POL00397343 - Post Office Community Information Security Policy For Horizon & Horizon Online Version 4.0
IT Directorate PSO Process
Community Information Security Policy for Horizon & Horizon Online
Author: Information Security Policy Manager, Richard Barber
Reviewers:
  Post Office: Dave King
  Fujitsu Services: Ian Howard
  Prism Information Security Team: Peter Watts
  IT Strategy & Architecture Manager: David Gray
  Group Internal Audit: Steve Webb
Sign off authority: Post Office Head of Security, John Scott
Reference configuration: POL/HNG/CIS/001
Version 4.0
Page 1
POL-BSFF-0224013
Operational Baseline Number:
Version: 4.0
Status: Approved
Classification: Working Document
Date: 13/10/2011
Circulation:
Document Control

Version History
0.1            Initial Draft
0.2            Response to comments from Fujitsu Services and RMG Information Security.
1.0 08/06/05   Base-lined
1.1 22/05/08   Restructured to align with ISO17799:2005
1.2 05/09/2008 Update to align with ISO 27001 and incorporate changes referenced in HNG-X security requirements, v1.6 of LINK ATM Scheme Security Standard and PCI DSS v1.1.
1.3 29/01/2010 Changes to reflect Horizon Online development and PCI DSS v1.2
2.0 22/03/2010 Base-lined
2.1 30/07/2010 Update to clarify policy requirements following review with Fujitsu.
3.0 24/8/2010  Rejected
3.1 13/10/2011 Updated to incorporate changes for PCI
4.0 13.10      Base-lined
Change Control
All changes to this document are to be sent to the Change Controller named below:
Name: Roger A Hudson
Job Title: Document & Stakeholder Management
Business Address: 2nd Floor, 148 Old Street, London, EC1V 9HQ
Telephone Number(s):
References / Related / Dependent / Parent Documents
ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.
ISO/IEC 27002:2005 - Information technology - Code of practice for information security management (also known as ISO/IEC 17799:2005).
ISO/IEC 27005:2008 - Information technology - Security techniques - Information security risk management.
ISO/IEC 24762:2008 - Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services.
LINK ASISS - Link ATM Scheme Information Security Standard, v1.6, Dec 2006.
ISO 9564 Parts 1 to 3 - Banking - Personal Identification Number (PIN) management and security.
ISO 11568 Parts 1 to 2 - Banking - Key management (retail).
APACS Recommendation No. 12 - Chip & PIN.
PCI DSS v1.2 - Payment Card Industry Data Security Standard.

Post Office Ltd. Policies
Information Security Policy, Post Office Ltd.
Clear Desk Policy, Post Office Ltd.

Royal Mail Group Centre Technology & Information Systems policies [1]
e-Handbook: "Your Guide to Information Security", Information Security Intranet site, RMG
G30 Freedom of Information Act policy
S1 Information security Investigation and Prosecution Policy
Royal Mail Group Human Resources - Personnel Vetting Policy
Security Policy
Information Classification Policy
Information Classification Guidelines
Mobile Security Policy
Logical access control Policy
Security Health Check Policy
Wireless Connectivity Policy
Cryptographic Services Policy
S10 Clear Desk Policy
S11 Generic Account Policy
S15 Incident Management Policy
S16 Third Party Access Policy
S17 Security Architecture Methodology
S19 Personal Computer Backup Policy
S20 Third Party Provisioning Policy
T1 IS/IT Compliance
Disposal policy
T3 Anti-virus policy

[1] Royal Mail Group is in the process of updating its policies. In the meantime, Post Office Ltd. is retaining these policies until agreement has been reached on a new set.

Legal & Regulatory (see also §[ REF _Ref206228986 \r \h ])
Freedom of Information Act 2000
The Data Protection Act 1998
The Official Secrets Act 1989
The Computer Misuse Act 1990
The Copyright, Designs and Patents Act 1988
Financial Services and Markets Act 2000
Regulation of Investigatory Powers Act 2000
Electronic Communications Act 2000 as amended by the Communications Act 2003
Money Laundering Regulations 2003
Electronically Distributed Documents
Any problems, comments or improvement opportunities are to be sent to the Change
Controller above. Readers who did not receive this document directly from the PSO
may wish to confirm that it is the latest version by checking with the Change Controller.
1. Introduction
1.1. Purpose and scope
This document provides policy and direction in information security for those
responsible for initiating, implementing or maintaining security for Horizon Online
including its migration from Horizon. This document describes for these systems:
• End-to-end security management process and physical requirements
• End-to-end technical security requirements.
1.2. Readership
This document is intended for systems and application designers, systems managers,
security and compliance managers associated with Horizon, Horizon Online and its
related systems.
1.3. Document classification
The policy is classified as INTERNAL and may be distributed within relevant
organisations. The policy may refer to associated documents that deal specifically with
sensitive security controls classified as CONFIDENTIAL. Those secondary
CONFIDENTIAL documents may only be distributed and copied on a “need to know”
basis.
1.4. Document Review
The owner of the policy is responsible for its maintenance and review - see §[ REF
_Ref206412463 \r \h ].
2. Definitions
For the purposes of this document, the definitions below apply.
The term “must” identifies mandatory policy statements. The term “should” identifies
a recommendation. The term “will” signifies matters that can be assumed.
Where the text requires actions to be taken “promptly”, “regularly”, “routinely”, or
“periodically”, domains should perform them in a timescale that reflects the associated
security risks. Where there are contractual or regulatory requirements on Post Office to
perform the actions at a specific frequency, those responsible for performing the actions
must be advised in writing.
Where the text uses the term “critical”, “essential” or “sensitive”, it should be
interpreted by reference to the business impact of any reduction in security of the
associated item as identified in the risk assessment process (see [ REF _Ref206220387 \r
\h ]). For clarity, Horizon / Horizon Online has been assessed by Post Office Limited as
a critical business system implementing critical business processes.
Branch staff: Those people who use a Horizon Online or Horizon Branch Terminal.
They consist of clerical staff who actually transact business, administrative staff (e.g. the
sub-postmaster) responsible for managing branch specific aspects of the Horizon or
Horizon Online service and global users who may visit any branch (e.g. auditors and
support engineers).
Branch terminal: A terminal used to enter Horizon or Horizon Online transactions
typically (but not always) located at a branch counter position. The definition includes
back-office Branch Terminals (used for cash accounting etc) and terminals in mobile
offices.
Breach: See Security Breach.
Cardholder Data Environment: A part of the Horizon Online system that possesses
Cardholder Data or Sensitive Authentication Data together with those systems and
segments that directly attach or support cardholder processing, storage, or
transmission. Adequate network segmentation, which isolates systems that store,
process, or transmit Cardholder Data from those that do not, may reduce the scope of
the Cardholder Data Environment and thus the scope of the PCI DSS audit.
Cardholder Data: means the Primary Account Number (PAN) of a payment card or the
PAN plus any of the following:
• cardholder name
• expiration date
• Service Code
• start date
• issue number.
Client: An organisation with which Post Office Limited contracts for the supply of
goods or services delivered to Customers via Horizon / Horizon Online.
Customer: An individual (or organisation) to whom goods or services are delivered via
Horizon / Horizon Online.
Domain supplier: an organisational entity responsible for the systems and applications
under its specific control and operation.
Horizon Online: The information system used to capture and process business
transactions originating in Post Office branches. It extends:
• from the counter positions that provide the interface between the Post Office and
members of the public that use its services,
• to the boundary with specialist service providers such as LINK, Card Account,
DWP and Streamline who are outside the contractual scope of Horizon Online.
Horizon: The information system used to capture and process business transactions
originating in Post Office branches prior to its migration to Horizon Online.
Information security management system (ISMS): That part of the overall
management system, based on a business risk approach, used to establish, implement,
operate, monitor, review, maintain and improve information security.
Information security: the preservation of confidentiality, integrity and availability of
information:
• Confidentiality: ensuring that information is accessible only to those authorised
to have access.
• Integrity: safeguarding the accuracy and completeness of information and
processing methods. Integrity controls include those used to protect against fraud
and those that ensure the accountability of individuals.
• Availability: ensuring that authorised users have access to information and
associated assets when required.
Mobile code: any program, script, applet or other code that can be imported into the
Horizon / Horizon Online environment without having gone through the formal
testing and release procedures (see §[ REF _Ref199331332 \r \h ]). This includes any
web pages, Java / ActiveX controls and executable email attachments originating from
outside the Horizon / Horizon Online boundary.
PCI DSS: Payment Card Industry - Data Security Standard
Post Office branch: A location where Horizon Online or Horizon services are offered.
It includes directly managed branches, franchised branches and sub-post offices.
Risk assessment: assessment of threats to, impacts on and vulnerabilities of information
and information processing facilities and the likelihood of their occurrence
Risk management: the process of identifying, controlling and minimising or
eliminating security risks that may affect information systems, for an acceptable cost.
Security Breach: A breach of security occurs whenever a security policy statement is
contravened and/or when a security risk (see §[ REF _Ref206220387 \r \h ]) comes
about. The event causing the breach is known as a security incident.
Sensitive Authentication Data: security related information used to authenticate
cardholders appearing in plain text or otherwise unprotected form. This information
can be any of the following:
• The full contents of the magnetic stripe of a payment card (from the back of a
card, the equivalent from a chip or elsewhere).
• The card-validation value or code (three-digit or four-digit number printed on the
front or back of a payment card) used to verify card-not-present transactions [2].
• The personal identification number (PIN) or the encrypted PIN block associated
with a payment card.
[2] Not to be confused with the similarly named field on a magnetic stripe (or its chip equivalent) that
protects the integrity of the magnetic stripe data.
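The two definitions above (Cardholder Data and Sensitive Authentication Data) are what a compliance or operations team has to be able to recognise when it checks that logs, dumps and support extracts in the Cardholder Data Environment do not carry such data. The following is an added example, not part of the policy or of any Post Office or Fujitsu code: a small Python scanner that classifies free-text lines by those data classes (Luhn-validated PAN, full track data, labelled CVV/CVC, labelled PIN or PIN block) and produces a PAN-masked copy. The field labels (`pan=`, `cvv2=`, `pinblock=`), the track-2 shape and the sample log lines are all constructed assumptions for illustration.

```python
"""Classify text lines by the PCI data classes defined in the policy.

Added example; the field names, regexes and sample lines are assumptions
constructed for illustration, not taken from Horizon or the policy.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from a magnetic stripe: PAN, '=' separator, YYMM expiry
# and three-digit service code (assumed shape).
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}")
# Track 1 format B: %B<PAN>^<NAME>^<YYMM><service code>... (assumed shape).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{7}")
# Labelled card-validation codes and PIN / PIN block fields (assumed labels).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\b(?:pin_block|pinblock|pin)\s*[=:]\s*[0-9A-Fa-f]{4,16}\b",
                    re.IGNORECASE)

# Constructed sample log lines (not real transactions).
SAMPLE_LOG = [
    "2011-10-13 09:12:01 txn ok pan=4111 1111 1111 1111 exp=1225 name=A N OTHER",
    "2011-10-13 09:12:02 swipe raw=;4111111111111111=2512101?",
    "2011-10-13 09:12:03 cnp auth cvv2=123 amount=12.50",
    "2011-10-13 09:12:04 pin verify pinblock=0123456789ABCDEF",
    "2011-10-13 09:12:05 branch=123456 session=20111013091205 ok",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit-only PANs in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def classify(line: str) -> set:
    """Return the data classes present in a line: 'PAN', 'TRACK', 'CVV', 'PIN'."""
    hits = set()
    if TRACK1_RE.search(line) or TRACK2_RE.search(line):
        hits.add("TRACK")
    if CVV_RE.search(line):
        hits.add("CVV")
    if PIN_RE.search(line):
        hits.add("PIN")
    if find_pans(line):
        hits.add("PAN")
    return hits


def is_sad(hits: set) -> bool:
    """Sensitive Authentication Data per the definition: track data, CVV/CVC, PIN."""
    return bool(hits & {"TRACK", "CVV", "PIN"})


def mask_pans(line: str) -> str:
    """Keep the first six and last four digits of each Luhn-valid PAN."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # leave non-PAN digit runs (session ids etc.) alone
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, line)


def scan(lines):
    """Per offending line: (index, sorted classes, SAD flag, PAN-masked copy)."""
    report = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            report.append((i, sorted(hits), is_sad(hits), mask_pans(line)))
    return report


if __name__ == "__main__":
    for idx, classes, sad, masked in scan(SAMPLE_LOG):
        print(f"line {idx}: {classes} SAD={sad} -> {masked}")
```

The Luhn filter is what keeps the timestamp-like session identifier on the last sample line from being reported as a PAN, while the masked copy (first six and last four digits) is the form in which a PAN may normally be retained; note that masking does nothing for track data, CVV or PIN fields, which the definition treats as Sensitive Authentication Data and which a scrubbed extract should not contain at all.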
The Horizon or Horizon Online community: all domain suppliers involved in the
provision of Horizon or Horizon Online Services, including:
• Royal Mail Group Information Systems
• Fujitsu Services
• Post Office Horizon end-to-end service management.
The organisation is shown below.
[Organisation chart: Post Office Service Management; Fujitsu Services Ltd; Royal Mail Group Information Systems]
NOTE: Where this policy refers to the Royal Mail Group, it includes Post Office Ltd
unless the context makes it clear that Post Office Ltd is excluded.
Third party personnel: employees or contractors of a third party.
Third party: An individual or organisation that is neither:
• A domain supplier (or one of its employees or contractors) involved in Horizon
or Horizon Online service delivery, nor
• Post Office Limited (or one of its employees or contractors).
User: Anyone involved in Horizon / Horizon Online service delivery, including those
who interact with the Horizon / Horizon Online applications, administrators, system
programmers, network managers, security administrators and Horizon / Horizon
Online terminal operators.
WAN (Wide Area Network): Any communications network that extends outside the
bounds of a domain’s physical security area.
3. Structure of this document
This document follows the ISO27001:2005 categories of control. It is derived from the
control objectives and controls listed in Annex A of ISO27001:2005. These objectives and
controls are highlighted in shaded boxes throughout the document.
Where appropriate, the ISO27001 controls are expanded to provide a more detailed
policy (based on the ISO27002:2005 Code of Practice) and/or to communicate detailed
control requirements placed on Post Office Limited by its clients.
Any changes to ISO27001, or to other documents that affect this policy, will be input to the
review process (see §[ REF _Ref206412463 \r \h ]) and, where changes to the policy are
required, these will be communicated to Domains using the agreed contractual change
control procedure.
4. Risk assessment and treatment
All domains must operate a formal process of risk management (of which risk
assessment and risk treatment are a part) as an integral part of an ISO/IEC 27001
compliant Information Security Management System. The process should comply with
ISO/IEC 27005. See §[ REF _Ref206413799 \r \h ] for the role of risk assessment in
identifying the security requirements in this policy.
This policy is based on a risk assessment which assumes:
• There is no direct access to Horizon / Horizon Online applications from the
Internet.
• There are no general purpose web-surfing or e-mail facilities at branch terminals.
• There is no use of wireless LAN technologies such as Wi-Fi or Bluetooth within
the Horizon / Horizon Online system boundary [3].
[3] This does not prohibit the use of wide area networks that may use wireless technology and are
operated by licensed public telecoms operators.
5. Security policy
5.1. Information security policy
5.1.1. The mandate
Information Security is mandated by Royal Mail Group; it is not an option.
Accordingly, all Post Office Ltd. personnel and its suppliers have a responsibility for
Information Security and are bound by a number of legal obligations [4].
Security is only as strong as the weakest component. The Horizon and Horizon Online
community must individually and together maintain the appropriate level of
information security necessary for the end-to-end Horizon / Horizon Online services.
5.1.2. Objective
The Horizon Community Information Security Policy objective is to ensure that all the
Horizon and Horizon Online systems are protected from significant threats such that
the business needs of Post Office Ltd. can be met economically, efficiently and
effectively.
Each domain in the Horizon Community must establish and abide by the following
policy requirements:
• to maintain an organisation to direct and manage IT security for that part of the
Horizon / Horizon Online which is within its remit;
• to ensure that the risks are reduced to an acceptable level by applying the
appropriate protective measures, which are based on risk assessment and the
information classification scheme and which conform to agreed standards;
• to ensure Post Office Ltd are advised of all relevant breaches of security together
with recommendations for recovery;
• to ensure that all personnel involved with Horizon / Horizon Online are aware of
their responsibilities under this information security policy (and associated
practices and procedures), and that they fully understand those responsibilities,
including their legal obligations;
• to monitor and review information security arrangements to provide assurance
that policy, standards and procedures remain relevant and effective.
[4] Any changes to legal obligations need to be input to the regular review and change control process.
The mandatory elements of this policy set out the minimum level of security to be
adopted throughout the Community, and represent industry best practice.
The policy recognises that the measures taken by each domain may vary according to
the responsibilities and risks associated with the domain. Each domain must establish
and document an information security policy, consistent with this policy, which sets out
the policy and responsibilities for information security within the domain.
5.1.3. ISO/IEC 27001 baseline
Royal Mail Group requires that Post Office Ltd. implements and operates an
Information Security Management System (ISMS) in accordance with ISO/IEC
27001:2005, Information technology — Security techniques — Information security
management systems — Requirements, together with other approved technical and
procedural standards where appropriate.
Accordingly, the Horizon / Horizon Online community must apply ISO/IEC 27001 as
the baseline for managing Information Security in their domain. In interpreting the
controls required by ISO27001, the recommendations in ISO/IEC 27002 must be
considered a statement of best practice by each domain, unless explicitly modified in
this document.
Post Office Ltd. requires all parties to apply the mandatory requirements and controls
specified in this document.
There is no specific requirement to undertake certification to ISO/IEC 27001, unless
specifically stated in the contract with the Domain. Domains contracted to comply with
ISO 27001 should seek formal certification to ISO 27001 in order to be able to
demonstrate compliance with the contractual requirement.
5.2. Review and evaluation
The controls documented in this document are classified as either mandatory or
recommended. The mandatory controls must be complied with unless the Post Office
Ltd Information Security Manager agrees a waiver. Waivers will only apply for a
limited, and defined, period.
This policy will be reviewed annually. The review process will be capable of
responding to any changes affecting the risk assessment. The review will consider:
• The policy's effectiveness, demonstrated by the nature, number and impact of
recorded security incidents
• The cost of controls and their impact on business efficiency
• The effects of changes in technology and processes
• New and emerging risks
• New or changed legal and regulatory requirements.
The owner of the policy is responsible for its maintenance and review.
6. Organisation of information security
6.1. Internal organisation
An Information Security Management System must be established within each domain
to monitor and control information security within the domain. Suitable management
forums with management leadership should be established to review the domain's
information security policy, assign security roles and co-ordinate the implementation of
security for the domain. Where appropriate, sources of specialist information security
advice must be established and made available within the domain. Contacts with
external security specialists should be developed to keep up with industrial trends,
monitor standards and assessment methods and provide suitable liaison points when
dealing with security incidents. A multi-disciplinary approach to information security is
encouraged, e.g. involving the co-operation and collaboration of managers, users,
administrators, application designers, auditors and security staff, as well as specialist
skills in areas such as insurance and risk management.
6.1.1. Management commitment to information security
Information security should be a business responsibility shared by all who have a
responsibility for delivering the Horizon / Horizon Online service. A management
forum should therefore be considered by each domain to ensure that there is clear
direction and visible management support for security initiatives. That forum should
promote security within the domain through appropriate commitment and adequate
resourcing. The forum may be part of an existing management body. Typically, such a
forum undertakes the following:
a) reviewing the effectiveness of the implementation of the domain’s information security
policy and controls,
b) approving overall security responsibilities,
c) monitoring significant changes in the exposure of information assets to major threats
and vulnerabilities,
d) reviewing and monitoring information security incidents, and
e) approving major initiatives to enhance information security and information security
awareness.
In each domain, one manager must be identified to be responsible for all information
security activities related to that domain’s delivery of the Horizon / Horizon Online
service.
6.1.2. Information security co-ordination
Within each domain an experienced security professional must have the responsibility
for coordinating security for that part of Horizon / Horizon Online that is within the
domain’s remit. Tasks must include:
a) agreeing specific roles and responsibilities for information security within that part of
the Horizon / Horizon Online that is within the domain’s remit;
b) agreeing specific methodologies and processes for information security within that part
of Horizon / Horizon Online that is within the domain’s remit, e.g. risk assessment,
security classification system, change control and incident management;
c) agreeing and supporting information security initiatives within that part of Horizon /
Horizon Online that is within the domain’s remit, e.g. the security awareness
programme and the service improvement programme;
d) ensuring that security is part of the domain’s change management process for Horizon
and Horizon Online;
e) reviewing Horizon /Horizon Online-related information security incidents arising
within the domain and communicated to the domain, agreeing a classification of the
severity of each and, where appropriate, agreeing a recommended recovery plan and
coordinating recovery within the domain;
f) liaison with the Post Office Head of Information Security,
g) promoting the visibility of business support for information security throughout that
part of the Horizon / Horizon Online that is within the domain’s remit;
h) Maintaining an awareness of good security practice within the industry and promoting
it throughout that part of the Horizon / Horizon Online that is within the domain’s
remit.
6.1.3. Allocation of information security responsibilities
Responsibilities for the protection of individual assets and for carrying out specific
security processes must be clearly defined and documented. Each domain must
document and disseminate a system information security policy, consistent with this
policy, which provides general guidance on the allocation of security roles and
responsibilities in its organisation. This must be supplemented, where necessary, with
more detailed guidance for specific sites, systems or services. Local responsibilities for
individual physical and information assets and security processes, such as business
continuity planning, must be clearly defined and documented.
Areas for which each manager is responsible must be clearly stated; in particular the
following must take place:
a) The various assets and security processes associated with each individual system must
be identified and clearly defined.
b) The manager responsible for each asset or security process must be agreed and the
details of this responsibility must be documented.
c) Authorisation levels must be clearly defined and documented.
6.1.4. Authorisation process for information processing facilities
The ISO/IEC 27001 control for authorisation of new information systems is not relevant to Horizon
/ Horizon Online as it is an existing system. See §[ REF _Ref199309597 \r \h ] regarding
authorisation of changes to Horizon / Horizon Online.
6.1.5. Confidentiality agreements
All users of Horizon / Horizon Online facilities must sign a confidentiality (non-
disclosure) agreement emphasizing their security responsibilities either as part of their
contract of employment or as a separate agreement. Employees must sign such an
agreement as part of their initial terms and conditions of employment.
Casual staff and third party users not already covered by an existing contract
(containing the confidentiality agreement) must be required to sign a confidentiality
agreement.
Confidentiality agreements should be reviewed when there are changes to terms of
employment or contract, particularly when employees are due to leave the organisation
or contracts are due to end.
6.1.6. Specialist information security advice
There must be a source of information security expertise within each domain. Where
the expert has insufficient experience to advise on a particular issue, suitable external
advisers must be used.
The information security adviser or equivalent point of contact should be consulted at
the earliest possible stage following a suspected serious security incident or breach to
provide a source of expert guidance or investigative resources. Although most internal
security investigations will normally be carried out under management control, the
information security adviser may be called on to advise, lead or conduct the
investigation.
6.1.7. Cooperation between organisations
Post Office Ltd will maintain appropriate contacts with law enforcement authorities,
regulatory bodies and others to ensure that this information security policy is effective.
6.1.8. Independent review of information security
The Community Information Security Policy for Horizon & Horizon Online and all
referenced technical controls will be subject to quality checks by an external qualified
body and Horizon / Horizon Online will be audited against the policy and technical
controls.
Each domain’s information security policy sets out the policy and responsibilities for
information security within its remit. Its implementation must be reviewed
independently to provide assurance that organisational practices properly reflect the
policy, and that it is feasible and effective.
Such a review may be carried out by an internal audit function, an independent
manager or a third party organisation specialising in such reviews, where these
candidates have the appropriate skills and experience.
6.2. External parties
6.2.1. Identification of risks related to external parties
Access to Horizon / Horizon Online information processing facilities must be
controlled. There must be a demonstrable need for third party access. A risk
assessment must be carried out to determine the security implications and control
requirements for any forms of physical or electronic access by third parties. In
particular, this policy is based on risk assessments that assume that:
• Any third party access to transaction data must be “read-only” and must not
breach the confidentiality requirements of this policy.
• Transactions initiated at a Branch Terminal must have a corresponding
application process in Horizon / Horizon Online and must not use Horizon /
Horizon Online only as a communications path to business applications operated
by third parties. As a minimum, the application must address audit trail and
financial reconciliation (see §15.3).
Any variations from these assumptions must be carefully explored in the risk
assessment. Additional controls to address any risks arising from the assessment must
be documented and agreed with Post Office Information Security.
Third party access to systems shall also mean any form of electronic access to Horizon /
Horizon Online systems or services from outside the Horizon / Horizon Online estate
and data centres without limitation and it must be taken to include all members of all
suppliers and all Post Office users other than authorized branch staff.
On-site contractors
On-site third parties must be identified and documented. A risk assessment must be
conducted wherever any on-site third party services are proposed.
All security requirements resulting from third party access or internal controls must be
reflected in the third party contract. Where there is a special need for confidentiality of
the information, non-disclosure agreements must be used.
Access to information and information processing facilities by third parties must not be
provided until the appropriate controls have been implemented and a contract has been
signed defining the terms for the connection or access.
6.2.2. Addressing Security when dealing with customers
Post Office customers must not be granted remote access to Horizon / Horizon Online
information or assets. Security requirements for any customer operated terminals
connected to Horizon / Horizon Online must be identified and specified prior to
contracting for their supply and installation.
Security requirements for clients of Post Office Limited must be addressed as specified
in §[ REF _Ref205721619 \r \h ] and §[ REF _Ref205721677 \r \h ].
6.2.3. Addressing security in third party agreements
If third parties are to be provided with access to Post Office information and/or
Horizon / Horizon Online systems there must be a formal contract containing, or
referring to, all the security requirements to ensure compliance with this policy. The
contract must ensure that there is no misunderstanding between the domain and the
third party. See the corresponding section of ISO/IEC 27002 for a checklist list of
security-relevant terms.
Domain suppliers should require third parties to implement an Information Security
Management System compliant with ISO/IEC 27001. Domain suppliers shall not permit
any Third Party to access Cardholder Data or Sensitive Authentication Data unless
security controls (including those required to achieve compliance with PCI DSS) are
agreed contractually with Post Office Ltd.
For all information systems developed and implemented for and on behalf of Royal
Mail Group and Post Office Ltd, by their internal supplier, the group standard Third
Party Access Policy (S16) must be applied.
Where any outsourcing of aspects of Horizon / Horizon Online takes place, the security
requirements defined in this policy must be addressed in the contract between the
parties, including:
a) How legal and regulatory requirements are to be met, e.g. data protection
legislation (see §[ REF _Ref206228986 \n \h ]).
b) What arrangements will be in place to ensure that all parties involved in the
outsourcing, including subcontractors, are aware of their security responsibilities
(see §[ REF _Ref206229012 \n \h ]).
c) How the integrity and confidentiality of the Post Office Ltd.’s business assets
(including data) are to be maintained and tested.
d) Segregation between Post Office Ltd components and any other systems
operated or managed by the contractor, e.g. on behalf of Post Office Ltd
competitors (see also §[ REF _Ref199331541 \n \h ], §[ REF _Ref199331482 \n \h ],
and §[ REF _Ref199224556 \n \h ]).
e) How security incidents are to be reported and (where necessary) escalated (see
§[ REF _Ref206229086 \n \h ]).
f) What physical and logical controls will be used to restrict and limit the access to
the Post Office Ltd.’s business information to authorised users (see
§[ REF _Ref199320474 \n \h ]).
g) How the availability of services is to be maintained in the event of equipment
failure, communications failure or a disaster (see §[ REF _Ref199233886 \n \h ]
and §[ REF _Ref204169468 \n \h ]).
h) What levels of physical security are to be provided for outsourced equipment
(see §[ REF _Ref206229156 \n \h ]).
i) The processes for monitoring and reviewing security arrangements (see
§[ REF _Ref251946424 \r \h ]).
j) The right of audit (see §[ REF _Ref206229176 \n \h ]).
The contract must allow the security requirements and security procedures to be
expanded in documentation to be agreed between the two parties.
The following additional security requirements apply in the event that a domain
supplier wishes to outsource any development work for Horizon Online offshore. The
domain supplier must carry out an assessment of the potential risks involved in such
work being undertaken offshore. The domain supplier must agree with Post Office
Information Security details of the processes, procedures, systems and controls the
developer has (or intends to put in place) to address the risks identified in the
assessment prior to any such development taking place. [SEC-3270]
See also §[ REF _Ref206229223 \n \h ], third party service delivery management.
7. Asset classification and control
7.1. Responsibility for assets
7.1.1. Inventory of assets
Each domain within the Horizon / Horizon Online community must maintain an
inventory of its assets. It must be possible to identify assets from their entry in the
inventory, e.g. by clearly marking physical assets.
Assets identified for Horizon / Horizon Online include:
• Information assets: databases and data files, system documentation, user
manuals, training material, operational or support procedures, continuity plans,
fallback arrangements, archived information
• Software assets: application software, system software, development tools and
utilities
• Physical assets: computer equipment, communications, magnetic media, other
technical equipment (power supplies, air-conditioning units), furniture,
accommodation
• Services: computing and communications services, general utilities.
7.1.2. Ownership of assets
Each asset or group of assets identified in §7.1.1 must be clearly identified, along with
its ownership within the domain, security classification and current location. The term
ownership refers to an individual or entity that has approved management
responsibility for controlling the production, development, maintenance, use and
security of the assets. It does not mean that the person actually has property rights to
the asset.
7.1.3. Acceptable use of assets
See §[ REF _Ref206223802 \n \h \* MERGEFORMAT ] for technologies that are not currently
supported under this policy. Also see §[ REF _Ref206225085 \n \h \* MERGEFORMAT ] for the
policy concerning equipment off site.
5 This supports the risk management process by providing a record of asset value and importance.
7.2. Information security classification
7.2.1. Classification guidelines
Horizon / Horizon Online information that is generated, processed, communicated or
stored within the Horizon / Horizon Online community, either physically or
electronically, must be assessed to identify its level of security classification and
determine the protective controls to be applied.
Royal Mail Group’s Information Classification Policy (S4) and associated guidelines
must be used for this purpose. This defines two levels of confidentiality, for which the
classification given below must be used:
CONFIDENTIAL: Information that has been assessed to be of a sensitive nature
and likely to cause damage following unauthorised disclosure. Personal data (as
defined by the Data Protection Act) is classified as confidential. Personal data
includes customer account numbers and any transaction data associated with
them. FAD codes are sometimes used for authentication purposes and must
therefore be treated as CONFIDENTIAL. Transaction records that do not identify
a person are confidential on bulk data/reports only. Transaction receipts for
individual transactions do not need to be labelled as CONFIDENTIAL, since they
are intended as a receipt for a transaction by an individual.
STRICTLY CONFIDENTIAL: Information meeting the classification standards
of government departments, the security services, clients, or assessed to be so
sensitive that unauthorised disclosure would cause acute organisational damage.
Information identifying cash handling staff, routes and/or timings is STRICTLY
CONFIDENTIAL. PIN data and all encryption keys are also interpreted as
STRICTLY CONFIDENTIAL.
All other information must be classified as INTERNAL unless specifically authorised
for release.
There are also legal requirements concerning the release of information - see
§[ REF _Ref206228986 \r \h ] for more information.
6 Domain suppliers may do this by mapping Royal Mail Group’s classification onto their own
classification provided the controls invoked in this policy by the Royal Mail Group classification are
applied.
7.2.2. Information labelling and handling
All documentation, displayed output and storage media from systems containing
information classified as CONFIDENTIAL or STRICTLY CONFIDENTIAL must carry
an appropriate classification label (which, for the Domain’s own output, may be the
Domain’s equivalent classification - see [ REF _Ref204170172 \r \h ]).
A chain of custody must be established for any such information and any security
relevant event logged.
8. Human resources security
8.1. Security in job definition and resourcing
8.1.1. Roles and responsibilities
Security responsibilities must be addressed at the recruitment stage, included in
contracts, and monitored during an individual’s employment.
Security roles and responsibilities must be documented in individual job descriptions.
The description must include any general responsibilities for implementing or
maintaining security policy as well as any specific responsibilities for the protection of
particular assets, or for the execution of particular security processes or activities.
8.1.2. Screening
Potential recruits must be adequately screened, especially for sensitive roles.
Verification checks on permanent staff must be carried out at the time of job
application. For Royal Mail Group and Post Office Ltd domains, reference should be
made to the Royal Mail Group vetting policy (owned by Human Resources).
Where a job, either on initial appointment or on promotion, involves the person having
access to Post Office business data or other sensitive information, e.g. financial
information or highly confidential information, screening must include checks on
identity, qualifications and financial circumstances. Criminal record checks must be
performed where legally permitted [SEC-3255]. A credit check must also be conducted.
For staff holding positions of considerable authority, these financial and criminal record
checks should be repeated periodically.
A similar screening process must be carried out for contractors and temporary staff.
Where these staff are provided through an agency, the contract with the agency must
clearly specify the agency's responsibilities for screening and the notification
procedures they need to follow if screening has not been completed or if the results give
cause for doubt or concern.
For Royal Mail Group and Post Office Ltd domains, if any aspect of Horizon / Horizon
Online is classified as Strictly Confidential, it may be necessary to carry out the National
Security vetting procedures as per the Royal Mail Group’s Vetting Policy. The Head of
Security for Post Office Ltd. must be consulted before such vetting procedures are
invoked.
8.1.3. Terms and conditions of employment
Although terms and conditions of employment are likely to be different in each domain,
employees must be aware of their responsibilities in respect of information security and
protecting organisational assets. Also see the requirement for confidentiality
agreements in §[ REF _Ref206237551 \r \h ] and security awareness training in §[ REF
_Ref206238952 \r \h ].
8.2. During Employment
8.2.1. Management responsibilities
8.2.2. Information security awareness, education and training
All staff including employees, contract staff and third party personnel must receive
adequate training on how to:
• operate the technology and information systems provided to them,
• understand the importance of information security (including the security of all
personal data - see §[ REF _Ref206236498 \r \h ]),
• use the security features provided within their information systems,
• select, manage and safeguard passwords (see §[ REF _Ref204163435 \r \h ]),
• prevent the spread of malicious software and data (see §[ REF _Ref199310581 \r \h ]),
• identify and safeguard important records from loss, destruction and falsification
(see §[ REF _Ref199325690 \r \h ]),
• identify and report information security incidents (see §[ REF _Ref206236896 \r \h ]), and
• ensure the physical security of their desktop and other information assets.
A formal security awareness program must be established to educate employees,
contract staff and third party personnel on appointment (see §[ REF _Ref206237403 \r
\h \* MERGEFORMAT ]) and at scheduled intervals thereafter. The content of
security awareness programs should be related to the current issues detected by the
monitoring processes within Information Security Management System. The
importance of the security of all personal data (see [ REF _Ref205974597 \r \h ]) must
be emphasised at least annually.
For the Royal Mail Group and Post Office Ltd. domains, all employees must be aware of
the contents of the e-Handbook on the Information Security Intranet site and undertake
the Information Security user-awareness training module, when available. System
owners must be aware of the contents of the System Owners Manual on the Information
Security intranet site.
Information Security training and awareness must be made available to Branch staff as
a mandatory specific subject area within any Horizon / Horizon Online training facility.
8.2.3. Disciplinary Process
Each of the Horizon / Horizon Online domains must have their own disciplinary
processes to manage violations of security policy and procedure. At a minimum the
disciplinary process acts as an effective deterrent to employees who might otherwise be
inclined to disregard security procedures.
The process must also ensure correct, fair treatment for employees who are suspected of
committing serious or persistent breaches of security.
8.3. Termination or change of employment
8.3.1. Termination responsibilities
8.3.2. Return of assets
Domains must ensure that any physical or software assets under their control and
which belong to Post Office Limited or the Royal Mail Group are returned to the
domain upon termination or redeployment outside the Horizon / Horizon Online
domain. Information assets must be either returned or, at management discretion,
securely destroyed (see §[ REF _Ref204171048 \r \h \* MERGEFORMAT ] and
§[ REF _Ref204169269 \r \h \* MERGEFORMAT ]).
8.3.3. Removal of access rights
Also see §[ REF _Ref199319275 \n \h ] - Access control policy.
9. Physical and environmental security
9.1. Secure areas
9.1.1. Physical security perimeter
Central Facilities
Horizon / Horizon Online data centres and any location hosting other Horizon /
Horizon Online infrastructure facilities must be protected by at least two layers of
physical security:
• An outer Security Perimeter that restricts access by the general public.
• An inner Secure Area that applies additional restrictions and which must be
located within a Security Perimeter.
Horizon / Horizon Online information processing facilities must be housed in secure
areas, protected by a defined Security Perimeter, with appropriate security barriers and
entry controls. They must be physically protected from unauthorised access, damage
and interference. The protection provided must be commensurate with the identified
risks. A clear desk and clear screen policy is recommended to reduce the risk of
unauthorised access or damage to papers, media and information processing facilities
(see §11.3.3).
Secure Areas must be used for housing all processing, storage and networking
equipment and all network termination points used by the Horizon / Horizon Online
service. Secure areas must also be used to house key management facilities and master
consoles (i.e., interactive devices providing a command interface to the operating
system without having identification and authentication of the operator).
Users of shared information processing facilities must not be located in the same secure
area as the information processing facility. They may be located within the same
Security Perimeter.
Domains are referred to ISO/IEC 27002 for specific controls covering the physical
security perimeter.
Branch Facilities
Horizon / Horizon Online facilities located in branches must be considered to be in an
insecure area. Facilities located behind the screen designed to protect branch staff and
valuables may be considered to be secure from general public access but still require
controls to protect against unauthorised access by Branch Staff. See also the policy on
siting of branch equipment in §[ REF _Ref199326016 \r \h \* MERGEFORMAT ].
9.1.2. Physical entry controls
a) The date and time of entry and departure of all visitors must be recorded and retained
securely for at least three months. All visitors must be supervised unless their access
has been previously approved; they should only be granted access for specific,
authorized purposes and must be issued with instructions on the security requirements
of the area and on emergency procedures.
b) Access to areas where sensitive information is processed or stored must be controlled
and restricted to authorized persons only; authentication controls, e.g. access control
card plus PIN, must be used to authorize and validate all access; an audit trail of all
access must be securely maintained;
c) Cameras must be used to monitor sensitive areas. Collected data must be audited and
correlated with other entries. Collected data must be stored for at least three months,
unless otherwise restricted by law.
d) All employees, contractors and third party users and all visitors must be required to
wear some form of visible identification and should immediately notify security
personnel if they encounter unescorted visitors and anyone not wearing visible
identification;
e) All physical access tokens / identity badges must be surrendered on leaving the
premises or when no longer valid.
f) Third party support service personnel must be granted restricted access to secure areas
or sensitive information processing facilities only when required; this access must be
authorized and monitored;
g) Access rights to secure areas should be regularly reviewed and updated, and revoked
when necessary (see §[ REF _Ref204166900 \r \h \* MERGEFORMAT ]).
9.1.3. Securing offices, rooms and facilities
Domains are referred to ISO/IEC 27002 for specific controls covering securing offices, rooms and
facilities.
9.1.4. Protecting against external and environmental threats
Equipment must be physically protected from environmental hazards. Special controls
may be required to protect against hazards and to safeguard supporting facilities, such
as the electrical supply and cabling infrastructure.
9.1.5. Working in secure areas
Domains are referred to ISO/IEC 27002 for specific controls covering working in secure areas.
9.1.6. Public access, delivery and loading areas
Domains are referred to ISO/IEC 27002 for specific controls covering isolated delivery and loading
areas.
9.2. Equipment security
9.2.1. Equipment siting and protection
General Policy on Equipment Siting & Protection
Equipment must be physically protected from security threats and environmental
hazards (see also Section §[ REF _Ref204167843 \r \h ]). Protection of equipment
(including network access and termination points) is necessary to reduce the risk of
unauthorised access to data and to protect against loss or damage. This must also
consider equipment siting and disposal. Domains are referred to the corresponding
section of ISO/IEC 27002 for specific controls covering equipment siting and protection.
Also see the branch policy below.
For Horizon Online, all PIN Data Processing Devices, used in the Data Centres, must
comply with the requirements of Federal Information Processing Standard Publication
140-2, Security Level 3 or higher (FIPS PUB 140-2 Level 3) [SEC-3217].
Branch Policy on Equipment Siting & Protection
For Horizon and Horizon Online equipment located in Branches, the following
additional policy statements apply:
a) All Counter clerk operated equipment, e.g. Branch Terminal equipment, printers, smart
card or magnetic stripe readers etc, whether in a secure or open area, must be sited
such that information and data is visible only by authorised operators. This represents
no change in Post Office practice or policies for existing secure screened locations but
must be addressed in any open offices or mobile installations.
b) All Branch Terminals must have a facility to quickly and simply suspend operation of
the terminal, e.g. in the event a clerk has to leave it momentarily. Operation must only
resume once the operator has been re-authenticated or another operator is
authenticated in accordance with the access control policy.
c) PIN pads must be sited such that the cardholder can prevent anyone from observing
the PIN value as it is being entered. The installation must take account of any video
surveillance cameras so that PIN entry cannot be observed and/or recorded. See the
APACS Chip & PIN Recommendation No. 12 for further advice on assuring cardholder
privacy at the counter. This represents no change in Post Office practice or policies for
existing secure screened locations but must be addressed in any open offices or mobile
installations.
d) The configuration of Branch Terminals must be strictly controlled such that branch
staff are unable to alter the configuration or run applications other than those
specifically authorized as part of the Horizon / Horizon Online service.
e) Consideration must be given to the siting and protection of branch networking
facilities, including WAN termination points, especially where such facilities are not
located behind a secure screen. Where there is a significant risk arising from
unauthorised access by the public or by Branch Staff, the facilities must be physically
protected.
f) Consideration must be given to the security of Branch Terminal cables and ports so as
to minimise the opportunity to intercept or capture clear text data passing through or
between terminal components or ports.
Note: Special considerations will apply to kiosks and other customer operated equipment. Siting and
protection controls must be identified via a risk assessment and specified to the installer.
9.2.2. Supporting Utilities
Equipment in data centres and associated support must be protected. Equipment in
Branches does not need protection. Domains are referred to the corresponding section
in ISO/IEC 27002 for specific controls covering utilities such as power supplies,
telecommunications, water supplies, and heating / ventilation.
9.2.3. Cabling Security
Domains are referred to the corresponding section of ISO/IEC 27002 for specific controls covering
cabling security. See §[ REF _Ref199326016 \r \h \* MERGEFORMAT ](f) for cabling security in
Branches.
9.2.4. Equipment maintenance
Control A9.2.4: Equipment must be correctly maintained to ensure its continued
availability and integrity.
Domains are referred to the corresponding section of ISO/IEC 27002 for specific controls covering
equipment maintenance.
9.2.5. Security of equipment off-premises
For the Royal Mail Group domain, all movement of equipment by Royal Mail Group
staff and third parties must be controlled by effective measures commensurate with the
value of the equipment and sensitivity of the data it might contain.
For Royal Mail Group owned assets on customer/supplier sites, the Mobile Security
Policy (S5) and the Mobile Security Guidelines must be observed. Post Office Ltd.
reserves the right to examine the suitability of all third party sites. See
§[ REF _Ref199326016 \n \h \* MERGEFORMAT ] for specific controls for Branch Terminals.
9.2.6. Secure disposal or re-use of equipment
For all domains, reuse of devices or media containing plain text PINs, keys or any data
that could lead to their exposure must be controlled as required by ISO 9564 and ISO
11568.
Storage devices containing operational business data or other sensitive information
must be physically destroyed or securely overwritten rather than using the standard
delete function. All items of equipment containing storage media, e.g. fixed hard disks,
must be checked prior to disposal to ensure that any sensitive data and licensed
software have been removed or overwritten. Damaged storage devices containing
sensitive data may require a risk assessment to determine if the items should be
destroyed, repaired or discarded.
Paper records and reports containing operational business data or other sensitive
information must be physically destroyed by cross-cut shredding, incineration or
pulping.
For the Royal Mail Group domain, Disposal Policy (V4.dc) must be observed. Storage
media must not be incinerated, due to the toxicity of the fumes released into the
atmosphere. Re-use of storage devices that contain sensitive information must be
preceded by secure deletion and overwriting. Advice can be obtained from Royal Mail
Group Information Security on secure deletion.
9.2.7. Removal of property
Equipment, information or software should not be taken off site without authorisation.
Where necessary and appropriate, equipment should be logged out and logged back in
when returned. Spot checks should be undertaken to detect unauthorised removal of
property. Individuals should be made aware that spot checks will take place.
The removal of any media (including tapes, disks, cassettes and printed reports)
containing CONFIDENTIAL or STRICTLY CONFIDENTIAL data from secure areas
must be authorised by management (see §[ REF _Ref204171366 \r \h \* MERGEFORMAT ]).
10. Communications and operations management
10.1. Operational procedures and responsibilities
Responsibilities and procedures for the management and operation of all Horizon /
Horizon Online information processing facilities must be established. This includes the
development of appropriate operating instructions and incident response procedures.
Segregation of duties must be implemented, where appropriate, to reduce the risk of
negligent or deliberate system misuse.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for
guidance on implementing the controls in this section, which is subject to the specific
provisions, interpretations and highlights below.
10.1.1. Documented operating procedures
The operating procedures identified by the security policy must be documented and
maintained. Operating procedures must be treated as formal documents and changes
authorised by management (see §[ REF _Ref199240880 \r \h \* MERGEFORMAT ]).
Documented procedures must also be prepared for system housekeeping activities
associated with information processing and communication facilities, such as computer
start-up and close-down procedures, back-up, key management, equipment
maintenance, computer room and mail handling, management and safety.
10.1.2. Change Management
Changes to Horizon and Horizon Online information processing facilities and systems
must be controlled. Formal management responsibilities and procedures must be in
place to ensure satisfactory control of all changes to equipment, software, configuration
or procedures. In particular, it must not be possible to install any equipment,
application or operating system extension in Horizon Online except under the control of
properly authorised and authenticated systems administrators carrying out authorised
and audited changes [SEC-3299].
Operational programs must be subject to strict change control. When programs are
changed, an audit log containing all relevant information must be retained. Changes to
the operational environment can impact on applications. Wherever practicable,
operational and application change control procedures should be integrated (see also
§[ REF _Ref199240880 \r \h \* MERGEFORMAT ]). In particular, the following controls
must be implemented:
a) identification and recording of significant changes;
b) assessment of the potential impact of such changes;
c) formal approval procedure for proposed changes, including agreement with Post
Office Ltd where there is an impact on it;
d) communication of change details to all relevant persons;
e) procedures identifying responsibilities for aborting and recovering from
unsuccessful changes.
10.1.3. Segregation of duties
Segregation of duties is a method for reducing the risk of accidental or deliberate
system misuse. Separating the management or execution of certain duties or areas of
responsibility, in order to reduce opportunities for unauthorized modification or misuse
of information or services, must be considered - see also §10.6.1.
Care must be taken that no single person can perpetrate fraud in areas of single
responsibility without being detected. The initiation of an event should be separated
from its authorization. The following controls should be considered.
a) It is important to segregate activities which require collusion in order to defraud,
e.g. raising a purchase order and verifying that the goods have been received.
b) If there is a danger of collusion, then controls need to be devised so that two or
more people need to be involved, thereby lowering the possibility of conspiracy.
c) The principle of dual control and split responsibility must be applied to the
management of all cryptographic keys that directly or indirectly protect banking
PINs - see ISO 11568.
10.1.4. Separation of development, test and operational facilities
Development, test and operational facilities must be separated to achieve segregation of
the roles involved and to protect the security of the operational system and its data (also
see §[ REF _Ref199225557 \r \h \* MERGEFORMAT ] and §[ REF _Ref199331680 \r \h \*
MERGEFORMAT ]). Rules for the transfer of software from development to operational
status must be defined and documented (also see §[ REF _Ref199331704 \r \h \*
MERGEFORMAT ]).
10.2. Third party service delivery management
10.2.1. Service management
The risks should be identified in advance, and appropriate controls agreed with the
domain operator and incorporated into the contract (see also §6.2 for the policy on third
party contracts and outsourcing contracts involving access to Horizon / Horizon Online
facilities).
Any risks associated with the interoperability of Horizon / Horizon Online domains
must be identified in advance through a risk assessment. Appropriate controls must be
agreed by all parties and incorporated into the partnership contracts.
Issues that must be addressed are:
(a) Business continuity,
(b) Security standards to be specified and the process for measuring compliance,
(c) Allocation of specific responsibilities and procedures to effectively monitor all relevant
security activities, and
(d) Responsibilities and procedures for reporting and handling security incidents.
10.2.2. Monitoring and review of third party services
Domain suppliers who use third party services to deliver part of the Horizon Online
service must monitor and review the services provided with the same rigour as
internally provided services. Reviews must ensure that security controls are updated to
reflect changing business, technology and regulatory risks and requirements. Audits of
third party services must be carried out as part of the domain supplier's internal audit
program.
10.2.3. Managing changes to third party services
Horizon and Horizon Online are considered critical systems to Post Office Limited. All
changes impacting the service must be subject to change control procedures - see §[ REF
_Ref204167473 \r \h \* MERGEFORMAT ], which contains the policy on change
control.
10.3. System planning and acceptance
10.3.1. Capacity management
Advance planning and preparation are required to ensure the availability of adequate
capacity and resources. Projections of future capacity requirements must be made, to
reduce the risk of system overload.
Domains are referred to ISO/IEC 27002 for specific controls covering capacity planning.
10.3.2. System acceptance
Domains are referred to ISO/IEC 27002 for specific controls covering system acceptance.
The Royal Mail Group domain must comply with the Security Design and Testing Policy
(S18).
10.4. Protection against malicious and mobile code
10.4.1. Controls against malicious code
All hosts and terminals carrying operational data must be protected against malware
attacks. Such protection must be commensurate with the risk.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for
appropriate controls. Specifically:
a) Precautionary measures must prevent and detect the introduction of malicious
software. It is essential that precautions be taken to detect and prevent computer
viruses and other malware on personal computers and servers using related
technology.
b) The use of software that has not been authorised for use in Horizon / Horizon Online
systems must not be permitted.
c) Detection and prevention controls to protect against malicious software and
appropriate user awareness procedures must be implemented where appropriate.
d) Malware detection and repair software must be installed on platforms where there is a
significant risk of malware attack. It must be operated and regularly updated.
Appropriate procedures and responsibilities must be in place to manage malware
protection, training in its use, reporting and recovery from malware attacks.
e) Communications processes must be in place to verify all information relating to
malware and to ensure that warning bulletins are accurate and informative.
For the Royal Mail Group domain, the Royal Mail Group Anti-Virus Policy (T3) must be
observed.
10.4.2. Controls against mobile code
In order to protect against the risks associated with Mobile Code (see definition in §[
REF _Ref199240475 \r \h ]):
a) Where Horizon or Horizon Online business applications are implemented using Java,
the domain supplier must define a Java security model for approval by Post Office Ltd.
b) Any ActiveX or Java applets must be signed or otherwise verified before the Branch
Terminal operating system allows their installation.
10.5. Back-up
10.5.1. Information back-up
Back-up copies of sensitive business information and software must be taken regularly
and immediately prior to events such as maintenance or migration that put such
information at risk of loss or corruption [SEC-3237].
Adequate back-up facilities must be provided to ensure that all essential business
information and software can be recovered following loss or corruption due to, for
example, a disaster, malicious attack, equipment failure or media failure. Back-up
arrangements for individual domains must be regularly tested to ensure that they meet
the requirements of business continuity plans (see §[ REF _Ref204169468 \r \h \*
MERGEFORMAT ]).
All media containing back-up material must be protected against loss and unauthorised
access. Processes must exist which detect and report loss of, or unauthorised
access to, backed-up material (see §[ REF _Ref206229086 \r \h ]). The security of the
storage location must be reviewed regularly.
See §[ REF _Ref204169275 \r \h \* MERGEFORMAT ] for the policy on media in transit.
Restoration following a failure must be in accordance with the change control
procedures - see §[ REF _Ref199240880 \r \h \* MERGEFORMAT ].
The retention periods for data and information must be determined in order to fulfil all
legal requirements (see §[ REF _Ref206228986 \r \h ]) and to meet the retention
schedule expressed for Royal Mail Group. See §[ REF _Ref204169435 \r \h \*
MERGEFORMAT ] for the policy on data retention.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation.
10.6. Network security management
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for
guidance on interpretation, which is subject to the specific provisions, interpretations
and highlights below. Also see §[ REF _Ref199242017 \r \h \* MERGEFORMAT ] of
this document for the policy on network access control.
10.6.1. Network controls
Operational responsibility for networks must be identified and documented. Network
management must be separated from computer operations. Network managers must
implement controls to ensure the security of data in networks, and the protection of
connected services from unauthorized access.
For Horizon Online, configuration standards must be documented for all network
components (firewalls, routers etc) on which the security and segmentation of the
network depends. The standards must establish, document and justify the protocols,
services and ports necessary for the correct operation of Horizon Online. Protocols
which are generally considered risky (e.g. FTP) must also document the security
features implemented to mitigate the risks associated with the protocol. Operational
controls must ensure that all such components are configured in accordance with the
standards at all times (including after re-booting the component).
See §[ REF _Ref199234799 \r \h \* MERGEFORMAT ] for more network controls.
10.7. Media handling and security
Domain suppliers must implement the following ISO / IEC 27001 controls, which are
subject to the specific provisions, interpretations and highlights below them.
See also §[ REF _Ref204172493 \r \h \* MERGEFORMAT ].
All removable computer media, such as tapes, disks, cassettes and printed reports must
be managed to ensure that essential information is not lost and sensitive information is
not disclosed in an unauthorised manner (see also §[ REF _Ref204171048 \r \h ]).
Controls must detect if sensitive information is lost or subject to unauthorised access.
These should include maintaining an inventory (see §[ REF _Ref204171775 \r \h ])
which is periodically verified and tracking all movements of media that may contain
sensitive information.
10.8. Exchanges of information
Domain suppliers must implement the following ISO / IEC 27001 controls, which are
subject to the specific provisions, interpretations and highlights below them.
The following specific provisions and clarifications apply to the above controls:
a) The source of any data that is intended to result in the movement of funds⁷ must
be cryptographically authenticated unless a risk assessment identifies that there
is a negligible residual risk to Post Office Ltd after taking into account any other
countermeasures or related business processes that are implemented.
b) Replay of encrypted PIN values must be prevented especially over the otherwise
unprotected PIN Pad to Counter Terminal interface [SEC-3301].
c) Horizon⁸ must be protected against stolen or cloned Branch Terminals (i.e. an
appropriately configured PC running an unauthorised copy of the Horizon
application software). The protection mechanism must not be solely reliant on
the username and password entered by Branch Staff (or any other individual
attending the Branch other than maintenance staff using one-time passwords or
other dynamic authentication techniques).
d) Any Sensitive Personal Data (as defined by the Data Protection Act 1998 - see
§15.1.4) must only be transmitted across any network, internal or external, in
encrypted form. Consideration must be given to the encryption of other personal
data (as defined by the Act) prior to transmission over public networks. Any
other data that is considered to be sensitive (including passwords and any data
identified as Strictly Confidential - see §[ REF _Ref204163708 \r \h ]) must be
transmitted across any network, internal or external, only in encrypted form,
unless a risk assessment identifies that there is a low residual risk to Post Office
Ltd. See also §[ REF _Ref199331960 \r \h \* MERGEFORMAT ].
⁷ As part of a money transfer, banking or payment application. For other applications, the need for this
control should be assessed as part of the risk assessment.
⁸ This control is less critical in Horizon Online since the terminal does not store sensitive data nor is it
capable of transacting business as a stand-alone terminal.
e) Any Horizon / Horizon Online information exchanged with external parties,
including Post Office clients, must be the subject of formal specifications approved
by Post Office Limited.
f) All Horizon / Horizon Online domains are likely to use electronic systems other
than those directly concerned with Horizon / Horizon Online. Each domain
(including Post Office Ltd.) must ensure that Post Office Ltd. data stored on such
systems is secure. Clear segregation must be maintained between Horizon /
Horizon Online and non-Horizon / Horizon Online systems.
g) All Horizon / Horizon Online domains must have appropriate measures in place
to ensure that their public facing connections or customer access points are
configured to ensure total separation from internal systems that contain Horizon
/ Horizon Online data.
h) Any access by a third party must be evaluated case by case on the basis of need
and a risk assessment.
i) Any messaging application (e.g. e-mail) used to communicate with branch staff
via Horizon / Horizon Online must be configured such that it cannot be used to
attack the integrity or availability of any Horizon / Horizon Online system
including those in the branches and the data centres. In the event that e-mail
facilities are added to Horizon Online, additional security controls must be
agreed with Post Office Information Security prior to implementation.
j) If any other systems are used, data on them must be secured.
10.9. Electronic commerce services
See the specific provisions and clarifications relating to this control in §[ REF
_Ref199326362 \r \h \* MERGEFORMAT ].
For transactions involving banking or payment cards, the Primary Account Number
(PAN) must be masked when displayed or printed such that only the first 6 and the last
4 digits are readable unless there is an overriding business case for an authorised user
to view the complete number.⁹
Also see specific provisions and clarifications relating to this control in §[ REF
_Ref199326371 \r \h \* MERGEFORMAT ].
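The masking rule above (first 6 and last 4 digits readable, full view only on an approved business case) as an added Python example; it is not part of the policy or of any Horizon component. It assumes PANs of 12 to 19 digits with spaces or hyphens as the only separators, and that a full-PAN view by an authorised user is written to an audit record, which section 10.10.2 a) requires for access to Cardholder Data.

```python
"""Mask a Primary Account Number for display or print (section 10.9).

Added illustration only; not policy text and not Horizon code. Assumptions:
PANs are 12-19 digits (the ISO/IEC 7812 range), separators are spaces or hyphens,
and a full-PAN view is recorded in an audit list supplied by the caller.
"""
import re
from typing import Dict, List, Optional

SEPARATORS = " -"


def _digits(pan: str) -> str:
    """Strip the permitted separators, leaving the raw digit string."""
    return re.sub("[%s]" % re.escape(SEPARATORS), "", pan)


def is_well_formed_pan(pan: str) -> bool:
    """True when the PAN is all digits (ignoring separators) and 12-19 digits long."""
    digits = _digits(pan)
    return digits.isdigit() and 12 <= len(digits) <= 19


def mask_pan(pan: str, prefix: int = 6, suffix: int = 4, mask_char: str = "X") -> str:
    """Return the PAN with every digit except the first `prefix` and last `suffix` masked.

    Separators are kept in place so the printed layout is unchanged. Malformed input
    raises rather than being passed through partially masked.
    """
    if not is_well_formed_pan(pan):
        raise ValueError("not a well-formed PAN")
    total = len(_digits(pan))
    if prefix + suffix >= total:
        raise ValueError("prefix/suffix would leave the whole PAN readable")
    out, seen = [], 0
    for ch in pan:
        if ch in SEPARATORS:
            out.append(ch)
            continue
        readable = seen < prefix or seen >= total - suffix
        out.append(ch if readable else mask_char)
        seen += 1
    return "".join(out)


def mask_pan_for_receipt(pan: str) -> str:
    """Branch receipts: the card schemes set tighter rules (footnote 9). Keeping only the
    last 4 digits is an assumed setting, not a figure from the policy."""
    return mask_pan(pan, prefix=0, suffix=4)


def render_pan(pan: str, user: str, full_view_authorised: bool = False,
               audit: Optional[List[Dict[str, str]]] = None) -> str:
    """Render a PAN for screen or print. The complete number is returned only when the
    caller asserts an approved business case, and that access is then audited."""
    if full_view_authorised:
        if audit is not None:
            audit.append({"user": user, "event": "full_pan_view",
                          "pan_last4": _digits(pan)[-4:]})
        return pan
    return mask_pan(pan)
```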
This control is not applicable to Horizon / Horizon Online since no Horizon / Horizon
Online information is made available on a publicly accessible system.
10.10. Monitoring
10.10.1. Audit logging
An audit trail of all business transactions and all security relevant events¹⁰ (including
failed ones) must be maintained. Transactions which are abandoned prior to submission
to the Data Centre only need an audit record where there is a reasonable customer
expectation that the transaction might proceed.
As a minimum, the audit trail for transactions must be able to identify at least the
following:
a) the type of transaction,
b) the transaction result,
c) the transaction value,
d) the identity and location of the person who initiated it, and
e) the date and time at which the transaction occurred.
Transactions must be uniquely identified in the audit trail. Transactions must be
traceable from end to end i.e. from the receipt produced for the customer at the Branch
Terminal to the point at which they cross the Horizon / Horizon Online boundary.
⁹ Note that there are tighter rules set by the card schemes for the display of cardholder data on receipts
produced at branch terminals.
¹⁰ i.e. those that might affect the confidentiality, integrity or availability of information and/or
information systems.
See §[ REF _Ref204174088 \r \h \* MERGEFORMAT ] for the policy on recording
events for inclusion in the audit trail.
The audit trail must be maintained securely for a period agreed contractually with Post
Office Ltd (see also §[ REF _Ref199325690 \r \h ]). The audit trail may be archived after
an agreed period. It must be possible to extract relevant audit data, including archived
audit data, such that it is fit for use as legal evidence in support of a prosecution. It
must still be possible to extract data during the agreed period, even if the technology
originally used to generate the trail has been upgraded or replaced. See §[ REF
_Ref204172755 \r \h \* MERGEFORMAT ] for the policy on destruction of data
including audit data and any extracts thereof. See §[ REF _Ref204172779 \r \h \*
MERGEFORMAT ] for the policy on back-up of data including audit data.
10.10.2. Monitoring system use
Network-based intrusion detection must be deployed to protect systems storing or
processing CONFIDENTIAL or STRICTLY CONFIDENTIAL data in the Horizon
Online Data Centre (see §[ REF _Ref204170172 \r \h \* MERGEFORMAT ]). The
intrusion detection system must alert operational staff to suspected compromise of such
systems.
File integrity monitoring tools must be used to alert operational staff to unauthorised
modification of critical¹¹ system or content files in the Cardholder Data Environment at
the data centres. File integrity tools must be used elsewhere where a risk assessment
indicates they would be of benefit.
Log records documenting access to systems, resources, or selected functions must be
retained to ensure they are available for review or use during the investigation of
unauthorised access - see §[ REF _Ref204172827 \r \h \* MERGEFORMAT ] and §[
REF _Ref199325690 \r \h ].
Automated logging must be implemented in order to ensure the following events can
be reconstructed:
a) All individual access to Horizon / Horizon Online business data (including
Cardholder Data),
b) All actions taken by any individual with root or administrative privileges,
c) Access to all audit trails and event logs,
d) Invalid logical access attempts,
e) Use of identification and authentication mechanisms,
f) Initialization of the audit and event logs, and
g) Creation and deletion of system-level objects.
¹¹ For file integrity monitoring purposes, critical files are those that do not regularly change, but the
modification of which could indicate a system compromise or risk of compromise. File integrity
monitoring products usually come pre-configured with critical files for the related operating system.
Other critical files, such as those for custom applications, must be evaluated and defined by the
domain provider.
For each of the above events, the minimum that must be recorded is:
a) User identification,
b) Type of event,
c) Date and time,
d) Success or failure indication,
e) Origination of event, and
f) Identity or name of affected data, system component, or resource
Operational and support staff must maintain activity logs; these should include:
a) System starting and finishing times
b) System errors and corrective action taken
c) Confirmation of the correct handling of data files and computer output
d) The identity of the person making the log entry
Logs for all system components must be reviewed for potential security violations and
incidents at least daily. Special attention must be paid to all system components that
perform security functions, such as intrusion detection systems (IDS) and RADIUS servers.
Filtering and alerting tools should be used to minimise the risk of violations or incidents
being missed.
Operator logs should be subject to regular, independent checks against operating
procedures.
10.10.3. Protection of log information
All event logging data must be promptly retrieved to a centralised system where it is
secured and analysed. Unauthorised changes to audit logging facilities and information
must be detected and reported.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation.
10.10.4. Administrator and operator logs
See §[ REF _Ref204174241 \r \h ] for further policies on this topic.
10.10.5. Fault logging
There must be a process for reporting and handling faults and ensuring that
appropriate corrective action has been taken.
There must be a subsequent process to ensure that fault logs are reviewed and that
faults have been satisfactorily resolved.
10.10.6. Clock synchronisation
Relevant information processing systems must be interpreted as including any system
component generating audit logging file entries for Horizon / Horizon Online (see §[
REF _Ref204174297 \r \h \* MERGEFORMAT ]).
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance on
interpretation.
11. Access control
11.1. Business requirement for access control
11.1.1. Access control policy
General Policy
Control of access to all Post Office Ltd systems interfacing with Horizon / Horizon
Online must be in accordance with the Royal Mail Group Logical Access Control Policy
(S6).
Each Horizon / Horizon Online domain must have its own Access Control Policy
which addresses physical and logical access. This Access Control Policy defines the
policy for controlling access to resources involved in Horizon and Horizon Online in
line with the overall objectives specified in this policy.
The policy must take account of the following:
a) Security requirements of Horizon / Horizon Online applications,
b) Identification of all information related to Horizon / Horizon Online applications,
c) Policies for information dissemination and authorisation, e.g. the need to know
principle, security levels and classification of information,
d) Relevant legislation (see §[ REF _Ref267673872 \r \h ]) and any contractual obligations
regarding protection of access to data or services,
e) Standard user access profiles for common categories of job, and
f) Management of access rights in a distributed and networked environment, which
recognises all types of connections available.
Access must only be granted where there is an identified business need and must be
denied unless specifically allowed.
Access to Horizon / Horizon Online must only be from systems approved by
management.
Formal user access management processes must ensure that access control is kept up-to-
date to reflect changes in users' employment and responsibilities - see §[ REF
_Ref205979241 \r \h ].
UserIDs and passwords must not be shared¹², unless in very specific circumstances for
which a specific exception would need to be agreed with Post Office Information
Security¹³. In the exceptional circumstances of a shared UserID or password, an audit
trail must be available to enable a specific individual's access to be determined for
Royal Mail Group staff.
On newly installed equipment and software (including replacements), default
passwords and identification strings must be changed prior to setting the equipment /
software live.
All passwords transmitted across any internal or external network must be encoded
such that it is infeasible for an interceptor to deduce the password. Similarly, it must be
infeasible to deduce the password from the stored reference value against which entered
passwords are verified.
¹² In particular, the practice of allocating group or shared passwords is explicitly prohibited.
¹³ This requirement also means that userIDs and passwords used by applications must not be shared
with individual users or other processes.
Horizon Online users must not have any access to add, modify, delete or execute any
operating system or application files (including databases) without first being properly
authorised, authenticated and audited. Controls must be in place to prevent this
requirement being bypassed by any new or upgraded application or system build [SEC-
3228].
Horizon & Horizon Online Branch Terminal - Specific Policy
a) All users of Branch Terminals must be identified and authenticated before using the
Branch Terminal. Each identity must be capable of being traced to a specific individual
such that each individual can be held accountable for their actions.
b) Permission to access Horizon / Horizon Online data and functionality must be based
on roles that reflect the duties of staff accessing the system. Branch Terminal users
must only be allocated permissions based on being allocated to such a role and not
based on their individual identity.
c) Branch Clerical Staff must only have access to Horizon / Horizon Online business
application(s); they must not have access to any operating system level functionality or
to any utilities that could be used to modify or attack the system.
11.2. User access management
11.2.1. User registration
The access control procedures for user registration and de-registration must include:
a) allocating unique user IDs to enable users to be linked to and held responsible for their
actions;
b) checking that the user has appropriate management authorisation;
c) checking that the level of access granted is appropriate to the business purpose (see §[
REF _Ref204161912 \r \h ]) and is consistent with security policy, e.g. it does not
compromise segregation of duties (see §[ REF _Ref204161940 \r \h ]);
d) ensuring users are aware of their responsibilities in respect of access control
procedures (see §[ REF _Ref204163435 \r \h ]);
e) requiring users to sign statements indicating that they understand the conditions of
access;
f) ensuring access is not granted until authorisation procedures are complete;
g) maintaining a formal record of all persons registered to use Horizon / Horizon Online
systems;
h) immediately removing or blocking access rights of users who have changed roles or
jobs or left the organization;
i) periodically checking for, and removing or blocking, redundant user IDs and accounts
(see §[ REF _Ref204162052 \r \h ]);
j) ensuring that redundant user IDs are not issued to other users.
A role must be provided such that authorised Branch staff (e.g. the Postmaster) can be
made responsible for administering all stages in the life-cycle of Branch Clerical Staff,
from the initial registration of new users to the final de-registration of users who no
longer require access to Horizon / Horizon Online.
11.2.2. Privilege management
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
11.2.3. User password management
a) Procedures must be established which verify the identity of a user prior to providing a
new, replacement or temporary password.
b) Users allocated new or replacement passwords must be provided initially with a
secure temporary password (see §[ REF _Ref204159215 \r \h ]), which they are forced
to change immediately.
c) Temporary passwords must be given to users in a secure manner; the use of third
parties or unprotected (clear text) electronic mail messages must be avoided.
d) Temporary passwords should be unique to an individual and must not be guessable.
e) Users should acknowledge receipt of passwords.
f) Passwords must never be stored on computer systems in an unprotected form.
g) Default vendor passwords must be altered following installation of systems or
software.
11.2.4. Review of user access rights
In this context, regular intervals must not exceed 90 days.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation.
11.3. User responsibilities
11.3.1. Password use
All domains must comply with the following password policy for individuals:
a) Where passwords are used for authentication, the user must be forced to change
the initial password before any other access to the system is permitted.
b) Passwords must expire in 30 days.
c) Re-use of the same password must not be permitted for either a specified time or
until at least 4 other passwords have been used.
d) Passwords must be a minimum of 7 characters long and must be alphanumeric
(i.e. a mix of letters and numbers). There must not be more than two consecutive
identical characters. The password must not be the same as the username.
e) After 3 consecutive unsuccessful attempts to log-on, the user must be locked out
for at least 30 minutes or until an administrator has replaced the password in
accordance with §[ REF _Ref204164269 \r \h ].
Passwords used to authenticate one process to another must be longer (12 characters
minimum) but need not expire. Such passwords may be stored on the system to which
they apply but must not be deductible by any users other than authorised system
management staff.
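The password rules of 11.3.1 a) to e), plus the 12-character minimum for process-to-process passwords, expressed as a policy-as-code check. This is an added Python example, not part of the policy and not Horizon code; it assumes the username comparison is case-insensitive, that "alphanumeric" means at least one letter and one digit, and that stored reference values are salted PBKDF2 hashes so the password cannot be deduced from them (the 11.1.1 requirement).

```python
"""Policy-as-code model of the password rules in section 11.3.1.

Added illustration only; not policy text and not Horizon code. Assumptions not
stated in the policy: username comparison is case-insensitive, "alphanumeric"
means at least one letter and one digit, and reference values are salted
PBKDF2-HMAC-SHA256 digests.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

USER_MIN_LENGTH = 7                 # 11.3.1 d)
PROCESS_MIN_LENGTH = 12             # process-to-process passwords
USER_EXPIRY = timedelta(days=30)    # 11.3.1 b)
HISTORY_DEPTH = 4                   # 11.3.1 c)
MAX_FAILED_ATTEMPTS = 3             # 11.3.1 e)
LOCKOUT = timedelta(minutes=30)     # 11.3.1 e)

StoredHash = Tuple[bytes, bytes]    # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted PBKDF2 reference value (an assumed scheme; the policy mandates none)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def matches(password: str, stored: StoredHash) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_user_password(password: str, username: str, history: List[StoredHash]) -> List[str]:
    """Return the rules of 11.3.1 c) and d) a candidate breaks (empty list = acceptable)."""
    problems = []
    if len(password) < USER_MIN_LENGTH:
        problems.append("d: shorter than 7 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("d: not a mix of letters and numbers")
    if any(password[i] == password[i + 1] == password[i + 2] for i in range(len(password) - 2)):
        problems.append("d: more than two consecutive identical characters")
    if password.lower() == username.lower():
        problems.append("d: same as the username")
    if any(matches(password, h) for h in history[-HISTORY_DEPTH:]):
        problems.append("c: reused within the last 4 passwords")
    return problems


def check_process_password(password: str) -> bool:
    """Process-to-process passwords: 12 characters minimum, no expiry."""
    return len(password) >= PROCESS_MIN_LENGTH


class UserAccount:
    """Per-user state needed to enforce 11.3.1 a), b), c) and e)."""

    def __init__(self, username: str, initial_password: str, now: datetime):
        self.username = username
        self.history: List[StoredHash] = [hash_password(initial_password)]
        self.password_set_at = now
        self.must_change = True         # a) the initial password must be changed first
        self.failed_attempts = 0
        self.locked_until: Optional[datetime] = None

    def login(self, password: str, now: datetime) -> str:
        """Return 'locked', 'failed', 'change_required' or 'ok'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failed_attempts = None, 0   # lock-out period elapsed
        if not matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:     # e) lock for at least 30 min
                self.locked_until = now + LOCKOUT
            return "failed"
        self.failed_attempts = 0
        if self.must_change or now - self.password_set_at >= USER_EXPIRY:   # a), b)
            return "change_required"
        return "ok"

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        """Apply c) and d); on success the new value becomes the current password."""
        problems = check_user_password(new_password, self.username, self.history)
        if not problems:
            self.history.append(hash_password(new_password))
            self.password_set_at = now
            self.must_change = False
        return problems

    def admin_reset(self, temporary_password: str, now: datetime) -> None:
        """Administrator replaces the password (e) and 11.2.3 b)): unlock, force a change."""
        self.history.append(hash_password(temporary_password))
        self.password_set_at = now
        self.must_change = True
        self.failed_attempts = 0
        self.locked_until = None
```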
11.3.2. Unattended user equipment
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
11.3.3. Clear desk and clear screen policy
All domains must recognise the information security classifications of this policy. A
clear desk and clear screen policy must be followed whenever handling information
classified as CONFIDENTIAL or STRICTLY CONFIDENTIAL (see §[ REF
_Ref204163708 \r \h \* MERGEFORMAT ]).
Users of Branch Terminals must be encouraged to clear the screen on their terminal or
logoff whenever it is left unattended (also see §[ REF _Ref204163732 \r \h \*
MERGEFORMAT ] and §[ REF _Ref204163740 \r \h \* MERGEFORMAT ]).
All Post Office Ltd. employees must always observe the Post Office Ltd. Clear Desk
Policy. On Post Office Ltd premises, all suppliers, contractors and third parties must
observe the Royal Mail Group Clear Desk Policy (S10), to reduce the risks of
unauthorised access, loss of, and damage to, information during and outside normal
working hours.
Individual domains are also referred to the corresponding section of ISO/IEC 27002 for further
guidance on interpretation.
11.4. Network access control
Also see §[ REF _Ref199233886 \r \h \* MERGEFORMAT ] for the policy on Network Security
Management.
11.4.1. Policy on use of network services
(a) The Horizon / Horizon Online network configuration must permit traffic to flow
between clearly defined and documented security boundaries only as specifically
required for Horizon / Horizon Online applications and their associated management.
(b) Unauthorised access from non-Horizon / Horizon Online systems and networks must
be prevented, including unauthorised access from:
• any public networks used,
• networks connecting to Third Parties,
• networks connecting Horizon / Horizon Online to Post Office Ltd and/or Royal
Mail Group,
• other systems operated by the domain supplier on behalf of itself or other clients,
and
• unauthorised access via the Branch LAN.
(c) Controls must protect against denial-of-service attacks originating from non-Horizon
/ Horizon Online systems including those listed in [ REF _Ref199242230 \w \h \*
MERGEFORMAT ] and [ REF _Ref199242314 \w \h \* MERGEFORMAT ].
(d) The type and location of network security controls addressing points (a), (b) and (c)
must reflect both the likelihood of breach via a particular network connection and the
likely impact of any successful breach on the overall security of the Horizon / Horizon
Online service.
(e) The Horizon Online system must not retrieve data from any external web service,
including the Internet, unless additional security controls are documented and agreed
with Post Office Information Security. The objective of such controls is to prevent the
import of any mobile or malicious code (see §[ REF _Ref199310581 \r \h \*
MERGEFORMAT ] and §[ REF _Ref199310617 \r \h \* MERGEFORMAT ]) and the
unauthorised export of any Horizon Online business data.
(f) All Horizon Online systems must use private IP addresses (see RFC1918) which must
not be exposed across the system boundary¹⁴.
(g) For Horizon Online, a Cardholder Data Environment (see Definitions, §[ REF
(h)
(i)
@
(k)
_Ref199240475 \r \h \* MERGEFORMAT ]) must be defined, documented and
agreed with Post Office Limited’s PCI DSS auditors. The documentation must show all
connections to Cardholder Data and must be maintained to reflect changes to the
system. The Cardholder Data Environment must be segmented from other parts of the
Horizon Online system in order to minimise the scope of the PCI DSS audit in so far as
this is practical. Additional controls will exist in this environment to comply with PCI
Dss.
Network management staff within each domain must be alerted to any attempt to
reach the Horizon / Horizon Online systems in their domain from unauthorised
network addresses. Individual attempts must be treated as a minor security breach. A
concerted attempt or a successful breach of network security controls must be treated
as a major security breach.
Precautions must be taken to mitigate the risk of unauthorised equipment (see §[ REF
_Ref199309597 \r \h ] & §[ REF _Ref199240880 \r \h ]) being connected to any
component of the Horizon Online system, with the exception of passive devices within
the Branch.
A domain supplier may wish to disconnect a link in a security emergency. The
processes for any such enforced disconnection facilities must be agreed with Post
Office Ltd. and documented in an Operational Level Agreement with the Post Office.
WAN connections must be encrypted unless specifically agreed in writing by Post
Office Information Security. Encryption key management must be independent of
4 Eg. by the use of NAT (Network Address Translation).
network configuration such that the confidentiality of Post Office Ltd traffic is not
compromised by a single configuration error of either the WAN or the encryption
system. Also see the cryptographic policy, §12.3.
(l) Back-up network facilities should be provided to protect any single network
communications, equipment, or configuration failure. They must be provided where
such a failure would have a significant impact on the ability of Post Office Ltd to
transact business.
(m) Any backup or alternate network must be secured to the same level as the primary
network.
(n) Test systems must only share network connections with operational systems in
carefully controlled circumstances. Test systems must only be configured to connect in
this manner for the minimum duration necessary to support testing and must be
logically separated from connections carrying live data. The connection must only be
permitted after an assessment has confirmed that live operation will not be adversely
impacted. Also see the policy on separation of live and test, §[ REF _Ref199331482 \r
\h ].
(o) The use of wireless LAN technologies within or associated with Horizon / Horizon
Online systems or services must be excluded with the exception of public
telecommunications services provided by UK licensed public telecommunications
operators or as otherwise agreed by Post Office Ltd. in response to a security risk
assessment.15
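One way to implement the alerting rule in point (h) above, as an added example that is not part of this policy or of any Horizon system: it classifies connection attempts from constructed firewall-style log lines, treating a single attempt from an unauthorised address as a minor breach and a concerted attempt or an accepted connection as a major one. The log format, the authorised address ranges and the threshold of three attempts for "concerted" are assumptions, since the policy gives none.

```python
"""Classify connection attempts against policy point (h).

Added example, not part of the policy document or of any Horizon code. It
assumes that a domain's network devices log each attempt as a line
'<timestamp> <src_ip> -> <dst_ip>:<port> <ALLOW|DENY>' (constructed format)
and that the authorised source ranges for the domain are known. The threshold
for a "concerted" attempt (three or more from one source) is an assumption;
the policy says "concerted" without giving a number.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Authorised source ranges for this domain (constructed for the example). Note
# that a private RFC1918 address is not automatically an authorised one.
AUTHORISED_SOURCES = [ip_network("10.20.0.0/16"), ip_network("192.168.100.0/24")]

CONCERTED_THRESHOLD = 3  # assumption: the policy gives no number

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2011-10-13T09:00:01 10.20.5.7 -> 10.20.1.10:443 ALLOW
2011-10-13T09:00:05 203.0.113.9 -> 10.20.1.10:22 DENY
2011-10-13T09:00:09 198.51.100.4 -> 10.20.1.10:22 DENY
2011-10-13T09:00:10 198.51.100.4 -> 10.20.1.10:23 DENY
2011-10-13T09:00:12 198.51.100.4 -> 10.20.1.10:3389 DENY
2011-10-13T09:01:00 172.16.9.9 -> 10.20.1.11:445 ALLOW
"""


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "action": action}


def is_authorised(src):
    """True when the source address lies in an authorised range."""
    return any(src in net for net in AUTHORISED_SOURCES)


def classify(log_text):
    """Return {source: (severity, reason)} for every unauthorised source seen.

    Severity follows policy point (h): an individual attempt is a minor
    security breach; a concerted attempt, or any connection that the
    controls actually accepted, is a major security breach.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    unauthorised = [e for e in events if not is_authorised(e["src"])]
    counts = Counter(str(e["src"]) for e in unauthorised)
    succeeded = {str(e["src"]) for e in unauthorised if e["action"] == "ALLOW"}
    result = {}
    for src, n in counts.items():
        if src in succeeded:
            result[src] = ("major", "successful connection from unauthorised address")
        elif n >= CONCERTED_THRESHOLD:
            result[src] = ("major", f"concerted attempt ({n} attempts)")
        else:
            result[src] = ("minor", f"individual attempt ({n})")
    return result


if __name__ == "__main__":
    for src, (severity, reason) in classify(SAMPLE_LOG).items():
        print(f"{severity.upper():5} {src:15} {reason}")
```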
11.4.2. User authentication for external connections
Users accessing Horizon Online facilities remotely (ie. over any external connection)
must be authenticated using a technique employing two factors: something the user has
(e.g. a cryptographic token) and something the user knows (e.g. a password). For the
sake of clarity, the connection between a branch and the data centre is not considered
external for the purpose of this statement.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation.
11.4.3. Equipment identification in networks
15 The objective of this requirement is to ban Wi-Fi, Bluetooth and similar technologies whilst
permitting, for example, the use of mobile phone carriers and satellite technologies to provide branch
to data centre communications provided the traffic is secured appropriately for transit over a public
network.
16 Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
11.4.4. Remote diagnostic and configuration port protection
Ports, services, and similar facilities installed on a Horizon / Horizon Online
computer or network facility, which are not specifically required for business
functionality, must be disabled or removed.
Network access points used by third parties for remote diagnostic and/or configuration
purposes must only be enabled for the duration necessary for the specific activity being
undertaken. Enabling of the network access points must be under the control of the
appropriate Horizon / Horizon Online support management (see §[ REF _Ref199309597
\r \h ]) and recorded (see §[ REF _Ref204174088 \r \h ]). Third party staff and/or
diagnostic systems accessing Horizon / Horizon Online systems must be identified and
authenticated in accordance with this policy.
11.4.5. Segregation of networks
All RADIUS servers that authenticate network access must be secured and segregated
into logical network segments by carrier access method and be externally visible to
authorised domain users only.
The Cardholder Data Environment (see Definitions, §[ REF _Ref199240475 \r \h \*
MERGEFORMAT ]) must be secured and segmented to prevent unauthorised access to
Cardholder Data and Sensitive Authentication Data.
All network interfaces between the Horizon / Horizon Online environment and
external networks must ensure that there are barriers (such as dynamic packet filtering
firewalls and DMZs) that control access and communications flows between internal
systems and the external connections. Such controls must ensure segregation between
external networks as well as segregation between internal and external systems.16
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation. Also see the policy on the use of network services, §[ REF _Ref199225557 \r \h
\* MERGEFORMAT ] above.
Also see specific policy for mobile and personal computers in §[ REF _Ref199321930 \r \h ]
11.4.6. Network connection control
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation. Also see the policy on the use of network services, §[ REF _Ref199225557 \r \h \*
MERGEFORMAT ] above.
11.4.7. Network routing control
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for additional
guidance on interpretation. Also see the policy on the use of network services, §[ REF
_Ref199225557 \r \h \* MERGEFORMAT ] above.
11.5. Operating system access control
11.5.1. Secure log-on procedures
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
implementing this control, which is subject to the specific provisions, interpretations and highlights
below.
Branch staff must be prevented from accessing the operating system on Counter
Terminals. They must only have access to authorised applications (see §[ REF
_Ref199319275 \r \h ] & §[ REF _Ref267913075 \r \h ]). For Horizon Online, terminals
must be bootable only from the primary mass storage device on the terminal.
Branch Terminals must include a single user action that, in between customer sessions,
cleanly terminates the clerk session and presents a new clerk login screen. During a
customer session, the clerk must first complete or cancel the session in accordance with
business rules.
11.5.2. User identification and authentication
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation. See also §[ REF _Ref204158711 \r \h ] for additional authentication requirements
over external connections.
11.5.3. Password management system
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation. Also see the policy on password use, §[ REF _Ref204159215 \r \h ].
11.5.4. Use of system utilities
See also the Branch access control policy §11.1.1
11.5.5. Session time-out
Any inactive user session that has been idle for more than 15 minutes must be
suspended or terminated until the user is re-authenticated.17
Users of Horizon Online Branch Terminals must have access to a single user action that
clears the screen, prevents further data entry and maintains the current session states,
until such time as the operator is re-authenticated or until the Branch Terminal sessions
are closed following an inactivity timeout; whichever is the sooner.
17 This policy is primarily targeted at individual users. Process-to-process sessions may have a
longer time-out provided the reason is justified and documented as part of the risk assessment
process (see §[ REF _Ref206220387 \r \h ]).
11.5.6. Limitation of connection time
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
The applicability of this control (if any) must be established by Domains as part of the
risk assessment process (see §[ REF _Ref206220387 \r \h ]).
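The session rules of §11.5.5 (15-minute idle limit; a single lock action that keeps session state until re-authentication or timeout, whichever is sooner) and the longer, documented limit footnote 17 allows for process-to-process sessions, as a small state model. This is an added example, not code from Horizon Online: the state names, the caller-supplied clock in plain seconds, and the decision that a closed session discards its in-flight work are assumptions.

```python
"""Branch Terminal session timing model (added example, not Horizon Online code).

§11.5.5: a session idle for more than 15 minutes is closed until the user
re-authenticates; a single user action locks the terminal (screen cleared,
input refused, session state kept) until re-authentication or until the
inactivity timeout closes the session, whichever is sooner. Footnote 17 lets
process-to-process sessions use a longer, documented limit, so the limit is a
parameter. The clock is plain seconds supplied by the caller so the model is
deterministic; that a closed session discards in-flight work is an assumption
drawn from the wording "sessions are closed".
"""
from dataclasses import dataclass, field

IDLE_LIMIT_SECONDS = 15 * 60  # policy default: "more than 15 minutes"


@dataclass
class ClerkSession:
    clerk_id: str
    last_activity: float                    # seconds, caller-supplied clock
    idle_limit: float = IDLE_LIMIT_SECONDS  # longer only with documented justification
    state: str = "ACTIVE"                   # ACTIVE | LOCKED | CLOSED
    basket: list = field(default_factory=list)  # in-flight work kept across a lock

    def _expire_if_idle(self, now):
        """Close the session once it has been idle strictly longer than the limit."""
        if self.state != "CLOSED" and now - self.last_activity > self.idle_limit:
            self.state = "CLOSED"
            self.basket.clear()  # closed session: in-flight work is discarded

    def touch(self, now, item=None):
        """Record user input; refused unless the session is ACTIVE."""
        self._expire_if_idle(now)
        if self.state != "ACTIVE":
            return False
        if item is not None:
            self.basket.append(item)
        self.last_activity = now
        return True

    def lock(self, now):
        """Single user action: clear screen, refuse input, keep session state.

        Locking does not extend the idle clock, so the inactivity timeout
        still closes a locked session (policy: "whichever is the sooner").
        """
        self._expire_if_idle(now)
        if self.state == "ACTIVE":
            self.state = "LOCKED"
        return self.state

    def reauthenticate(self, now, clerk_id, credential_ok):
        """Unlock after the same clerk re-authenticates; CLOSED needs a new login."""
        self._expire_if_idle(now)
        if self.state == "LOCKED" and credential_ok and clerk_id == self.clerk_id:
            self.state = "ACTIVE"
            self.last_activity = now
        return self.state


if __name__ == "__main__":
    s = ClerkSession("clerk-01", last_activity=0.0)
    s.touch(60, "stamps")
    print(s.lock(120), s.basket)                       # LOCKED ['stamps']
    print(s.reauthenticate(200, "clerk-01", True))     # ACTIVE
    print(s.reauthenticate(200 + 15 * 60 + 1, "clerk-01", True), s.basket)  # CLOSED []
```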
11.6. Application and information access control
11.6.1. Information access restriction
Application-level logon to Branch Terminals must provide equivalent security to that
provided by logon via native operating systems. [SEC-3295]
Horizon Online Branch Terminals must have controls in place to prevent user bypass of
the standard application [SEC-3298].
All access to any database containing CONFIDENTIAL or STRICTLY CONFIDENTIAL
data as defined in §[ REF _Ref204165333 \r \h \* MERGEFORMAT ] (including
Cardholder Data as defined in §[ REF _Ref199240475 \r \h \* MERGEFORMAT ])
must be authenticated. This includes access by applications, administrators, and all
other users. Direct access to such databases by individuals is strongly deprecated and
must be limited to authorised database administrators.
Also see the access control policy, §[ REF _Ref199320486 \r \h \* MERGEFORMAT ].
11.6.2. Sensitive system isolation
Horizon and Horizon Online must be treated as sensitive systems in this context.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation.
11.7. Mobile computing and teleworking
Domain suppliers must implement the following ISO / IEC 27001 controls, which are
subject to the specific provisions, interpretations and highlights below them.
The Mobile Security Policy (S5) and the Mobile Security Guidelines must be observed
for security of laptops allocated to or used by Post Office staff.
When accessing Cardholder Data remotely via modem, it must not be stored onto local
hard drives, floppy disks, or other external media. Cut-and-paste and print functions
must not be used during such remote access.
Personal firewall software must be present and operational on any mobile and/or
employee-owned computers (for example, laptops used by employees) which is used to
access cardholder data and which also has direct connectivity to the Internet.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for further guidance
on interpretation of these controls.
12. Systems acquisition, development and maintenance
12.1. Security requirements of information systems
12.1.1. Security Requirements Analysis and specification
All security requirements must be identified, justified, agreed and documented as part
of the overall business case.
The security controls must be specified within the statements of business requirements
for Horizon, Horizon Online, and enhancements; the need for both automated and
manual controls must be specified.
Security controls must reflect:
• the business value of the information assets involved
• the potential business damage
• Regulatory and contractual requirements
Security requirements and controls should be identified from risk assessment.
Within the Post Office domain:
• a Business Impact Assessment must be conducted at the feasibility stage of a
development project, and
• a Security Risk Assessment must be conducted at the Conceptual Design stage of
project development.
The following must be considered during the analysis:
• identification and authentication of human and system “users”,
• control of access to information and services,
• segregation of duties,
• secure operation in degraded mode,
• incorporation and analysis of audit trails,
• data and system integrity protection,
• use of encryption to prevent unauthorised disclosure of data, and
• system resilience, including operation in fall-back mode and recovery.
12.2. Correct processing in applications
Domain suppliers must implement the following ISO / IEC 27001 controls, which are
subject to the specific provisions, interpretations and highlights below them.
In particular, applications must be protected against common application level attacks
such as buffer overflows, SQL injection and cross-site scripting.
See also §[ REF _Ref199325178 \r \h \* MERGEFORMAT ]
In particular:
a) “Correct” and “appropriate” must be judged in the context of the application.
b) See the policy on Mobile Code, §[ REF _Ref252542154 \r \h ].
c) Applications requiring passwords must comply with the password policy in
§11.3.1 unless otherwise approved by Post Office Ltd Information Security.
d) The security of data, especially business data, sensitive data (see §[ REF
_Ref204163708 \r \h ]) and audit data (see §[ REF _Ref204174297 \r \h ]), must
be maintained in accordance with this policy during any migration from a live
Horizon system or component to Horizon Online.
e) The secure file-store in configured Horizon terminals must be rendered
unrecoverable on migration to Horizon Online. Any terminal which is not
migrated (e.g. it is taken out of service instead) must have its file-store deleted in
accordance with established Horizon procedures [SEC-3273].
12.3. Cryptographic Controls
12.3.1. Policy on the use of cryptographic controls
Horizon / Horizon Online must operate within the framework of the Royal Mail Group
Cryptographic policy and follow the recognised financial industry guidelines18 on
cryptography which includes:
• Encryption
• Digital Signatures
18 Post Office must formally communicate any specific requirements additional to those listed below to
Domain Suppliers.
• Non-repudiation services
• Key Management
• Security of system files.
Cryptographic systems and techniques must be used for the protection of information
that is considered at risk (see §[ REF _Ref206220387 \r \h ]) and for which other controls
do not provide adequate protection.
Unless otherwise agreed with Post Office Ltd, cryptographic controls must be used as
follows:
(a) Once entered by a cardholder, plain text PINs must only be processed in a physically
secure device as defined in ISO 9564 (see also §[ REF _Ref199326016 \r \h \*
MERGEFORMAT ]). At all other times, PINs must be encrypted as defined in ISO
9564.
(b) Any cryptographic key knowledge of which could directly or indirectly reveal plain
text PINs must be managed in accordance with ISO 11568 Parts 1 and 2.
(c) Unless point (d) applies, Banking MACs must be used to authenticate the source of all
messages or files that may result in the transfer of funds.
(d) Banking MACs may be omitted where there is a cryptographically authenticated
circuit (e.g. a VPN) between the source and destination of the payment data. The
encryptor must be located within the physical security of the data centre hosting the
payment application.
(e) Any link carrying information classified as “CONFIDENTIAL” in clause §[ REF
_Ref204163708 \r \h ] must be encrypted outside the physical security of a data centre
unless agreed in writing by Post Office Ltd Information Security and, for personal
data, the Data Controller. See also §[ REF _Ref199225557 \r \h ].
(f) Cardholder Data (see Definitions, §[ REF _Ref199240475 \r \h \* MERGEFORMAT ])
must be rendered unreadable anywhere it is stored (including data on portable media,
backup media, and in logs) by using any of the following approaches [SEC-3307]:
• One-way hashes (hashed indexes), such as SHA-1
• Truncation
• Index tokens and PADs, with the PADs being securely stored
• Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated
key management processes and procedures (see §[ REF _Ref199327186 \r \h ]).
(g) All Sensitive Authentication Data and Cardholder Data must be encrypted using
approved algorithms and encryption protocols whilst in transit over any public
network unless specifically agreed in writing by the Client. It must also be encrypted
when sent by any end-user messaging technology (for example, e-mail, instant
messaging, chat), whether internal or external to the domain. Approved algorithms
are 128-bit 3DES (as per ANSI X9.52) and 256-bit AES (FIPS 197). Approved
encryption protocols are SSL v3 / TLS, SSH, IPSec, and PPTP. [SEC-3310]
(h) Post Office Ltd. must ensure that the contract with domain suppliers contains or
references any HM Government requirement to use Government specified algorithms
and key lengths.
(i) Subject to (h), industry standard commercial algorithms and protocols should be used.
Cryptographic key lengths for commercial algorithms must be at least 112 bits for
symmetric keys and at least 1024 bits for public keys. Triple-DES (ANSI X9.52) is the
only approved symmetric algorithm for protecting banking PINs (see ISO 9564). 256-
bit AES is the preferred symmetric algorithm and key length.
(j) Encrypted traffic must only pass through firewalls where it is agreed with Post Office
Ltd. Information Security that it does not represent a significant threat to the security
of Horizon / Horizon Online - See §[ REF _Ref199224960 \r \h ]. Selectively
encrypted fields such as PINs, passwords and cryptographic key management fields
are not considered such a threat.
(k) All non-console administrative access must be encrypted. Technologies such as SSH,
VPN, or SSL/TLS must be used for web-based management and other non-console
administrative access.
12.3.2. Key management
See item 12.3.1(b) above for the policy on keys associated with cardholder PINs.
It must be possible to recover the system to a secure operating state from the
compromise of any key that could directly or indirectly expose plain text PIN values
[SEC-3226].
WAN encryption key management must be independent of network configuration such
that the confidentiality of Post Office traffic is not compromised by a single
configuration error of either the WAN or the encryption system [SEC-3168].
Key management processes and procedures must ensure that keys are generated such
that it is impractical for an attacker to deduce the value of the key.
Keys must be protected in storage and transmission such that the integrity and (for
secret / private keys) confidentiality of the key is maintained. Keys must also be
protected against misuse and unauthorised substitution.
Secret / private keys distributed manually must be distributed and entered using split
knowledge wherever a key is protecting against unauthorised internal disclosure. There
must be dual control over the generation and installation of all such keys i.e. no one
person may be able to generate, deduce or install such a key.
Key distribution must be restricted to the fewest possible people and places consistent
with maintaining system availability.
Keys must be changed periodically (at least annually if protecting Cardholder Data or
Sensitive Authentication Data) and whenever it is known or suspected that they may
have been compromised. Public key certificates must be revoked whenever it is known
or suspected that the associated key set may have been compromised.
All key management procedures must be documented. Records must be maintained of
key management activities. Those involved in key management processes protecting
data classified as Confidential, Strictly Confidential, Cardholder Data, or Sensitive
Authentication Data (see §[ REF _Ref199240475 \r \h ] and §[ REF _Ref204170172 \r \h
]) must be formally advised of their responsibilities and sign that they accept them.
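The split-knowledge and dual-control requirement above, as an added example that is neither Horizon code nor a full ISO 11568 implementation: a key is generated as XOR components held by separate custodians, so no single person holds or can deduce the key, and the components are only recombined inside the installing device, where a check value lets the custodians confirm correct entry. The HMAC-based check value and the 256-bit key length are assumptions.

```python
"""Split-knowledge key components with dual control (added example).

Not Horizon code and not a complete ISO 11568 implementation. It shows the
XOR component scheme commonly used to meet a split-knowledge requirement:
each custodian holds one random component, every component is needed to
form the key, and a single component carries no information about the key.
The check value here is an HMAC-SHA256 prefix over the combined key; that is
an assumption for the example (devices define their own key check value,
typically the encryption of a zero block under the key).
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit AES, the policy's preferred symmetric key length


def combine_components(components):
    """XOR all components together; every component is required."""
    lengths = {len(c) for c in components}
    if len(components) < 2 or len(lengths) != 1:
        raise ValueError("need at least two components of equal length")
    key = bytearray(lengths.pop())
    for comp in components:
        for i, b in enumerate(comp):
            key[i] ^= b
    return bytes(key)


def check_value(key):
    """Short value custodians can compare without revealing the key (assumed form)."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:6]


def generate_components(n_custodians, key_len=KEY_LEN):
    """Generate a key as n random components; returns (components, check_value).

    Dual control: at least two custodians, so nobody can produce the key
    alone. The combined key is formed only transiently, to compute the
    check value that is recorded alongside the components.
    """
    if n_custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    components = [secrets.token_bytes(key_len) for _ in range(n_custodians)]
    check = check_value(combine_components(components))
    return components, check


def install_key(components, expected_check):
    """Ceremony step inside the target device: combine the entered components
    and confirm the check value before the key is accepted."""
    key = combine_components(components)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("check value mismatch: a component was mis-entered or substituted")
    return key


if __name__ == "__main__":
    comps, kcv = generate_components(3)
    print("check value recorded at generation:", kcv)
    print("installed key length:", len(install_key(comps, kcv)))
```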
12.4. Security of system files
12.4.1. Control of Operational Software
a) Operational Horizon Online systems must be “hardened” to an appropriate level of
security in accordance with manufacturer's guidelines.
b) The updating of the operational software, applications, and program libraries must
only be performed by trained staff upon appropriate management authorisation (see §[
REF _Ref205973435 \r \h \* MERGEFORMAT ]).
c) Systems must only hold approved executable code, and not development code or
compilers. All unnecessary functionality, such as scripts, drivers, features, subsystems,
file systems, and unnecessary web servers must be removed.
d) Applications and operating system software must only be implemented after extensive
and successful testing; the tests should include tests on usability, security, effects on
other systems and user-friendliness, and must be carried out on separate systems (see
also §[ REF _Ref199331482 \r \h \* MERGEFORMAT ]); it should be ensured that all
corresponding program source libraries have been updated.
e) A configuration control system must be used to keep control of all implemented
software as well as the system documentation.
f) A rollback strategy should be in place before changes are implemented.
g) An audit log must be maintained of all updates to operational program libraries (also
see §[ REF _Ref204174088 \r \h \* MERGEFORMAT ]).
12.4.2. Protection of System Test Data
Live Horizon / Horizon Online data must not be used for test or debug purposes unless
specifically authorised by Post Office Ltd and then only once it has been “sanitised”
such that no personal data is identifiable. Similarly, test data, test accounts, test
passwords and test cryptographic keys must be removed from development and test
systems (including all applications) before they migrate to live.
12.4.3. Access control to program source code
In particular:
a) Horizon / Horizon Online users must not have any access to add, modify, delete
or execute any operating system or application files without first being properly
authorised, and authenticated. The access must also be logged (see §[ REF
_Ref204174297 \r \h ]). Controls must be in place to prevent this requirement
being bypassed by any new or upgraded application or system build.
12.5. Security in development and support processes
Project and support environments must be strictly controlled.
Managers responsible for application systems must also be responsible for the security
of the project or support environment. They must ensure that all proposed system
changes are reviewed to check that they do not compromise the security of either the
system or the operating environment.
12.5.1. Change control procedures
In order to minimize the corruption of information systems, there must be strict control
over the implementation of changes - see §[ REF _Ref199309597 \r \h \*
MERGEFORMAT J]. Formal change control procedures must be enforced. They must
ensure that security and control procedures are not compromised, that support
programmers are given access only to those parts of the system necessary for their
work, and that formal agreement and approval for any change is obtained. Wherever
practicable, application and operational change control procedures should be integrated.
In order to maximize the availability of the system there must be strict control over the
maintenance of all operational Horizon / Horizon Online systems:
a) Wherever practical, maintenance activities must be planned in advance and
scheduled to take place at times of low traffic.
b) Where any maintenance task requires a system outage, the timing of the outage
must be agreed in advance with Post Office Ltd.
c) Also see the policy on Technical Vulnerability Management, §[ REF
_Ref199331121 \r \h ].
12.5.2. Further development & support policies
Domain suppliers must implement the following ISO/IEC 27001 controls.
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
Note: Horizon / Horizon Online has been assessed as “business critical”.
See also §[ REF _Ref205721619 \r \h \* MERGEFORMAT ] & §[ REF _Ref205721677 \r \h \*
MERGEFORMAT ]
In accordance with Royal Mail policy S18, source code developed specifically for
Horizon Online systems must be reviewed prior to operational use. The review must
be independent of the developer producing the code and must check for compliance
with §[ REF _Ref199333408 \r \h ]. Any deficiencies detected in the code must be
corrected.
12.6. Technical Vulnerability Management
12.6.1. Control of technical vulnerabilities
From time to time, product and service suppliers will issue details of security
vulnerabilities and recommend workarounds and / or fixes. Domain suppliers must
apply recommended workarounds and fixes in a timescale commensurate with the risk
to Horizon / Horizon Online and in accordance with the change control procedures.
13. Information Security Incident Management
13.1. Responding to security incidents and malfunctions
13.1.1. Reporting security incidents
When domains interact with each other, there is always a possibility that a security
incident in one domain will have an adverse impact on another domain. The impact
may extend to businesses that have no direct contractual agreement with the domain(s)
suffering the security incident and must therefore be reported to Post Office Ltd for
onward communication.
“Appropriate management channels” must be documented, communicated to all in a
position to detect a security incident and, for channels extending beyond the domain,
agreed with Post Office Limited.
See also §[ REF _Ref205974803 \r \h ] and §[ REF _Ref205721677 \r \h].
13.1.2. Reporting security weaknesses
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
13.2. Management of information security incidents and improvements
13.2.1. Responsibilities and procedures
Each domain must take responsibility for reporting (see §[ REF _Ref206240088 \r \h ]),
investigating and resolving security incidents within its own domains that present an
actual or potential threat to the Horizon / Horizon Online environment or to any of the
Horizon / Horizon Online participants. Domains must be able to identify and respond
to potentially serious security incidents19 at any time during the contracted operating
hours for the Horizon / Horizon Online service. Formal incident response plans must
be established for any incident likely to affect business continuity (see §[ REF
_Ref204169468 \r \h ]).
19 The objective is that a security incident is reported even if there is doubt about its existence or
seriousness.
Procedures must exist to cover all potential types of security incident affecting
• Confidentiality, including compromise of Cardholder Data and other personal
data,
• Integrity, including errors resulting from incomplete or inaccurate business data,
and/or
• Availability, including information system failures, loss of service, and denial of
service.
Each domain must establish a formal reporting procedure, together with an incident
response process, setting out the action to be taken on receipt of an incident report or
security alert (see §[ REF _Ref204174088 \r \h ]). All suppliers, employees and
contractors must be made aware of the procedure for reporting security incidents, and
should be required to report such incidents as quickly as possible.
Suitable feedback processes must be implemented to ensure that those reporting
incidents are notified of results after the incident has been dealt with and closed.
An escalation process must be established to ensure that incidents are notified to
relevant parties (via Post Office) and managed across the Horizon / Horizon Online
community.
Security breaches and incidents must be reviewed regularly by the Information Security
Management Forum (see §[ REF _Ref206419393 \r \h ]) to establish cross-community
awareness.
Escalation procedures to the Royal Mail Group Crisis Management organisation must
be put in place.
Security incidents must be assessed for their likely impact on other parties involved in
the Horizon / Horizon Online service. Serious incidents must be reported to Post Office
Ltd. at the earliest opportunity. Where the timescales for reporting incidents are
formally agreed between Post Office and its Clients, those timescales must be agreed
with the relevant Domains in writing. A summary of other incidents must be reported
to Post Office Ltd. as part of the regular service review.
See §8.2.3 for the policy on the Disciplinary Process that can be invoked as a result of an incident.
13.2.2. Learning from information security incidents
Domain suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
13.2.3. Collection of evidence
It is necessary to have adequate evidence to support an action against a person or
organisation. Whenever this action is an internal disciplinary matter (see §[ REF
_Ref205717383 \r \h ]) the evidence necessary will be described by internal procedures.
Where the action involves the law, either civil or criminal, the evidence presented must
conform to the rules for evidence laid down in the relevant law or in the rules of the
specific court in which the case will be heard. Legal advice must be taken where
clarification is required.
To achieve admissibility of the evidence, domains must ensure that their information
systems comply with any published standard or code of practice for the production of
admissible evidence.
To achieve quality and completeness of the evidence, a strong evidence trail must be
maintained.
Post Office Ltd will agree the level of support it requires from domains in cases it
prosecutes.
14. Business Continuity
Business continuity for Horizon / Horizon Online concerns the provision of
appropriate processes across the Horizon / Horizon Online Community to develop and
maintain the continuity of all Horizon / Horizon Online business functions.
There must be a process in place, involving the Horizon / Horizon Online community,
to develop and maintain business continuity of the end-to-end Horizon / Horizon
Online service.
Similarly, individual domains must have a process in place for the development and
maintenance of their own business continuity plans in support of their responsibilities
for end-to-end business continuity, including integration with other Horizon / Horizon
Online domains.
Key elements of the business continuity planning process include:
• Understanding the risks, their likelihood and impact
• Understanding the impact of interruptions on Post Office Ltd. as a whole
• Formulating and documenting a business continuity strategy consistent with the agreed business objectives and priorities
• Regular testing and updating of the plans and amended processes put in place where necessary.
An end-to-end Horizon / Horizon Online business continuity plan must define the responsibilities of, and interactions between, the individual domains of the Horizon / Horizon Online Community, and must be integrated within an overall Crisis Management framework agreed between all parties.
Individual Horizon / Horizon Online domains must each develop and maintain
business continuity plans as defined within the end-to-end plan.
Plans that address compromise of Cardholder Data must be tested at least annually.
All relevant security controls must be retained even if degraded operating conditions
are in effect.
Domain suppliers must implement the following ISO/IEC 27001 controls. Domain
suppliers are referred to the corresponding section of ISO/IEC 27002 and to ISO/IEC
24762:2008 for guidance on interpretation.
Note: compromise of the confidentiality of personal data (including Cardholder Data) can cause an interruption to business processes, as systems may have to be closed down until the source of the compromise is identified, further compromise prevented and/or legal evidence collected.
15. Compliance
15.1. Compliance with legal requirements
15.1.1. Identification of applicable legislation
Horizon / Horizon Online must ensure compliance with all legislative requirements
including the:
• Freedom of Information Act 2000
• Data Protection Act 1998
• Official Secrets Act 1989
• Computer Misuse Act 1990
• Copyright, Designs and Patents Act 1988
• Financial Services and Markets Act 2000
• Regulation of Investigatory Powers Act 2000
• Electronic Communications Act 2000 as amended by the Communications Act 2003
• Money Laundering Regulations 2003
All Horizon / Horizon Online domains must clearly identify compliance measures,
legislation and industrial standards that surround them. Each domain must identify
how compliance is going to be monitored and how often compliance checks are going
to be carried out. The specific controls and individual responsibilities to meet the
requirements must be defined and documented. Where appropriate, advice on specific
legal requirements must be sought from the domain’s legal advisers, or suitably
qualified legal practitioners. Should any domain become aware that a change to another
domain’s systems or procedures is required in order to meet legal requirements, it must
inform the other domain.
15.1.2. Intellectual property rights (IPR)
Appropriate procedures must be implemented to ensure compliance with legal
restrictions on the use of material in respect of which there may be intellectual property
rights, such as copyright, design rights, trade marks.
Proprietary software products are usually supplied under a licence agreement. They
must only be used in accordance with any such licence. Domain suppliers must ensure
that sufficient licences are available to fulfil their contractual obligations.
15.1.3. Protection of organizational records
Each domain must identify the records important to it (e.g. through risk assessment and contractual processes). These records must be protected from loss, destruction and falsification.
The retention periods for essential data and information must be determined in order to
fulfil all legal requirements and meet the retention schedule expressed for Royal Mail
Group. Domains must issue guidelines on the retention, storage, handling, and disposal
of records and information. A retention schedule must be drawn up identifying records
and the period of time for which they should be retained. The schedule must also
identify where there are requirements for the disposal of records at the end of their
retention period. To comply with PCI DSS, the audit trail (see §[ REF _Ref205722017 \r
\h ]) must be retained for at least one year with a minimum of three months available
online (Royal Mail Group requirements are currently in excess of this).
Sensitive Authentication Data (see §[ REF _Ref199240475 \r \h ] - Definitions) must not
be stored in any file or database including log, audit or diagnostic files after a
transaction has been authorised even if the data is encrypted. Such data must also be
deleted after use [SEC-3304].
See also §[ REF _Ref204169342 \r \h ] and §[ REF _Ref204169468 \r \h ] for policies on
the protection from loss.
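The prohibition above on keeping Sensitive Authentication Data in log, audit or diagnostic files after authorisation is most often breached by verbose debug logging rather than by deliberate storage. The following Python check is an added example, not part of this policy or of any Horizon component: it scans constructed log lines for cleartext PANs (Luhn-validated so that transaction ids are not flagged), track-2 equivalent data and labelled CVV/PIN fields; the log format and field names are assumptions.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 equivalent data: PAN, '=' separator, YYMM expiry, service code, discretionary data.
TRACK2_RE = re.compile(r"\b\d{13,19}=\d{4}\d*")
# Labelled Sensitive Authentication Data fields in key=value style log lines (assumed names).
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin|pin_block|track[12])\s*[=:]", re.I)

# Constructed sample log lines; the format is an assumption, not a Horizon log format.
SAMPLE_LOG = [
    "2011-10-13 09:14:02 INFO  auth ok txn=1234567890123456 amount=20.00",
    "2011-10-13 09:14:03 DEBUG card=4111 1111 1111 1111 resp=00",
    "2011-10-13 09:14:03 DEBUG raw=;4111111111111111=25121010000000000000?",
    "2011-10-13 09:14:04 DEBUG cvv2=123 checked",
    "2011-10-13 09:14:05 INFO  settlement batch closed",
]

def luhn_valid(digits: str) -> bool:
    """Luhn check: rules out most random digit runs such as transaction ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    line_no: int
    kind: str    # "TRACK2", "SAD_FIELD" or "PAN"
    text: str

def scan_log(lines):
    """One Finding per log line that retains a PAN or Sensitive Authentication Data."""
    findings = []
    for n, line in enumerate(lines, 1):
        if TRACK2_RE.search(line):
            findings.append(Finding(n, "TRACK2", line))
            continue                 # the PAN inside track-2 data is already reported
        if SAD_FIELD_RE.search(line):
            findings.append(Finding(n, "SAD_FIELD", line))
        for m in PAN_RE.finditer(line):
            if luhn_valid(re.sub(r"[ -]", "", m.group())):
                findings.append(Finding(n, "PAN", line))
                break                # one PAN finding per line is enough
    return findings
```

Run over retained audit or diagnostic files, any finding is a retention-policy breach to remediate at the logging statement, not by post-hoc encryption, since the policy applies even to encrypted data.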
15.1.4. Data protection and privacy of personal information
Account identifiers, such as the PAN in a banking transaction, can be considered to identify a living individual in the context of the Data Protection Act 1998²¹. The body responsible for maintaining the account is deemed to be the Data Controller as defined by the Act. For instance, Alliance & Leicester is the Data Controller for personal data relating to transactions involving cards it has issued. Similarly, other Horizon / Horizon Online transactions containing an account identifier, or other data capable of identifying an individual, may have a Data Controller who is a Third Party in the context of Horizon / Horizon Online. Security requirements specified by a Data Controller must be contractually specified where they are to be the responsibility of a Domain (see [ REF _Ref205721677 \r \h ], specifying security in contracts). Where Post Office Ltd is not the Data Controller it must ensure it has the authority to delegate Data Processing to a domain. All other Horizon / Horizon Online domains are a Data Processor as defined by the Act and must only process personal data for the purposes specified in the relevant Horizon / Horizon Online contract and associated specifications.
²¹ Data which identifies an individual, even without a name associated with it, may be personal data where it is processed to learn or record something about that individual. For more detailed guidance see the Data Protection Technical Guidance on “Determining what is personal data” published by the Information Commissioner at http://www.ico.gov.uk
Any data associated with an account identifier must be treated as personal data as
defined by the Act. Any person claiming to be the data subject and requesting access to
the personal data must be referred to the organisation responsible for the account as the
body capable of authenticating the request. Any other requests for access to the
personal data, other than by authorised Post Office staff, must be declined unless
supported by a duly authorised legal warrant.
The Data Protection Act also identifies certain personal data as Sensitive Personal Data.
The relevant Data Controller is responsible for identifying such data as Sensitive
Personal Data and must inform those responsible for implementing the Horizon /
Horizon Online system so that appropriate additional security measures can be taken - see §[ REF _Ref199321405 \r \h ] and [ REF _Ref205974982 \r \h ].
Post Office Ltd. has developed a policy which covers the handling of Freedom of Information requests by customers for third party services delivered over the Counter. The Freedom of Information Act does not permit the release of personal data covered by the Data Protection Act.
15.1.5. Prevention of misuse of information processing facilities
The Horizon / Horizon Online facilities are provided strictly for authorised business purposes (see [ REF _Ref199319275 \r \h ]). Any use of these facilities for non-business or other purposes not associated with Horizon / Horizon Online will be regarded as improper use of the facilities. If such activity is identified by monitoring or other means, it must be brought to the attention of the individual manager concerned for appropriate disciplinary action (see §8.2.3). The security incident reporting procedures (see §[ REF _Ref206229086 \r \h ]) must be used where one domain detects misuse by staff of another domain.
15.1.6. Regulation of cryptographic controls
Some countries have implemented agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls. Such control may include:
a) import and/or export of computer hardware and software for performing
cryptographic functions;
b) import and/or export of computer hardware and software which is designed to
have cryptographic functions added to it;
c) mandatory or discretionary methods of access by the countries to information
encrypted by hardware or software to provide confidentiality of content.
Before encrypted information or cryptographic controls are moved to another country,
legal advice should be taken concerning the controls to be implemented.
Legal advice should also be sought to ensure compliance with the Regulation of Investigatory Powers Act 2000. Note that PINs are an authentication mechanism as defined by the Act, and thus the Act does not apply to PINs or the keys used to protect them.
See §[ REF _Ref204172827 \r \h ] for the policy on the collection of evidence.
15.2. Reviews of security policy and technical compliance
15.2.1. Compliance with security policies and standards
The security of information systems must be regularly reviewed. Such reviews must be
performed against the Horizon / Horizon Online security policy and any other
applicable security policies.
15.2.2. Technical compliance checking
Technical platforms and information systems must be audited for compliance with security policy at planned intervals, after any major change²² and after any major security incident:
a) Firewall and router rule sets, especially those protecting the system boundary and the Cardholder Data Environment, must be reviewed at least quarterly.
b) Security controls, limitations, network connections, and restrictions must be tested at least annually to assure compliance with the access control policy (see §[ REF _Ref199319275 \r \h ]).
c) A scan of live data centres and operational support centres must be performed at least quarterly to demonstrate compliance with the policy in §[ REF _Ref199225557 \r \h ] [ REF _Ref199321772 \r \h ] (policy prohibiting the use of wireless technologies). [SEC-3191]
d) Vulnerability scans of any internal IP port which provides access to the Cardholder Environment must be performed at least quarterly. Scans must be routinely scheduled and performed to confirm all ports are configured to support the network access control policy (see §[ REF _Ref199225557 \r \h ]).
e) Vulnerability scans must be performed at least quarterly by a scan vendor qualified by the payment card industry on any IP port which provides access to the Cardholder Environment from the Internet.
f) Penetration tests must be performed routinely to confirm Horizon Online is not susceptible to known hacking exploits. Penetration tests of the Cardholder Environment must be performed at least annually at both network layer and application layer. Tests of other elements of the system can be scheduled based on a risk assessment of the consequences and likelihood of a successful attack. All tests must be performed in accordance with Royal Mail Group Policy S7 - Security Health Check Policy.
g) File integrity checks (see §[ REF _Ref204174088 \r \h ]) must be performed at least weekly.
h) LINK requires an annual statement of compliance with the LINK ATM Scheme Information Security Standard (LASISS). Post Office Ltd must produce and submit the statement. Domains must co-operate with Post Office Ltd in the preparation of the statement as required by the contract with the domain.
²² Including after new system component installations, changes in network topology, firewall rule modifications, product upgrades, etc.
15.3. Information Systems Audit Considerations
Domain suppliers must implement the following ISO / IEC 27001 controls. Domain
suppliers are referred to the corresponding section of ISO/IEC 27002 for guidance on
interpretation.
Post Office Ltd retains the right to review activity records of all Horizon / Horizon
Online domains for any evidence of failure to comply with this policy and associated
procedures.
Audit requirements and activities must be planned to minimise the risk of breaching the
security of Horizon / Horizon Online.
See §[ REF _Ref205722532 \r \h ] for the policy on creating a transaction audit trail.
Access to system audit tools must be safeguarded to prevent any possible misuse or
other breach of security.