INDUSTRY WATCH
EDP is a global company, operating in
16 countries across four continents,
specialising in energy generation,
transport and distribution of electricity and
gas. EDP has 12,000 employees across
Europe, United States, Canada, South America
and Asia and serves 11 million clients.
EDP recognises that information security
is a vital part of its strategic objectives and
is one of its key business requirements,
representing a core commitment at the
top management level. As a result, EDP’s
information security policy is approved at
Board of Directors level. The policy establishes
information security as a competitive
differentiator, which generates confidence
among EDP’s stakeholders. Also, EDP
recognises that it has a heavy responsibility
in the societal context, as an operator of
critical national infrastructure and manager
of large volumes of personal data for clients
and employees.
As part of the EDP group’s strategic
information security vision, it established
a three-year security master plan (2018–
2021) based on its end-to-end security
principle consisting of these objectives:
• Focus on people: Recognising people as
a central element of security, not only as
the organisation’s first line of defence but
also to create the capabilities to architect
and implement the security solution that
protects the organisation’s systems and
to build a critical incident response and
recovery capacity
• Compliance: Following external laws
and regulations imposed on the relevant
sectors and generating trust
• Intelligence: Making security
less intrusive, more efficient and
empowering business, especially in
Digital Transformation
• Resilience: Cyberattacks are ever
more common, so the resulting
security incidents must be handled by
the organisation to ensure the business
continues to deliver despite adverse
cyber events
Utilising BitSight Security Ratings
EDP was introduced to BitSight through its
threat intelligence company. The BitSight
Security Ratings platform provided the
necessary external view of its networks that
EDP required. Issuing daily ratings that are
akin to a credit score for security, BitSight
Security Performance Management helped
EDP take a risk-based and outcome-driven
approach to managing its performance.
This included broad measurement tools,
continuous monitoring and forecasting. EDP as
an organisation values sustainability as one of
its biggest corporate objectives, and ensuring
cyber-resilience to protect customers and
employees is a big part of this. The Security
Performance Management tool enabled EDP
to achieve this and reduce its cyber-risk.
EDP’s adoption of a metric based on the
BitSight Security Rating helped define
the group’s KPI around its overall security
performance. The specific metrics included
checking aspects such as security of its
own website, access to its networks from
dangerous locations or communications
coming from machines infected by criminal
networks. The EDP group has achieved the
proposed rating objectives for 2018 and 2019.
Fast and efficient information security
EDP’s dedicated global cybersecurity
incident response team (CSIRT) works 24
hours a day and participates in national and
international cybersecurity exercises. The
company tests its reaction to occurrences
of disruptive events, driving awareness
and training among employees. This is
where EDP saw value in its Security
Performance Management tools, not only as
a reporting tool for its own security
posture, but also as a way to communicate
credibly to stakeholders and the market. This added
value to the organisation’s objectives
around sustainability.
Internal Assessment
The CSIRT team utilises BitSight for Security
Performance Management to monitor and
receive real-time infection alerts to help work
on fast remediation within its own network.
CSIRT also works closely with the BitSight
team to ensure all relevant information, such
as details of all risk vectors, is shared and
behaviours are continuously monitored.
Benchmarking
BitSight’s consistent and transparent rating
system for all companies is an important
feature that allows EDP to compare its
performance to industry peers and identify
wider security issues. The platform provides
intelligence on compromised systems,
security diligence and user behaviour risks
that affect EDP and its industry peers. This
provides EDP with the ability to see which
infections are targeting peer companies for
insight into industry-specific threats, as well
as understand security diligence standards
across its industry.
INTELLIGENTCIO