COMPLIANCE, GOVERNANCE AND SECURITY IN ICT: THREE FACES OF THE SAME COIN? 13 December 2012
Agenda
- The context
- The journey
Saipem 2

Section 1: The context
Saipem Highlights
- Leading global EP(I)C general contractor
- Revenues (2011): 12.6 B
- Backlog (June 30th, 2012): 20.3 B
- Employees: 44,300
- Engineers & project managers: > 7,000
- Operating in more than 70 countries, more than 50 permanent establishments, employees from 127 nationalities
- Key local employer and investor in strategic markets
- Engineering & Construction: full-service EP(I)C provider
- Drilling: high-quality player onshore and in niches offshore
- Distinctive frontier focus in the oil & gas industry
- Most modern, technologically advanced offshore construction fleet
Global Presence with a Multilocal Emphasis
Human resources: 44,297 employees of 127 nationalities (as of October 31st, 2012)
World map (not reproduced); legend: EP(I)C hubs, engineering centres, yards & main logistic bases, other main areas and representative offices; labelled cities: Paris, Rome, Milan, Fano, Chennai
Two Global Business Units
- Engineering and Construction: sealines; subsea field development; fixed facilities; floaters; subsea services via remote technologies; oil & gas production; gas processing, LNG, GTL, GTS; import/export terminals; pipelines and oil & gas transportation systems; refineries, heavy oil conversion, chemical plants
- Drilling
Positioning: offshore high-quality niche player; onshore frontier focus
Saipem Assets: Offshore Construction Vessels
Saipem offshore fleet exceeds 40 units (one unit shown as under construction)
- Ultra-heavy lifting & deepwater pipelaying, field development / SURF, lifting and DLB: Castoro Otto, Saipem 7000, Saipem FDS 2, Saipem FDS, Saipem 3000
- Pipelaying: Castoro Sei, Castoro 7, Semac 1, Castorone, Castoro 10, Castoro 2, S355
Selected Drilling Assets
From a total of 24 wholly-owned offshore units and almost 100 onshore rigs (W.D. = rated water depth)
Deep water units:
- Saipem 12000 (W.D. 12,000 ft), Angola
- Scarabeo 9 (W.D. 12,000 ft), Cuba
- Scarabeo 8 (W.D. 10,000 ft), Norway, North Sea
- Saipem 10000 (W.D. 10,000 ft), Mozambique
- Scarabeo 5 (W.D. 6,500 ft), Norway, North Sea
Jack-up units:
- Perro Negro 8 (W.D. 350 ft), Italy
- Perro Negro 7 (W.D. 375 ft), Saudi Arabia
- Perro Negro 6 (W.D. 350 ft), Angola
Onshore units:
- 5898, 1,500 HP desert environment rig, Algeria/Arabia
- 5946, 3,000 HP winterized rig, Kashagan Field, Kazakhstan
- 5824, heliportable rig, Ecuador/Peru
Saipem Infrastructure
Diagrams (not reproduced): WAN infrastructure; Windows infrastructure
Section 2: The journey
ICT Compliance
Timeline of the Saipem ICT compliance frameworks:
- Sarbanes-Oxley Act and Law 262/05 (2006/2007): General Computer Controls (GCC), framework COSO, scope Saipem SpA, financial information; IT General Controls (ITGC), framework COBIT, scope Saipem SpA + selected operating companies, financial information
- ISO 27001 (2008/2011): ISO 27001 Saipem Model, framework ISO 27001, scope Saipem Group, all company information
- ISoC (2012/2013): ICT System of Control, frameworks COBIT, COSO and ISO 27001, scope Saipem Group, all company information
ICT compliance, step 1 (2006/2007): Sarbanes-Oxley Act and Law 262/05, covering financial information through the General Computer Controls (GCC; COSO; Saipem SpA) and the IT General Controls (ITGC; COBIT; Saipem SpA + selected operating companies)
SOX/262 Monitoring: Process and Organisational Model
Inputs: the Sarbanes-Oxley Act and Law 262/2005, mapped through the COSO and COBIT frameworks into a controls matrix (risk, control, test procedure). The SOX matrix comes from Eni, the 262 matrix from Saipem.
Process: new perimeter -> matrix review -> design verification -> operating effectiveness monitoring -> deficiency management
Organisational model:
- Corporate IT Compliance: IT Risk Owner; Monitoring Implementation Lead (Referente di Attuazione del Monitoraggio); Support/Monitoring Team
- Local IT Operations: IT Control Owner; Local IT Manager / IT Coordinator
ICT compliance, step 2 (2008/2011): the ISO 27001 Saipem Model (framework ISO 27001) extends the scope from financial information to all company information across the Saipem Group
The ISO 27001 Standard as Framework
ISO 27001 project: adopt a common management system for information security and the related ICT processes.
Objectives:
- Improve the level of protection of data and information against internal and external threats, and guarantee their integrity, availability and confidentiality
- Create a shared corporate culture on ICT security, aimed at optimising processes
Model: ISO 27001 Annex A + business requirements -> controls matrix (Saipem ISO 27001 Model)
ISO 27001: Process and Organisational Model
Input: controls matrix (Saipem ISO 27001 Model)
Assessment: send matrix -> interviews -> evaluate controls -> identify gaps -> share results -> remediation plan
Monitoring: propose action plan -> share action plan -> implement actions -> test (design / operating effectiveness) -> close gaps
Organisational model:
- Corporate IT Compliance: IT Lead Auditor; IT Auditors; Support/Monitoring Team (remediation plan, coordination and active support)
- Local IT Operations: Local IT Manager / IT Coordinator
Workload: ~200 contacts per month with Local IT Managers (20 videoconferences, 80 conference calls and 100 emails per month)
ISO 27001 Assessments (1/2)
Saipem companies: ISO 27001 assessments performed
- 28 assessments performed
- 69 interviews conducted
- 2,952 controls tested (2,393 evaluated)
- 38 server rooms visited (~16,000 workstations)
- ~1,300 applications inventoried
- 154 procedures & 461 documents collected and analysed
- 1,135 gaps identified: 616 gaps closed (design / operating effectiveness tests); 228 gaps open; 145 gaps awaiting corporate guidelines; 98 operating effectiveness tests in progress; 48 operating effectiveness tests planned
ISO 27001 Assessments (2/2)
2012 assessment results by ISO 27001 Annex A domain (chart not reproduced): A.5 Security Policy; A.6 Organization of Information Security; A.7 Asset Management; A.8 Human Resources Security; A.9 Physical and Environmental Security; A.10 Communications and Operations Management; A.11 Access Controls; A.12 Information Systems Acquisition, Development and Maintenance; A.13 Information Security Incident Management; A.14 Disaster Recovery and Service Continuity Management; A.15 Compliance
ICT compliance, step 3 (2012/2013): the ICT System of Control (ISoC) combines COBIT, COSO and ISO 27001 into one framework covering all company information across the Saipem Group
The New Governance Model: Organisation
IT Department organisation charts, 2006 vs 2012 (not reproduced)
The New Governance Model: ISoC
Implementation of an Information Security Management System (ISO 27001 certification)
Controls: the SOX controls matrix, the 262 controls matrix and the ISO 27001 controls matrix are merged into a single ISoC controls matrix
IRES: ICT Regulations and Standards
Assessment: IT Lead Auditor; IT Auditors
Management: IT Risk Owner; Monitoring Implementation Lead; Support and Monitoring Team
ISoC: Procedures
Revision of the ICT procedural body:
- Corporate model: STD (corporate standard), covering procedures, policies, controls, segregation of duties and constraints
- Local level: WI (local work instruction), one per site, covering processes, roles and responsibilities
Management process:
- Objective: ensure compliance with the national and international norms and standards applicable to ICT and with business requirements
- Drivers: compliance verification against the STD; support to implementation; ISO 27001 assessment; legislative context and standards; ICT and business requirements
- Activities: 1. annual planning; 2. assignment of an owner for each procedure; 3. monitoring of plan execution (with KPIs)
ISoC: Risk Management (1/2)
Country-risk management model: Electronic Data Classification & Risk Analysis Program (Eni approach)
- Data classification. Objective: manage data and its protection measures according to its value. Approach: understand the value of the data (Low, Medium or High)
- Risk analysis. Objective: know the remaining risk and mitigate or accept it. Approach: understand the remaining risk (Low, Medium or High); survey answered by the ICT (Security) Manager; locally identified security threats analysed
ISoC: Risk Management (2/2)
Country-risk management model: definition of minimum IT security measures in at-risk countries, graded by the country risk rating R (threshold values elided on the slide):
- R > ...: IT Security Plan (critical services and assets, plus the preventive measures to safeguard them); IT Crisis Plan (actions in case of socio-political crisis); Disaster Recovery Plan
- R < ...: Disaster Recovery Plan