
Contents

Introduction .......................................................... 2
  Digital Security’s role in BP ..................................... 2
  Our approach ...................................................... 2
  Managing digital security in BP ................................... 2
  An overview of our service areas .................................. 4
  Using the catalogue ............................................... 5
Section 1 – Risk Management ......................................... 8
  Threat Monitoring ................................................. 9
  Risk Assessment .................................................. 11
  Risk Mitigation Support .......................................... 14
  Change Approval .................................................. 16
Section 2 – Security Framework ..................................... 18
  Digital Security Standards ....................................... 19
  Digital Security Architecture .................................... 21
  Digital Security Solutions ....................................... 22
Section 3 – Capability Development ................................. 23
  Expertise Sourcing ............................................... 24
  Training ......................................................... 25
Section 4 – Detection & Response ................................... 26
  Security Event Management ........................................ 27
  Incident Resolution Support ...................................... 28
  Investigations ................................................... 29
Section 5 – Business Continuity Management ......................... 30
  BCP Standards .................................................... 31
  BCP Deployment ................................................... 33
  BCP Training ..................................................... 34
  BCP Risk Management .............................................. 35
  Disaster Recovery ................................................ 36
Appendices ......................................................... 37
  Glossary ......................................................... 37

See our website for the latest version of the catalogue: https://digitalsecurity.bp.com


Introduction

Our role

BP’s digital systems control the production of billions of tonnes of hydrocarbons, manage multibillion-dollar treasuries and house personal data on over 100,000 employees. These systems are under constant threat of attack from a wide range of sources, from viruses to industrial espionage. The role of Digital Security is to protect BP by safeguarding the systems and information vital to the organisation’s safety, performance and reputation. We work closely with Group Security, who manage the broad threats to physical assets and people, while we focus on digital risks.

Our approach

We ensure that the digital assets BP depends on remain secure, reliable and available. This means helping safeguard them from all types of risk, including those that impact BP’s business continuity and regulatory compliance.

Our approach to risk management covers five areas of activity (see figure A below):
1. Identifying the critical security risks
2. Protecting BP against those risks
3. Detecting vulnerabilities or breaches in our defences
4. Taking action and responding appropriately depending on the level of risk
5. Helping recover our key operations when the unexpected occurs

Figure A: Digital Security’s risk management approach (Identify, Protect, Detect, Respond, Recover)

We enable those who own and operate digital systems and information to understand the risks they face and manage those risks effectively according to their potential impact. This means effort is focused only where it is needed, and security controls are matched to the level of risk. Our work ranges from influencing the basic judgements ordinary users make using email or the Internet through to advising project teams on secure solutions (covering people, processes and technologies) for new offshore platforms and refineries.


Our services

We provide services in five areas:
1. Risk Management – identifying, assessing and mitigating digital risks impacting BP’s critical business operations and assets
2. Security Framework – establishing the security standards, controls and processes needed to protect BP from digital security risks
3. Capability Management – providing training and awareness materials to help BP people manage their own digital security, and connecting teams to accredited third-party digital security expertise
4. Detection & Response – monitoring, helping to resolve, or investigating digital security-related incidents or infringements
5. Business Continuity Management – ensuring that business continuity plans are in place to recover BP’s most critical business flows in the face of unexpected events

Each service area supports a part of our risk management approach and is made up of a range of services (see figure B).

Strategic themes

Across all our work, we try to:
• Live on the leading edge – acting as a ‘centre of expertise’ to detect, analyse and respond to digital incidents, as well as current and future threats
• Focus on the critical and risky – targeting our skills and resources on critical projects, assets and operations, and high-risk environments
• Embed capability – offering advice, training and self-service tools that enable BP people and projects to incorporate digital security precautions into their daily activities
• Standardise and automate – developing and promoting consistent, re-usable digital security solutions and a framework of minimum standards to systematically manage digital security risks across BP

We have a small central team of highly qualified security experts who focus on helping manage significant risks that could have material impact on the Group. While doing this, we also look for ways to help Segments and Functions protect themselves by standardising, automating and embedding good digital security practices.


Figure B: Breakdown of Digital Security services by service area

Risk Management
• Threat Monitoring (pg 9): Vulnerability / Exploit Analysis; Geo-political Threat Analysis; Threat Advisories
• Risk Assessment (pg 11): HCDA Risk Assessment; Non-HCDA Risk Assessment; Self-Assessment Tools; Firewall and Network Risk; Firewall and Network Integrity
• Risk Mitigation Support (pg 14): Remediation Decision Support; Risk Reporting; Risk Tracking
• Change Approval (pg 16): GSMS Change Request Review; New Network Connection; Firewall Change Approval; Security Testing

Security Framework
• DS Standards (pg 19): BP Group Standard; GBSOS; Digital Security Position & Direction Statements
• DS Architecture (pg 21): Technology Roadmap; Architecture Consultancy; Project Portfolio Management
• DS Solutions (pg 22): Solutions Library

Capability Development
• Expertise Sourcing (pg 24): Resource Accreditation; Resource Database
• Training (pg 25): Digital Security Training; Privacy & Data Protection; Threat Review and Event Testing

Detection & Response
• Security Event Management (pg 27): Privacy & Data Protection Incidents
• Incident Resolution Support (pg 28): Digital Security Assessment for CMRR
• Investigations (pg 29): Digital Investigation Support; Digital Forensic Services

Business Continuity Management
• BCP Standards (pg 31): Group BCP Standard; BCP Template and Toolkit; BCP Guidance Material
• BCP Deployment (pg 33): BCP Consultancy; Invocation Support; BCP Tools; BCP Status Reports
• BCP Training (pg 34): BCP Network Support
• BCP Risk Management (pg 35): Group Standard Risk Analysis; BCP Capability Planning Toolkit
• Disaster Recovery (pg 36)


How to use the catalogue

This catalogue is your guide to how Digital Security can support you in your work. You can use it to find out about our services and how to access them. If you know the kind of support you need, turn to figure B and select the service you want by clicking on it or turning to the relevant page. If you’re unsure what support you need, you can use the table on the following page to see the services most relevant to your role. Alternatively, contact the Digital Security Service Desk. In some cases, you’re obliged to use one or more of our services. Throughout the catalogue, we indicate whether a service is mandatory or optional, and in what circumstances.

Digital Security Service Desk

For personal advice on how Digital Security can help protect your business against digital risk, get in touch with the Digital Security Service Desk. Our dedicated advisors can pinpoint the Digital Security service you need and put you in touch with the right Digital Security team. They can also answer general questions about our work.

Telephone: +44 (0)1932 [XXXXXX]
Email: [tbc]@dsservicedesk@bp.com [tbc]


What service do I need?

The table below lists, for each role, the relevant service and whether its use is mandatory or optional.

Area Relationship Managers (GO)
• Risk Assessment: Mandatory for digital assets classed as HCDAs.

BCP practitioners
• BCP Standards: BCPs are mandatory and the use of the Group Standard is strongly recommended. However, except in the case of the Pandemic Response Planning Project, the use of the service is optional.
• BCP Deployment: Optional
• BCP Training: Optional
• BCP Risk Management: Optional

BP Group
• BCP Standards: BCPs are mandatory and the use of the Group Standard is strongly recommended. However, except in the case of the Pandemic Response Planning Project, the use of the service is optional.

BP Legal
• Threat Monitoring: Mandatory for technologies whose failure represents systemic risk to the Group. These technologies are listed in the risk register.
• Investigations: Optional

Custodians of regulated data
• Threat Monitoring: Mandatory for technologies whose failure represents systemic risk to the Group. These technologies are listed in the risk register.

Data Protection Officers
• Threat Monitoring: Mandatory for technologies whose failure represents systemic risk to the Group. These technologies are listed in the risk register.

DCT GI
• Disaster Recovery: Optional

DCT GO Service Line Leaders
• Risk Mitigation Support: Mandatory for systemic risks and risks of Group materiality. It is optional for other types of risk.

DCT Leadership and FCG
• Risk Mitigation Support: Mandatory for systemic risks and risks of Group materiality. It is optional for other types of risk.

Digital asset owners
• Risk Assessment: Mandatory for digital assets classed as HCDAs.
• Risk Mitigation Support: Mandatory for systemic risks and risks of Group materiality. It is optional for other types of risk.
• Digital Security Standards: Although standards are usually mandatory, there will be cases where exceptions are possible (there is a process to manage these). Statements of position and direction are guidelines only.

Global Operations
• Threat Monitoring: Mandatory for technologies whose failure represents systemic risk to the Group. These technologies are listed in the risk register.
• Change Approval: Mandatory for changes within the remit of the Global Service Management System (GSMS). Changes outside the GSMS are not systematically reviewed.
• Security Event Management: Although this is an advice service, where an event may cause systemic unavailability of digital services or impact Group material risk, the appropriate response is mandatory.
• Incident Resolution Support: This is an advice service. However, where an event may cause systemic unavailability of digital services or impact Group material risk, the appropriate response is mandatory.

Group Security (BSMs and BSRs)
• Risk Assessment: Mandatory for digital assets classed as HCDAs.
• Investigations: Optional

Group SPAs
• BCP Standards: BCPs are mandatory and the use of the Group Standard is strongly recommended. However, except in the case of the Pandemic Response Planning Project, the use of the service is optional.

Heads of country and BP Legal
• Risk Assessment: Mandatory for digital assets classed as HCDAs.

Human Resources
• Investigations: Optional

Infrastructure and Application Architects
• Digital Security Standards: Although standards are usually mandatory, there will be cases where exceptions are possible (there is a process to manage these). Statements of position and direction are guidelines only.
• Digital Security Architecture: Optional
• Digital Security Solutions: Optional, but highly recommended

Line managers
• Investigations: Optional

Process control community
• Threat Monitoring: Mandatory for technologies whose failure represents systemic risk to the Group. These technologies are listed in the risk register.
• Risk Mitigation Support: Mandatory for systemic risks and risks of Group materiality. It is optional for other types of risk.
• Security Event Management: Although this is an advice service, where an event may cause systemic unavailability of digital services or impact Group material risk, the appropriate response is mandatory.
• Incident Resolution Support: This is an advice service. However, where an event may cause systemic unavailability of digital services or impact Group material risk, the appropriate response is mandatory.

Project Managers
• Risk Assessment: Mandatory for digital assets classed as HCDAs.
• Risk Mitigation Support: Mandatory for systemic risks and risks of Group materiality. It is optional for other types of risk.
• Change Approval: Mandatory for changes within the remit of the Global Service Management System (GSMS). Changes outside the GSMS are not systematically reviewed.
• Digital Security Standards: Although standards are usually mandatory, there will be cases where exceptions are possible (there is a process to manage these). Statements of position and direction are guidelines only.
• Digital Security Architecture: Optional
• Digital Security Solutions: Optional, but highly recommended
• Capability Development: Optional
• Digital Security Expertise Sourcing: Optional

Segment DCT
• Change Approval: Mandatory for changes within the remit of the Global Service Management System (GSMS). Changes outside the GSMS are not systematically reviewed.

SPAs for Segments, Functions and priority sites
• BCP Risk Management: Optional

Section 1 – Risk Management

Risk Management is about identifying and managing digital risks to BP’s critical operations and assets worldwide. We monitor potential threats (including technical vulnerabilities), assess the impact and likelihood of vulnerabilities being exploited, recommend appropriate controls to mitigate the risks, and track remedial actions. We also assess and approve changes to digital assets that could introduce digital risk. For non-critical activities, we offer self-assessment tools. Some of our Risk Management services are mandatory; others are optional. Whether you are obliged to use them depends on the level of risk associated with the area or asset.

Figure 1.1: Risk Management products and services

• Threat Monitoring (pg 9): Vulnerability / Exploit Analysis; Geo-political Threat Analysis; Threat Advisories
• Risk Assessment (pg 11): HCDA Risk Assessment; Non-HCDA Risk Assessment; Self-Assessment Tools; Firewall and Network Risk; Firewall and Network Integrity
• Risk Mitigation Support (pg 14): Remediation Decision Support; Risk Reporting; Risk Tracking
• Change Approval (pg 16): GSMS Change Request Review; New Network Connection; Firewall Change Approval; Security Testing

“Identifying and managing digital risks to BP’s critical operations and assets worldwide”


Threat Monitoring

What we do for you

We monitor and report on:
1. Threat sources and technical vulnerabilities affecting digital infrastructure production technology (e.g. networks and platforms)
2. Geo-political threats
3. Global privacy and data protection legislation

Who it’s for
• Process control community
• DCT Global Operations (GO)
• Digital Security
• Data Protection Officers
• BP Legal
• Custodians of regulated data

Your options

Threat Monitoring is mandatory for technologies whose failure represents systemic risk to the Group. These technologies are listed in the risk register.

Cost allocation

Costs are met by Digital Security and not allocated to specific asset owners or operators.

Accountability

David Burns

Key services

Threat Advisories
We monitor trends and developments in BP’s external environment that may threaten the organisation’s digital security. This helps with the prioritisation of threats according to the impact they may have on BP systems or operations. Threat Advisories available:
• Digital Security Threat Levels: threat-level statements published by the Digital Security Alert Centre for its customers (e.g. PCN, GO). These are rated red, amber or green according to agreed threat or event thresholds
• Digital Security Threat Digest: an online summary of the key security threats
• Threat Report: a top-line report for managers giving an overview of current threats and status

Vulnerability/Exploit Analysis
We scan external intelligence sources for new digital security issues affecting specific BP technology platforms, e.g. Microsoft Windows 2000, VMS (a complete list is given in the technology register). Three levels of alert service are available to subscribers:
• Bronze: an automated alert with no analysis of the impact on BP
• Silver: an alert describing the vulnerability and generic recommended responses based on the threat and its impact on the BP environment
• Gold: an alert describing the vulnerability and specific recommendations on the actions to take appropriate to the platform in question in the BP context

Geo-political Threat Analysis
We monitor external intelligence sources for digital security issues affecting five countries where BP operates: [COUNTRY], [COUNTRY], [COUNTRY], [COUNTRY] and [COUNTRY]. Analyses available:
• The Digital Security Geo-political Threat Report: annual review of threats by country
• A Digital Security Regulatory Impact Assessment: review of the likely impact on BP of new and proposed privacy and data protection legislation

Threat Monitoring in action

The Digital Security Alert Centre provides daily reports and alerts by email and text to people globally. In 2005 it sent hundreds of reports, and assisted with several major events including BP’s security preparations for the G8 summit in Scotland.


How to access the services

Digital Security Threat Levels
• Availability and applicability: https://digitalsecurity.bp.com
• Operating hours: 24/7
• Contact: dctdsalertcentre@bp.com, +44 1932 739 489

Digital Security Threat Digest
• Availability and applicability: https://digitalsecurity.bp.com
• Operating hours: 24/7
• Contact: dctdsalertcentre@bp.com, +44 1932 739 489

Threat Report
• Availability and applicability: Subscription only
• Operating hours: Global business hours
• Contact: dctdsalertcentre@bp.com, +44 1932 739 489

Vulnerability/Exploit Analysis
• Availability and applicability: Subscription only
• Operating hours: Global business hours
• Contact: dctdsalertcentre@bp.com, +44 1932 739 489, or sign up at https://digitalsecurity.bp.com

Geo-political Threat Analysis
• Availability and applicability: Subscription only
• Operating hours: Global business hours
• Contact: dctdsalertcentre@bp.com, +44 1932 739 489

Digital Security Geo-political Threat Report
• Availability and applicability: Subscription only
• Operating hours: Global business hours
• Contact: dctdsalertcentre@bp.com, +44 1932 739 489, or ask your Digital Security Risk Manager

Regulatory Impact Assessment
• Availability and applicability: On request
• Operating hours: Standard business hours (New Zealand)
• Contact: Sandra Kelman, sandra.kelman@bp.com


Risk Assessment

What we do for you

We identify risks to digital and physical operations and report key risks, unmitigated risks and trends. We also offer self-assessment tools to help Segments and Functions conduct these tasks themselves for assets not considered critical from a Group perspective.

Who it’s for
• Digital asset owners
• Project Managers
• Area Relationship Managers (GO)
• Group Security (BRMs and BSRs)

Your options

Risk Assessment is mandatory for digital assets classed as high criticality digital assets (HCDAs) – in other words, where security breaches are likely to affect safety, performance or reputation at a Group level (as defined in the Enterprise Risk Management Standard).

Cost allocation

Costs are not allocated to owners of HCDAs or projects building new HCDAs. However, as a small central function, we cannot offer this service to all HCDAs. For very large HCDA projects, the project would pay for the services of an accredited third party, but we would oversee their work (see Digital Security Expertise Sourcing on page 24).

Funding for the risk assessment of non-HCDA assets and projects is the responsibility of the Segment or Function concerned. Assessments can be carried out on a self-assessment basis (using our tools), or by accredited third parties.

Accountability

John Knowles

Key services

HCDA Risk Assessments
We assess the digital risks associated with HCDA digital assets. The outputs include:
• HCDA Compliance Report: an assessment of the asset’s compliance with security controls (e.g. BP policies, standards and guidelines)
• HCDA Asset Integrity Report: documents and ranks the risks of operating the asset, and recommends steps for reducing risk

Non-HCDA Risk Assessments
Although we retain oversight and give policy compliance approval for non-HCDAs, we do not assess the risks associated with those assets. Instead, we help asset owners by providing self-assessment tools and finding accredited third parties when required (see Digital Security Expertise Sourcing on page 24).

Self-assessment Tools
We offer a wide range of risk self-assessment tools. They help users identify and prioritise compliance gaps, and give recommendations for remedial actions.


Tools include:
• DS-INF (for infrastructure)
• DS-PCN (for process control networks)
• DS-SAP (for SAP systems)
• DS-APP (for applications)
• DS-DC (for data centres)
• DS-SITE (for sites)
• DS-WH (for web hosting)
• DS-3P (for third parties)
• Privacy Impact Assessment Tool
• Light Privacy Compliance Audit

Firewall and Network Risk Assessment
We assess the security of segregations between the digital systems that make up BP’s networks. These segregations are necessary to limit digital security risks (e.g. by preventing the spread of a virus from the office to the process control network).

Network and Firewall Integrity Management
We maintain the integrity of supported firewalls by conducting audits and scans. These include:
• Firewall Audit/Test: an assessment of firewall rule bases against BP’s Code of Connection and the FIM rule-base coding convention
• Network Perimeter Scan: scanning BP’s network to find holes and leaks

Privacy and Data Protection Compliance Report
We compare the IT application or business unit against legal and policy requirements relating to the processing of personal data. The resulting report summarises the areas of deficiency and risk.


How to access the services

HCDA Risk Assessment
• Availability and applicability: https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Global business hours
• Contact: Digital Security Risk Manager/Tag for your Segment or Function

Non-HCDA Risk Assessment
• Availability and applicability: https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Global business hours
• Contact: Digital Security Risk Manager/Tag for your Segment or Function

Self-assessment Tools
• Availability and applicability: For non-HCDA assets only. https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Global business hours
• Contact: Digital Security Risk Manager/Tag for your Segment or Function

Privacy Assessment Tools
• Availability and applicability: http://globalprivacyanddataprotection.bpweb.bp.com/secondregion/default.asp?cat=7
• Operating hours: 24/7
• Contact: Melissa Gregory, melissa.gregory@bp.com

Firewall and Network Risk Assessment
• Availability and applicability: Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Global business hours
• Contact: Chuck Simons, charles.simons@bp.com

Firewall Audit/Test
• Availability and applicability: For supported firewalls. Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Global business hours
• Contact: Chuck Simons, charles.simons@bp.com

Network Perimeter Scan
• Availability and applicability: Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Global business hours
• Contact: Chuck Simons, charles.simons@bp.com

Privacy and Data Protection Compliance Report
• Availability and applicability: Engage at http://globalprivacyanddataprotection.bpweb.bp.com
• Operating hours: Standard business hours (New Zealand)
• Contact: Sandra Kelman, sandra.kelman@bp.com


Risk Mitigation Support

What we do for you

We assist digital asset owners in managing risks identified in risk assessments. We help them decide whether to accept or mitigate risks and find the right security solution when one is needed.

Who it’s for
• Project Managers
• Project Portfolio Managers
• Digital asset operators
• DCT GO Service Line Leaders
• Process Control Network Engineers
• DCT Leadership and FCG

Your options

Risk Mitigation Support is mandatory for systemic risks and risks of Group materiality. It is optional for other types of risk.

Cost allocation

The cost of this service is not allocated, although the cost of taking any resulting risk mitigation action is the responsibility of the digital asset owner.

Accountability

John Knowles

Key services

Remediation Decision Support
We advise on the most appropriate security service or solution to address the risk faced. We only offer this service after the completion of a Risk Assessment or Privacy and Data Protection Compliance Report.

Risk Reporting
We provide two kinds of risk report (known as Integrity Reports):
• a report documenting the unmitigated risks associated with a specific project or production asset
• a portfolio report advising on the key risks and trends at the Segment or Group level

Risk Tracking
We track Segment and Group-level risks. Outputs include a Digital Security Key Risk Mitigation Report, which provides risk mitigation status (based on a red, amber or green classification system).


How to access the services

Remediation Decision Support
• Availability and applicability: For HCDA assets only. Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Standard business hours (GMT & CST)
• Contact: Digital Security risk manager/Tag for your segment or function

Risk Reporting
• Availability and applicability: Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Standard business hours (GMT & CST)
• Contact: Digital Security risk manager/Tag for your segment or function

Risk Tracking
• Availability and applicability: Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Standard business hours (GMT & CST)
• Contact: Digital Security risk manager/Tag for your segment or function

Digital Security Key Risk Mitigation Report
• Availability and applicability: Engagement process at https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
• Operating hours: Standard business hours (GMT & CST)
• Contact: Digital Security risk manager/Tag for your segment or function


Change Approval

What we do for you

We assess and approve changes to digital assets (e.g. IT upgrades or software additions) that could introduce digital risk into the Group’s digital technology environment.

Who it’s for
• Global Operations
• Segment DCT
• Project Managers

Your options

This service is mandatory for changes within the remit of the Global Service Management System (GSMS). Changes outside the GSMS are not systematically reviewed.

Cost allocation

The cost of this service is not allocated (except for Security Testing).

Accountability

Robert Martin

Key services

GSMS Change Request Review
We assess all changes that are part of the DCT Change Management Process and handled by the Global Service Management System. We determine if digital security risks exist and whether the change is compliant with relevant Digital Security Standards (see page 19). Based on this, we either approve or reject the change request.

New Network Connection Approval
We assess risks and controls associated with the connection of new networks to the BP infrastructure. We also provide formal approval of new connections to external networks in BP (e.g. Internet, extranet and third-party networks).

Firewall Change Approval
We assess and approve or reject proposed changes to the rules of supported firewalls to ensure they do not impact firewall integrity. We also help change requesters submit approved Internet Gateway rule changes to the appropriate ISP (requesters must be in Digital Security’s list of Authorised Firewall Change Requesters).

Security Testing (“Pen Tests”)
We conduct security tests on new websites, applications and systems to ensure the content and related firewalls and application systems are reasonably protected from external attack. We co-ordinate all external penetration tests and maintain the preferred vendor list.


Page 16


Section 1 – Risk Management

Change Approval

How to access the services

Service: GSMS Change Request Review
Availability and applicability: For changes within the GSMS only. Via request for change (RFC) submitted in the GSMS process
Operating hours: Global business hours
Contact: Robert Kreutz robert.kreutz@bp.com

Service: New Network Connection Approval
Availability and applicability: Engagement process at: https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
Operating hours: Global business hours
Contact: Chuck Simons charles.simons@bp.com

Service: Firewall Change Approval
Availability and applicability: Engagement process at: https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
Operating hours: Global business hours
Contact: Chuck Simons charles.simons@bp.com

Service: Security Testing (“Pen Tests”)
Availability and applicability: For project managers. Engage via Chuck Simons.
Contact: Chuck Simons charles.simons@bp.com

Page 17


Section 2 – Security Framework

Framework phases: Identify, Protect, Detect, Respond, Recover

The Security Framework is made up of the standards, control statements and processes that protect BP’s critical operations and assets from digital security risks. They set out BP’s approach to the identification, ownership, management and monitoring of those risks. They also give project managers and technical architects the information they need to integrate security controls into their work. As part of the Security Framework service, we maintain a library of approved security solutions. Some of our Security Framework services are mandatory; others are optional but represent the most effective approach.

Figure 2.1: Security Framework products and services

Security Framework
• DS Standards (pg 19): BP Group Standard; GBSOS; Digital Security Position & Direction Statements
• DS Architecture (pg 21): Technology Roadmap; Architecture Consultancy
• DS Solutions (pg 22): Solutions Library

“Standards, control statements and processes that protect BP’s critical operations and assets from digital security risks”


Page 18


Section 2 – Security Framework

Digital Security Standards

What we do for you: We develop and maintain standards to manage BP’s digital security risk according to the potential business impact. We also issue position statements on our likely strategic technology direction.

Who it’s for:
• Digital asset owners and operators
• Project Managers
• Infrastructure Architects
• Application Architects

Key services

BP Group Standard for Digital Security: The Group Standard for Digital Security is one of the mandatory standards established under the BP Management Framework. It is designed to limit digital risk to the BP Group as a whole. It complements the BP Group Security Standard, which covers physical threats to individuals, information and locations.

Group Baseline Security Operating Standards: These are a set of mandatory controls to ensure digital security risk is limited to the appropriate level (i.e. that needed to ensure systemic risks of material Group impact are contained).

Digital Security Statements of Position and Direction: We provide clear, concise statements of our current technology positions and intended future direction. These “bite-sized” views on technology strategy help inform technology decisions made by projects.

Your options: The security standards we produce are usually mandatory (although exceptions are possible and we have a process for managing them). By contrast, our position statements contain no mandatory requirements.

Cost allocation The costs of producing standards and position statements are not allocated to asset owners or operators. However, any costs of compliance with standards will have to be paid by the business or project.

Accountability Sam Thornton


Page 19


Section 2 – Security Framework

Digital Security Standards

How to access the services

Service: BP Group Standard for Digital Security
Availability and applicability: Applicable across the Group. View and engage at: https://digitalsecurity.bp.com
Operating hours: Standard business hours (MST)
Contact: Scott Macmillan scott.macmillan@bp.com

Service: Group Baseline Security Operating Standards
Availability and applicability: Applicable across the Group. View and engage at: https://digitalsecurity.bp.com
Operating hours: Standard business hours (MST)
Contact: Scott Macmillan scott.macmillan@bp.com

Service: Digital Security Statements of Position and Direction
Availability and applicability: For DCT people making technology and strategy decisions (e.g. project managers or architects). View and engage at: https://digitalsecurity.bp.com
Operating hours: Standard business hours (GMT)
Contact: Sam Thornton sam.thornton@uk.bp.com

Page 20


Section 2 – Security Framework

Digital Security Architecture

What we do for you: We recommend the technology architecture needed to meet the Digital Security Standards and other requirements arising from risk assessments.

Who it’s for:
• Project Managers
• Infrastructure Architects
• Application Architects
• Group Security (BRMs and BSRs)

Key services

Digital Security Technology Roadmap: We maintain a rolling five-year view of security technology. It indicates the maturity of various security technologies and their expected relevance to BP, and is used to guide decisions about the implementation of new security technologies. The Technology Roadmap also provides the framework for the Digital Security Statements of Position and Direction (see page 19).

Security Architecture Consultancy: We provide consultancy to projects to help them re-use or develop security solutions that meet control requirements. This reinforces the integrity of BP’s security architecture. We record any new and approved solutions in the Solutions Library (see page 22) for future re-use.

Your options: Architecture services are optional.

Cost allocation: Only external consultancy costs will be allocated.

Accountability Sam Thornton

How to access the services

Service: Digital Security Technology Roadmap
Availability and applicability: For Infrastructure and Applications Architects. Engage at: https://digitalsecurity.bp.com
Operating hours: Standard business hours (GMT)
Contact: Sam Thornton sam.thornton@uk.bp.com

Service: Security Architecture Consultancy
Availability and applicability: For Project Managers. Engage at: https://digitalsecurity.bp.com/Securefiles/TopicPage2.aspx?pagetag=ds_dsapp
Operating hours: Standard business hours (GMT)
Contact: Sam Thornton sam.thornton@uk.bp.com


Page 21


Section 2 – Security Framework

Digital Security Solutions

What we do for you: We support the development of common, re-usable digital security solutions and approaches.

Who it’s for:
• Project Managers
• Infrastructure Architects
• Application Architects

Key service

Digital Security Solutions Library: We maintain a library of pre-approved solutions and approaches that projects and technical architects can use to incorporate the necessary security controls from the start of a project. This reduces the likelihood of digital risks being found later on, and therefore keeps subsequent security work to a minimum and helps projects stay on track and on budget.

Your options The approaches and solutions we put forward are optional but highly recommended as they represent the most effective ways of meeting the control requirements of Digital Security Standards and those identified in specific projects.

Cost allocation The cost of maintaining the library is not allocated.

Accountability Sam Thornton

Digital Security Solutions in action The Digital Security Solutions Library provides an online repository of re-usable, Digital Security-approved solutions and approaches for projects and technical architects. By helping teams adopt common solutions to control requirements, the library improves project efficiency. It cuts threat assessment and remediation times, speeds up project delivery, and – through encouraging the re-use of approved solutions – reduces effort and cost.

How to access the service

Service: Digital Security Solutions Library
Availability and applicability: For projects and technical architects. View at: https://digitalsecurity.bp.com
Operating hours: Standard business hours (GMT)
Contact: Sam Thornton sam.thornton@uk.bp.com

Page 22


Section 3 – Capability Development

Framework phases: Identify, Protect, Detect, Respond, Recover

We provide training to help BP people manage their own digital security whether they are ordinary computer users or technology professionals. We also help projects find digital security expertise from accredited third parties. These services are optional (although some Segments or Functions may insist their people complete certain training).

Figure 3.1: Capability Development products and services

Capability Development
• Expertise Sourcing (pg 24): Resource Accreditation; Resource Database
• Training (pg 25): Digital Security Training; Privacy & Data Protection

“Building BP’s digital security capability through training and expertise sourcing”


Page 23


Section 3 – Capability Development

Digital Security Expertise Sourcing

What we do for you: Not all digital security work can be done in house and, when this is the case, we provide access to qualified and accredited third-party resources. Digital Security takes responsibility for sourcing third-party support only for activities where a security breach could have a material impact on the Group. For other activities, Segments and Functions can use our database to find accredited third parties.

Who it’s for:
• Project Managers

Key services

Resource Accreditation: We evaluate the quality of external third parties and award Digital Security accreditation to those who meet our standards.

Resource Database: We maintain a list of accredited external individuals and organisations. As part of this work, we look after relationship management, demand forecasting, request processing, and negotiating service agreements with major consulting houses.

Your options The service is optional (although it is essential that third parties providing digital security services are accredited by Digital Security).

Cost allocation The cost of this service is not allocated. However, the requesting Segment or Function bears the cost of using the third-party resource they find through the service.

Accountability Robert Martin

How to access the services

Service: Resource Accreditation
Availability and applicability: For third parties (contractors and consultancies etc).
Operating hours: Standard business hours (GMT)
Contact: Michael Freiberg michael.freiberg@bp.com

Service: Resource Database
Availability and applicability: For project managers. Engage at: https://digitalsecurity.bp.com
Operating hours: Standard business hours (GMT)
Contact: Michael Freiberg michael.freiberg@bp.com

Page 24


Section 3 – Capability Development

Training

What we do for you: We provide training to improve the basic digital security practices of BP people, including compliance with relevant legislation and policies (e.g. privacy laws). We also offer tailored training to address specific digital security needs (e.g. among Project Managers, Process Control Engineers or secret data users).

Who it’s for:
• All users of BP digital systems
• Process control network community
• Project Managers
• Users of secret data
• Country coordinators and data protection Tags

Training in action: The industry’s growing reliance on digital technology to run core production processes in refineries, chemical plants and pipelines has exposed our traditionally isolated process control environments to a new class of risk – cyber attack. BP is leading the world in protecting refineries and pipelines from cyber threats thanks to Digital Security’s work with Process Control Engineers. Training plays a key role in educating engineers about threats and helping them apply best practice to the process control environment.

Your options The service is optional. However, Segments or Functions may mandate some training for their people.

Cost allocation The cost of providing this service is not allocated.

Accountability Sam Thornton

How to access the services

Service: Digital Security Training
Availability and applicability: For BP people, teams and businesses. Access via: https://digitalsecurity.bp.com
Operating hours: Standard business hours (GMT)
Contact: Ian Nottage ian.nottage@bp.com

Service: Privacy and Data Protection Training
Availability and applicability: For country coordinators, Tags, BP people and teams. Access via: http://globalprivacyanddataprotection.bpweb.bp.com
Operating hours: Standard business hours (GMT)
Contact: Melissa Gregory melissa.gregory@bp.com

Page 25


Section 4 – Detection & Response

Framework phases: Identify, Protect, Detect, Respond, Recover

We monitor BP’s digital estate for security incidents, determine the business impact, and advise incident resolution teams. We also gather digital forensic evidence for Legal, Compliance and HR investigations, and advise on privacy and data protection. Detection & Response services are optional except where events may cause systemic unavailability of digital services or impact Group material risk.

Figure 4.1: Detection & Response products and services

Detection & Response
• Security Event Management (pg 27)
• Incident Resolution Support (pg 28): Digital Security Assessment for CMRR Incidents; Privacy & Data Protection Incidents
• Investigations (pg 29): Digital Investigation Support; Digital Forensic Services

“Monitors BP’s digital estate for security incidents, determines the business impact and supports incident resolution teams”


Page 26


Section 4 – Detection & Response

Security Event Management

What we do for you: We provide 24x7 event monitoring covering the high-risk elements of BP’s digital systems (e.g. specific HCDAs, Internet-facing digital systems and process control network firewalls). We also analyse external security events in a BP context (e.g. the potential impact of political developments and vendor announcements), identify appropriate responses, and agree with digital asset owners and operators the actions they should take.

Security Event Management in action: In 2005, the Internet gateway for Europe became overloaded, causing traffic slowdown. As part of its Security Event Management service, the Digital Security Alert Centre advised DCT Global Operations (GO) that the cause of the slowdown was a malware outbreak (the SQL Slammer worm). This enabled GO to fix the problem and restore service quickly.

Who it’s for:
• Process control security community
• DCT Global Operations

Your options Early detection of malware infections and targeted attacks limits their impact on the business and stops widespread loss of digital services. Therefore, although Security Event Management is an advice service, where an event may cause systemic unavailability of digital services or impact Group material risk, the appropriate response is mandatory.

Cost allocation The cost of this service is not allocated.

Accountability David Burns

How to access the service

Service: Security Event Management
Availability and applicability: Engage via: dctdsalertcentre@bp.com +44 1932 739 489 (24x7)
Operating hours: Global business hours
Contact: David Burns david.burns2@bp.com

Page 27


Section 4 – Detection & Response

Incident Resolution Support

What we do for you: We analyse digital security incidents to determine their business impact, and advise incident resolution teams when incidents are thought to be digital security-related.

Who it’s for:
• DCT Global Operations
• Process control security community

Key services

Digital Security Assessment of CMRR Incidents: We assess all incidents declared by DCT as Crisis Management Resolution and Reporting (CMRR) incidents to see if digital security expertise is needed. If so, we assign the appropriate resources. We can also take part in CMRR-related technical and management calls (we can extend operating hours to 24x7 if needed).

Digital Security Engagement in Privacy and Data Protection Incidents: We provide expert resources to help with privacy and data protection incidents.

Your options: This is an advice service and is usually optional. But where an event may cause systemic unavailability of digital services or impact Group material risk, the appropriate response is mandatory (although it will be agreed first with digital asset operators).

Cost allocation The cost of this service is not allocated.

Accountability David Burns

How to access the services

Service: Digital Security Assessment of CMRR Incidents
Availability and applicability: For CMRR incidents. Engage via: dctdsalertcentre@bp.com +44 1932 739 489 (24x7)
Operating hours: Global business hours
Contact: David Burns david.burns2@bp.com

Service: Digital Security Engagement in Privacy & Data Protection Incidents
Availability and applicability: Engage via: http://globalprivacyanddataprotection.bpweb.bp.com
Operating hours: Standard business hours (New Zealand)
Contact: Sandra Kelman sandra.kelman@bp.com

Page 28


Section 4 – Detection & Response

Investigations

What we do for you: We provide expert advice and forensic analysis to aid internal investigations when digital data or evidence is required – for example, in investigations of suspected infringements of the BP Code of Conduct.

Who it’s for:
• Group Security
• Human Resources
• Legal and Compliance teams
• Line managers

Key services

Digital Investigation Support: We provide the first contact and advice point for privacy, data protection and security or control breach investigations. We explain what support can be obtained within BP and the legal limitations.

Digital Forensic Investigation Services: Where detailed digital forensic analysis or evidence is required, we offer a digital forensic capability and/or access to external forensic specialists (see Digital Security Expertise Sourcing, page 24).

Your options: The service is optional.

Cost allocation: The only costs allocated to the requester are for external forensic expertise, if required.

Accountability: James Powell

Investigations in action: HR teams have asked Digital Security to provide evidence in disciplinary actions against employees who have repeatedly used BP computer systems to access inappropriate material on the Internet. Average lead times vary between five and seven days depending on the type of evidence required.

How to access the services

Service: Digital Investigation Support
Availability and applicability: Engage via: fwrc@bp.com
Operating hours: Standard business hours (CDT)
Contact: James S Powell powelljs@bp.com

Service: Digital Forensic Investigation Services
Availability and applicability: Engage via: fwrc@bp.com
Operating hours: Standard business hours (CDT)
Contact: James S Powell powelljs@bp.com

Service: Privacy and Data Protection Investigation Support
Availability and applicability: Engage via: http://globalprivacyanddataprotection.bpweb.bp.com
Operating hours: Standard business hours (New Zealand)
Contact: Sandra Kelman sandra.kelman@bp.com

Page 29


Section 5 – Business Continuity Management

Framework phases: Identify, Protect, Detect, Respond, Recover

Digital Security helps the Group, and Segments and Functions, develop business continuity plans (BCPs) to recover critical activities in the face of unexpected events. We also test BCPs for critical areas and help BP businesses develop their capability to manage their own BCPs. Our Business Continuity Management services are optional, but having a BCP is mandatory.

Figure 5.1: Business Continuity Management products and services

Business Continuity Management
• BCP Standards (pg 31): Group BCP Standard; BCP Template and Toolkit; BCP Guidance Material
• BCP Deployment (pg 33): BCP Consultancy; BCP Tools; Invocation Support; Project Portfolio Management; BCP Status Reports
• BCP Training (pg 34): BCP Network Support
• BCP Risk Management (pg 35): Risk Analysis; Capability Planning; Threat Review and Event Testing
• Disaster Recovery (pg 36)

“Helps BP develop business continuity plans to recover critical activities in the face of unexpected events”


Page 30


Section 5 – Business Continuity Management

BCP Standards

What we do for you: We publish the Group Business Continuity Plan (BCP) Standard – a risk-based standard that ensures planning consistency across BP – and keep it in line with best practice. We monitor compliance with the standard and advise Segments and Functions on how to adhere to it. We also facilitate continuity planning networks (e.g. involving practitioners and Single Points of Accountability) across BP.

Who it’s for:
• BP Group
• Group SPAs
• BCP practitioners

Key services

Group BCP Standard: The Standard outlines a risk-based process for managing business continuity planning within BP. This is then tailored to the needs of each Segment or Function.

BCP Template and Toolkit: This is a scaled-down version of the Group BCP Standard for smaller sites and Functions for whom the full version is not applicable.

BCP Guidance Material: These are tools to help teams complete business continuity plans for different threat scenarios (e.g. environmental disaster, loss of power, pandemic infection etc).

Your options: Having a BCP is mandatory and the use of the Group BCP Standard is strongly recommended. However, except in the case of the Pandemic Response Planning Project, the use of our Business Continuity Management services, methods and tools is optional.

Cost allocation: The cost of this service is not allocated.

Accountability: Alan Moult

BCP Standards in action: Events from natural disasters to power cuts and bomb scares can leave businesses unable to function. Our BCP standards and supporting services are helping businesses across the Group prepare for the unexpected. The results pay off. When their BCPs are invoked, businesses can save millions of dollars by being able to resume operations quickly and minimise disruption to their critical business flows.


Page 31


Section 5 – Business Continuity Management

BCP Standards

How to access the services

Service: Group BCP Standard
Availability and applicability: Segment and Function heads and those responsible for delivering business continuity planning down to site level. Engage via BCP central team management or Tags. Available via: http://bcp.bpweb.bp.com
Operating hours: Standard business hours (GMT)
Contact: Roland Trott – BCP Deployment Manager (and R&M Tag) roland.trott@uk.bp.com; Edgar Salomon – E&P Tag edgar.salomon@bp.com; Gael Christie – GRS&T Tag gael.christie@uk.bp.com; Wout Hoff – Functions Tag wout.hoff@uk.bp.com

Service: BCP Template and Toolkit
Availability and applicability: For smaller sites and Functions. Engage via Segment or Function Tag
Operating hours: Standard business hours (GMT)
Contact: Tags as above

Service: BCP Guidance Material
Availability and applicability: For anyone developing a BCP plan: http://bcp.bpweb.bp.com
Operating hours: Standard business hours (GMT)
Contact: Via website

Page 32


Section 5 – Business Continuity Management

BCP Deployment

What we do for you: We help Segments, priority Functions and priority sites put in place their business continuity plans (BCPs). This includes:
• Reviewing work at ‘stage gates’ in the Group BCP Standard implementation process
• Producing progress reports
• Developing tools to standardise BCP deployment
• Managing a projects portfolio on behalf of the BCP community and the Group Single Point of Accountability, Paul Dorey.

Who it’s for:
• BCP practitioners

Key services

BCP Consultancy: Facilitators and Tags in our central BCP team provide consultancy to BCP practitioners in Segments and Functions. They help with the development of plans and provide stage-gate reviews during implementation. Facilitation may be more proactive depending on the threat scenario.

BCP Tools: We provide tools and best practice guidelines to help practitioners and others with their BCPs. These can be tailored to meet customer needs.

Invocation Management Support: When a BCP is invoked, we support and advise site management to ensure that the BCP is robust and fit for purpose.

Your options The service is optional.

Cost allocation The cost of this service is not allocated.

Accountability Alan Moult

How to access the services

Service: BCP Consultancy
Availability and applicability: For practitioners in Segments and Functions. Engage via regional, Segment or Function BCP SPA
Operating hours: Standard business hours (GMT)
Contact: Alan Moult moulta@bp.com; Roland Trott roland.trott@uk.bp.com

Service: BCP Tools
Availability and applicability: For use by BP practitioners in Segments and Functions. http://bcp.bpweb.bp.com
Operating hours: Standard business hours (GMT)
Contact: Via website

Service: Invocation Management Support
Availability and applicability: For any site requiring support during an invocation
Operating hours: Standard business hours (GMT)
Contact: Alan Moult moulta@bp.com; Roland Trott roland.trott@uk.bp.com

Page 33


Section 5 – Business Continuity Management

BCP Training

What we do for you: We create training programmes to support business continuity plan (BCP) deployment and maintenance. We also provide knowledge management and communication support for the BCP practitioner community.

Who it’s for:
• BCP practitioners
• Teams developing BCPs

Key service

BCP Network Support: We organise and facilitate regular forums for BCP practitioners to share information and learn from each other. This work includes arranging clinics for BCP practitioners and implementers in which we help them with BCP deployment.

Your options The service is optional.

Cost allocation The cost of this service is not allocated.

Accountability Alan Moult

How to access the services

Service: BCP Training
Availability and applicability: For people developing or implementing BCP plans. Engage via: http://bcp.bpweb.bp.com
Operating hours: Standard business hours (GMT)
Contact: Alan Moult moulta@bp.com

Service: BCP Network Support
Availability and applicability: For BCP practitioners and implementers. Engage via: http://bcp.bpweb.bp.com
Operating hours: Standard business hours (GMT)
Contact: Alan Moult moulta@bp.com

Page 34


Section 5 – Business Continuity Management

BCP Risk Management

What we do for you: We assess business continuity plan (BCP) preparations, identify areas of Group risk and associated capability requirements, put in place risk mitigation plans and conduct threat reviews and event testing.

Who it’s for:
• SPAs for Segments, Functions and priority sites
• BCP practitioners

Your options: The service is optional.

Cost allocation: The cost of this service is not allocated.

Accountability: Alan Moult


Page 35


Section 5 – Business Continuity Management

Disaster Recovery

What we do for you We support the disaster recovery programme for BP’s IT infrastructure and key systems run by DCT Global Infrastructure (GI).

Who it’s for • DCT GI

Your options The service is optional.

Cost allocation The cost of this service is not allocated.

Accountability Alan Moult

How to access the service

Service: Disaster Recovery
Availability and applicability: For DCT GI Disaster Recovery team
Operating hours: Standard business hours (GMT)
Contact: Alan Moult moulta@bp.com; Roland Trott roland.trott@uk.bp.com

Page 36


Appendices

Glossary

Asset operator: An individual, within or outside BP, who is accountable for the maintenance or operation of a digital system on a day-to-day basis. Includes individuals from Digital & Communications Technology, Group Technology and other Functions, Segments and Regions and the third parties that support them.

Asset owner: A BP Segment, Region or Function manager who has accountability for delivering a pre-defined set of digital information resources, including applications, digital services or the delivery of digital infrastructure – normally a Business Leader or his or her delegate. The digital asset owner is the person who is the single point of accountability for the availability, integrity and confidentiality of the Segment, Region or Function digital information resource, in addition to the consequences of actions carried out by the custodians and users of that resource.

BSM: Business Security Manager.

BSR: Business Security Representative.

Business continuity planning (BCP): An ongoing management process that seeks to periodically assess the risk to the business associated with unforeseen or unexpected events, and put in place appropriate contingencies to maintain business continuity.

CMRR incidents: Crisis Management Resolution and Reporting. This is the process used by DCT to quickly and efficiently manage significant incidents or a DCT crisis.

Critical risk: Risk affecting critical digital assets or business processes of Group materiality, e.g., an asset or a group of assets commonly associated with a business process where breach or disruption has the potential to result in material financial or reputation risk or that could result in a MIA or HIPO HSSE incident or regulatory sanction.

DCT: Digital & Communications Technology.

Digital asset: Digital infrastructure, computer systems, applications and related software, computerised process control systems or information held in digital form, including data files, communications networks, e-mails, voice, video, all forms of data transmission and storage, and digital services.

DS: Digital Security.

Digital system: Digital infrastructure, computer systems, applications and related software, computerised process control systems, i.e. all digital assets except digital services and data.

ERM: Enterprise risk management.

FCG: Functional coordinating group of Senior Vice-Presidents who meet to oversee the activities of a particular function.

Global business hours: Monday 8am Melbourne to Friday 5pm Central Standard Time (US); Sunday 10pm to Friday 11pm GMT (UK).

GBSOS: Global Baseline Security Operating Standards.

Group materiality/Segment, Function, Region materiality: A risk to a digital asset that could result in material financial or reputation risk, or could result in an HSSE incident or regulatory sanction, i.e. criticality levels 1-5 in the Group enterprise risk management process.

Group risk/Risk with Group materiality: Group risk is defined by reference to critical risk or to systemic risk.

GSMS: Global Service Management System.

High criticality digital asset (HCDA): A digital asset important from a Group perspective. HCDAs are those where the impact of a loss of availability, of data or transaction integrity or of confidentiality has the potential for Group impact (failures corresponding to levels one to three in the Group Enterprise Risk Management Standard).

Incident: A situation that has the potential to escalate into an emergency should preparatory systems fail to respond adequately.

ISP: Internet service provider – a business that provides access to the Internet, usually for a fee.

Normal criticality digital asset (NCDA): A digital asset of lower value or sensitivity than HCDAs and where non-availability, failures in integrity or breach of confidentiality are anticipated to have a business impact of four or greater under the Group Enterprise Risk Management Standard. Note that ‘normal’ systems and ‘standard builds’ are not necessarily ‘normal criticality’, e.g., regional network gateways or domain controllers may be HCDAs even though they are standard systems.

PCN: Process control network.

Project Manager: Individual accountable for managing a project that includes the development, installation or maintenance of digital systems. Can be from any part of BP or a third party.

SPA: Single point of accountability. Normally the SPA is a member of the BP Group leadership (band D or above in Segment, Function or Region), or a BP employee with appropriate knowledge who has been given an explicit delegation from a member of the BP Group leadership.

Standard business hours: 9am-5pm.

Standard business hours (CDT): 9am-5pm Central Daylight Time (USA).

Standard business hours (CST): 9am-5pm Central Standard Time (USA).

Standard business hours (GMT): 9am-5pm Greenwich Mean Time (UK).

Standard business hours (MST): 9am-5pm Mountain Standard Time (Canada).
(MST) Systemic risk Risk affecting a significantly large number of BP’s digital assets, whether because of the potential to spread or propagate, or because of wide aggregate affect (i.e. risk where the overall cumulative affect could have a material impact on the Group).

See our website for the latest version of the catalogue: https://digitalsecurity.bp.com

Page 37
