Exhibit: Security Standards for Online Services
Definitions.
Online Services: the cloud-based services made available by SLB to Customer.
Personal Data Breach: an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with this Agreement.
Security Incident: any actual damage to the integrity or security of: (i) the Online Services available to Customer or others; or (ii) the infrastructure or systems on which the Online Services operate or rely upon. A Security Incident includes a Personal Data Breach and any other unlawful or unauthorized access to any data resulting in loss, disclosure, or alteration of the data.
1. Overview.
a. The controls and measures set out in this Exhibit shall apply to the facilities, systems, and operations that deliver the Online Services.
b. SLB shall have in place a risk management and cyber security program for the Online Services. Such program shall include measures to address physical security, network protection, system security, development standards, and incident response.
2. Physical Security.
At SLB facilities, SLB shall maintain policies and procedures designed to prevent unauthorized access. These shall include: (i) ID badges and visitor badge/sign-in requirements; (ii) electronic intrusion detection systems and CCTV; and (iii) physical barriers and electronic access control.
3. Personnel.
SLB shall ensure SLB personnel:
a. are subject to confidentiality obligations.
b. are evaluated in terms of appropriate experience and background prior to (i) employment by SLB and (ii) assignment to particular roles (subject to local law restrictions).
c. receive periodic training on cybersecurity, data protection, and rules of conduct for the safekeeping and security of data and systems.
4. Subcontractors.
a. SLB shall conduct due diligence on all subcontractors as part of onboarding, including an assessment of the security procedures of the subcontractor, and SLB shall require each subcontractor to enter into an agreement containing appropriate security and confidentiality terms.
b. SLB shall require that cloud service providers implement physical, network, and system controls to protect against unauthorized access, damage to, or loss of the Online Services or Customer Data. These shall include: physical perimeters, fire detection and suppression systems, 24x7 security, device security, fully redundant power backup systems, physical access controls, authentication mechanisms, and digital surveillance systems.
5. Network Security.
In order to protect against unauthorized access and isolate threats, SLB shall:
a. maintain firewall policies and network segmentation to monitor and control network traffic.
b. harden the Online Services by removing unnecessary software and utilities, turning off unrelated services, and closing extraneous ports.
c. implement strict, logical separation of the Online Services from the internal SLB network, although the Online Services environment may be accessed by SLB operations and support teams via the internal SLB network.
d. design operating procedures and technical solutions to effectively detect and react to network attacks.
6. Identity & Access.
a. SLB shall implement and maintain logical access control based on User-IDs, passwords, and access profiles.
b. The authentication policy applied to SLB personnel shall include one or more of the following: (a) a minimum password length and character requirement; (b) re-use limitations; (c) lock-out after a pre-defined number of failed attempts; and (d) multi-factor authentication.
c. SLB shall manage access controls for SLB personnel based on the principle of ‘least privilege’.
d. SLB shall verify requests for new privileged accounts and review privileged accounts on a periodic basis. SLB shall revoke privileged access promptly upon termination of employment or role change.
e. SLB shall implement authentication requirements designed to verify the identity of individuals requesting access. Customer shall ensure compliance by Users with all authentication tools. Such tools may take the form of a centralised log-on portal, multi-factor authentication and/or federation. Where federation is leveraged, Customer shall ensure its MFA, password, and user ID policies are sufficiently robust to prevent unauthorised use or access.
7. System & Operational Security.
SLB shall implement the following controls designed to provide system integrity, confidentiality, and availability:
a. Customer Data shall be encrypted at rest and in transit.
b. SLB shall install end-point protection, anti-malware, and anti-virus software on virtual machines and servers hosting SLB software and applications.
c. SLB shall establish procedures and put in place technical solutions for backup and recovery operations, including operating systems, system files and configuration settings of the Online Services, designed to address the possibility of a potential disruption of service, disaster, failure or interruption.
d. SLB shall perform drills to test disaster recovery plans and procedures on at least an annual basis.
e. SLB shall implement change management procedures, including testing and approval processes, related to standard bug fixes, updates, and security patches.
f. SLB shall implement alerting and monitoring tools to generate alerts of unusual or suspicious activity and monitor access.
g. SLB shall establish operating procedures to log user activities and events. Logs shall be reviewed on a periodic basis.
h. SLB shall process Personal Data in accordance with its privacy notice and data processing addendum available at: https://www.slb.com/privacy
8. Incident Response.
a. SLB shall maintain Security Incident response plans to assess, monitor, and manage the response to incidents, which shall be tested on at least an annual basis.
b. To the extent Customer is affected by a Security Incident, SLB shall notify Customer of the Security Incident without undue delay. Such notification shall include, to the extent possible:
i. a description of the nature of the Security Incident;
ii. the details of a contact point where more information concerning the Security Incident can be obtained; and
iii. where SLB has determined such at the point of notification, its likely consequences and the measures taken or proposed to be taken to address the Security Incident, including to mitigate its possible adverse effects.
9. Secure Development.
SLB shall implement and maintain a software life cycle management process including secure software development methods consistent with industry practices, including:
a. security review of architecture and design documents;
b. static application security testing (SAST);
c. dynamic application security testing (DAST);
d. source code review; and
e. penetration testing.
10. Security Patching.
a. SLB shall have in place a procedure for the deployment of security patches.
b. Where the Online Services include the provision of virtual machines, or otherwise require that access to the Customer subscription is granted by Customer:
i. On request, Customer shall grant access to SLB personnel without undue delay and within any timeframe identified (for emergency patches, access shall be granted immediately); and
ii. SLB shall have no liability for any adverse effects or consequent Security Incident caused or arising due to Customer’s failure or delay in granting SLB the requested access.
11. Periodic Review.
SLB shall conduct periodic reviews of the adequacy of its internal controls and cyber security practices for the Online Services. Where appropriate SLB may adopt new or alternative controls in order to ensure alignment with industry standards and to respond to new cyber security risks.
12. Audits of Technical and Organisational Measures.
Upon Customer request (such request to be made no more than once annually) and subject to appropriate confidentiality obligations being in place, SLB shall provide Customer with a report summarising the review and assessment of SLB’s internal controls and security practices applicable to the relevant Online Services over a 12-month period. Such report may take the form of a SOC 2 Type 2 report or other internal or external assessment and shall in all circumstances be deemed SLB Confidential Information.
Version: December 2024