Page 53 - Tatweer AR 2022
Tatweer Petroleum | Annual Report 2022 | www.tatweerpetroleum.com
performed by a third-party vendor against NIST (National Institute of Standards and Technology) to assess the organization's current maturity level.
A Cyber Security Framework was initiated by the IOT department to start the journey of building the capabilities towards a highly mature cyber security function, and the framework was finalized by the end of 2022. Cyber security has identified the gaps for short-term resolution and is currently building the three (3) to five (5) year plan to reach maturity levels 3-5 for long-term resolution.
In 2022, as part of the company’s direction to move towards ISO standards for IT Disaster Recovery Management Systems (DRMS/ISO22301) and Information Security Management Systems (ISMS/ISO27001), the IOT conducted a Disaster Recovery Drill to ensure that Tatweer Petroleum implements the best data and system recovery practices and cyber security management.
Policies and procedures have been developed and approved by AMD to be implemented in the IT domain. The cyber security section is working on developing the same for the OT environment, and has prepared several documents providing guidance and minimum security controls for reference and easy implementation in IT and OT.
Cyber security for Operational Technology (OT) is the highest priority for Tatweer Petroleum. As such, a dedicated person was assigned from the cyber security section to help build the security controls, measures, and monitoring tools. In 2023, multiple projects are budgeted to enhance the security controls to mitigate the security risks against OT, such as antivirus and threat monitoring tools.
Cyber security in the IT domain has witnessed considerable improvement, and multiple projects to mitigate cyber security risks in the IT domain have been implemented. In 2022, cyber security proactively started the data classification project. In 2023, Tatweer Petroleum started the Data governance program as an ad-hoc function which helps in protecting the Company’s most critical data against tampering and exfiltration. The program is still in its infancy and will progress as the Company matures.
The security awareness program has witnessed a vast improvement; the number of employees who did not pass the phishing test during the first campaign was 245. However, the numbers improved significantly in the latest campaign, as there were only 20 employees who failed the test.
Internal Audit identified multiple gaps in December 2021, and several gaps were closed, as listed below:
1. Cyber for IT domain
2. Cyber Security OT
3. IT governance and control
Tatweer Petroleum is working with nogaholding and NCSC on the NCSC's Critical Network Infrastructure (CNI) initiative, which is intended to set minimum controls and regulation requirements for CNI organizations. The initiative commenced in January 2023.