Oil & Gas Production & Development Company
Our client is an independent oil & gas production and development company with onshore and offshore assets in the UK and Asia.
Teed has been working with the client since 2012, when the client’s Business Continuity Management (BCM) programme was initiated with a Business Impact Analysis, followed by the development of a comprehensive IT Disaster Recovery plan. This work helped to define recovery strategies and improvements, informed decision-making for the company’s IT strategy, and was duly implemented.
Since then, with technology and business changes, the client was aware that not all recovery documents had been kept up to date. Whilst there were good lower-level technical recovery procedures, there was no overarching document to bring these together.
The client recognised the need for a single disaster recovery plan that deals with the different threats and scenarios that it finds itself exposed to in the current climate. The client wanted an independent opinion on the effectiveness of risk mitigation and recovery strategies/solutions given that disaster recovery (DR) had become disconnected from the organisation’s incident management and business continuity systems.
With the increasing cyber security threat, it is more important than ever to give due consideration to the responsibility, communications and recovery process to ensure operations and credibility are maintained should a security incident occur.
In discussion with the client, Teed’s consultant determined that a complete re-write of the disaster recovery plan was required, highlighting the processes in place to maintain systems. The client was fairly comfortable with the recovery strategies and technical recovery documents within the IT department, but these were being managed in isolation with no real direction from the business. This was recognised during an audit, which raised an action to ensure up-to-date DR was in place.
An independent perspective was needed to understand the whole picture by determining the DR position in relation to business continuity, incident management and cyber security for the whole business.
Teed’s consultants have worked in the oil and gas sector for many years and have an in-depth understanding of the industry and relevant threats. Cyber security is relevant to every type of organisation and is of increasing focus for all Teed’s clients; the consultant was therefore able to bring an additional level of experience to this project.
Through a combination of discussions with technical and management representatives and a desk analysis of existing documents, the consultant was able to pull together a new Disaster Recovery Plan. This Plan has more dimensions than the previous version with defined strategies for the loss of many different resources, for example, server rooms, office locations, connectivity, power, key dependents/suppliers and cyber security incidents.
The updated document includes roles and responsibilities for various IT response and recovery teams (major incident, IT DR, cyber security incident), together with details of how these teams sit within the overall business response structure. Checklists were developed showing activities and guidance to manage DR and to recover specific technologies, linking to the relevant technical recovery documents.
Alongside the Disaster Recovery Plan, the consultant produced an IT Statement of Recovery detailing priorities and achievable recovery times for specific IT services.
To validate the effectiveness of the new Disaster Recovery Plan, the consultant developed and facilitated a tabletop exercise that exposed the IT response and recovery team members to a number of scenarios including the loss of a data centre and an evolving cyber security incident.
Tweaks to documents were identified during the exercise; known improvement actions were validated and a further 15 actions were highlighted which would further improve the DR capability.
IT and business management are confident that effective DR is now in place, subject to taking forward recommendations.
The client recognised that the experience and independent opinion brought to the project by Teed’s consultant were invaluable in working through existing information to tease out what was needed to create a workable and useful plan, rather than just adding another layer of paperwork to sift through at the time of an incident.
The learnings from the project highlighted to the client that there is a need to focus further on business continuity in the business to deal with the non-IT related threats they could face. Although priority services are known from an IT DR perspective, this needs to be communicated to the business, which should think carefully about how it would work around situations where there is a temporary unavailability of IT services, to ensure safe and efficient operations can be maintained.