We have implemented a global program to identify, assess, manage, mitigate, and respond to information security risks
We strive to preserve the security of all electronic records that are created or transmitted using company tools, whether the data belongs to us or our customers or other third parties. We are committed to protecting and respecting the privacy and all personal data entrusted to us, including information relating to our employees, customers, suppliers, and other third parties. Specific internal data privacy requirements guide the collection, use, transfer (including transfer across international boundaries), release, disclosure, and security of such data. These requirements also describe our expectations for third parties who process such data on our behalf.
All employees in job-related functions are assigned specific Data Privacy training. For additional information, please refer to the SLB Privacy Policy.
SLB maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The underlying controls of this program are based on recognized best practices and standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and International Organization for Standardization (ISO) 27001 Information Security Management System Requirements, as well as control frameworks such as NIST SP 800-53 for IT systems and International Electrotechnical Commission (IEC) 62443 for Operational Technology (OT) systems. We have an annual assessment, performed by a third party, of our cybersecurity program against the NIST CSF. In addition, our Delfi™ digital platform has obtained System and Organization Controls (SOC 2) type 2 certifications from a third party. Penetration testing by independently qualified third parties validates the implementation of our security policies.
The cybersecurity function’s role is to “secure the digital performance of the company and protect the company’s reputation while improving compliance and supporting business agility.” This is done through a comprehensive security strategy covering the software lifecycle, in collaboration with cyber partners, to monitor and maintain the performance and effectiveness of products and services that are deployed in SLB’s environment.
We have a Cybersecurity Operations Center operating in three locations to provide 24/7 monitoring of our global cybersecurity environment and to coordinate the investigation and remediation of alerts. A program for staging incident response drills is in place to prepare support teams in the event of a significant incident. A mature Vulnerability Management practice works to identify weaknesses in our global environment, with a risk-based approach to investigation and remediation.
All SLB employees and contractors are required to complete annual training and certifications in information security best practices, phishing, software compliance, data privacy, and data protection. We also conduct periodic phishing scenario learning experiences and cybersecurity awareness campaigns during the year. Depending on their specific job functions, certain SLB personnel with a high exposure to cyber risk may be required to take additional security awareness training. In addition, we hold periodic Cyber Awareness sessions for the SLB Board of Directors.
Site Information Security Coordinators help promote the cybersecurity agenda, awareness, and compliance at a local level. They are supported by a central awareness team and program that delivers regular and timely content through media such as email, our internal corporate social media channels, and management reinforcement.
The Board’s Audit Committee oversees the company’s cybersecurity risk exposures and steps taken by management to monitor and mitigate such risks. The cybersecurity team briefs the Audit Committee on the effectiveness of SLB’s cyber risk management program and our internal audit team briefs the Audit Committee on information security matters, including cyber audits performed by our internal audit function, typically on a quarterly basis. In addition, cybersecurity risks are reviewed by the Board, at least annually, as part of the company’s corporate risk mapping exercise.
The Cybersecurity Risk program is aligned with our corporate Enterprise Risk Management program and is used to manage and mitigate our corporate cyber risk. An Integrated Risk Management approach is used and operationalized to identify and correlate risks from the cyber sub-domains: Risk Management, Vendor Management, Incident Management, and Assessment Management. A Cybersecurity Risk Mitigation program drives actions for cyber risks in an annual remediation program.
We maintain a view of our external information security posture through a cyber risk rating partner to monitor and benchmark us against established industry standards and best practices to ensure we have robust protection.
When an SLB employee makes a new discovery, idea, device, technique, or process that is related to SLB’s business, the invention becomes the exclusive property of SLB, subject to the provisions of any applicable laws. On joining the company, all employees agree to this concept as a condition of employment. The company also protects its intellectual property and confidential information by using nondisclosure agreements and confidential disclosure agreements before giving third parties access to such information.