Today organizations face the need to improve security levels while containing costs. It also becomes imperative to create IT value for their customers based on efficient business processes.
The International Maritime Industries (IMI) in the Kingdom of Saudi Arabia is aware of the challenges its Board faces under the new IT paradigm. Especially relevant is the need to implement an Integrated Risk Management policy; consequently, IMI has partnered with Satec Group to launch a project that aims to design and define all the necessary mechanisms for IT Governance, Risk and Compliance.
The International Maritime Industries (IMI) is conceived as the largest full-service maritime yard in the region driving the development of a new maritime industry in the Kingdom of Saudi Arabia.
IMI seeks to build and operate the largest integrated, full-service maritime facility in MENA, offering competitive, safe, high-quality and on-time solutions to ship and rig customers around the globe.
The IMI yard consists of four zones:
- Zone A provides new build and maintenance, repair and overhaul (MRO) services for commercial vessels including VLCCs, Bulk Carriers, Offshore Support Vessels (OSV) and rigs.
- Zone B is dedicated to Offshore Support Vessels (OSV) new build.
- Zone C, the largest zone, carries out new build activities for commercial vessels.
- Zone D offers new build for Offshore Jackup Rigs, Lift Boats/Barges.
State-of-the-art technologies including artificial intelligence, biometrics and the Internet of Things are embedded into the yard’s infrastructure, offering customers a cutting-edge advantage in an era of digitalization.
The Security Challenge
Aligning IT with the business is a well-known mantra for any modern organization. Among the success factors, three key measures deserve to be highlighted:
- Defining a Risk Management Process
- Aligning IT and Enterprise Risks
- Ensuring comparable, measurable and guaranteed traceability
Following recognized international standards and frameworks such as ISO 31000, the main actions to achieve this IT-business alignment are the following:
- Understanding the organization and its context
- Establishing risk management policy
- Integration into organizational processes
- Establishing internal communication and reporting mechanisms
- Establishing external communication and reporting mechanisms
On the one hand, IMI realized that every company must create a global security program consisting of the development and implementation of processes, technologies and procedures.
On the other hand, SATEC understands that a company can devote only limited resources to security. Consequently, the proposed projects are based on one essential, first-step requirement: an information security management system needs to be in place. As part of this system, SATEC implements a risk analysis process to decide which activities and assets of the company are the most important and, therefore, where the investment should be focused.
The first activity of the project was the Cybersecurity Maturity Assessment. It comprises an analysis of how IMI is managing cybersecurity and a benchmark against industry best practices.
In this case SATEC has applied, as a reference, the Cybersecurity Framework (CSF) provided by the US National Institute of Standards and Technology (NIST). The NIST CSF is subdivided into several functions that the company, in this case IMI, must perform in relation to cybersecurity:
- Identify: Understand the organization to manage cybersecurity risks in systems, assets, data and capabilities.
- Protect: Implement appropriate safeguards to ensure the security of the organization.
- Detect: Implement the necessary activities to detect that the organization is suffering a security attack.
- Respond: Develop the necessary activities to be able to respond to a security attack.
- Recover: Develop the necessary activities to be able to restore the organization to its normal state once a security attack has been suffered.
During the assessment, a score is assigned to each function and activity based on its degree of maturity. The scoring system is based on the Capability Maturity Model Integration (CMMI) defined by the Software Engineering Institute (SEI), where the following five maturity levels are defined:
As part of this strategic project, SATEC has also provided a guide for the implementation of an IT governance framework and its associated processes, based on the international standard COBIT 2019 (Control Objectives for Information and related Technology) developed by ISACA.
COBIT is a best practice guide presented as a framework, aimed at the control and supervision of information technology (IT). It provides a series of resources that can serve as a reference model for IT management. It includes an executive summary, a framework, control objectives, audit maps, tools for implementation and, mainly, a guide to management techniques.
For IMI, SATEC has delivered:
- A process map tailored to IMI's needs.
- For each governance objective:
  - A process definition and guide
  - A matrix of roles and responsibilities
  - A guide for other components
At a high level, COBIT governance objectives are grouped into four domains:
- Align, Plan and Organize (APO) addresses the whole organization, its strategy and the rest of the activities that support IT.
- Build, Acquire and Implement (BAI) addresses the definition, acquisition and implementation of IT solutions and their integration into business processes.
- Deliver, Service and Support (DSS) addresses the delivery and support of IT services, including security.
- Monitor, Evaluate and Assess (MEA) addresses the monitoring of IT performance and compliance with internal and external IT objectives.
The last phase of the project for IMI was to perform a risk analysis and, based on what that analysis determined, an assessment of the Security Operations Center (SOC).
The risk analysis allows SATEC to identify vulnerabilities and threats and to assess potential impacts in order to determine where controls and security measures should be implemented in an organization such as IMI.
The objective of this risk analysis is to implement such measures in the way that is most cost-effective, appropriate and timely for IMI.
It is common to implement too much security, too little security or the wrong security controls, and to spend too much money in the process without achieving the necessary objectives. A risk analysis like the one performed by SATEC helps companies prioritize their risks and show the Board the right level of resources to apply in order to protect the company against those risks in a sensible way.
To this end, SATEC carried out the following steps in the risk analysis:
- Identify the assets and their value to the organization.
- Determine the probability of a threat exploiting a vulnerability.
- Determine the business impact of these potential threats.
- Provide an economic balance between the impact of the threat and the cost of the security measure to be implemented to counter it.
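A worked illustration of the four steps above, added here as an example; it is not SATEC's own method and uses no IMI data. It scores each threat with the annualized loss expectancy approach (single loss expectancy times annual rate of occurrence), which the page does not specify and is therefore an assumption, and then checks whether each proposed control is worth its annual cost. All asset names, values and rates are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # step 1: value of the asset to the organization (currency units)
    exposure_factor: float  # fraction of that value lost when the threat materialises (0..1)
    annual_rate: float      # step 2: expected occurrences per year of a threat exploiting a vulnerability
    control: str            # proposed safeguard (hypothetical)
    control_cost: float     # annual cost of the safeguard
    residual_rate: float    # annual rate that remains once the safeguard is in place

    def single_loss(self) -> float:
        # step 3: business impact of one occurrence (single loss expectancy)
        return self.asset_value * self.exposure_factor

    def annual_loss(self, rate: Optional[float] = None) -> float:
        # annualized loss expectancy = impact per occurrence x occurrences per year
        rate = self.annual_rate if rate is None else rate
        return self.single_loss() * rate

    def control_benefit(self) -> float:
        # step 4: economic balance: loss avoided by the control minus what the control costs
        avoided = self.annual_loss() - self.annual_loss(self.residual_rate)
        return avoided - self.control_cost


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order the register by expected annual loss, highest first (where to look first)."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)


def recommend(risks: List[Risk]) -> List[Risk]:
    """Keep only the controls whose avoided loss exceeds their cost."""
    return [r for r in risks if r.control_benefit() > 0]


# Constructed sample register: hypothetical shipyard assets and figures, not IMI's.
REGISTER = [
    Risk("Vessel design document repository", 2_000_000, 0.5, 0.20, "Offline backups + access control", 60_000, 0.02),
    Risk("Yard crane control network", 5_000_000, 0.3, 0.05, "Network segmentation", 120_000, 0.01),
    Risk("Visitor Wi-Fi", 20_000, 1.0, 2.00, "Dedicated NAC appliance", 50_000, 0.50),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        verdict = "fund" if r.control_benefit() > 0 else "reconsider"
        print(f"{r.asset:38} ALE={r.annual_loss():>10,.0f}  benefit={r.control_benefit():>10,.0f}  {verdict}")
```

A negative benefit does not mean the risk is acceptable, only that this particular control costs more than the loss it avoids; a cheaper control or a different treatment (transfer, acceptance) is then the next question for the Board.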
Once the risk analysis had been performed, SATEC evaluated the current state of IMI's SOC to determine whether its current processes, technology and people are adequate to meet IMI's needs and, if not, to make the relevant recommendations.
If you want to know more about our services, do not hesitate to contact us.