SLB has implemented a global program to identify, assess, manage, mitigate, and respond to information security risks.
We take every available measure to preserve the security of all electronic records that are created or transmitted using company tools, whether the data belongs to us or our customers or other third parties. We are committed to protecting and respecting the privacy and all personal data entrusted to us, including information relating to our employees, customers, suppliers, and other third parties. Specific internal data privacy requirements guide the collection, use, transfer-including transfer across international boundaries, release, disclosure, and security of such data. These requirements also describe our expectations for third parties who process such data on our behalf.
SLB has developed and implemented a comprehensive, risk-based, global cyber security management program that is designed to identify, assess, manage, mitigate, and respond to information security risks both for all SLB business systems and corporate IT as well as all SLB provided systems owned & developed by the SLB divisions. The underlying controls of this program are based on industry cyber security and information technology globally recognized best practices and standards, such as the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and International Organization Standardization (ISO) 27001 Information Security Management System Requirements as well as control frameworks such as NIST SP 800-53 for IT systems and International Electrotechnical Commission (IEC) 62443 for the Operation Technology (OT) systems. We verify and drive improvements using an annual external maturity assessment of our cyber security program against the NIST CSF. In addition, our DELFI cognitive E&P environment has obtained System and Organization Controls (SOC 2) type 2 certifications using a trusted third party. Penetration testing by independently qualified third parties validates the implementation of our security policies.
Cyber Security function’s role is to “Secure the digital performance of the company and protect the company’s reputation while improving compliance and supporting business agility.” This is done through a comprehensive security strategy covering the entire software lifecycle in collaboration with the world’s largest cloud providers to ensure all our developed products are secure from inception.
We have a follow-the-sun Cyber Security Operations Center (CSOC), across three geographically dispersed locations, which provides 24/7 monitoring of our global environment and immediate response to any alert or incident for investigation and remediation. A formal program of practicing incident response drills is in place to ensure that all critical supporting teams of our corporate environment know what to do when a significant incident occurs, this covers such exercises as Table-Top or simulations. A mature Vulnerability Management practice works to identify any weakness in our global environment, with a risk-based approach to investigation and remediation.
All SLB employees and contractors are required to complete annual training and certifications in information security best practices, phishing, software compliance, data privacy, and data protection. We also conduct periodic phishing scenario learning experiences and cyber security awareness campaigns during the year. Depending on their specific job functions, certain SLB personnel with a high exposure to cyber risk may be required to take additional security awareness training, in addition we hold periodic Cyber Awareness sessions for the SLB Board of Directors.
Site Information Security Coordinators support promoting the Cyber Security agenda, awareness, and compliance at a local level, which is supported by a central awareness team and program, to deliver regular and timely content through such media as email, our internal corporate social media channels, and management re-enforcement.
The Board’s Audit Committee is responsible for oversight of the company’s cyber security risk exposures and steps taken by management to monitor and mitigate such exposures. Typically, once a quarter, senior Cyber leadership, including our Chief Information Officer, and our internal audit team brief the Audit Committee on information security matters, including cyber audits performed by our internal audit function. In addition, cyber security risks are reviewed by the Board at least annually as part of the company’s annual corporate risk mapping exercise.
The Cyber Security Risk program is aligned with our corporate Enterprise Risk management program and used to manage and mitigate our corporate cyber risk. An Integrated Risk Management approach is used and operationalized in a commercial tool, to identify risks from multiple cyber sub-domains and correlated them together: Risk Management, Vendor Management, Incident Management & Assessment Management. An annual Cyber Security Risk Mitigation program drives the remediation actions for the most important cyber risks in a formal annual remediation program.
We maintain a view of our external information security posture through a cyber risk rating partner to continuously monitor and benchmark us against established industry standards and best practices to ensure we have robust protection.
Intellectual property that is created when an SLB employee makes a new discovery, idea, device, technique, or process that is related to SLB’s business, the invention becomes the exclusive property of SLB, subject to provisions of any applicable laws. On joining the company, all employees agree to this concept as a condition of employment. The company also protects its intellectual property and confidential information by using nondisclosure agreements and confidential disclosure agreements before giving third parties access to such information.