The digital transformation of our world is helping us make better and more timely decisions, while also giving us the tools to work more efficiently across all areas of our business. Our global team recognizes the value of information and the importance of maintaining high standards of security to avoid loss or corruption of data.
- Information Security Governance Structure
Organization and Responsibilities
We are a member of both the British Computer Society (BCS) and The Chartered Institute for IT (Information Technology) and uphold the BCS Code of Conduct. This sets out important standards governing a member’s actions in relation to public interest, competence, integrity and professional responsibilities.
The governance of our information security is overseen by our Board, but policy actions are the responsibility of our IT Steering Group. The Group reviews our information security strategy, objectives and key performance indicators. It also agrees on standards and processes and develops any information security related capital programs.
Reporting into the IT Steering Group is our IT Function team, which is responsible for proposing strategy and implementing information security systems alongside managing training and security standards. The team also oversees our information security incident management process.
Our legal compliance team also reports into the IT Steering Group. They review our global information security policies and procedures to confirm they are aligned with international data protection requirements.
- Cyber Security
Cyber security is a subset of our wider information security practices. It focuses on defending our IT systems and electronic information. New threats and vulnerabilities materialize daily, and maintenance of cyber security continues to be a challenge for all businesses globally. To ensure sustainability, it is vital for organizations to combat these threats by creating a risk-aware culture and protecting themselves from cyber risks. We are committed to continually improving cyber security through investment in our people, processes and IT infrastructure. In 2020, we launched our new cyber security strategy, which continues to mature as we further align ourselves with the NIST (National Institute of Standards and Technology) Cyber Security Framework (Identify, Protect, Detect, Respond, Recover).
We first engaged NCC Group in 2019 to conduct an independent assessment of our cyber security maturity and risk against over 108 control areas, as specified in the framework. There are five levels of maturity: 1. ‘Non-Existent’, 2. ‘Repeatable but intuitive’, 3. ‘Defined’, 4. ‘Managed and Measurable’ and 5. ‘Optimized’. Following our first assessment in 2019, we set a target to reach level 3 (‘Defined’) maturity. Since then, we have significantly improved our Endpoint Detection & Response capabilities across the group and are focused on continuing to embed IT security at the heart of all day-to-day and project activities.
Following our 2021 assessment, it was confirmed that we have reached our target maturity level 3 (‘Defined’). We also benchmarked ourselves against the levels reached by other chemical companies operating in similar geographies. As the threat landscape in the wider environment has shifted, we have committed to a new target to further increase our maturity rating by the end of 2022.
Our IT management team, in liaison with internal and external stakeholders, monitors best practice and ensures our solutions comply with the relevant legislative and regulatory standards on cyber security. This team is responsible for increasing awareness and developing our security training.
- Information Security Training
Regular communications are issued to raise awareness of key issues covering areas such as how to stay safe online, how to protect against online fraudsters and prevent organized cyber-attacks on our businesses. These communications are backed up by an extensive program of cyber security and phishing training courses through our “KnowBe4” global training platform.
The KnowBe4 platform provides regular, mandatory, internal training for all employees based around quarterly campaigns. The campaigns cover a range of information security topics including access control, acceptable use and cyber security threats such as phishing. Successful completion of issued training courses is tracked on an individual employee basis.
Across our global IT team, we continue to embed a culture of information security best practice in all areas of IT service delivery. This approach is backed up by periodic training courses and discussions in IT’s global monthly meetings.
In 2021, 1,287 employees completed our Global IT Acceptable Use Policy module, 1,413 employees completed the Cyber Security ‘Be Cyber Smart’ module and 1,134 employees completed the Social Media Awareness module.
Internal phishing tests were also sent out to see how alert we are to attempts to gather sensitive information through fake emails. Two phishing campaigns were completed in 2021.
- Audit and Risk Assessment
We recognize the importance of continually validating the security of the applications and services that we have in place to keep our information secure. The following checks are performed on a periodic basis, with results presented to the IT Steering Group and, when required, to the Board:
- Staff information security assessments
- Penetration tests
- Vulnerability scans
- Red Team tests (internally simulated network compromise security tests)
- Independent external security reviews and audits