8 - Kuwait Oil Company

More documents

Recommendations

Info

Security practices entail theidentification of an organization’sinformation system assets andthe development, documentationand implementation ofpolicies, standards, proceduresand guidelines that ensureconfidentiality, integrity andavailability of information systemresources.To ensure the security of aserver and the supporting overallserver infrastructure, KOC hasimplemented the followingpractices:Organizational InformationSystem Security PolicyA security policy should specifythe basic information systemsecurity tenets and rules anddefine their intended internalpurpose. The policy should alsooutline who in the organizationis responsible for particular areasof information security (e.g.,implementation, audit, review).The policy must be enforcedconsistently throughout theorganization to be effective.Configuration/Change Controland ManagementThe process of controllingmodifications to a system’sdesign, hardware, firmware andsoftware provides sufficientassurance that the system isprotected against the introductionof an improper modificationbefore, during and after systemimplementation. Configurationcontrol leads to consistency withthe organization’s informationsystem security policy.Risk Assessment andManagementRisk assessment is the processof analyzing and interpretingrisk. It involves determiningan assessment’s scope andmethodology, collecting andanalyzing risk-related data, andinterpreting the risk analysisresults. Collecting and analyzingrisk data requires identifyingassets, threats, vulnerabilities,safeguards, consequences and theprobability of a successful attack.Risk management is the processof selecting and implementingcontrols to reduce risk to a levelacceptable to the organization.Standardized ConfigurationsDevelop standardized secureconfigurations for widely usedoperating systems and serversoftware. This will providerecommendations on how toconfigure systems securelyand ensure consistencyand compliance with theorganizational security policy.Contingency, Continuityof Operations and DisasterRecovery PlanningContingency plans, continuityof operations plans and disasterrecovery plans are established inadvance to allow an organizationor facility to maintain operationsin the event of a disruption.End UsersEnd users should not have accessto data that is beyond what theyare authorized to view to completetheir jobs and duties. End usersshould especially be monitoredwhen they have access to sensitivedata and access should be revokedwhen they move to a differentdepartment in which such accessis not needed or required. In thiscase, the onus falls on the originaldepartment to inform IT to stop ordelete such access.End users should only haveaccess to the database through28 April-June 2012
the proper application’s menus.The authorization to access anapplication is given only afterapproval by the authorized entity.End user authority is alwayschecked, reviewed and verified.For example, all access to HRmenus that are given to endusers should be approved andauthorized by specified userswithin the HR team.Developers and SystemsAnalystKOC follows the best practiceof having two environments forour computing setup, especiallyfor critical ERP systems. Oneenvironment is Productionand the other is Testing andDevelopment. Best practicedictates that Developers andSystems Analysts should onlyhave access to the testingenvironment and not theproduction environment. Any newdevelopment, update, upgradeor bug-fixes should first beapplied on the test environmentand once they pass thoroughtesting, they can be implementedand incorporated within theproduction environment.Only necessary patches are to beapplied. Patches are to be appliedonly to correct a bug, keep thedatabases up-to-date and to solveproblems. Patches that affectapplications are to be consideredand consulted upon by theconcerned staff from the users.ConclusionEnterprise databases – especiallyRDBMSs – and ERP systemsnow contain enormous amountsof critical, highly sensitiveinformation. This informationis frequently subject to rigorouslegal, regulatory and othercompliance requirements, and itsmisuse, exposure or unavailabilityhas the potential to cause seriousdamage to the enterprise. Anybehaviors that represent potentialdatabase security problems arenot tolerated and CITG authorizedsenior staff, along with internaland external auditors, routinelymonitor and audit these behaviorsand take the necessary actionsand recommendations to remedyand prevent such issues. •April-June 201229
Page 2 and 3: April - June 2012The Kuwaiti Digest
Page 4 and 5: Khaled Madhi Al-KhameesDeputy Manag
Page 6 and 7: International delegates participate
Page 8 and 9: KPC Board Members Visit KOC SitesKO
Page 10 and 11: Kuwait Oil & Gas Summit 2012KOC Cha
Page 12 and 13: is expected to grow to an annualrat
Page 14 and 15: KOC Organizes First Technology DayA
Page 16 and 17: share their experiences, andengage
Page 18 and 19: Arab Oil & Gas Magazine: Al-Zanki,A
Page 20: 4 th Town Hall Meeting & Exhibition
Page 23 and 24: Senior officials at the conferencea
Page 25 and 26: Senior oil officials at the inaugur
Page 27 and 28: paleo-sea level during the Albian-C
Page 32 and 33: WK Water Handling LabImplements LIM
Page 34 and 35: KOC’s Environmental AchievementsA
Page 36 and 37: 3rd Annual Production OptimizationM
Page 38 and 39: Enterprise Risk ManagementWhat is E
Page 40 and 41: Risk ReportingFigure 2 Outlines the
Page 42 and 43: Decades of ServiceMadathil Nair Rec
Page 44 and 45: Hi-TechFirst-Ever Images of Atoms M
Page 46 and 47: TETRATErrestrial Trunked RAdioSubmi
Page 48 and 49: TETRA standards chose the TimeDivis
Page 50 and 51: MiswakNature’s Tooth BrushFor mos
Page 52: www.kockw.com

8 - Kuwait Oil Company

Create successful ePaper yourself

Delete template?

Save as template?