FUJITSU SERVICES
Ref: RS/POL/003
Horizon Access Control Policy
Version: 7.0
Commercial In Confidence
Date: 14/04/2005

Document Title: Horizon Access Control Policy
Document Type: Policy
Release:
Abstract: This Access Control Policy (ACP) defines the policy for controlling access to resources in the operational Post Office Account solution.
Document Status: APPROVED
Originator & Dept: Bill Mitchell (CS Security and Risk)
Internal Distribution: Mik Peach, Martin Riddell, Jan Holmes, Alex Robinson (remainder of list illegible)
External Distribution: Warren Welsh, Andrew Gibson, Colin Johnson

Approval Authorities: (See PA/PRO/010 for Approval roles)
Name           Position                             Signature    Date
Dave Baldwin   FS POA Director Customer Services

©Copyright Fujitsu Services Ltd 2005   Commercial In Confidence   Page: 1 of 72
POL00400790
POL-BSFF-0227460
0.0 Document Control
0.1 Document History
Version No.   Date          Reason for Issue                                                          Associated CP/PinICL
0.1, 0.2      28/10/96      Initial drafts for review by security team
0.3           1/11/96       Initial Draft for internal ICL Pathway review
0.5           6/12/96       Response to comments; Addition of new information including ICL
                            Pathway Corporate Services domain, Network Management
0.6           423/97        Further clarifications in many areas including network, Sequent/Solaris
                            access, Post Office outlets
1.0           16/4/97       Terminology changes. Major updates to the Post Office section have been
                            made. Numerous minor changes have been made.
1.1/1.3                     See separate note
2.0           23/2/98       Draft version of 1.3.
2.1, 2.2      Sep/Oct 98    See separate note. Approval responsibility passed to John Dicks
3.0           18/12/98      Minor updates
3.1           May '99       Re-organisation and change to focus on policy, taking out most
                            descriptive text; See separate note for changes and issues.
3.3           Jan 2002      Removal of Benefit Encashment Service and so PAS/CMS, CAPS links, FRM,
                            De La Rue etc and other changes
3.4           May 2002      Various updates/changes to reflect the S10 release state and thus serve
                            as a baseline for NBS updates. Further changes to incorporate new Fujitsu
                            and Post Office references.
3.5           July 2002     Incorporates comments from internal review
4.0           July 2002     Minor updates
4.1           August 2002   Various updates/changes to reflect the BI3 release state.
4.2           August 2002   Incorporates comments from review primarily relating to Section 3.5.2
                            concerning the management of NB related keys. Minor typographical
                            changes.
5.0           Sep 2002      For Approval
5.1           Jul 03        Minor change to review list and table at section 6
6.0           Aug 03        Incorporated changes to correct Role names. "PO key recoverer" changed.
                            Minor typographical changes.
6.1           10/1/05       To incorporate changes up to release S75
7.0           14/04/05      For Approval
0.2 Review Details
Review Comments by: 24th April 2005
Review Comments to: Bill Mitchell

Mandatory Review
FS CS Director                               Dave Baldwin

Optional Review
FS Crypto Dev TDA                            Alex Robinson
FS Quality & Audit Manager                   Jan Holmes
FS CS SSC Manager                            Mik Peach
FS CS Business Services Manager              Richard Brunskill
FS Estate Management & Secure Builds Team    Mark Ascott
FS System Management Architect               Glenn Stephens
FS RASD - Infrastructure                     Nial Finnegan
FS RASD Security TDA                         Stephen Probert
FS CS OBC Service Manager                    Denise Miller

Issued for Information - Please restrict this distribution list to a minimum
Post Office Ltd                              Sue Lowther
0.3 Associated Documents
Reference                   Version   Date   Title                                                        Source
PA/TEM/001                                   Fujitsu Services Document Template                           PVCS
CR/FSP/004                                   Service Architecture Design Document                         PVCS
TD/ARC/001 [TED]                             Technical Environment Description                            PVCS
RS/POL/002 [SECPOL]                          Post Office Account Security Policy                          PVCS
RS/FSP/001 [SFS]                             Security Functional Specification                            PVCS
CS/FSP/003                                   PAS/CMS Help Desk Call Enquiry Matrix                        PVCS
CR/FSP/006                                   Audit Trail Functional Specification                         PVCS
ISO17799                                     A Code of Practice for Information Security Management       PVCS
DITSG/ITSS/0001.04                           DSS IT Security Policy (Departmental IT Security Standards)  PVCS
SRR Appendix 41                              Post Office Counters Information System Security Policy      PVCS
TD/DES/059                                   High Level Network Design for CSR & CSR+                     PVCS
CS/PROM9O [ACUA PPD]                         CSR+ Access Control and User Administration Processes and    PVCS
                                             Procedures
NB/PRO/007                                   NB Manual Key and Password Management                        PVCS
RS/REQ/022                                   Secure Role Definition for Secure NT Build                   PVCS
RS/DES/080                                   NT Domain Structure Design                                   PVCS
RS/DES/081                                   Implementation Guide for NT Platform                         PVCS
                                             SAP Security Operating Standard                              PVCS

Unless a specific version is referred to above, reference should be made to the current approved versions of the documents.
0.4 Abbreviations/Definitions
Abbreviation    Definition
ACP             Access Control Policy
ASD             Architecture and Strategy Development
CAW             Certification Authority Workstation
CESG            Communications-Electronics Security Group
CLI             Calling Line Identification
CS              Post Office Account Customer Services
DBA             Database Administrator
DC              Debit Card
DMZ             De-militarised Zone
DRS             Data Reconciliation Service
DSA             Digital Signature Algorithm
DWP             Department for Work and Pensions
ECCO            Electronic Cash Registers at Counters
EPOSS           Electronic Point Of Sale Service
ESNS            Electronic Stop Notice System
FTMS            File Transfer Management Service
Core Services   Fujitsu Services Core Services
HSH             Horizon Service Helpdesk
HFSO            Horizon Field Support Officer
IT              Information Technology
KEK             Key Encryption Key
KMA             Key Management Application
LAN             Local Area Network
MIS             Management Information Services
MI              Management Information (in Post Office Account CS)
NAO             National Audit Office
NBX             Network Banking Engine
NBS             Network Banking Service
NMS             Network Management Station
NT              New Technology (Microsoft's operating system)
OBC             Outlet Business Change
OBCS            Order Book Control Service
OCMS            Operational Change Management System
POA             Fujitsu Services, Post Office Account
POM             Post Office Manager
RDMC            Reference Data Management Centre
RDT             Reference Data Team
SMC             System Management Centre
SMDB            Service Management database
SNMP            Simple Network Management Protocol
SQL             Structured Query Language
SSC             System Support Centre
TACACS+         Terminal Access Controller Access Control System +
TIP             Transaction Information Processing
TME             Tivoli Management Environment
VME             Virtual Machine Environment
VPN             Virtual Private Network
0.5 Changes in this Version
Version   Changes
7.0       For approval

0.6 Changes Expected
Changes
Comments from reviewers
0.7. Table of Contents
1.0 Introduction

1.1 Purpose
This Access Control Policy (ACP) defines the policy for controlling access to resources in
the Horizon system.
Effective control depends on:
• Understanding the information in the system and what access to it should be permitted, and where it is vulnerable;
• Having a clear definition of the roles and responsibilities of all personnel who need some form of access to the system;
• Setting access policies and controls to provide the required access while countering the threats and vulnerabilities.
1.2 Context
Information Security is based on a number of precepts, the most important of which are defined as confidentiality, integrity and availability. These are broad categories of security controls which can be employed to provide various levels of security to guard against specific or perceived risks which have been jointly identified by Post Office and Fujitsu. This document defines the policies for controlling access to the Post Office Account IT system in compliance with the Post Office Account Security Policy and fits into the structure of documents for Post Office Account security as illustrated in figure 1-1 below:
Figure 1-1 Post Office Account's Security Documents. The figure shows the document hierarchy: the contract-related documents and the POA (Horizon) Security Policy at the top; beneath them the Access Control Policy, the Security Functional Specification and the Technical Environment Description; and beneath those, the other security documents (physical and personnel security, business contingency planning etc.), the operational procedures for people accessing Post Office Account services, and the detailed specifications including configuration information.
BS/ISO IEC 17799, "A Code of Practice for Information Security Management", is primarily concerned with management and operational controls, but also sets out a number of technical security controls. BS/ISO IEC 17799 is used as the basis of Horizon's Security Policy and Procedures to define the controls used throughout Post Office Account.
Fujitsu Services shall operate a quality management system which complies with BS EN ISO 9001:2000 as defined within Schedule 2 of the Post Office Ltd and Fujitsu Services Ltd Agreement.
• The Security Functional Specification (SFS) defines the security functionality that is incorporated into the Horizon system.
• The Technical Environment Description (TED) describes the architecture and technical environment for the Post Office Account solution.
Controlling access to IT resources requires a combination of physical controls and manual procedures as well as technical controls in the IT system. Other documents define the related policies, procedures and processes, for example, for the physical security of information (including the procedures for entering a site and the safeguarding of manual records), as well as procedures for using the system and for handling security incidents. Other documents define how the various Post Office Account components are configured and integrated into the system.
1.3 Effect on other Post Office Account Standards and Procedures
This Access Control Policy defines the policy for controlling both human and non-human access to resources in the operational Horizon system. As explained in section 1.2, other documents give more details of the technical solution and the associated policies and procedures. The effect of the Access Control Policy on these other documents is:
• Configuration documents should define in detail how systems are configured to conform to the ACP, for example, how the roles defined in the ACP are set up to restrict access as required.
• The roles defined in the ACP should be used in other standards and procedures, not just information system controls. For example:
  - where a role requires access to administrative privileges or sensitive data, this should be reflected in the level of vetting required for staff in that role;
  - users in these roles must be formally registered and authorised to take that role by the appropriate authority before being added to the IT system. Records of all persons registered to use the system must be kept, though the way this is done may be role or service dependent.
• Where physical security and/or procedures are required to complement the IT controls to achieve the required level of access control, such procedures need to conform to the ACP.
The Post Office Account Security Manager will satisfy himself that the procedures at the
various Outlets are in compliance with the Post Office Account security policies and
specifications.
1.4 Scope and Document Structure
This Access Control Policy defines how access to information system resources is controlled
in the Post Office Account solution. It covers the Post Office Account Data Centre systems;
Post Office Account managed systems such as interface systems at Post Office Ltd. Outlets
and closely related Post Office Account project-systems. Access may be the result of direct
user action, or automatically initiated activities.
The ACP contains:
• An outline of the services, the roles of the people and the Outlets used in the Post Office Account solution (Section 2);
• The access control policies for the whole of Post Office Account, covering policies for authentication, information access within systems, system set-up and network access etc (Section 3);
• Specific access controls for human users - where the policies in Section 3 are specialised for particular user roles or there are exceptions to the general policies (Section 4);
• Specific access controls for particular systems - specialisation and exceptions to the policies in Section 3 (Section 5);
• A complete list of Post Office Account human roles and an overview of the IT access permitted to each of these (Section 6).
This document specifies access control policies, not the detailed procedures for configuring and operating these systems.
Separate internal Post Office Account documents also cover system development and test systems and other activities prior to the handing over of the software for operational use.
1.5 Access Control Policy Review
This document will be formally reviewed at least annually. It will also be reviewed, where relevant, after a significant security incident, as part of an update following enhancements or new services being introduced, or as part of a more general security policy review, and updated as and when necessary.
Responsibilities for the approval, review and issue of this document will conform to the review procedure for Post Office Account policy and standards defined in the Post Office Account Security Policy.
2.0 Outline of Services, Roles and Outlets
The Horizon system can be described from different views as follows:
• The operational systems and their business users.
• The business management users of the system, including security and auditing.
• Outlet Business Change used during the introduction of new Post Office outlets.
• System & operational management and support.
This Section gives an outline of the people and systems involved as a context for the policies and roles described later. It is not intended as a complete description of the system - for that, see [TED].
2.1 Operational Services and their Main Users
The operational systems and their main business users and Outlets are shown in the
following diagram.
Figure 2-1 Main Operational Systems. The figure shows: POL and POL Client Sites (POL transaction and reference data, the DWP ESNS system, POL clients using E-Top-Up, NBX and automated debit card payments); the Data Centres (host applications, e.g. TPMS, ODBC, ROMS, mainly on Solaris systems; agent and correspondence servers (Riposte) on Microsoft platforms; NB authorisation agents; related services, e.g. key management); the public network; and the Post Offices (counter infrastructure (Riposte) and Post Office applications, e.g. EPOSS, APS, NBS/NBX, used by the Post Office Clerk and Customer).
2.1.1 Services, Systems and Interactions
Information is sent from Post Office Ltd. (reference data) and Post Office Ltd. clients (APS information) to the Post Office Account Data Centres. Most of this data is also forwarded to relevant Post Office outlets for use by applications there. Transactions at the Post Office outlets are recorded at the correspondence servers and forwarded to Post Office Ltd. and/or other Post Office Ltd. clients as relevant. NBS on-line transaction data is exchanged with the NBX via dedicated NB Authorisation Agents over an encrypted link.
At the Data Centres the main applications are on Solaris systems, but the agents and correspondence servers which handle distribution of information to and from the Post Office outlets are on Microsoft servers, as are most of the supporting systems such as the key management systems. Post Office systems are also Microsoft platforms.
Apart from at the Post Office outlets, all activities are automated in normal circumstances, so there are no business users.
2.1.2 Roles
At the Post Office counters, operational roles are the Post Office Manager, Supervisor and
Counter Clerk. There are equivalent roles in franchises and Sub Post Office outlets i.e. Sub
Postmasters and their staff.
2.2 Business/Corporate Management
Post Office Account corporate management users and the systems they use are shown in the
following diagram:
Figure 2.2 Corporate Management. The figure shows: Post Office Ltd (including RMG data); the Data Centres with the operational services, MIS services and security and audit services; Corporate & Financial Management; the Key Manager; POA Security & Auditing; development and support; Customer Services (e.g. MSU, RDT etc.); external auditors reached via the public network; and Post Office Ltd auditors and emergency managers.
2.2.1 Services and Systems
Corporate management services provide analysis and reporting of management information
on Post Office Account’s operation of the Horizon system. Systems include:
• A Data warehouse (Sequent system) which takes input from many Post Office Account (rest of entry illegible)
• Related MIS systems, including a financial system at a separate site.
The Data warehouse/MIS systems at the Data Centre support a number of services including Contract Management, Reconciliation and Accounting and Asset Management.
CS Management Service users access aggregated information via the SMDB, which is placed in a DMZ formed by the use of two separate firewalls. Authentication to the Webserver on the SMDB is by username and password.
There are also Security Specific Services including an Authentication Service for security
token users and key management services. Keys are installed at the Data Centre and also at
interface PC’s at other sites.
2.2.2 Roles
The main roles are:
• A range of Post Office Account corporate management roles e.g. financial management, contract management and associated support roles.
• A number of Post Office Account customer service roles such as Management Support, which assist business operations such as financial reconciliation of payments, and Reference Data roles for maintaining reference data.
• Post Office Account Security Management, which manages security tokens for Post Office Account users. This includes the Post Office Account Cryptographic Key Manager, who is responsible for generating and distributing all cryptographic keys used in Post Office Account to protect communications links, digitally sign information and encrypt filestores within Post Office Account and at Post Office Outlets. The Key Manager will delegate some responsibility for installing and updating keys to Post Office Account Cryptographic Key Custodians and Cryptographic Key Handlers.
• Post Office Account Prosecution Support, which provides system data and associated information in support of investigations and litigation activities undertaken by or on behalf of Post Office Ltd.
• Post Office Account Auditors: both a Business Function Auditor responsible for general auditing of the Horizon system (focusing on business, rather than security, auditing) and a Security Event Auditor responsible for auditing all use of the Horizon systems. Both types of auditor access information on the Horizon system.
• Post Office Ltd. Auditors, Investigators and Emergency Managers who can access services at Post Office outlets.
Post Office Ltd. and NAO Auditors also have indirect access to audit information at the Data Centres. This is via Post Office Account Auditors, rather than direct access to the Horizon system.
2.3 Outlet Business Change
The main people and systems involved in implementation of new Post Office outlets or their
closure/suspension are shown in the following diagram:
Figure 2.3 Outlet Business Change - Services and People. The figure shows: the Help Desk; the Data Centres (the OCMS database, the Management Centre, the auto-configuration system and related systems: signing server, software depot, boot server and KMS); the OBC staff (centre based staff); generic software; the network; OBC suppliers; the installation engineer; the staff setting up and verifying terminals; the PO Manager; and migration.
2.3.1 Services and Systems
The OCMS database contains information about Post Office outlets where Horizon is to be
implemented or withdrawn, for example, Post Office details, the state of the site etc.
Configuration information comes mainly from the auto-configuration system and is used in
the initial set-up or in respect of decommissioning activities of Post Office outlets, updating
the generic set-up of the counter systems as delivered. The auto-configuration process is
very largely automated.
2.3.2 Roles
The main roles here are:
• The Help Desk;
• Outlet Business Change Team;
• The staff responsible for auto-configuration, who may need to amend information in certain circumstances.
In addition, there are Outlet Business Change suppliers who are responsible for site surveys,
installation etc (who use bulk transfer, not interactive access to the OCMS database) and the
people who set-up and verify the counter terminals in the factory.
2.4 System & Operational Management and Support
The main people and systems are shown in the following diagram:
Figure 2.4 System Management & Support. The figure shows: operational management; the POA project sites; configuration management; firewall management; other support; application support (with technical queries); and the Post Offices.
2.4.1 Services and Interactions
System and operational management and support users manage and support Post Office
outlets, systems at the Data Centre (including routers and firewalls) and Post Office Account
managed systems such as the interface PCs at Post Office Ltd.
The help desk handles all technical calls from Post Office Ltd. and other Post Office Account users, including those from the Post Office requiring key and password recovery services.
Post Office Account project sites include a Configuration Management system that enables
software to be distributed to the Horizon systems, including Post Office outlets. There are
also test rigs used by application support staff for detecting and fixing bugs.
The technical help desk and system/operational management and support staff also use
internal Post Office Account/Fujitsu Services support tools such as the Powerhelp and
Problem Management systems for recording, progressing and monitoring calls to the help
desk.
Note that many of the system and operational management and support staff are remote
from the systems being managed.
2.4.2 Roles
The main roles are as follows:
• Operational Management (sometimes called System Administration): keeping the system running where this is not carried out by system management. Operational management is normally split into sub-roles, including:
  - System set-up and installation: setting up the base and application software on the system and configuring it for live running, including roles.
  - Software update, where this is not automated via system management.
  - Security/User administration: administering user security information such as their authentication information, the roles they can perform and the groups to which they belong.
  - Database (e.g. Oracle) or Package (e.g. Riposte) administration.
  - Computer operator: on most systems, this is a minimal role - switching on machines, loading media and similar operations.
  - Other system administration functions.
  Note that some package administration is done by people supporting the application users, e.g. Discoverer and Business Objects are administered by corporate management support staff.
• System Management: monitoring events and resources in the operational system and taking appropriate action to rectify problems. Also, distributing software (complete new packages or patches), where this is automated, for example, at the Post Office outlets. Sub-roles for system management separate specific roles and also separate administration of users and the Tivoli system itself.
• Network Management: managing the network, including routers and firewalls, which connect machines and Outlets.
• Application support: 2nd, 3rd and 4th line.
• Other hardware and system support.
• Horizon System and other technical help desks and supporting staff.
• Engineers.
2.5 Post Office Account Sites and Interactions
The main Horizon services run at the secure Post Office Account Data Centres. This
includes primary operational systems, most corporate management systems, some Outlet
Business Change and system & network management systems as outlined in previous
sections.
The main operational and management services can be run at either site, if needed, though
there is a prime site for each. Figure 2-5 shows the sites with electronic links to the Post
Office Account Data Centres.
Figure 2.5 Post Office Account Data Centres and linked Outlets. The figure shows the Data Centres (operational, MIS and other systems) with links to: the POA project secure sites; the POA corporate management, system management and support sites; the implementation sites; the Post Offices; and the Post Office Ltd and client sites.
All links to the Data Centres are protected by routers, firewalls and DMZs, cryptographic
boxes or VPN (or a combination of these) depending on the requirements protecting each
type of link and the data that travels over it. Routers and firewalls are also used to separate
Data Centre systems in some cases.
Where Post Office Account communicates with other organisations' sites (such as Post Office Ltd.), Post Office Account will manage the interface PC/router at that site to provide a gateway between Post Office Account and that organisation's systems; however, this differs in a number of cases for services such as NBX for LINK and CAPO, Streamline and
The main Post Office Account project sites that have access to the Data Centre systems have
secure LANs for that access with an encrypted link to the Data Centre. Where people at
these sites access other systems, including other sites, there are separate networks. At some
Post Office Account project sites there are more complex networks which permit limited
traffic to/from other controlled systems (e.g. for software distribution from the
Configuration Management systems and for downloading of data to test rigs for
investigating faults). In these cases, firewalls are used at the project sites to control this
traffic.
There are a number of other support and Outlet Business Change sites with different types
of access. These are subject to different access control policies as appropriate for the site.
3.0 Overall Access Control Policies
This Section identifies the overall access control policies and associated procedures and controls that apply across the Horizon solution. It outlines the general policies that apply across systems and identifies where variants and exceptions are permitted. In these cases, the exceptions are defined in the appropriate sub-section of Sections 4 and 5 below. No other variants are permitted.
3.1 Introduction
The objectives in the Post Office Account Security Policy give the requirements for
confidentiality and integrity of data, whether in storage or in transit, and integrity of the
services and software components. The ACP defines the policies for controlling access in
line with these objectives.
Post Office Account Human Roles
Human access to the Post Office Account information systems is specified in terms of roles.
People in specified roles are permitted to carry out defined functions and access specified
data. This is normally monitored by controls within the information systems, though in some
cases, manual procedures are used to supplement these.
Post Office Account controls the roles people are allowed to perform, and which functions
they are allowed to carry out. Users are individually identified so that they can be made
accountable for their actions.
Where practical, the same or similar roles are defined for several systems to reduce
complexity and make it easier to check compliance with the overall security policy.
The Access Control Policy includes all roles for users who have direct access to the Horizon
operational systems and the related systems at the Data Centres. In addition, this document
includes a limited number of user roles that enable others to use the system on their behalf
(e.g. in response to a phone call).
Roles are normally associated with major functions. Defining separate roles allows different
functions to be allocated to different individuals. However, the actual allocation of roles to
individuals is done by administrative action. Some users may be permitted to carry out more
than one major function, so are permitted to take more than one “role”. This is not
permitted in cases where security may be undermined.
Types of Information and its Use
Information in the Horizon system that requires protection from unauthorised access
includes:
• The business data exchanged with Post Office Ltd. and its clients (e.g. reference data to
support EPOSS and transaction data resulting from Post Office counter activities.)
Business data is transferred between Post Office Ltd., Post Office Ltd. Clients and the
Post Office Account Data Centres and between the Data Centres and the Post Office
outlets. It is stored at the main operation systems and also in archives. Some data is also
available for management services at the Data Warehouse and accessed via the SMDB.
• Post Office Account business management data - financials, service level agreements
etc. Confidentiality and integrity requirements exist for much of this data. The
Management Information System collects this data from the operational systems. This is
then forwarded as appropriate to Post Office Account sites, Post Office Ltd. and their
Clients.
• Other data supporting the business processes such as training data (special, non-sensitive,
business style data used in training sessions) and on-line documentation (e.g.
Post Office procedures.)
• Operational systems data such as the software, configuration information, Tivoli scripts,
system management event logs etc. This information is held mainly at the Data Centre
and accessed remotely from system management and support sites.
• Security information about users, keys, security audit logs etc.
Most processing of the business information, except at the Post Office Outlet, is automated
and therefore not subject to human access. Most processing of system data is also
automated.
All information is protected in compliance with the Security Functional Specification and
Post Office Account Security Policy.
3.2 General Principles
The following general principles should be followed in controlling access to the Horizon
systems.
3.2.1.1 The principle of “least privilege” must apply to restrict the access rights of users. (This
may be applied through a mixture of technical and procedural controls.)
3.2.1.2 Duties of different users should be separated to minimise the damage that any one user
can do to the system or the information it contains.
3.2.1.3 If a role at a particular location is allocated to a single person there should generally be
at least one other person who can deputise for that person. (At small Post Office outlets
where no deputy is available, and the Post Office Manager is unavailable, the Post
Office Outlet will not open until emergency procedures have been invoked.)
3.2.1.4 Where possible, Post Office Account operations are automated to reduce the need for
human intervention and the potential accidental and malicious security breaches that
could result from human activity. E.g. applications should be designed to reduce the
dependence on human interaction and jobs should be scheduled automatically in
response to the receipt of files or at a particular time.
3.2.1.5 Similarly, where practical, system management tasks should be automated. This
includes taking remedial action where the results of monitoring the system show this is
needed. Only where action cannot be taken automatically, or human verification of an
action is needed, should human intervention be required.
Note: This document covers access by system entities as well as human users, but does
not define roles for them.
3.3 Human Access
This section contains the policies for how human access to the Horizon systems is
controlled. It is divided into sub-sections for policies on:
• Authentication to prove the user's identity to the IT system, and hence the user's right to
take on a particular role and access particular resources.
• User registration/administration to establish and maintain the user's identity and
security attributes (i.e. role, password, etc).
• Authentication of visitors.
• Authentication by telephone.
• Control of human access to resources (see also 3.5).
3.3.1 Authentication to IT Systems
3.3.1.1 All users must be authenticated to IT systems. This authentication must identify them as
individuals. (The few permitted exceptions to this policy are in Section 4).
3.3.1.2 People accessing Horizon systems are required to identify themselves using hand held
tokens if:
• They are at sites remote from the Data Centre and can update operational or MIS
systems (for example, to perform systems management actions).
• They can access Post Office Ltd. business data (except at Post Office outlets).
• They are authorised to update system data that can affect the running of the Horizon
systems. This includes roles that have UNIX root privilege, NT users belonging to
the administrators' group and database administrators.
3.3.1.3 Where such tokens are used for authentication, the associated PIN must be at least 6
characters long.
3.3.1.4 Each user must have an individually allocated token except in emergencies, e.g. when a
token is lost. In such cases, specific authentication will be agreed.
3.3.1.5 Where a user needs to authenticate to multiple systems/domains in one session, the first
authentication (normally to the local workstation) should be with a token.
3.3.1.6 If a user who authenticates with a token to one system/domain needs to perform an
additional authentication to another system/domain, the second authentication should
also be a token based one, using the same token. Agreed exceptions to this must be
documented.
3.3.1.7 Where passwords are used for authentication, the user should be forced to change the
initial password before any other access to the system is permitted.
3.3.1.8 Passwords must expire in 30 days unless otherwise stated (in the section on the
appropriate domain).
3.3.1.9 Re-use of the same password is not permitted for either a specified time or until at least
3-12 other passwords have been used.
3.3.1.10 Passwords must be a minimum of 6 characters long and be alphanumeric (i.e. a mix of
letters and numbers). There cannot be more than two consecutive identical characters.
The password cannot be the same as the username.
Note: The minimum password length recommended by industry best practice is 9 characters and
should consist of upper case letters, lower case letters, numbers and symbols. All new systems
should conform to this recommendation; however, it is recognised that some legacy systems will
only be able to meet the requirements at 3.3.1.10 above.
3.3.1.11 After 3 consecutive unsuccessful attempts to log on, the user should be
locked out unless otherwise stated.
3.3.1.12 Users are authenticated with their individual usernames on first access to the system. A
change to use another username will only be permitted to certain authorised operational
management roles in exceptional circumstances as specified in this document.
Any change to use another username must be controlled and audited in a way that is
always recorded.
3.3.1.13 In limited circumstances an operational management role may need full
system administrator access. In these cases, where possible, the user should be given
limited privileges on log-on with additional privileges being subject to further
authorisation. In particular, no user will be allowed to log onto UNIX with root access
(though some may be permitted a controlled change to root access later).
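The password rules in 3.3.1.7 to 3.3.1.11 translate directly into an enforcement routine. The Python below is an added example, not part of the original policy and not Fujitsu's code: it encodes the 30-day expiry, the lockout after 3 consecutive failures, the 6-character alphanumeric rule with no run of three identical characters, the username check and the re-use check, with the 9-character mixed-class profile from the note as an opt-in. The history depth of 12 (the upper end of the "3-12" range), the symbol set and the `EXAMPLE_DAY` clock are assumptions made for the example.

```python
"""Password checks following ACP 3.3.1.7 to 3.3.1.11 (added example, not Fujitsu's code).
From the text: 30-day expiry (3.3.1.8), lockout after 3 failures (3.3.1.11), 6-character
alphanumeric minimum with no run of three identical characters and not equal to the username
(3.3.1.10), plus the 9-character mixed-class profile from the note under 3.3.1.10.
HISTORY_DEPTH = 12 (upper end of "3-12" in 3.3.1.9), SYMBOLS and EXAMPLE_DAY are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

PASSWORD_MAX_AGE_DAYS = 30
LOCKOUT_ATTEMPTS = 3
HISTORY_DEPTH = 12
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
EXAMPLE_DAY = date(2005, 4, 14)  # the policy's issue date, used as a fixed clock for examples


def password_problems(password: str, username: str, recommended: bool = False) -> List[str]:
    """Return the composition rules a candidate breaks (empty list = acceptable)."""
    problems = []
    minimum = 9 if recommended else 6
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("not alphanumeric (needs both letters and numbers)")
    if recommended:
        if not any(c.isupper() for c in password):
            problems.append("no upper case letter")
        if not any(c.islower() for c in password):
            problems.append("no lower case letter")
        if not any(c in SYMBOLS for c in password):
            problems.append("no symbol")
    # "no more than two consecutive identical characters": a run of three breaks the rule
    if any(password[i] == password[i + 1] == password[i + 2] for i in range(len(password) - 2)):
        problems.append("three or more consecutive identical characters")
    if password.lower() == username.lower():
        problems.append("same as the username")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # 3.5.1.6: never store the password itself; keep a salted, slow hash
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    changed_on: Optional[date] = None
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = True


def set_password(acct: Account, new_password: str, today: date,
                 recommended: bool = False, initial: bool = False) -> List[str]:
    """Apply the composition and re-use rules; on success store a salted hash and reset the clock."""
    problems = password_problems(new_password, acct.username, recommended)
    if any(_digest(new_password, salt) == digest for salt, digest in acct.history):
        problems.append(f"re-used within the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    salt = secrets.token_bytes(16)
    acct.history.insert(0, (salt, _digest(new_password, salt)))
    del acct.history[HISTORY_DEPTH:]
    acct.changed_on = today
    acct.must_change = initial  # 3.3.1.7: an initial (administrator-set) password must be changed first
    return []


def password_expired(acct: Account, today: date) -> bool:
    return acct.changed_on is None or today - acct.changed_on > timedelta(days=PASSWORD_MAX_AGE_DAYS)


def attempt_login(acct: Account, password: str, today: date) -> str:
    """Outcome of one log-on attempt: 'locked', 'denied', 'must_change', 'expired' or 'ok'."""
    if acct.locked:
        return "locked"
    if not acct.history:
        return "denied"
    salt, digest = acct.history[0]
    if _digest(password, salt) != digest:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"
    acct.failed_attempts = 0  # only consecutive failures count towards the lockout
    if acct.must_change:
        return "must_change"
    if password_expired(acct, today):
        return "expired"
    return "ok"
```

Old passwords are kept only as salted PBKDF2 hashes, so the re-use check can be made without holding any password in clear (3.5.1.6), and a successful log-on resets the failure counter because the policy counts consecutive failures.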
3.3.2 User Registration and Administration
3.3.2.1 People must be identified to Post Office Account information systems as individuals.
Users with direct access to the system should be registered as follows:
• If accessing the system via a package such as Oracle or Tivoli, they are registered
with that package.
• Users who require direct access to the operating system are registered with that
operating system (at the local system or Microsoft domain).
• Users requiring token authentication are also registered with the appropriate
authentication service.
Note: The only exceptions allowed to this rule are the specific cases identified in later sections of
this document. In these limited exceptional cases, the user (e.g. an engineer) is identified as an
individual using manual means prior to using the system in a way specially set up for this, and
where the use of the system is suitably monitored.
3.3.3 Authentication of Visitors to Post Office outlets and Post Office Account
Sites
3.3.3.1 All visitors to Post Office Account sites who need access to operational systems must
have a company identity card, which includes their photograph and pass number. For all
such visits, the pass number of the visitor must be notified in advance to the relevant
manager; access will not be permitted if this has not been done.
3.3.3.2 Post Office Ltd. Auditors may visit Post Office outlets and other Outlets without prior
notice to the Post Office Manager.
3.3.3.3 Post Office Account visitors to Post Office Outlets must be subject to Post Office
Account vetting procedures and approval by Post Office Ltd.
3.3.3.4 Other visitors to Post Office Outlets are also subject to agreed vetting procedures.
3.3.4 Telephone Authentication at Help Desks
The Help Desks receive calls from Customers, Post Office Ltd. staff at Post Office outlets
and other people such as Post Office Account staff. The following categories of call have
different authentication requirements:
• Category 1: Calls where the source of the call would not affect the action taken. For
example, the call is just a query of generally available information.
• Category 2: Where the result of the call is to cause an action which has only limited
consequences, e.g. to report a problem in the Post Office Outlet (which could result in an
engineer call).
• Category 3: Where the consequences of misidentifying the caller can be serious and
the telephone authentication is the only authentication of the caller. For example, the
wrong person may be allowed access to sensitive information, and/or be able to disrupt
the service.
• Category 4: Where the consequences of the call could potentially be serious, but
authentication of the user on the phone is only part of the process needed to complete an
action. For example, a Post Office Manager has lost the PIN associated with the card
used to boot the system, but will still also require a password to use the system.
3.3.4.1 For category 1 calls, no authentication is needed.
3.3.4.2 For category 2 calls made, for example, by Post Office Ltd. staff, at least the location of
the caller should be verified, for example, the particular Post Office outlet, or Post
Office Ltd. regional centre. This location must be one already known to the Help Desk
for which suitable verification information is available.
3.3.4.3 For category 3 calls, the caller must be identified individually. (If the person concerned
is not known individually to the Help Desk, the call must be routed via a known centre
for verification. For example, calls from Post Office staff at the Outlet could be routed
via a Post Office Ltd. regional centre whose staff authenticate to the Post Office Account
Help Desk.)
3.3.4.4 For category 4 calls, the authentication process should at least verify the location of the
call to one known and acceptable for this type of call.
3.3.4.5 Help Desks must maintain the information required to authenticate the callers and their
Outlets/offices as required for the type of call.
3.3.4.6 If the call needs to be passed on to another internal Post Office Account help desk, the
call should be forwarded only after the initial authentication has been carried out.
3.3.4.7 There are several different types of calls in each category. The authentication process for
each call type must conform to these policies.
Details of the information used for different types of call must conform to these policies and
be given in the appropriate Help Desk procedures.
3.3.5 Control of Human Access to Resources
Control of access to resources is achieved partly by workstation set-up and partly by
administration of the resource, e.g. in the form of an access control list. Details of the way
the access controls are implemented in information systems depend on the product used.
They are not defined in this policy document.
3.3.5.1 All human users with access to Post Office Account Data Centre or Post Office Account
managed systems on other sites must do so using controlled workstations as defined in
3.6.1.
3.3.5.2 Access controls associated with resources should define the “role” of the user, not the
individual user's identity (unless there is an agreed need for individual access). The role
may be represented by a group identity, for example, in products such as Riposte, UNIX,
Windows NT and Windows 2000, which support groups, not roles directly.
3.3.5.3 Access controls associated with resources should provide access to the resources as in
the role definitions in Section 6.
3.4 Non Human Users
Much of the operational Horizon system is automated. Some users are therefore system
based, not human users, so there are usernames and passwords for both types of users. In
general, system users should be subject to the controls specified above (e.g. for password
protection). This is because these usernames generally cannot be confined only to human
users and therefore they can potentially permit access to usernames intended for system
users. However, some differences are permitted.
3.4.1.1 The username and password used to automate the login may be held in clear if it is only
accessible to authorised operational management staff for that system and the potential
damage from misuse of that username is minimised.
3.4.1.2 The password may expire less frequently than the 30 days for human users where
suitably obscure passwords are used, e.g. strong passwords consisting of upper case,
lower case characters, numbers and symbols, and the risk of external access to such
accounts is very low.
3.5 Information and Resource Access
This Policy is concerned with protecting information contained in, and transmitted between,
all Horizon systems. This includes the Data Centres, Post Office Account managed systems
(such as interface systems at Post Office Ltd. and other Outlets), and the systems used to
access Data Centre and managed systems. Information requiring protection includes that
generated during fault investigations/correction and that retained for auditing and fraud
investigation.
3.5.1.1 Human access to sensitive information should be restricted to those whose role
authorises them to see it.
3.5.1.2 Information in transit between systems should be encrypted for confidentiality and/or
integrity according to the needs of the particular link as defined in the Security
Functional Specification [SFS].
3.5.1.3 Digital signatures should be used for integrity of business information between the Post
Office Outlets and other services where required. E.g. for signing automated payments at
the Post Office Outlet prior to transmission via Post Office Account to Post Office Ltd.
or Post Office Ltd. Clients. Some Clients may specify other protection such as
encryption.
3.5.1.4 System data should also be integrity protected when required. E.g. digital signatures
protect software distributed to the Post Office outlets and elsewhere.
3.5.1.5 Business information in filestore at the Post Office PCs should be encrypted.
3.5.1.6 Passwords should be stored in encrypted format and held separately from application
data and executable code, except for the specific cases listed in Non Human Users
above.
3.5.1.7 Horizon systems should prevent interference between human user roles, between
applications and between human users and automated applications.
3.5.1.8 Information should be appropriately separated in filestore, database tables etc. Each data
set should be accessible only to those with a need for that access.
3.5.1.9 Different applications should run in their own user names or that of the user that calls
them (or at the Post Office Outlet, in the Riposte username impersonating the user).
3.5.1.10 Access to shared resources such as filestore should be controlled by:
• Access to that filestore being restricted to a specific product which is available only
to authorised users, or
• Access to those resources being restricted to users in specified roles. (Group IDs may
be used to represent roles. Access control lists using these will ensure that only
authorised people can access the resource).
3.5.1.11 Information in relational databases should be accessible only via authorised client
“applications” (such as Oracle Forms, Discoverer, Business Objects, Tivoli database
interfaces) except where there is a proven need for lower level access. Lower level
access will only be granted for agreed operational management and support functions.
3.5.1.12 System Management actions by Tivoli should be activated using pre-defined Tivoli tasks
authorised for use by SMC and the Post Office Account configuration management and
software distribution process. This includes collection of diagnostic information from
the Post Office Outlet for application support.
3.5.1.13 Packages (such as Oracle and Tivoli) and applications above the operating system must
also conform to the Access Control Policy. For example, Oracle should restrict users to
the authorised tables and views. Also, access to the package's resources should use role
based access controls.
3.5.1.14 For client-server applications (such as Oracle Forms ones), audit records should be
generated at the server so audit logs do not rely on input from workstations.
3.5.1.15 Security audit logs must be protected from everyone except those permitted to take
specified Security Event Auditor roles. Unless otherwise specified for a particular
domain (such as the Post Office outlets), the security-auditing role is separate from other
roles at that domain.
3.5.1.16 All systems, except Post Office counter systems, must provide read access to audit trails
by authorised security auditors.
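3.3.5.2 and 3.5.1.10 call for access control lists that name roles (group identities) rather than individuals, 3.5.1.14 for audit records generated at the server rather than trusted from the workstation, and 3.5.1.15 for a security-auditing role kept separate from the other roles in a domain. The Python below is an added example of those three rules working together; it is not Fujitsu's code and not the ACP's role model, and the role names are constructed stand-ins for the Section 6 definitions.

```python
"""Role-based resource access per ACP 3.3.5.2, 3.5.1.10, 3.5.1.14 and 3.5.1.15.
Added example, not Fujitsu's code. Role names are constructed stand-ins for Section 6.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role names (assumptions, not the real Section 6 roles)
ROLE_OPERATOR = "ops_operator"
ROLE_DBA = "dba"
ROLE_APP_SUPPORT = "app_support"
ROLE_SEC_AUDITOR = "security_event_auditor"
KNOWN_ROLES = {ROLE_OPERATOR, ROLE_DBA, ROLE_APP_SUPPORT, ROLE_SEC_AUDITOR}

# 3.5.1.15: the security-auditing role is separate from every other role in the domain
INCOMPATIBLE_PAIRS = {frozenset({ROLE_SEC_AUDITOR, r}) for r in KNOWN_ROLES - {ROLE_SEC_AUDITOR}}


@dataclass
class Resource:
    name: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # role (group id) -> permissions


def acl_problems(resource: Resource, known_roles: Set[str] = KNOWN_ROLES) -> List[str]:
    """3.3.5.2: ACL entries must be roles, not individual identities.
    Returns the entries that are not known roles, for the administrator to fix."""
    return [entry for entry in resource.acl if entry not in known_roles]


class AccessControl:
    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}                 # username -> roles held
        self.audit: List[Tuple[str, str, str, bool]] = []    # server-side records (3.5.1.14)

    def assign_role(self, user: str, role: str) -> bool:
        """Grant a role unless it is unknown or conflicts with one the user already holds."""
        if role not in KNOWN_ROLES:
            return False
        held = self.roles.setdefault(user, set())
        if any(frozenset({role, other}) in INCOMPATIBLE_PAIRS for other in held):
            return False
        held.add(role)
        return True

    def check(self, user: str, resource: Resource, permission: str) -> bool:
        """Decide from role membership only and record every decision at the server."""
        held = self.roles.get(user, set())
        allowed = any(permission in resource.acl.get(role, set()) for role in held)
        self.audit.append((user, resource.name, permission, allowed))
        return allowed
```

Because `check` consults only the roles a user holds, adding or removing a person never requires touching a resource's ACL, which is what makes compliance with the role definitions straightforward to verify; `acl_problems` flags any ACL that has drifted back to naming individuals.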
3.5.2 Key Management
Cryptography is used widely in Post Office Account as described in the Security Functional
Specification [SFS] for:
• Protecting information on links for confidentiality, integrity and origin authentication in
line with the requirements for that link.
• End-to-end integrity and data origin authentication, potentially over multiple links using
digital signatures.
• Filestore encryption at the Post Office Outlet.
• Protecting keys associated with the operation of PINPads and with the keys
that protect customer PINs.
The following general policies apply for protection of keys.
3.5.2.1 CESG approved keys must be protected in line with CESG requirements.
3.5.2.2 Key material (symmetric keys, DSA private keys and DSA entropy) should be held in
clear only when in physically secure environments.
3.5.2.3 Public keys (except for the CA's public key) should be held in certificates signed by the
Certification Authority.
3.5.2.4 Symmetric keys should only be stored where necessary, and be held securely.
3.5.2.5 Keys (or part keys) held in filestore must be in a separate filestore accessible only to
authorised key custodians via authorised applications.
3.5.2.6 Keys used for protecting data should not be resident in filestore in clear.
3.5.2.7 Keys should be changed periodically according to CESG policy or, where commercial
algorithms are employed, in accordance with industry recognised timescales. Different
periods may apply to Symmetric Keys used for encrypting data, Key Encryption Keys
(KEKs) used to encrypt other keys and Certification Authority keys.
3.5.2.8 New KEKs should not be distributed solely under the protection of existing KEKs.
3.5.2.9 Key material in transit electronically must be encrypted (except for CHAP keys between
the routers within the Post Office Account Data Centre LAN).
3.5.2.10 Cryptographic keys and Key Encryption Keys are either installed locally at the machine
where they are to be used, or are distributed electronically using an approved protocol
which protects these keys in transit.
3.5.2.11 Where a key is delivered in two parts (e.g. a red key and a black key), the parts should
be delivered by different routes.
3.5.2.12 The key (or part key) to be handled manually must be held in a locked safe when not in
use. Access to this must be authorised and recorded in conformance with Post Office
Account procedures.
3.5.2.13 The creation, handling, transmission and storage of keys must be undertaken in
accordance with ISO9564. Key generation must be undertaken on standalone
workstations or other hardware units within a physically secure environment.
In addition, the following policies also apply to the management of the NBS related keys:
3.5.2.14 Key generation and management must comply with ISO11568 Parts 1 to 3.
3.5.2.15 All keys that may directly or indirectly reveal a plain text PIN must be generated,
handled, transcribed and stored in a way which ensures that no one individual has access
to all key parts.
3.5.2.16 PINs and any cryptographic key that may directly or indirectly reveal them must never
appear in plain text outside a tamper detecting hardware security device complying with
the relevant section of ISO9564. Modules handling PINs or keys associated with
multiple PINPads should conform to FIPS 140-1 level 3.
3.5.2.17 Devices used to generate keys associated with PIN encryption and PINPad loading must
be physically secure and conform to agreed standards.
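3.5.2.11, 3.5.2.12 and 3.5.2.15 describe a key delivered as separate components, held by different people, carried by different routes and recombined only at the point of use so that no one individual ever has the whole key. The Python below is an added example of that split-knowledge pattern using XOR components and a check value; it is not Fujitsu's code and does not describe the actual Horizon key ceremony. The custodian and route names are constructed, and the HMAC-based check value is a stand-in for whatever check value the real procedure uses.

```python
"""Split-knowledge handling of a manually delivered key (ACP 3.5.2.11, 3.5.2.12, 3.5.2.15).
Added example, not Fujitsu's code. Holder/route names and the HMAC check value are
constructed stand-ins; the real ceremony's check value and roles are not on the page.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_parts: int = 2) -> List[bytes]:
    """Return n_parts components whose XOR is the key.
    Every component but one is uniformly random, so any n_parts-1 of them reveal nothing."""
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n_parts - 1)]
    last = key
    for part in parts:
        last = _xor(last, part)
    return parts + [last]


def combine_parts(parts: List[bytes]) -> bytes:
    result = bytes(len(parts[0]))
    for part in parts:
        result = _xor(result, part)
    return result


def key_check_value(key: bytes) -> str:
    """Constructed KCV: confirms the recombined key is right without exposing it."""
    return hmac.new(key, bytes(16), hashlib.sha256).hexdigest()[:6]


@dataclass(frozen=True)
class Component:
    holder: str   # custodian carrying this part (3.5.2.15: no one holds all parts)
    route: str    # delivery route (3.5.2.11: parts travel by different routes)
    value: bytes


def load_key(components: List[Component], expected_kcv: str) -> bytes:
    """Recombine the key at the loading ceremony, refusing if the separation rules are broken."""
    holders = [c.holder for c in components]
    if len(set(holders)) != len(holders):
        raise PermissionError("one individual holds more than one component")
    routes = [c.route for c in components]
    if len(set(routes)) != len(routes):
        raise ValueError("two components were delivered by the same route")
    key = combine_parts([c.value for c in components])
    if key_check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: a component is wrong or corrupted")
    return key
```

The check value is what each custodian records alongside their own component so that a mistyped or swapped part is caught at load time; the recombined key itself should exist only inside the secure device performing the load, which is the point of 3.5.2.16.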
3.6 System Set-up Policies
3.6.1 Workstation Set-up Policies
3.6.1.1 Users with interactive access to Horizon systems should use “controlled NT
workstations” as defined in the following policies in this section. All exceptions to
the “Implementation Guide for NT Platforms” policy must be authorised and
documented in the ACP.
3.6.1.2 Workstations from which operational systems can be updated should have floppy drives
disabled or be fitted with physical locking devices. Booting from CDROM should also
be disabled once a system has been configured.
In all cases, exceptions to this rule must be documented and agreed with Post Office
Account Security Management.
3.6.1.3 Workstations at the Post Office display sensitive business data (e.g. about payments)
as part of normal operation. All other workstations, which can display sensitive
information, should be in physically secure areas.
3.6.1.4 All systems should have the required roles, groups and other privileges set up on
installation. It should rarely be necessary to update these. “Guest” users must not be
enabled in the installed systems, and where possible, Guest accounts should not be
included. Other generic users should not be accessible for user logon except in
exceptional circumstances explicitly defined in the appropriate section below.
3.6.1.5 Operating system set-up and services available at that workstation should be
controlled by Post Office Account or shown to conform to Post Office Account
standards.
3.6.1.6 After a workstation is booted up, a login screen should be displayed which cannot be
by-passed.
3.6.1.7 The selection of tasks available on the desktop (or via secure menu system, where
used) should be constrained to those available to users with that role.
3.6.2 Server Set-up
3.6.2.1 Servers should have floppy drives disabled at boot time. Booting from CDROM should
also be disabled once a system has been configured. Wherever possible USB ports that
are not required for the operation of the service should also be disabled.
In all cases, exceptions to this rule must be documented and agreed with Post Office
Account Security Management.
3.6.2.2 Where a server is delivered with pre-defined usernames for human users, these
should be deleted (or, if this is not possible, disabled) once the initial individual
usernames required for administering the system have been set up. Usernames should
be disabled by renaming the user account and assigning a strong password, which is
extremely difficult to guess, then storing this password in a safe with appropriate manual
controls for recording access.
3.6.3 Workstation Environment Related Access Controls
3.6.3.1 Users with interactive access to Horizon systems should access these systems via
controlled Microsoft workstations in secure environments as defined in the
following policies. All exceptions to these policies must be authorised and documented
in the ACP.
3.6.3.2 The following diagram shows the main types of workstation environment supported for
access to the Post Office Account Data Centres and other Post Office Account managed
systems:
[Figure 3-1 Workstation Environments Supported by Type: site type 1, site type 2 and site type 3
workstation environments connecting to the POA Data Centre (Data Centre systems and, via them,
Pathway managed systems)]
3.6.3.3 Workstations that have access to sensitive data or can be used to access Horizon systems
(code or data) should be on separate secure LANs linked only into the Post Office
Account secure network. (Site types 1 and 2 and the Data Centres)
The only permitted exceptions are:
• For authorised transfers of software and data from the controlled Post Office
Account LAN at the management site at Feltham to the appropriate Data Centre
system.
• For application support users linking to test rigs. In agreed circumstances, authorised
application support users may access operational data to investigate a problem and
may download that data to the workstation or test rigs.
• For management support and systems-management access to the Data Warehouse. This
is via the SMDB situated within a DMZ.
In these site type 3 cases, firewalls between the LAN on the project site and the
encrypted link to the Data Centres must constrain traffic to just that authorised from
identified project systems to the identified Data Centre systems.
All such users should authenticate using a token.
The secure LAN and workstations must be located in a physically secure area restricted
to permitted users. This also applies to any routers, encryption boxes and firewalls
connecting them to the Post Office Account Data Centres.
Where the workstation is remote from the system being accessed, encrypted links should
be used.
There may be exceptions to this policy in the case of FTMS, Streamline and the TESQA
links to Post Office Ltd. Clients. In any such cases the client is made fully aware of the
risks taken in using unencrypted links (see also 3.7.2.7 below).
Where a user also needs access to internal Horizon systems (such as the call recording
and management systems and e-mail), the user must use a second workstation linked to
the internal network and system required but not to the Post Office Account Data Centre.
(Site types 2 and 3).
Incident tracking systems using networks outside the Post Office Account secure
controlled area, for example the Fujitsu Services corporate network, may include
information relating to a particular record of customer data but must not include such
data, unless adequately protected, for example, by encryption.
There may be exceptions to this policy in the case of PEAK and SMDB where data is
stored unencrypted.
Any external users must conform to these policies.
External support users of Horizon systems (such as Solaris and Cisco) should be
permitted access to Post Office Account Data Centre systems only from approved
Outlets/environments and subject to agreed network and other controls (see 4.6.3).
Where, by the nature of the role(s) to be performed, the workstation requires access to
the Diskette or CD-ROM sub-systems, the workstation must be afforded additional
protection through the use of anti-virus software. Where appropriate other controls such
as the use of physical floppy locking devices and BIOS passwords should also be
employed.
3.7 Network Access Policies
Post Office Account controls should be in place to restrict who can access particular services. This
covers all traffic in and out of, as well as within, the Post Office Account Data Centres and
managed systems and also within parts of the Post Office Account management systems. In
addition to the workstation environment controls above, network access policies should be enforced
where appropriate by the use of a combination of access lists at routers, controls at firewalls,
Microsoft domain controls, platform controls on use of ports and other application controls.
3.7.1 Information in Transit
3.7.1.1 Business and system data in transit to/from the Post Office Account Data Centres must
be protected in accordance with [SFS]. This covers, for example:
• Transfer of data to/from Post Office Account managed systems at other Outlets such as
Post Office Ltd. and Post Office Ltd. Client systems.
• Business and system management traffic to/from the Post Office outlets (which is
protected using a VPN to provide authentication and encryption, as well as digital
signatures in some cases - see above).
• Business and system information between the Data Centres and Post Office Account
management and Outlet Business Change sites.
• NBS data transferred to/from the Data Centres and the NBX.
3.7.1.2 The Energis ATM network with its closed user group should be used to restrict access to
the main Post Office Ltd. data (TIP and Reference data) to Post Office Account only.
3.7.1.3 All Fujitsu Services Core Services links should use VPN protection (for authentication
and encryption) or, in cases where that cannot be justified, CHAP authentication and
CLI.
3.7.2 Control of Traffic In and Out of Data Centres
3.7.2.1 All access in and out of the Post Office Account Data Centres should be restricted to the
required traffic from/to the authorised sources/destinations for business and system
traffic, using routers and firewalls. Such traffic should be routed only to the ports at the
systems which require that traffic.
3.7.2.2 All management and support users access the Data Centres (and other managed systems)
from controlled workstation environments as defined in 3.6.3 above.
3.7.2.3 All Post Office Account Corporate management, system management and support sites
with access to the main operational systems should have fixed links to the Data Centres.
3.7.2.4 External support users with access to any of the Horizon systems containing sensitive or
protectively marked information must access the systems via controlled workstations
and environments as for Post Office Account support staff, but subject to extra controls -
see the appropriate section below. (Support of routers is an exception - see below.)
3.7.2.5 All such fixed links should be protected by the use of hardware encryption devices using
the Rambutan algorithm or, where this is not appropriate, by the use of an agreed
commercial algorithm.
3.7.2.6 Apart from links via the Energis closed user group to the main Post Office Ltd. systems
(and via Post Office Ltd., to Royal Mail), all access to the Data Centre by external
organisations for support or other purposes should be firewalled from the main Data
Centre systems. Any exception to this must be agreed with the Post Office Account
Security Manager and documented in the ACP.
3.7.2.7 Traffic to/from Post Office Account managed interface PCs/routers at other Outlets
(Post Office Ltd., Post Office Ltd. Clients etc.) should be restricted (by routers and
firewalls) to:
• Authorised business traffic between the managed system and the particular Post
Office Account Data Centre server handling that link (normally just file transfer
between the systems).
• Network management traffic between the routers and the NMS.
• System management traffic between the PCs and the Tivoli Management Centre.
3.7.2.8 RADIUS Servers at the Data Centres authenticate traffic from managed PCs at Outlets.
The RADIUS Servers, which are used to authenticate FRIACO ISDN and
ADSL network services for NBS, hold CHAP usernames and passwords for the live
estate. No operational Post Office traffic should be accepted via other routes. Firewalls
and Routers should also restrict where traffic can be routed to/from within the Data
Centre, i.e. to the VPN servers, the Correspondence Servers, Tivoli management servers and
KMS.
3.7.2.9 When implementing a new or significantly changed Post Office Outlet, the initial
connection will be to a dedicated boot server. Access to this from the Post Office outlets
is via a firewall, which also restricts traffic between the boot server and the main
Horizon Data Centre LAN.
3.7.2.10 Firewalls and Routers should be configured to deny access to external users (e.g. Cisco
support) until this access has been agreed - see 4.6.3. When permitted, the appropriate
router should be configured to restrict access to the Data Centre to the particular
system(s) needing support.
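As an added illustration of the allow-list model in 3.7.2.7 and 3.7.2.10 (this is example code, not Fujitsu or Horizon configuration; the addresses are RFC 5737 documentation ranges and the port numbers and rule names are constructed assumptions): a default-deny filter for one Outlet link that permits only the three named traffic classes, drops everything else, and shows a support organisation's access being opened for an agreed session and closed again after use.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges), not Horizon values.
OUTLET_INTERFACE_PC = "192.0.2.10/32"     # managed interface PC at an Outlet
OUTLET_ROUTER = "192.0.2.1/32"            # Post Office Account managed router at that Outlet
DC_LINK_SERVER = "198.51.100.5/32"        # Data Centre server handling this particular link
DC_NMS = "198.51.100.20/32"               # network management station
DC_TIVOLI = "198.51.100.30/32"            # Tivoli Management Centre

Flow = Tuple[str, str, str, int]          # (src_ip, dst_ip, protocol, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR of permitted source
    dst: str                 # CIDR of permitted destination
    proto: str               # "tcp" or "udp"
    dport: Optional[int]     # None means any destination port

    def matches(self, flow: Flow) -> bool:
        src, dst, proto, dport = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto
                and (self.dport is None or dport == self.dport))


class OutletLinkFilter:
    """Default-deny filter for one Outlet link; the permanent rules are the 3.7.2.7 classes."""

    def __init__(self, permanent_rules):
        self.permanent = list(permanent_rules)
        self.temporary = {}   # name -> Rule, for agreed support access (3.7.2.10)

    def evaluate(self, flow: Flow) -> Optional[str]:
        """Return the name of the rule that permits the flow, or None when it is dropped."""
        for rule in self.permanent + list(self.temporary.values()):
            if rule.matches(flow):
                return rule.name
        return None

    def enable_support_access(self, name, src, dst, proto, dport):
        """Open a narrowly scoped rule once the access has been agreed."""
        self.temporary[name] = Rule(name, src, dst, proto, dport)

    def disable_support_access(self, name):
        """Close the rule again after use; unknown names are ignored."""
        self.temporary.pop(name, None)


def build_outlet_link_filter() -> OutletLinkFilter:
    # Port numbers below are assumptions made for the example, not values from the policy.
    return OutletLinkFilter([
        # business traffic: file transfer between the interface PC and its link server only
        Rule("business-file-transfer", OUTLET_INTERFACE_PC, DC_LINK_SERVER, "tcp", 21),
        Rule("business-file-transfer", DC_LINK_SERVER, OUTLET_INTERFACE_PC, "tcp", 21),
        # network management traffic between the router and the NMS
        Rule("router-to-nms", OUTLET_ROUTER, DC_NMS, "udp", 162),
        Rule("nms-to-router", DC_NMS, OUTLET_ROUTER, "udp", 161),
        # system management traffic between the interface PC and Tivoli
        Rule("pc-to-tivoli", OUTLET_INTERFACE_PC, DC_TIVOLI, "tcp", 94),
    ])
```

The point of the structure is that anything not matching a named rule is dropped, so a file transfer aimed at the wrong Data Centre server, or an SSH session from an address that has not been agreed, never reaches the Data Centre LAN, and the support rule exists only between enable and disable.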
3.7.3 Controlling Traffic Within Data Centres
3.7.3.1 Controls in the Data Centre should reduce the possibility of interference between
systems by separating independent parts of the system, particularly those which
have different security requirements. (This may be by a combination of network set-up,
router controls, controls at ports of specific systems and Microsoft domain
structure.) For example:
• Systems concerned with Outlet Business Change should be separate from those used for
operational running.
• Security services, e.g. the Key Management Service (KMS), must be
protected from unauthorised access from other systems.
3.7.3.2 Traffic originating within the Post Office Account Data Centres is generally initiated by
controlled applications. These applications (and the way they are configured in the
system) should restrict traffic between systems to the minimum necessary.
3.7.3.3 Additional network controls should be used where specific systems are subject to higher
risks or vulnerabilities in the Data Centre network. All such special cases should be
documented in the ACP.
3.7.4 Controlling Traffic at and from Post Office Account Project Sites
Post Office Account project sites include:
• Various systems and operational management sites and support sites
• The main Post Office Account management sites
• The OBC Team's main site
• Offices used by Post Office Account Regional Managers
3.7.4.1 The main Post Office Account management sites should separate their main networks
from both the Fujitsu Corporate network and from those more secure LANs used to
access the Data Centre, e.g. via a DMZ.
3.7.4.2 Most local users should only have access to specific LANs that provide access to local
services and (via controlled connections) to the Fujitsu Corporate network.
3.7.4.3 The only permitted connections from this management site network should be:
• To the Fujitsu Corporate network via a controlled router, which restricts traffic to
specifically authorised traffic only.
• To OBC users at regional offices and OBC suppliers at their sites via a controlled
router and firewalls.
• To the secure LANs via a firewall which restricts data to that permitted (e.g.
software from the Configuration Management system).
3.7.4.4 The only permitted connections from the secure LANs should be:
• To the Data Centres via encrypted links.
• To other secure LANs via an encrypted link (i.e. between the Post Office Account
management sites).
3.7.4.5 All users with any interactive access to the Data Centres must do so via secure LANs
(see also 3.6.3).
3.7.4.6 Separate secure LANs should be used for separate user groups/activities where sensitive
data is being handled at Post Office Account management sites. For example, Security
Management and Audit users should be on a high security LAN separate from
other users.
3.7.4.7 Servers at the Post Office Account management sites that handle
sensitive/RESTRICTED data or are used to update the Data Centre require stronger
security and should therefore be on a secure LAN. This applies, for example, to the
CM signing server, which distributes software to the Data Centre, and to the reconciliation
database.
4.0 Specific Human Access Controls
4.1 Introduction
This Section deals with access control policies, in particular authentication policies for
specialised human user roles, and where exceptions to these policies are permitted.
Note that a full list of Post Office Account roles, outlining the IT access permitted to each of them,
is given in Section 6.
4.2 Post Office Outlets — Operational and Installation Roles
There are no system management and support roles at the Post Office outlets. These tasks are run
remotely apart from some limited tasks available to Post Office managers.
4.2.1 Post Office Normal Running
For normal functions, Post Office Managers, Clerks and Supervisors authenticate using a Riposte
username and password.
On normal counter start-up (once installation is complete) the Post Office Manager (or other
authorised user) uses the Post Office memory card and PIN (which is also used in protecting the
filestore, as defined in the Security Functional Specification).
The following specialisations of the policies in Section 3 apply in these cases.
4.2.1.1 A password cannot be re-used for 18 months.
4.2.1.2 The password is checked to conform to quality standards as follows:
• The password cannot contain spaces;
• The password cannot be one of an agreed "excluded passwords" list.
4.2.1.3 After a period of inactivity at a Post Office counter, the session will time out but can be
resumed on entry of the password. After a longer period of inactivity, the user is forcibly
logged out.
4.2.1.4 The PIN used for the Post Office Manager's memory card is a 15 character
alphanumeric value.
4.2.1.5 The Post Office Manager should secure the memory card and associated PIN in separate
places.
4.2.1.6 When a new Post Office user is added to the system, a full name must be supplied. This
ensures that the user can be identified from the user name included in the transactions
logged in the Riposte journals.
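The checks in 4.2.1.1 to 4.2.1.3 as an added worked example (illustrative code, not Riposte or Horizon code): the excluded-password list, the two inactivity thresholds and the 548-day reading of "18 months" are constructed assumptions, since the policy fixes none of those values. The reuse check compares digests rather than plaintext so that the history need not retain old passwords.

```python
import hashlib

EIGHTEEN_MONTHS_DAYS = 548            # assumption: 18 months taken as 548 days
EXCLUDED_PASSWORDS = {"password", "horizon", "postoffice"}   # constructed stand-in list
LOCK_AFTER_SECONDS = 5 * 60           # assumption: shorter inactivity period (4.2.1.3)
LOGOUT_AFTER_SECONDS = 30 * 60        # assumption: longer inactivity period (4.2.1.3)


def password_digest(password: str) -> str:
    """Digest kept in the reuse history. A salted, deliberately slow hash belongs here in a
    production system; plain SHA-256 keeps the example short."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password_quality(password: str) -> list:
    """4.2.1.2: return the reasons a password fails; an empty list means it passes."""
    reasons = []
    if " " in password:
        reasons.append("contains spaces")
    if password.lower() in EXCLUDED_PASSWORDS:
        reasons.append("on excluded list")
    return reasons


def check_reuse(password: str, history, today_day: int) -> bool:
    """4.2.1.1: history is a list of (digest, day_number_set); True if the password may be used."""
    digest = password_digest(password)
    for old_digest, day_set in history:
        if old_digest == digest and today_day - day_set < EIGHTEEN_MONTHS_DAYS:
            return False
    return True


def validate_new_password(password: str, history, today_day: int):
    """Combined check applied when a counter user changes their password."""
    reasons = check_password_quality(password)
    if not check_reuse(password, history, today_day):
        reasons.append("reused within 18 months")
    return (not reasons, reasons)


def session_state(idle_seconds: int) -> str:
    """4.2.1.3: 'locked' sessions resume on the password; 'logged_out' needs a fresh logon."""
    if idle_seconds >= LOGOUT_AFTER_SECONDS:
        return "logged_out"
    if idle_seconds >= LOCK_AFTER_SECONDS:
        return "locked"
    return "active"
```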
4.2.2 Customer Authentication at Post Office Outlets
For most Post Office operations, customers do not need to authenticate themselves.
4.2.3 Post Office Exceptional Cases except Installation
This subsection covers exceptional cases involving the Post Office Manager and other Post Office
staff, and also support engineers, Post Office Ltd. auditors and emergency managers.
For some user groups, and in some exceptional circumstances, the Post Office Manager (or other
authorised person) authenticates using a one-time password with the assistance of the Horizon
System Help Desk (HSHD). The Post Office system generates a value; the user then phones the HSHD,
authenticating to the HSHD as defined for that user role/circumstances (see Access Control and
User Administration Processes and Procedures).
The HSHD (after authenticating the user) provides a check value that the user can
type in at the Post Office counter to authenticate themselves.
The following policies apply to these exceptions.
4.2.3.1 If there is a failure on booting the counter systems after installation of new software, the
Post Office Manager then reverts to the failsafe version of NT, supported by the HSHD and
using a one-time password.
4.2.3.2 If the Manager loses his password, he (or an authorised deputy in his absence) logs into
a SUPPORT username using a one-time password provided via the HSHD.
4.2.3.3 If the Manager loses his card or PIN, he obtains an emergency recovery key via the
HSHD (after authenticating to the HSHD).
4.2.3.4 Support engineers (installing new hardware and running tests to check it) and Auditors
use generic Riposte usernames for the appropriate role and authenticate via one-time
passwords. For both engineers and auditors, the pass number is also typed in, so that
individual users can be identified in the log.
4.2.3.5 If a Post Office Ltd. Emergency Manager takes over a Post Office when the manager is
unavailable or unco-operative, he may use the emergency recovery procedure to boot up
the Post Office - see 4.2.3.3.
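The one-time password exchange described above, as an added example that is not part of the policy and not Horizon code. The policy does not say how the HSHD derives the check value from the value the counter generates; this example assumes an HMAC over the outlet identifier, the role and the challenge using a secret shared between the counter and the help desk, truncated to eight digits so it can be read over the telephone. Outlet identifiers and secrets are constructed placeholders.

```python
import hashlib
import hmac
import secrets


def check_value(shared_secret: bytes, outlet_id: str, role: str, challenge: str) -> str:
    """Eight-digit response to a counter-generated challenge (HMAC-SHA256 is an assumption).
    Binding the outlet and the role into the MAC means a value issued for SUPPORT at one
    outlet is useless for another role or another outlet."""
    message = f"{outlet_id}|{role}|{challenge}".encode("utf-8")
    mac = hmac.new(shared_secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class CounterSystem:
    """The Post Office counter side: issues the challenge and verifies the typed check value."""

    def __init__(self, outlet_id: str, shared_secret: bytes):
        self.outlet_id = outlet_id
        self._secret = shared_secret
        self._pending = {}   # role -> outstanding challenge

    def start_one_time_logon(self, role: str) -> str:
        challenge = secrets.token_hex(4).upper()   # the value the user reads out to the HSHD
        self._pending[role] = challenge
        return challenge

    def complete_one_time_logon(self, role: str, typed_check_value: str) -> bool:
        # The challenge is consumed on the first attempt, right or wrong: a check value
        # overheard on the phone cannot be replayed for a second logon.
        challenge = self._pending.pop(role, None)
        if challenge is None:
            return False
        expected = check_value(self._secret, self.outlet_id, role, challenge)
        return hmac.compare_digest(expected, typed_check_value)


class HelpDesk:
    """The HSHD side: issues a check value only after the caller has been authenticated
    for the role in question, as the policy requires."""

    def __init__(self, secrets_by_outlet):
        self._secrets = dict(secrets_by_outlet)   # constructed: outlet_id -> shared secret

    def issue_check_value(self, outlet_id, role, challenge, caller_authenticated: bool):
        if not caller_authenticated:
            return None   # refuse: the caller has not been verified for this role
        return check_value(self._secrets[outlet_id], outlet_id, role, challenge)
```

A usage run is: the counter returns a challenge from start_one_time_logon("SUPPORT"), the help desk returns a check value for that challenge after verifying the caller, and complete_one_time_logon accepts that value exactly once.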
4.2.4 Installation Roles at Post Office Outlets
On installation of a Post Office Outlet:
• The installation engineer sets up the connection to the data centre.
• The Post Office Manager (POM) completes the Post Office set-up for normal working,
including set-up of the memory card and PIN.
4.2.4.1 The installation engineer must authenticate to the POM (see Visitor Authentication) prior
to using the Auto-configuration application. Authentication to Microsoft or Riposte
must be impossible at this stage.
4.2.4.2 On first installation of the Post Office (after memory card set-up), the Manager logs in
under the Set-up Manager username to create his individual username. He then logs in
using this, and deletes the Set-up Manager username. On all future occasions, the POM
must authenticate using his individual user name except in cases identified in 4.2.3
above.
4.3 Corporate (including Security) Management Users
Unless stated otherwise, all corporate management users are authenticated to their local
Microsoft domain using a security token. They use controlled Microsoft workstations
at Post Office Account sites linked by encrypted links to the Data Centres (site
type 1 in 3.6.3).
4.3.1 Business Management
These users may also need to authenticate to the relevant system and/or application for particular
systems. This is required for Oracle applications, and for Business Objects universes used to access
data at Data Warehouse systems via Oracle/Business Objects.
The only specialisations and exceptions to the policies in Section 3 for these users are:
4.3.1.1 People in the following roles have access to CD writers at their workstations:
• Management support users, who write agreed warehouse data to CD for transfer to
Post Office Ltd.
• The Business Function Auditor, who provides information to external auditors.
• Security Management users, for generation of key material.
4.3.2 Key Management
4.3.2.1 The Key Manager is responsible for the generation or other acquisition of cryptographic
keys and organising their distribution.
4.3.2.2 The Key Custodian uses the local console at the platform where the key is to be
installed/changed and authenticates using a token to the local system. (For Microsoft,
this is defined as a local role.)
4.3.2.3 The Key Handler has the key on the appropriate media (e.g. floppy) for re-installation of
the key during system reboot. He is not a known user of the system and does not
authenticate to it.
4.3.2.4 The Key Handler role may be performed by identified, authorised (non-Post Office
Account) staff at remote Post Office Account managed systems, e.g. by Post Office Ltd.
etc. at interface PCs at their sites.
4.3.2.5 The Cryptographic Key Manager and KMA Data Manager roles are SQL Server users,
so log on to Oracle (after Microsoft workstation token logon). This gives
access to specific functions only.
4.4 Outlet Business Change Users
No specialisations of the policies in Section 3 have yet been identified for OBC users, except
at the Post Office - see above.
4.5 System Management and Related Users
All system management, operational management and application support users have controlled
Microsoft workstations for management/support activities, and a separate workstation for access
to call monitoring and other systems as in 3.6.3 site types 2 and 3.
4.5.1.1 SMC/HSH technicians and other Tivoli users (e.g. Auditors, SSC
application support) authenticate to Tivoli as well as the workstation logon to
Microsoft.
4.5.1.2 For Post Office Key Recovery, the SMC Team Leader may also need to log onto the
KMA via the specific KMS role created for this purpose.
4.5.1.3 SMC/HSH technicians also have limited read-only access to some data centre
systems for the purposes of fault diagnosis. Access is via an SSH client on the support
Terminal Server.
4.5.1.4 All network technicians access only the NMS and routers, so access for them is
described in that section.
4.5.1.5 Controlled access to floppy diskette and/or CD devices is permitted in exceptional
circumstances where such access is required in order to achieve the desired
functionality, e.g. on AP client remote platforms where diskette is the nominated medium
for onward transmission of AP clients' data, or on the Audit workstation from which extracts of
audited information are delivered on CD-ROM.
4.5.2 Engineering Access
4.5.2.1 Where possible, engineering access to the machines, for example for hardware
diagnosis and repair, should be subject to the same controls as other users, as specified
in Section 3.
4.5.2.2 In agreed, limited circumstances (e.g. when the operating system cannot be booted),
special access is permitted, by-passing the normal controls. In all such cases any visiting
engineer must be subject to the policies for "authentication of visitors" (see
Section 3) and two people must be present during such access.
4.5.3 Procedures for getting in Support Staff
A number of problems can lead to staff being required to support the system. This could be Core
Services or SSC staff coming in to support the system from their normal support sites. However, it
could also require support staff from other organisations such as Solaris or Cisco. Core
Services is generally responsible for the call-out procedures.
4.5.3.1 All requests for technical support should be made to the Horizon System Help Desk. The
identity of the caller requesting support (if by telephone) should be verified to ensure the
call comes from an appropriate source, before being actioned. The Help Desk will pass
on the call to the appropriate unit in line with Help Desk Procedures using the call
handling system.
4.5.3.2 All support calls should be recorded in the call handling system and their progress
reported there, including who was called out and the actions taken.
4.5.3.3 Routers will, by default, be configured to prevent access from support organisations other
than the SSC, SMC and Core Services. When support is required from
another authorised site (e.g. Solaris or Cisco), a router should be configured to
allow this access, and then re-configured to disallow it after use.
4.5.4 Software Distribution and Exceptions for Fixes
4.5.4.1 All software (new software and fixes) must be registered in the configuration
management system controlled by configuration librarians. It should be tested using test
rigs and authorised by the CS Release Manager prior to distribution by Software
Distributors.
4.5.4.2 In exceptional circumstances, where this is not fast enough, authorised code fixes may
be done directly by Core Services according to agreed procedures.
4.5.5 Application Support
Application Support calls come via the HSHD, from where they are forwarded to the appropriate unit.
Many application support calls are routed to the SMC/Horizon Service Desk for filtering of
known errors, before being forwarded to the System Support Centre (SSC) or Core Services as
appropriate for solving. Calls may sometimes be forwarded to other 3rd and potentially also to 4th
line support units, which may include application suppliers.
Note that no application support users have access to Post Office counter systems except as allowed
for in 4.5.5.2 below. Errors here are diagnosed using logs of events extracted via Tivoli.
4.5.5.1 All support users with access to the Post Office Account Data Centre must do so using
Microsoft controlled workstations in a secure workstation environment as defined in
3.3. (For SSC, the secure environment must include a firewall to restrict traffic between
the test rigs and the secure LAN, though the workstation gives access to both the Data
Centres and the test rigs.)
4.5.5.2 SSC access to the counter estate is via SSH. Limited data may be downloaded
from the Data Centres to an appropriate test rig where this is required to assist
in diagnosing application problems and testing new software to fix the problem.
4.5.5.3 Support users should have only read access to the supported systems, except for:
• SSC support managers (not normal SSC support users) "correcting" data under
controlled conditions. (Data may need to be corrected where it has been corrupted by
faulty code.) Correction of data must be subject to agreed authorisation procedures.
• Core Services operational management staff that will fast-fix code, when authorised,
under controlled conditions. Where time permits, correction of errors should be by
re-issue of a new version of the software via the Configuration Management system.
When faster fixing is required, agreed Post Office Account authorisation procedures
must be followed. For applications supported by SSC, this will start with a request
by SSC.
Remote access to FTMS Gateways and Counters is managed and supported using an
SSH client on a support Terminal Server.
4.5.5.4 In all cases, updates to code or data by application support staff require two staff to be
present when the change is made and all such changes to be audited, identifying what
has been changed (before and after values) and the individual who made the change.
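The preconditions in 4.5.5.3 and the audit record in 4.5.5.4, as an added example (illustrative code, not Horizon or SSC tooling): a correction is refused unless the operator holds a correcting role, an authorisation reference is quoted and a second, different member of staff is recorded as present; every applied correction is written to the audit trail with the before and after values and the identity of both people. The role names, record fields and authorisation reference format are constructed.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed role names standing in for the roles 4.5.5.3 allows to change data
CORRECTING_ROLES = {"ssc_support_manager", "core_services_ops_manager"}


def correction_allowed(operator: Dict, witness: Optional[Dict],
                       authorisation_ref: Optional[str]) -> Tuple[bool, str]:
    """Apply the 4.5.5.3/4.5.5.4 preconditions; returns (allowed, reason)."""
    if operator.get("role") not in CORRECTING_ROLES:
        return False, "operator role may only read supported systems"
    if not authorisation_ref:
        return False, "no authorisation reference for the correction"
    if witness is None:
        return False, "second member of staff must be present"
    if witness.get("user") == operator.get("user"):
        return False, "witness must be a different person from the operator"
    return True, "ok"


def apply_correction(record: Dict, field_name: str, new_value, operator: Dict,
                     witness: Optional[Dict], authorisation_ref: Optional[str],
                     audit_log: List[Dict]) -> Dict:
    """Change one field of a record under the two-person rule and record the change."""
    allowed, reason = correction_allowed(operator, witness, authorisation_ref)
    if not allowed:
        # Refusals are audited too, so attempts outside the procedure leave a trace.
        audit_log.append({"event": "correction_refused", "reason": reason,
                          "by": operator.get("user"), "field": field_name})
        raise PermissionError(reason)
    before = record.get(field_name)
    record[field_name] = new_value
    entry = {
        "event": "correction_applied",
        "record_id": record.get("id"),
        "field": field_name,
        "before": before,
        "after": new_value,
        "changed_by": operator["user"],
        "witnessed_by": witness["user"],
        "authorisation": authorisation_ref,
    }
    audit_log.append(entry)
    return entry


def audit_line(entry: Dict) -> str:
    """One JSON line per audit entry, keys sorted so records compare stably."""
    return json.dumps(entry, sort_keys=True)
```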
5.0 Specific System Access Controls
5.1 Introduction
This Section deals with cases where the access control policies in Section 3 are
specialised for particular systems and where exceptions to these policies are permitted.
In addition to the policies in Section 3, all systems should support the roles in Section
6, with only the required functions and resources available as defined there, with the human access
controls defined in Section 4.
Note: the ACP does not cover internal systems such as Powerhelp and PEAK.
5.2 Post Office Outlet Platforms
A multi-counter Post Office has a local LAN with Microsoft workstations, one of which is the
gateway with a link to the Post Office Account Data Centres.
5.2.1 Human Users
The roles supported are Post Office staff (Post Office Manager, Counter Clerk and Supervisor),
Customer (indirectly), Post Office Ltd. Auditors and Emergency Managers, Engineers (Support and
Installation Engineers) and SSC (see 4.1, 4.2 and 4.4).
5.2.1.1 At no stage after leaving the factory should it be possible to log on directly to Windows
NT or Windows 2000, or for a user to access Microsoft functions or data.
5.2.1.2 No operational management roles should be supported at the Post Office systems, nor any
other roles apart from those listed above.
5.2.2 Factory Set-up Controls
Software is installed at the factory (though may be updated on installation) and initial configuration
done.
5.2.2.1 Riposte user groups set up should be Manager, Supervisor, Clerk, Engineer, PinPad
Install, Auditor, AuditorE (used by Emergency Managers) and Support (used for emergency
procedures such as the Manager forgetting his password). The Engineer, Auditor,
AuditorE and Support groups should be set up to require one-time password
authentication.
5.2.2.2 Usernames should be set up in Riposte and Microsoft for an Engineer, an Emergency
Manager, a Support user and for a number of Auditors (enough to allow an auditor at
each counter of the largest Post Office) and a set-up manager associated with the
relevant Riposte groups. (The Post Office Manager will introduce further users later.)
5.2.2.3 When leaving the factory, it should only be possible to run the Auto-configuration
application, not log on to Microsoft or Riposte.
5.2.3 Post Installation Controls
5.2.3.1 After installation, special software used for installation only should not be accessible.
Usernames used for installation only should be removed.
5.2.3.2 The encrypted filestore should not be accessible unless the workstation has been booted
using the memory card and PIN (or agreed emergency procedures).
5.2.3.3 After a user has logged on using Riposte, all access to the system should be controlled
by Riposte - the Riposte desktop should allow access to only those items available to
people in the user's role. The user must not be able to call any other applications or
Microsoft functions or resources. No direct access to Windows should
be possible at any time, even for engineers.
5.2.3.4 The Riposte infrastructure should not need Microsoft administrator privilege.
5.3 Solaris Systems
5.3.1 Introduction
Solaris systems with Oracle databases are used for the main
operational applications (see 2.1) at the Data Centres. The
systems also have data in flat files (e.g. before/after transfer to/from other systems).
5.3.2 Human Access
All Solaris systems support the operational management and support roles listed in
Section 6. They also support application roles for the particular applications such as ODBC,
RDMC and Business Objects.
5.3.2.1 All business users (such as the Business Support unit) should use Oracle applications -
Oracle Forms, Business Objects or Discoverer 3i.
5.3.2.2 Where SQL*Net or Oracle Net access to the database could potentially give more
access than that permitted for the business role, the application at the client must restrict
access to that permitted. In addition, a secure controlled workstation conforming to Post
Office Account policies (see 3.2) must be used and the user identified there with the
correct role so that the application controls cannot be by-passed.
5.3.2.3 Users using only Oracle via applications on their controlled workstations should be
registered to the Oracle application, not the underlying operating system, and
authenticate using a password.
5.3.2.4 Where users need to be both UNIX and Oracle users, they should be registered in UNIX,
and have Oracle use the result of the UNIX (and security token) authentication.
5.3.2.5 Oracle database administration functions should use:
• Patrol for monitoring the database
• Pre-defined Discoverer queries to examine the state of the database. (Discoverer
should be configured to restrict access to the tables and views needed for the task
and to audit actions.)
• Pre-defined, authorised SQL*Plus scripts for database updates (which should include
auditing).
5.3.2.6 Application support users of Oracle should use:
• Pre-defined forms for correcting standard types of data problem
• Pre-authorised SQL*Plus scripts for correcting other data problems
All pre-defined forms and pre-authorised scripts should audit the correction made.
5.3.2.7 Users who require any access to operating system facilities must do so via a secure menu
system that restricts the user to functions authorised for users of that role (and audits all
functions performed by that user).
5.3.2.8 Where a function called from the secure menu system requires a change of username,
that change should be done automatically by the menu system and audited. Changes to
username must also cause a Patrol event.
5.3.2.9 The secure menu system should have specific functions for most system management
activities. However, for emergency use, the menu will include an item that provides root
access and use of UNIX commands.
5.3.2.10 Computer operators access Solaris systems from the console, using the secure
menu system to access a limited number of predefined jobs such as back-ups.
5.3.2.11 Engineering access when the operating system cannot be fully booted is via "single user
mode" under controlled conditions (see Visitor Authentication and Engineering Access).
Single user mode should only be used when more controlled methods are not possible.
5.3.2.12 Operational management staff must always authenticate under their own names to UNIX
and perform functions wherever possible without superuser/root privileges. If root is
needed, the appropriate menu item on the secure menu system will be used to switch
users. This will be audited and an alert sent to BMC Patrol so that a record remains available
even if the audit log at the UNIX machine is subsequently corrupted.
5.3.2.13 Where non-Post Office Account staff, e.g. Solaris staff, provide 3rd line support, this
may be from the 3rd party site. In this case, access must be from a controlled
Microsoft workstation and controlled environment as for Post Office Account
operational management - see 3.2. Call-in procedures are as in 4.5.3.
5.3.2.14 As Solaris support requires root access, an independent monitoring system will be used
where all key strokes on the Solaris workstation are captured and echoed on a
Core Services workstation.
5.3.2.15 Application support managers can correct application data subject to authorisation procedures — see 4.5.5. For Oracle applications, this should, where possible, be via specific functions available to the Oracle SSC role. In exceptional circumstances, use of SQL*Plus scripts will be authorised after checking. For other services, this may involve updates to flat files. In all cases, corrections to the data are audited.
5.3.3 Application/Oracle Roles at the Operational Solaris Systems
5.3.3.1 Database roles with appropriate database views/tables should be used to separate what data is available to whom.
5.3.3.2 The following Oracle roles should be defined for all Oracle applications on the operational Solaris servers. Note that in some cases, people with different human roles in the list in Section 6 may have the same access to the same Oracle role.
Oracle role                 Functions and roles
MONITOR                     Read only access to application data in this database - used by Auditors, application support etc.
AUDITOR                     As MONITOR plus access to audit information - used by auditors
CORE_SERVICES_DBA           Full DBA privileges
SSC                         As for MONITOR, plus limited updates, implemented by pre-authorised SQL*Plus scripts.
Management Information MSU  Specific business support functions on OBCS and some other applications - see Section 6.
5.3.3.3 Other application roles should be defined for particular applications to support the application roles listed in Section 6, for example, Reference Data roles at RDMC.
5.3.3.4 Information available to people doing ad-hoc queries should be further constrained, e.g. using Business Object universes. Note that there are also roles for non-human users.
5.3.4 Solaris and Oracle Access Controls
5.3.4.1 The Solaris operating system should be set up according to the access control policy in 3 above.
5.3.4.2 Automated processes should do all loading/unloading of data to/from Oracle databases. Separate interface tables should be used to restrict the damage possible due to failures during automated processes.
5.3.4.3 The set-up of the system should be regularly monitored, for example, to check for dormant accounts and to review any changes made to important system files.
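As an added illustration (not the Horizon project's own scripts), the generic roles from the table in 5.3.3.2 expressed as Oracle role definitions, with the SSC "limited updates" done only through an auditing stored procedure rather than direct table access. The APP_OWNER schema, the TRANSACTIONS table, the CORRECTION_AUDIT table and the CORRECT_TXN_STATUS procedure are all assumed for this example.

```sql
-- Constructed example schema objects; run as a DBA account.
-- MONITOR: read only, and only via a view, never the base table.
CREATE OR REPLACE VIEW app_owner.v_transactions AS
  SELECT txn_id, outlet_id, txn_date, amount, status
    FROM app_owner.transactions;

CREATE ROLE monitor;
GRANT SELECT ON app_owner.v_transactions TO monitor;

-- Correction log written by the SSC procedure below (assumed table).
CREATE SEQUENCE app_owner.correction_audit_seq;
CREATE TABLE app_owner.correction_audit (
  audit_id    NUMBER        NOT NULL PRIMARY KEY,
  changed_at  TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  db_user     VARCHAR2(128) NOT NULL,
  os_user     VARCHAR2(128),
  ticket_ref  VARCHAR2(32)  NOT NULL,   -- the authorisation reference (4.5.5)
  txn_id      NUMBER        NOT NULL,
  old_status  VARCHAR2(16),
  new_status  VARCHAR2(16)
);

-- AUDITOR: everything MONITOR has, plus the correction log and the audit trail.
CREATE ROLE auditor;
GRANT monitor TO auditor;
GRANT SELECT ON app_owner.correction_audit TO auditor;
GRANT SELECT ON sys.dba_audit_trail TO auditor;

-- CORE_SERVICES_DBA: full DBA privileges; the only role touching base tables.
CREATE ROLE core_services_dba;
GRANT dba TO core_services_dba;

-- SSC: MONITOR plus a single pre-authorised correction, wrapped so that the
-- audit record is written in the same transaction as the change.
CREATE OR REPLACE PROCEDURE app_owner.correct_txn_status (
  p_txn_id     IN NUMBER,
  p_new_status IN VARCHAR2,
  p_ticket_ref IN VARCHAR2)
AUTHID DEFINER   -- runs with APP_OWNER's rights, so SSC needs only EXECUTE
AS
  v_old_status app_owner.transactions.status%TYPE;
BEGIN
  -- Only the agreed set of corrections is permitted.
  IF p_new_status NOT IN ('SETTLED', 'REVERSED') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Correction not in the authorised set');
  END IF;
  SELECT status INTO v_old_status
    FROM app_owner.transactions
   WHERE txn_id = p_txn_id
     FOR UPDATE;
  -- Record who (database and OS identity), what and under which ticket.
  INSERT INTO app_owner.correction_audit
    (audit_id, db_user, os_user, ticket_ref, txn_id, old_status, new_status)
  VALUES (app_owner.correction_audit_seq.NEXTVAL,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          p_ticket_ref, p_txn_id, v_old_status, p_new_status);
  UPDATE app_owner.transactions
     SET status = p_new_status
   WHERE txn_id = p_txn_id;
  COMMIT;
END correct_txn_status;
/

CREATE ROLE ssc;
GRANT monitor TO ssc;
GRANT EXECUTE ON app_owner.correct_txn_status TO ssc;

-- Review check for 5.3.4.3: confirm the roles carry nothing beyond the above.
SELECT grantee, privilege, owner, table_name
  FROM dba_tab_privs
 WHERE grantee IN ('MONITOR', 'AUDITOR', 'SSC')
 ORDER BY grantee, table_name;
```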
5.4 Windows NT and Windows 2000 Systems
This section deals with Microsoft workstations and servers at the Data Centres and other Post Office Account managed Microsoft systems except the Post Office outlets. Microsoft workstations at secure Post Office Account management and support sites should also conform to the NT domain policies.
5.4.1 Generic Microsoft Policies
Microsoft systems support the operational management and support roles listed in Section 6 unless otherwise stated.
5.4.1.1 As on other systems, engineers should only have controlled access and must be accompanied by Core Services staff when using the system.
5.4.1.2 Apart from event logs etc., which are relevant to all Microsoft systems, application support users should access application databases via relevant tools, rather than just operating system facilities.
5.4.1.3 All Microsoft servers should be set up with a group and template user for the generic management and support roles (plus any others defined for the particular Microsoft system). When a user is assigned to a role, these templates should be used to set up that user with the required user profile, providing access only to those tools needed to carry out the role.
5.4.1.4 While use of Microsoft domains allows a user to log in once to multiple servers, some roles (such as Engineer and Key Custodian) should always be defined as requiring the user to be local to the machine.
5.4.2 NT Domain Policies
Microsoft Windows domains are used in Post Office Account to control which Microsoft servers can share Microsoft resources and which users have access to those resources. They are also used to simplify user authentication — a user need only log on once to a domain (or once to a set of domains) which have an established trust relationship that includes trust in the users of the domains.
Microsoft domains should conform to the following policies:
5.4.2.1 Microsoft domains should generally have at least one Backup Domain Controller. This should be on a separate site from the Primary Domain Controller. Exceptions to this must be agreed and are expected to be small domains with few users.
5.4.2.2 Where a set of related Microsoft systems is run by a different authority from other Microsoft systems, this should be set up as a separate domain.
5.4.2.3 Where such a domain does not share users or resources with other domains, it should be a separate domain with no trust relationship with other domains.
5.4.2.4 Domains may span sites where all Microsoft workstations and servers in the domain are run by the same authority and are subject to the same physical and network security. (For example, the SMC system management domain spans the SMC workstations attached to a secure LAN on the secure SMC Site and the Tivoli Microsoft servers at the Data Centre.)
5.4.2.5 A domain must be confined within an area of the network which is subject to the same security policies and controls. For example, it must not include Microsoft systems on different sides of a firewall.
5.4.2.6 Where sharing of resources, but not users, is required between domains, then the trust between domains should be restricted to sharing the agreed resources/files across the domain boundary. The resource sharing must be restricted to the minimum required for the agreed functions.
5.4.2.7 Where sharing of files is required between domains on different sides of a firewall, this should be subject to special authorisation procedures as well as the policy above.
5.4.2.8 A domain should not establish trust in users registered in a domain in a less trusted part of the network.
5.4.2.9 Users should only have access to the Microsoft systems to which they are permitted access. The domain set-up should prevent them accessing any other Microsoft systems.
5.4.2.10 Users should not be registered as Microsoft users at domains where their only access is at the application level, for example, from a remote client via an application protocol to a particular application that has its own logon.
5.4.2.11 Set-up of Microsoft domains should assist separation of systems to reduce interference between them.
5.4.3 Correspondence Servers
5.4.3.1 Business Support and Auditor access to the operational Correspondence servers should be restricted to exceptional circumstances for limited amounts of data (as otherwise, the performance of the system could be impaired). In all cases, access should be controlled, and limited to use of a specific agreed query tool.
5.4.4 Security Servers on Microsoft
Security services on Microsoft are:
• The Key Management Application (KMA), which generates and distributes cryptographic keys to Horizon services and the Post Office outlets. An associated Certification Authority Workstation (CAW) generates public key certificates, and Entropy servers generate DSA entropy for digital signatures.
• The VPN servers used for protection of the traffic to Post Office outlets and across to the Post Office Outlet LAN.
• The audit and key management workstations supporting the Post Office Account Security Manager and his staff.
• Signing servers to sign software and auto-configuration information sent to the Post Office Outlet.
(This is in addition to the software security services to protect data in transit on particular links.)
5.4.4.1 The Certification Authority Workstation (CAW) that includes the CA should be off-line — not connected to any network.
5.4.4.2 The KMA should store all keys encrypted, and the key used to encrypt these keys should be subject to the normal KEK policies - see 3.5.
5.4.4.3 Application level access to the KMA should be restricted to the agreed functions for each of the specified roles, and each role should have the least privilege needed to do the job. All security significant actions should be audited.
5.4.4.4 On-line interactive access by human users to the Microsoft server on which the KMA resides should not be generally possible. It should require approval by the Post Office Account Security Manager to permit this access (except for key handling on reboot). The access will only ever be permitted for:
• Read only access by application support staff (updates should always be via the standard Tivoli software distribution)
• Limited, authorised, system admin access by local users
• Engineers
5.5 Authentication Service for Authentication using Tokens
Authentication using tokens will be supported by an Authentication Service at each Data Centre (one the master, generally used for all authentications, with the other acting as a slave to provide resilience).
5.5.1.1 After installation and configuration of the Authentication Service, the only application access to the Authentication Service should be by the Post Office Account Security Manager workstation at the Post Office Account management site. These must be controlled Microsoft workstations on the secure LAN (see Section 3).
5.6 Cryptographic Boxes
5.6.1 Hardware Encryption Boxes
Hardware encryption boxes are used to provide link level encryption on a number of links. These are government approved point-to-point encryption devices generally using Rambutan encryption but can operate with commercial encryption algorithms where this is agreed.
5.6.1.1 Access controls at these devices should be as specified by the manufacturer and/or informed by Post Office Account Security.
5.6.2 Host Security Modules
Host Security Modules (HSMs) provide a secure environment in which to translate an encrypted PIN value between domains — primarily between the Post Office Central Services domain and the NBENBX domain.
5.6.2.1 Access control procedures for these devices are documented in NB/PRO/007.
5.6.3 Secure Configuration Terminals
Secure Configuration Terminals are hand-held devices used to generate and encrypt keys and to load keys into HSMs.
5.6.3.1 Access control procedures for these devices are documented in NB/PRO/007.
5.7 Symmetrix discs
EMC require access to the live Central Host systems for support of the Symmetrix Remote Data Facility used to replicate disk array data between two Campuses. The disk arrays are monitored by an internal system, which regularly checks the disks against predefined thresholds such as numbers of failed read or write attempts. When a threshold is exceeded, the disk monitoring system automatically telephones the EMC support unit.
5.7.1.1 Access to the EMC disc controller (and to discs) is as specified and restricted to the use of the special EMC client.
5.8 Interface Systems at Business and Outlet Business Change
The Horizon system manages interface PCs at some related Outlets (Post Office Ltd., Post Office Ltd. Clients and Outlet Business Change supplier). It also manages the interfaces to the Post Office Account network (e.g. routers).
In all cases, routers are managed by Post Office Account Network Management and interface PCs are managed using Horizon System Management.
5.8.1 Interface Systems with Interface PCs
Post Office Account has links to a number of Post Office Account managed interface PCs at sites remote from the Post Office Account Data Centres. These include Post Office Ltd. and Post Office Ltd. Client systems. (The Post Office Ltd. TIP link is also used for Royal Mail traffic.) There may also be interface systems at Post Office Account Outlet Business Change Suppliers.
5.8.1.1 Once configured, the PCs and routers at these sites should not normally have any human access - file transfers should be automated and the PCs managed remotely using Tivoli.
5.8.1.2 The operational management role at these sites is limited to local system administrative functions only.
5.8.1.3 The engineer role is restricted to installing or replacing the PC. The PC will not be repaired when configured into the operational system.
5.8.1.4 Business data in transit to the Data Centres is protected as defined in 3.7 above.
5.8.1.5 Where the PC is directly connected to other systems (such as the Post Office Ltd. ones), it should also be configured to restrict traffic with such systems.
5.8.1.6 Controls at the interface PCs at Post Office Ltd. (and similar) sites must ensure separation of incoming and outgoing files so that all files supplied by Post Office Account are read only for Post Office Ltd. access. In addition, files for different systems (e.g. TIP, Royal Mail and Reference Data) are separated.
5.9 System Management Servers
A set of Tivoli system management servers are used to manage the Post Office systems and related Data Centre Microsoft systems (mainly using Tivoli products). They also monitor other Post Office Account management systems and collect event data from other systems.
5.9.1.1 All users of Tivoli must be registered at the Tivoli server and associated with the appropriate roles, groups (and regions) to restrict their access to facilities which they are permitted to access. (All such users have security tokens, so are also registered with an Authentication Service.)
5.9.1.2 In addition to SSC and SMC/HIF-HSH roles, Tivoli servers should also support:
• Post Office Account Security Auditors with read access to audit information via the web interface — platform audit logs, Tivoli notices, and Tivoli events collected for auditing.
• Application support users with access to pre-authorised Tivoli tasks to extract diagnostic information from the Post Office.
5.9.1.3 Tivoli integrity features should also be used to protect Tivoli traffic on the link.
5.10 Network and Firewall Management
5.10.1 Network Management and Routers
The Post Office Account network routers are managed using HP OpenView with Cisco Works as illustrated below.
[Figure 5-1 Network Management: a Network Management Station (Sun, UNIX) running HP OpenView and TACACS+, with data feeds (e.g. events to Tivoli) and data outputs (e.g. audit logs), managing routers and ISDN adaptors at the Data Centres, Post Offices and interfacing sites.]
There is a single Network Management Station (NMS) at each Post Office Account Data Centre. NMS users use controlled Microsoft workstations with tokens (see section 3) but also need to log onto UNIX for access to authorised OpenView and Cisco Works/View functions.
In addition to NMS roles, there are also Cisco router support roles. Engineers may also require direct access to routers.
There are no on-line application support roles. Support of OpenView, Cisco Works etc. is done off-line. Post Office Account auditors access audit information from the NMS via audit records sent through to Tivoli and extracted audit logs.
5.10.1.1 Network Management configuration must be carried out before live running and the configuration independently validated and authorised by a senior Core Services network person before use.
5.10.1.2 Even though network management workstations run 24 hours a day, all users must still be individually authenticated. (This implies that at the end of the shift, the existing user must log out and the new user log on.)
5.10.1.3 Network management should normally be done using OpenView. In agreed exceptional circumstances (for example, for fault resolution requiring use of the debug facility, in times of excessive network workload or during fault conditions), the network may be managed using router facilities directly via telnet, not via OpenView, and therefore not subject to its controls. This is confined to authorised Core Services Network Managers using Telnet access to routers from a specific dedicated Microsoft system on the Operational Bridge area of the Network Centres.
5.10.1.4 Telnet access to routers is permitted only to Core Services senior network management staff and Cisco staff supporting the routers from a remote Cisco site. All such access must be authorised by a member of the Telnet authorisation list. Manual records must be kept of this authorisation each time Telnet access is used.
5.10.1.5 All users of Telnet access to routers must authenticate using TACACS+ and their access audited at the NMS.
5.10.1.6 Cisco staff must access the router needing support via a separate gateway router dedicated for Cisco use. This gateway router must be configured to permit Cisco access only when Cisco support is needed. A different TACACS username and password must be used on each occasion, valid for the particular session only.
5.10.1.7 The standard Cisco engineers must have only read access to the routers. Only named and authorised senior Cisco staff may have the "enable" mode needed for reviewing configuration files and debugging. Cisco staff should not make changes to the routers, but advise the Network Manager of any changes required.
5.10.1.8 The only direct access permitted to routers is for engineers investigating hardware problems. In this case, access should always be done locally at the router using a console.
5.10.1.9 In normal running, the routers must not have consoles attached, though console access may be enabled. Any attempt to log on at a console should be via TACACS+ and so be flagged at the NMS.
5.10.1.10 A faulty router must be configured out of the network before a console is attached and the router engineer logs on to diagnose and repair the fault. When the router is connected back into the system, its configuration must be checked and the new configuration authorised before the router is configured for normal use in the operational system.
5.10.1.11 Engineers are not individually known to the routers, so manual procedures must identify the engineer when he visits the site before he is given today's password. The password used for direct router console access should be changed via the NMS every 28 days and also immediately when an engineer requires access.
5.10.2 Firewall Management
Firewalls are managed using Enterprise Centres on Solaris systems (shared with Security token
management), one at each Data Centre.
Enterprise Centre roles supported are Firewall Manager and Firewall Monitor. There are no on-line
support roles for the Enterprise Centre application or the firewall application.
5.10.2.1 All access to the firewalls must be via the NMS and the appropriate proprietary administration tools, Checkpoint Enterprise Manager for Checkpoint FW-1 and XXX for Cisco PIX Firewalls and Firewall Security Modules within the Core Switches, except for hardware maintenance. As for routers, in normal running, firewalls must not have consoles attached — they should only be attached for hardware maintenance after the firewall has been configured out of the system.
5.10.2.2 All configuration changes must be made via the NMS and the appropriate proprietary administration tools, Checkpoint Enterprise Manager for Checkpoint FW-1 and XXX for Cisco PIX Firewalls and Firewall Security Modules within the Core Switches, and logged via Tivoli. Firewall audit logs should also be sent to the Enterprise Centre.
5.10.2.3 Firewalls should restrict traffic as in the network access policies in 3.7. (This is different for different firewalls.)
5.11 Software Distribution Servers
Software distribution servers include the Configuration Management and associated signing servers on Post Office Account project Outlets and the depot/Tivoli servers at the Data Centres to which software is sent for onward transmission to other Horizon systems at the Data Centres, Post Office outlets and elsewhere.
5.11.1.1 The Configuration Management system should have access controls which conform to this policy, even though it is not at the data centre or on a separate secure LAN.
5.11.1.2 The associated signing server should be on the secure LAN, with controls conformant with this policy.
5.12 OBC Servers at the Data Centres
The Post Office counters are delivered with a standard configuration, which needs to be
personalised and updated when installed.
The servers involved in this process are shown in the following diagram.
[Figure 5-2 Interactions of Post Office Installations: POA Data Centre (ACDB auto-configuration, depot/Tivoli server, other systems including KMS); POA management site (OCMS and signing server, fed by staff and suppliers); factory (generic PO software installed); Post Office (auto-configurer, PO config info and software updates, KMS exchanges, Installation Engineer, Post Office Manager).]
5.12.1.1 The terminals should be delivered from the factory conforming to the agreed build with software, including an Auto-configurer application, installed.
5.12.1.2 Access to the ACDB should be confined to:
• ACDB administrators using controlled Microsoft workstations (Site type 1 in section 3.6.3)
• Application support using controlled Microsoft workstations (Site type 1 in section 3.6.3)
• File transfers from the OCMS database at the Post Office Account Management site via the firewall
• The normal Microsoft admin, audit and engineering access.
5.12.1.3 Access to the software depot/Tivoli software distribution system from outside the Data Centre should be confined to the feed of software and associated files from the signing server at the Post Office Account Management centre and to the managed distribution to the Post Office outlets.
5.13 Third Party Access to Aurora-Managed Consoles
Access by a third party supplier (e.g. UKME, Fujitsu Sun Support, Oracle) to any of the UNIX server consoles managed by the Aurora servers in Bootle, Wigan or Bracknell will be as follows.
The following is a high-level overview of the process:
• Enable 3rd party access to the server under investigation, i.e. log on to console as root and monitor output
• Enable 3rd party access to Aurora (enable modem and set password for 3rd party UNIX user)
• Give details of dial-up and login process to 3rd party engineer
• Monitor 3rd party access to the server under investigation (using Aurora "view" mode)
• Once complete, monitor engineer logging off and disable all access (modem and UNIX user)
Monitor all engineer activities until the investigation is complete. If, at any point, the engineer looks to be putting the POA service at risk, either knowingly or unknowingly, take control of the console. This prevents the engineer being able to type commands at the console.
On completion, check that the engineer has logged off Aurora by checking for the relevant user and, if the engineer has not logged off, force a log-off and free up the modem.
6.0 Roles and Permitted Access
This Section specifies all human roles with access to the Post Office Account Data Centres and the other Post Office Account managed systems such as the interface PCs at Post Office Ltd. Sites.
For each role, the following table outlines the job functions performed and also the IT functions and resources accessed to carry out these roles, including which systems are accessed. The table is ordered into:
• Main operational roles (Post Office outlet staff);
• Corporate management roles (Post Office Account business management, customer services including business support, Post Office Account security roles including cryptographic key ones and auditor roles including Post Office Ltd. and NAO auditors);
• OBC roles (help desk, ACDB roles);
• System and operational management and support roles (operational management on Solaris and Microsoft etc., SMC system management, software distribution, network and firewall management, application support and other support roles).
In the following table:
• The site type is:
  - DC for Data Centre
  - PPS for a Post Office Account project site
  - SL/PPS for secure LAN at a Post Office Account site
  - PO for Post Office
• The system is:
  - Solaris for all Solaris systems
  - DW for Data Warehouse
  - HS for the Host Application Solaris system
Unless otherwise stated, users access the system via controlled Microsoft workstations, logging into the appropriate Microsoft domain.
Role (organisation) | Main Job Functions | IT Functions & Data Access | Systems Accessed
Main Operational Roles
Post Office Staff and Customers at Post Office outlets
Post Office Manager (The person in charge of the Post Office, who may be a sub-postmaster or agent.) (Post Office Ltd.) | All the management of the Post Office system including setting up workstations and introducing users. Post Office Managers may allow other staff to deputise for them, and so take this role. Workstation set-up, emergency procedures. | Key (and memory card) custodian - installing, changing and recovering keys. User management (of local post office staff), specific management applications, for example, balancing Post Office accounts and stock unit management (including allocation to clerks). Run diagnostics to check system and peripherals are functioning correctly. All counter clerk functions. | Post Office only
Post Office Counter Clerks (Post Office Ltd.) | Run the PO applications e.g. APS, EPOSS and OBCS. Do training. | System boot-up using the memory card. (At some Post Office outlets, this may be restricted to more senior staff.) Run applications e.g. EPOSS, APS, OBCS. Stock unit balancing etc. In training mode, special training data (counter clerk also uses special training benefits/APS cards so does not need a customer present). | As above
Post Office Supervisor (Post Office Ltd.) | All Counter Clerk functions plus other functions. | As Counter Clerk plus viewing stock, users. | As above
Role (organisation) | Main Job Functions | IT Functions & Data Access | Systems Accessed
Customers | Transactions at Post Office outlets e.g. buying stamps, collecting benefits, paying utility bills. | Customers do not access the system directly. | -
Corporate Management Roles
Post Office Account Corporate Management Roles and associated support roles (all Post Office Account staff on secure LAN at Post Office Account management site)
Post Office Account Management Support | Managing the set-up of the management information services (e.g. setting up Business Object Universes and associated controls). Providing information to other Post Office Account Management users on request. Also, providing the Post Office Ltd. interfaces for management information — including provision of management data regularly and on request. | Business Object Universes (including supervisor functions); Read and update access to agreed MIS data including CONFIDENTIAL and SLAM; Data required for download to workstations for reports (Post Office Account, Post Office Ltd.) | DW; other MIS
Post Office Account Financial Management | Use of financial management information in the Common Charging System and elsewhere | Access to Common Charging System (CCS) and other financial information | DW
Post Office Account Contract Management | Use of contract management information in the Contract Management system (CON) | Access to CON service | DW
Post Office Account Business Development | Use of selected Data Warehouse information in development of the business | DW: read only access to Post Office information | DW
Role (organisation) | Main Job Functions | IT Functions & Data Access | Systems Accessed
Post Office Account Customer Services, including Management Support (mainly Post Office Account staff on secure LAN at Post Office Account management site)
Post Office Account Customer Support Managers | Service Level agreement management | Business Objects Universe with predefined Reports for SLAs. | DW
CS User Management | Service Level agreement Monitoring of Outlets | SMDB Database access via Corporate LAN | SMDB
Management Support Manager | Support the business when there is a Post Office Account problem, for example a service breakdown. [This includes reconciliation of data for other services.] Role function: Authorising adjustments to business records subject to agreed procedures. | Access to services for cases needing reconciliation. Access to services such as OBCS, APS and TPS (PO transaction logs) etc. when required. Also access to NBS reconciliation services via NWS User role and DRS. All update access is via specific Oracle forms applications. | HS: OBCS, APS, NBS; Correspondence server; DRS
Management Support Analyst | Investigating incidents, and adjusting business records (but not finally authorising them). | Access to OBCS, TPS, NBS etc. as above | As above
Post Office Account Reference Data Management | Use of reference data in the Data Warehouse | Access to DW reference data | DW
©Copyright Fujitsu Services Ltd 2005
[I KEYWORDS \* MERGEFORMAT I
Commercial In Confidence Page: 59 of 72
POL00400790
POL00400790
POL-BSFF-0227460_0058
FUJITSU
FUJITSU SERVICES.
Horizon Access Control Policy
Commercial In Confidence
Ref: RS/POL/003
Version: 7.0
Date: 14/04/2005
Role (organisation) Main Job Functions It Functions & Data Access Systems Accessed
Role: Reference Data Change Manager
  Main job functions: Kick off the transfer of validated reference data of classes 2 to 5 to TMS when all required dependencies have been met.
  IT functions & data access: (Oracle role: user_change_control)
  Systems accessed: HS:RDMC

Role: RDMC Loader
  Main job functions: Manually initiated load of reference data files to RDMC.
  IT functions & data access: (Oracle role: user_loader)
  Systems accessed: HS:RDMC

Role: RDMC user
  Main job functions: Query and report on reference data, so read only access.
  IT functions & data access: (Oracle role: user_reports)
  Systems accessed: HS:RDMC

Role: RDMC access administrator
  Main job functions: Sets up users and assigns them their roles.
  IT functions & data access: (Oracle role: user_administrator)
  Systems accessed: HS:RDMC

Post Office Account Security and Cryptographic Key Roles

Role: Post Office Account Security Manager
  Main job functions: Maintains the records of security tokens and their PINs and users.
  IT functions & data access: Maintenance and audit functions at the ACE server.
  Systems accessed: ACE server

Role: Cryptographic Key Manager
  Main job functions: Generating or obtaining cryptographic keys and organising their distribution; generating certificates to certify keys (CAW).
  IT functions & data access: Also viewing current situation re keys (KMA) and
  Systems accessed: KMA, CAW

Role: Cryptographic Key Custodian
  Main job functions: Initial installation of cryptographic keys where this needs to be done manually. Periodic update of these keys.
  IT functions & data access: Installing keys where needed (interfacing PC (Data Centre and remote), KMA, (CAW), VPN). Always local user, not remote.
  Systems accessed: See IT functions column
Role: Cryptographic Key Handler (Note 3)
  Main job functions: Handling part of a split cryptographic key when this needs to be re-installed, e.g. when a system is rebooted.
  IT functions & data access: Loading part key (normally from floppy) during load, so no logon, no individual authentication.
  Systems accessed: As key custodian

Role: PO Key Recovery (part of SMC team leader role)
  Main job functions: Initiating recovery of a Post Office key from the Help Desk after a Post Office Manager has lost his PIN.
  IT functions & data access: Authorised functions at KMA.
  Systems accessed: KMA

Role: KMA Data Manager
  Main job functions: Maintain validity of data within KMA database, e.g. specify new client where keys are to be sent (but no key management roles).
  IT functions & data access: Authorised functions at KMA.
  Systems accessed: KMA

Auditor Roles

Role: Post Office Account Business Function Auditor
  Main job functions: Overall auditing of the Post Office Account solution (though not Post Office outlets directly, as there are records of Post Office activity at the Post Office Account central site).
  IT functions & data access: The Business Function Auditor mainly uses information from the archive server and information extracted from other systems, though has limited access to other systems.
  Systems accessed: Archive server; exceptionally, correspondence servers, host applications etc.

Role: Post Office Account Prosecution Support User
  Main job functions: Provision of audit data in support of investigations and litigation.
  IT functions & data access: Information extracted from the archive server and supporting data extracted from other systems, though has limited access to other systems.
  Systems accessed: Archive server and corporate problem management systems
Role: Post Office Account Security Event Auditor
  Main job functions: Auditing the security of the Horizon system including monitoring, investigating incidents, reporting etc.
  IT functions & data access: Operational and management logs of business transactions, including Riposte journal for events at Post Office outlets and host application logs. System logs of activities at Horizon systems such as user logon and administration and other security relevant events, including system, network and firewall management. Logs at relevant Post Office Account internal systems. Archives of these at the archive server, retrieved from archive media there. Manual records associated with IT access. Many events are collected centrally using Tivoli (via Patrol and OpenView where needed). The technician monitoring the systems management workstation will alert the Security Event Auditor of specified types of significant events. However, some event records will remain in local audit logs.
  Systems accessed: Most, except Post Office outlets

Role: Post Office Ltd. Auditor
  Main job functions: Auditing operation of a Post Office.
  IT functions & data access: Authorised Riposte functions after authentication using one-shot password.
  Systems accessed: Post Office outlets only

Role: Post Office Ltd. Emergency Manager; Post Office Ltd. Investigator
  Main job functions: Taking the role of an Emergency Manager who may take over from the manager after suspected fraud or when a Post Office is closed down or transferred to a different manager. Post Office start-up functions.
  IT functions & data access: Authorised Riposte functions after authentication using one-shot passwords.
  Systems accessed: Post Office outlets only
Role: External Auditor
  Main job functions: A Post Office Ltd. or NAO Auditor auditing the operation of Post Office Account.
  IT functions & data access: External auditors have (indirect) access via Post Office Account Auditors, rather than direct access to the Horizon systems. There are some differences in data available to different External Auditors.
  Systems accessed: None

OCMS Roles with Data Centre access

Role: OCMS users (Post Office Account)
  Main job functions: Handle calls from Post Office Account suppliers and Post Office outlets forwarded from Horizon system help desk. Queries and limited updates to OCMS depending on call.
  IT functions & data access: Query and update access to OCMS.
  Systems accessed: OCMS

Role: Auto-configuration user (Post Office Account)
  Main job functions: OCMS staff managing the data going through the auto-configuration database (ACDB). This includes some update access.
  IT functions & data access: Query access plus update as permitted by ACDB/client.
  Systems accessed: ACDB

Role: ACDB data administrator
  Main job functions: Administering the central services site information in the ACDB.
  IT functions & data access: Query access plus update as permitted by ACDB/client.
  Systems accessed: ACDB

Role: Installation engineer
  Main job functions: Start-up of Post Office outlets.
  IT functions & data access: Auto-configuration application only.
  Systems accessed: PO links to boot server

System and Operational Management and Support

Operational Management

Role: Computer Operator
  Main job functions: Local operation of the machine such as media handling.
  IT functions & data access: On Sequent/Solaris, the ability to run pre-defined jobs, such as back-ups. On NT/Microsoft, media handling only, including archive media.

Role: Operational management / System Administrator (Core Services)
  Main job functions: Management of the operating system. On Sequent/Solaris, any action needed concerned with replication between campuses and local archiving. Job scheduling (Sequent/Solaris & NT/Microsoft) using Maestro workstation. Code updates when required quickly (prior to update via configuration management) and authorised.
  IT functions & data access: Access to required operating system functions. On Sequent/Solaris, this can allow use of ROOT, UNIX commands and Oracle DBA functions under controlled conditions (see 5.3). Operational monitoring/management using Patrol.
  Systems accessed: All Seq/Solaris; all NT/Microsoft (except PO); all Solaris

Role: Security Management (Core Services)
  Main job functions: Administering UNIX/NT/Microsoft user information, including group membership for all users; also, on Sequent/Solaris, in secure menu system. Administering Oracle database administrator users and associated roles and privileges. Security monitoring.
  IT functions & data access: User administration and related functions.
  Systems accessed: All Seq/Solaris; NT/Microsoft (not PO); Solaris

Role: Secure menu administrator (Sequent/Solaris only)
  Main job functions: Configuration of the secure menu system, including addition of new functions.
  IT functions & data access: Pre-defined agreed functions.
  Systems accessed: Seq/Solaris

Role: System Monitoring (Sequent/Solaris only)
  Main job functions: Monitoring the operational system.
  IT functions & data access: Patrol via an appropriate workstation.
  Systems accessed: Seq/Solaris
Role: Engineer
  Main job functions: Hardware diagnostics and repair.
  IT functions & data access: Access to diagnostics and, if needed, data on suspect hardware.
  Systems accessed: All systems except PO

Role: Base Installation and configuration
  Main job functions: Initial installation and configuration of the base system (Sequent/Solaris and Oracle databases). Later updates to these.
  IT functions & data access: As job function for Data Centre systems and Post Office Account managed systems, except POs where there is a special installation engineer.

Role: Dynix 3rd line support
  Main job functions: Operational management of Sequent/Solaris by UNIX staff when Core Services cannot cure problem.
  IT functions & data access: UNIX, which can include ROOT access under controlled conditions.
  Systems accessed: Seq/Solaris

Role: Database monitor
  Main job functions: Monitoring Oracle databases.
  IT functions & data access: Read only access; on Oracle, use of SQL*Plus, svrmgr.
  Systems accessed: Seq/Solaris

Role: Operational management / Database administrator
  Main job functions: Oracle database administrator for database structure: setting up views, space allocation etc.
  IT functions & data access: DBA functions for specified applications (CORE_SERVICES_DBA role).
  Systems accessed: Seq/Solaris

Role: Oracle database 3rd line support
  Main job functions: Operational management of Oracle on Sequent/Solaris when Core Services cannot cure problem.
  IT functions & data access: Read only access; Oracle DBA and limited UNIX functions.
  Systems accessed: Seq/Solaris

Role: Archive Administration
  Main job functions: Managing the audit archives.
  IT functions & data access: Audit archives via archive client.
  Systems accessed: Archive server
System Management: SMC roles

Role: System Management Centre Unit functions
  Main job functions: System management activities are: planned system management actions, for example the distribution of software or the implementation of new Post Office outlets; monitoring the system and taking action when this is needed; resolving technical problems passed on by the Horizon System Help Desk. They also handle PO Key Recovery.

Role: SMC/HSH technician or technical specialist
  Main job functions: Monitoring the system: software distribution, the auto-configuration process and other system management events. For software distribution, select targets for distribution from those authorised and report on progress. Run pre-defined, pre-allocated tasks. Raise alarms on pre-defined conditions.
  IT functions & data access: Tivoli/Oracle facilities for authorised functions (no NT/Microsoft/UNIX tools). Pre-defined Tivoli tasks can be used for a variety of system management tasks, including Riposte administration at the Correspondence servers.
  Systems accessed: Tivoli servers via Tivoli client
Role: SMC/HSH technical team leader
  Main job functions: For software distribution, authorise targets for distribution, change priorities or cancel distribution and report on progress. Other system management tasks as SMC technician. Authenticating users at the Post Office using one-shot passwords. Assisting in Post Office Key Recovery.
  IT functions & data access: Tivoli/Oracle facilities for authorised functions (no NT/Microsoft/UNIX tools). For one-time password authentication, special security system with access to special application only. For PO Key Recovery, application at KMS.
  Systems accessed: Tivoli servers via Tivoli client; (KMA for PO recovery)

Role: SMC MSS technical support
  Main job functions: Handle receipt of software and auto-configuration information. Configure Tivoli event management: configure the view of events by others and task/event relationships, and add new Sentry monitors. Create Tivoli tasks and allocate to SMC technicians. System administration of the SMC workstations and Tivoli servers (NT/Microsoft and UNIX systems) including backup/recovery. Access to the ISDN files on the boot server in order to provide live support.
  IT functions & data access: Tivoli/Oracle facilities for authorised functions. Authorised NT/Microsoft/UNIX tools.
  Systems accessed: Tivoli servers via Tivoli client
Role: SMC Security Manager
  Main job functions: User administration: adding SMC and other users to the SMC domain and to Tivoli. Allocating users' rights, e.g. roles, groups.
  IT functions & data access: Tivoli and OS user and role administration.
  Systems accessed: Tivoli servers via Tivoli client

Software Distribution

Role: Software Distributor
  Main job functions: Initiates transfer of software to the depot/Tivoli at the Data Centre for distribution to the operational system after authorisation by CS Release Manager.
  IT functions & data access: Functions at signing server to initiate transfer.
  Systems accessed: Signing Server at Post Office Account project site

Network Management

Role: Network Technician (Core Services)
  Main job functions: Monitoring the network.
  IT functions & data access: Specified OpenView and CiscoWorks/CiscoView functions and the NMS only. (No direct UNIX access.)
  Systems accessed: NMS

Role: Network Manager (Core Services)
  Main job functions: Monitoring the network. Updating router configuration information, e.g. Post Office information, e.g. Fujitsu Services Core Services address. Access lists of permitted addresses, protocols, and ports. Updating information about routers available when needed (including confirming bringing a mended one back on line; see below).
  IT functions & data access: OpenView and CiscoWorks network management functions, but no direct UNIX access at the NMS.
  Systems accessed: NMS
Role: Network Management Configurer (Core Services)
  Main job functions: Configuring NMS including OpenView, e.g. what to display to whom; actions to be taken on certain events. Configuring Tivoli Event Adapter.
  IT functions & data access: OpenView configurer functions only (no UNIX access).
  Systems accessed: NMS

Role: Network Security Manager (Core Services)
  Main job functions: Maintain user information for those users permitted to use this system, both UNIX users and OpenView users. Local auditing of network management activities at this system.
  IT functions & data access: User administration functions.
  Systems accessed: NMS

Role: Cisco support
  Main job functions: nth line support of routers.
  IT functions & data access: Telnet access to routers.
  Systems accessed: Routers

Firewall Management

Role: Firewall Manager
  Main job functions: Maintains the firewall configuration and policy data.
  IT functions & data access: Defined as NT/Microsoft & Enterprise Centre user; authenticated with token to NT/Microsoft workstation, and authenticated to the Enterprise Centre application.
  Systems accessed: Checkpoint FW-1 via Enterprise Manager/Centre on Solaris system; Cisco PIX & FWSM via Cisco XXX
Role: Firewall Monitor
  Main job functions: Read access to alerts, logs and the rule base.
  IT functions & data access: As above.
  Systems accessed: As above

Technical Help Desk and Application and Other Support

Role: Horizon Systems Help Desk
  Main job functions: Receiving technical queries from all IT users of Post Office Account (internal and external) and answering queries on these calls. Answering some technical queries and forwarding other calls on to the appropriate 2nd line support unit. Note, this includes forwarding calls on PO key and password recovery to SMC.
  IT functions & data access: These users have no access to the main Data Centre and other operational systems. They have access to supporting services such as Powerhelp for call handling and special versions of Post Office Account (Post Office) applications (without real data etc.) to assist answering calls from Post Office staff.
  Systems accessed: Internal systems only

Role: Application support user
  Main job functions: Supporting applications on Sequent/Solaris, both Oracle applications and Access services.
  IT functions & data access: Read only access to event logs and other relevant files and databases. (This does not include the Post Office counters.) Tivoli server access is restricted to pre-authorised tasks to extract diagnostic info for POs. Access is managed and supported using SSH client via Terminal Server. (Oracle MONITOR role on Sequent/Solaris.)
  Systems accessed: Most NT/Microsoft; Seq/Solaris test rigs

Role: Application support manager
  Main job functions: Supporting applications as above, plus correcting data when required and authorised under controlled conditions.
  IT functions & data access: As above, plus controlled write access to application data using SSH client via Terminal Server. (Oracle SSC role on Sequent/Solaris.)
  Systems accessed: As above
Other Hardware and System Support

Role: EMC
  Main job functions: Handling problems with Symmetrix discs.
  IT functions & data access: Access to EMC disc controller (and to discs) using special EMC client.
  Systems accessed: EMC
Notes:
This table does not include the software distribution related roles at the Configuration Management system, as the CM is not on the secure LANs covered by the ACP. These roles are:
* CS Release Manager (authorising software (new software and fixes), configuration information etc. for release, after testing at the test rigs).
* Configuration librarians (maintaining the library of software at the Configuration Management system and initiating signing and distribution of software after authorisation).
* The Key Handler role needs to be performed on-site whenever systems are rebooted, so is generally performed by the organisation at that site, e.g. Post Office Ltd. at their Outlets.
* There are associated manual processes to authorise some of the actions above and to liaise with other Post Office Account units involved in software distribution and auto-configuration. For example:
  - Team Leaders and SMC Managers can authorise software distribution.
  - Only SMC Managers can authorise creation of new Tivoli tasks.
All changes distributed via Tivoli first go through the standard Configuration Management system with its associated processes for change control, testing and authorising release.
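The authorisation rules above (an adjustment raised by a Management Support Analyst is finally authorised by a Management Support Manager; a technician selects distribution targets only from those a team leader or SMC Manager has authorised; only an SMC Manager authorises new Tivoli tasks) can be expressed as role-based checks with a separation-of-duties constraint. The following is an added example written for this edit, not code from the policy or from Fujitsu; the role names come from the table, while the user names and request records are constructed sample data.

```python
"""Role-based authorisation checks modelled on the Horizon ACP role table.

Added example, not part of the original policy document. Role names and
rules follow the table and its notes; users and requests are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Role -> actions the table or the notes permit that role to perform.
ROLE_ACTIONS = {
    "Management Support Analyst": {"adjust_record"},
    "Management Support Manager": {"adjust_record", "authorise_adjustment"},
    "SMC technician": {"select_targets", "run_task"},
    "SMC technical team leader": {"select_targets", "run_task",
                                  "authorise_distribution"},
    "SMC Manager": {"authorise_distribution", "authorise_task_creation"},
    "SMC MSS technical support": {"create_task"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def can(user: User, action: str) -> bool:
    """True if at least one of the user's roles grants the action."""
    return any(action in ROLE_ACTIONS.get(role, ()) for role in user.roles)


@dataclass
class Adjustment:
    """A change to business records: raised by an Analyst (or Manager) and
    finally authorised by a Manager who is not the person who raised it."""
    record_id: str
    raised_by: str
    authorised_by: Optional[str] = None


def raise_adjustment(user: User, record_id: str) -> Adjustment:
    if not can(user, "adjust_record"):
        raise PermissionError(f"{user.name} may not adjust business records")
    return Adjustment(record_id, raised_by=user.name)


def authorise_adjustment(adj: Adjustment, approver: User) -> bool:
    """Second-person rule: the approver must hold the authorising role and
    must differ from whoever raised the adjustment. Returns False and leaves
    the adjustment unauthorised otherwise."""
    if not can(approver, "authorise_adjustment") or approver.name == adj.raised_by:
        return False
    adj.authorised_by = approver.name
    return True


def select_distribution_targets(user: User, requested: Iterable[str],
                                authorised: Iterable[str]) -> set:
    """A technician may only select targets already authorised by a team
    leader or SMC Manager; unauthorised targets are dropped from the set."""
    if not can(user, "select_targets"):
        raise PermissionError(f"{user.name} may not select distribution targets")
    return set(requested) & set(authorised)


def create_tivoli_task(creator: User, authoriser: User) -> bool:
    """New Tivoli tasks are created by MSS support and need an SMC Manager's
    authorisation (closing notes); a team leader's approval is not enough."""
    return can(creator, "create_task") and can(authoriser, "authorise_task_creation")
```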