming, Chevron needed more consistent IT standards and practices to make sense of the complexity. The resulting IT risk management initiative is helping the company meet a range of compliance demands around the globe.
In 2001, Chevron adopted the Enterprise Security Architecture System (ESAS), an IT risk management framework developed by PricewaterhouseCoopers and since spun off to Brabeion Software. The Web-based system has helped Chevron define IT policies, standards and controls. Chevron's information security policy sets high-level guidelines for treating information as a corporate asset in compliance with laws and regulations. Multiple standards support each policy. So, for example, Chevron's companywide standard for passwords is eight alphanumeric characters that change every 90 days. Technical details are left to controls detailing how to support the standards within, say, Windows or Unix.
"With every advance of software and new means of communication, we go back to ESAS and update what is, in effect, our security strategy," says Jay White, Chevron's global information protection architect.
Chevron has used ESAS to set policies and standards for everything from encrypting sensitive information to preventing or recovering from IT systems failures. Associated business risks range from financial losses and negative publicity to loss of life and environmental damage.
Chevron now has some 85 pages of standards and more than 1,500 pages of technical controls that have helped it comply with existing mandates and emerging regulations. "When the Sarbanes-Oxley Act emerged, we already had a set of controls in place and being enforced, so all we had to do was align those specific controls back to the SOX Section 404 requirements."
— Doug Henschen
At the CA Niku 2005 Global User Conference in November, Rick Davidson, Manpower's SVP and global CIO, offered a hard-boiled definition of governance: "a feeble attempt to deny the laws of physics." He was talking about entropy, the ever-increasing measure of disorder in a system. Manpower, which does most of its business outside the United States, is using CA's Clarity (formerly Niku) tools to halt entropy and gain visibility and control over global software development. "We have a rational process of deciding what ought to be done," says Davidson.
Led by California, state legislatures are responding to rising costs and damages caused by identity theft. The Federal Trade Commission says that the problem affects 10 million Americans every year at a staggering cost of $52.6 billion (in 2004). Vericept, focused on information protection and misuse prevention, has introduced software to help businesses comply by tracking, monitoring and controlling Internet-based transmissions of personal information.