FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
Document Title:
Document Type:
Release:
Abstract:
Document Status:
Originator & Dept:
Contributors:
Internal Distribution:
External Distribution:
Approval Authorities:
Service Description for Implementation and maintenance of
security policy and procedures
Customer Services Specification
N/A
A description of the Implementation and maintenance of the
security policy and procedures
For Approval
Graham Hooper / Pete Sewell, Fujitsu Services Customer Services
Graham Hooper / Pete Sewell
(For Originator to distribute following approval)
(For Document Management to distribute following approval)
(See PA/PRO/010 for Approval roles)
Name Position Signature Date
(Martin Riddell Director of Customer Service
Sue Lowther Post — Office InformationI
Security Manager
© 2002 Fujitsu Services
SECURITY CLASSIFICATION Page: I of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
0.0 Document Control
0.1 Document History
\Version No. Date [Reason for Issue (Associated
(CP/PinICL
0.1 19/12/01 Initial Draft
(0.2 23/12/02 IMasons’ comments on v0.1
0.3 1/12./02 ‘Sue Lowther (POL) comments on version 0.2
0.4 31/12/02 IGraham Hooper / Masons’ comments on Version 0.3
1.0 6/01/2003 Issued for Approval
0.2 Review Details
Review Comments by: [Date
Review Comments to: [Originator
Mandatory Review Authority Name
[Director of Customer Service artin Riddell
Post Office Information Security Manager Sue Lowther
Optional Review / Issued for Information
( * ) = Reviewers that returned comments
0.3. Associated Documents
Reference Version [Date Title Source
IPA/TEM/001 7.0 2" April 2002 Fujitsu Services Document PVCS
(Template
IRS/POL/002 ‘Security Policy PVCS
IRS/FSP/001 Security Functionalpycs
specification
IRS/FSP/003 ‘Statements on Securit:
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 2 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
Objectives and Methods for the
Protection of Siemens Metering,
(Code and Data
IBP/POL/002 Post Office Counters Informationlpost Office Ltd
System Security Policy
IBP/ION/002 ‘A code of Practice for Postpost Office Ltd
Office Information System:
‘Security
IRS/CSD/001 \dss/itstds Departmental IT Securit
‘Standards
IRS/PRD/004 Security Incident Management [pyCs / Pos
(Office
IBP/SPE/nnn BS Definition PVCs
IRS/POL/003 ‘Access Control Policy IPVCS
Unless a specific version is referred to above, reference should be made to the current
approved versions of the documents.
0.4 Abbreviations/Definitions
(Abbreviation
Definition
0.5 Changes in
this Version
\Version
Changes
0.6 Changes Expected
\Changes
© 2002 Fujitsu Services
SECURITY CLASSIFICATION
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
Page: 3 of I
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
0.7
1.0 SERVICE SUMMARY....
2.0 SERVICE PRINCIPLES...
3.0 SERVICE DEFINITION...
3.1
3.2
3.3
3.4
3.9
3.10 INFORMATION RETRIEVAL AND AUDIT...
3.11 SUBJECT INFORMATION REQUESTS...
4.0 SERVICE AVAILABILITY.
5.0 SERVICE LEVELS AND SERVICE TARGETS....
6.0 SERVICE DEPENDENCIES & POST OFFICE RESPONSIBILITIES....
6.1
6.2
7.0 DOCUMENTATION.
Table of Contents
SECURITY ORGANISATION AND MANAGEMENT... . sees . sesseeeeeeeee 7
COMPLIANCE MONITORING AND AUDIT. .....ccsssssssssssssssssssseesessssssnsssnsssseeneseesssiunnnnnnsneceeeesenenenees 7
CRYPTOGRAPHIC KEY MANAGEMENT. .......-:sscssssssesssssssessssessnssssensnnsesessnneseennnsseeennnseeeennnseesessssee 8
SECURITY EVENT MANAGEMENT AND FIREWALL EVENT ANALYSIS. 9
SYSTEM AND PHYSICAL ACCESS CONTROL..... .. 10
ANTI-VIRUS AND MALWARE MANAGEMENT... 10
SECURITY INCIDENT REPORTING AND PROBLEM MANAGEMI
SYSTEM SECURITY CHANGE MANAGEMENT ll
SECURITY AWARENESS AND TRAINING...
SERVICE DEPENDENCIES. 19
Post OFFICE ‘SPONSIBILITIES. 19
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 4 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
1.0 Service Summary
This Security Management Service provides a wide range of security-related activities that
assists the establishment and maintenance of an ISO17799 compliant infrastructure, supports
legal and contractual obligations and minimises and controls liabilities to Fujitsu Services,
Pathway and Post Office Ltd. The service monitors operations and introduces specific
protective security controls on a risk assessment basis to maintain the integrity, availability and
confidentiality of information used and produced by the various Services and the support
environment.
Fujitsu Services’s overarching obligations for delivering and continuing to provide a secure
system are set out in Clause 8 of the Agreement.
The elements of the Security Management Services are as follows:
¢ Implementation and maintenance of security policy and procedures
© Compliance monitoring and audit
e Cryptographic key management
¢ Security event management and firewall event analysis
e System and physical access control
e Anti-Virus and malware management
¢ Security incident reporting and problem management
e System security change management
e Security awareness and training
e Audit data retrievals and prosecution support
¢ Subject Information Requests management
Each of these services are described in Section 3.
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 5 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FU.
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
FUJ00001743
}J00001743
2.0 Service Principles
2.1.1
The following service principles will apply in the provision of the Security
Management Service. Security Management staff will:
a)
b)
c)
be appropriately trained to carry out the service;
provide the appropriate balance between contractual and legal obligations and the
need to maintain delivery of the various Services;
be responsive to prevailing threats and vulnerabilities. Resource is therefore
allocated on a flexible, risk management basis.
The Fujitsu Services’ Information Security Manager shall be responsible (but may
nominate a representative to act on his behalf) for:
a)
b
c)
d)
e)
co-operating with the Post Office Information Security Manager in the
development of Post Office’s network banking automation security policy as
specified in paragraph 7.3.1 of Schedule 2 (Policies and Standards);
establishing Fujitsu Services's revised security policy as specified in paragraph 7.3.2
of Schedule 2 (Policies and Standards);
Communicating to the Post Office Information Security Manager the identity of the
persons authorised to receive sensitive security-related material (including
cryptographic key components) on behalf of Fujitsu Services;
receiving from the Post Office Information Security Manager the identity of the
persons authorised to receive such security-related material on behalf of Post
Office;
liaising with the Post Office Information Security Manager in the manner described
in the CCD entitled "Security Incident Management" and paragraph 7.4.2 of
Schedule 2 (Policies and Standards); and
f) liaising with the Post Office Information Security Manager and security representatives of
other parties involved in the End to End Banking on such security-related matters as may
be agreed.
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 6 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
3.0 Service Definition
3.1. Security Organisation and Management
3.1.1 This element of the service provides a number of organisational and management
activities required for compliance with ISO17799:
e Co-ordination of security activities and prioritises activities according to risk;
e Input to contractual and liability issues and assessments of the security impact of
new service requirements and the associated processes necessary to implement
them;
e Creation and maintenance of security-related procedural and process
documentation to assist compliance and help maintain correct operation by staff;
e Regular reviews of other Pathway documentation to provide appropriate security
input and compliance to the requirements of ISO9001;
e Management of ISO17799 gap analysis, preparation of plan for implementation in
accordance with agreed TOR and monitoring of corrective actions.
3.1.2 Fujitsu. Services’s obligations for the establishment of an organised security
infrastructure, compliant to IS017799 are set out in Schedule 2 — paragraphs 4.1.1 to
4.1.3.
3.1.3. Fujitsu Services’s obligations for compliance with Post Office security standards are
set out in Schedule 2 — paragraph 4.1.4
3.1.4 Fujitsu Services’s rights and obligations with regard to the security and processing of
Personal Data are set out in Schedule 2 — paragraphs 2.4 to 2.8.
3.1.5 Fujitsu Services’s rights and obligations with regard to the processing of Personal
Data are set out in Schedule 2 — paragraph 2.4.6.
3.2. Compliance monitoring and audit
3.2.1 This element of the service provides a number of compliance monitoring and audit
activities required for compliance with ISO17799:
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 7 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
e Undertaking of periodic physical security and system security audits of
operational sites on a risk management basis to provide ongoing assurance of
compliance to security policies and procedures. Activities include reviews of
operational processes, provision of reports covering IT, environmental, physical,
personnel security etc. and the monitoring of identified corrective actions;
e Provision of advice and guidance on issues affecting personnel security within
Fujitsu Services including the investigation of personnel security issues and staff
vetting queries.
3.3. Cryptographic key management
3.3.1 This element of the service provides a number of cryptographic key management
activities:
¢ Management of the automated Key Management System (KMS) for the creation,
distribution and installation of required cryptographic material to the live estate.
Maintenance of periodic key replacement for all Branches;
e Operation of functionality & configuration changes to the automated service to
optimise service;
¢ Management of KMS event logging and incident handling to assist 1“, 2", 3 and
4" line support in error resolution and problem management;
e¢ Management of the manual cryptographic estate by maintaining the creation,
distribution, auditing and periodic replacement of cryptographic keys within
agreed timescales;
e Supplier management of cryptographic key suppliers;
¢ Provision of contingency arrangements for Key Management Service to maintain
continuation of service in the event of absence etc.
3.3.2 PIN Pads
The use of PIN Pads and the associated cryptographic management shall be supported by the
NBS. PIN Pads shall comply with the requirements of ISO 9564. Fujitsu Services's
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 8 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
key management for any key directly or indirectly protecting the secrecy of PIN
values (together, "PIN Encryption Keys") shall comply with ISO 11568 Parts I to 3
The key management scheme used between each PIN Pad and the rest of the Post
Office Service Infrastructure shall be the DUKPT scheme as described in section 4.7
and Appendix A of the ANSIX9.24-1998 standard. Moved to Schedule 2 paragraph
10.6.1 3.3.3 In the event of an actual or suspected key compromise in respect of a
PIN Encryption Key used within the Post Office Service Infrastructure, Fujitsu
Services shall implement key change mechanisms in accordance with the principles
stated in ISO 11568 Parts 1 to 3. Where the actual or suspected compromise affects
a key shared with the NBE the parties’ obligations in respect of key change
mechanisms shall be as documented in the CCD entitled “NBE — Horizon
Application Interface Specification” (NB/IFS/008).
3.4 Security event management and firewall event analysis
3.4.1 This element of the service provides a number of security event management and
firewall event analysis activities:
¢ Management of audit mechanisms to monitor detect and record events that might
threaten the security of the Horizon system and associated services;
© Operation of the Security Event Management system utilising the Systems
Management system to track and report events of security significance and daily
monitoring of the system to identify relevant events and logging of details;
e Regular analysis of audit trails to identify new features and vulnerabilities
introduced by new systems to facilitate trend analysis and to assist the
investigation of security breaches;
¢ Reviewing security configurations of event filters to optimise efficiency and
minimise security weaknesses;
¢ Undertaking risk assessments to establish adequate firewall policies / rulebases
and the subsequent monitoring of events generated by the system;
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 9 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
¢ Analysis of firewall event logs using trend analysis software to identify the
presence of any potential attacks or of areas of vulnerability and the provision of
advice for any remedial action;
¢ Prompt investigation and remedial action in order to minimise the impact of any
security breach.
3.5 System and physical access control
3
in
This clement of the service provides a number of system and physical access controls:
¢ Management of the process for validating that Users of the Horizon system are
authorised before being permitted access to the live network;
¢ Management of the allocation and auditing of SecurID tokens where used to
validate that Users who access the live system from locations remote from the
Data Centres do so via secondary token authentication. Undertaking of supplier
management of tokens and licencing costs.
3.6 Anti-Virus and malware management
3.6.1 This element of the service provides a number of anti-virus and malware management
activities:
¢ Management of the distribution of updated anti-virus software across the live
estate to maintain protection of the service from malicious software;
¢ Initial configuration of alerting mechanisms and event filters to provide automatic
notification and prompt virus incident response;
e Provision of regular DAT updates to identify and cleanse new and emerging virus
strains;
e Daily checks of emerging viruses and other malicious software to inform threats
and determine the required defensive measures;
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 10 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
¢ Provision of event monitoring and incident response via normal incident handling
procedures. Analysis of details to understand the threat and inform corrective
actions.
3.6.2 Protection against malicious software for NBS
Fujitsu Services shall provide protection against malicious software as set out in
paragraph 8.1 of the CCD entitled “NBS Definition”.
3.7 Security incident reporting and problem management
3.7.1. This element of the service provides a number of security incident reporting and
problem management activities:
¢ Provision of a central point of contact for all security-related issues;
e Investigation and reporting to Post Office of any actual or potential threats or
breaches that may have a material effect on the Services in accordance with
agreed procedures;
e Provision of ongoing liaison with Post Office and support to the Fujitsu Services’
Security Board as defined in the CCD entitled “Pathway Security Policy”
(RS/POL/002).
3.8 System security change management
3.8.1 This element of the service provides a number of system security change management
activities:
e Management of security compliance with agreed change processes and the
assessment of the business and security impact of PinICLs and other problem
management systems including the provision of options for resolution and
containment of security and business risk;
e Assessment of the business and security impact of change proposals and the
assessment and approval/rejection of security related operational change proposals.
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 11 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FU.
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
FUJ00001743
}J00001743
3.9 Security awareness and training
3.9.1
This element of the service provides a security awareness programme for Fujitsu
Services and relevant Post Office personnel. The service covers the provision of
periodic awareness activities and training including induction training, presentations
and briefing notes and input to magazines, journals and other periodicals.
3.10 Information Retrieval and Audit
3.10.1 For the purpose of this paragraph 3.10
“Banking Transaction Record Query” means a Record Query in respect of a
Banking Transaction which the Data Reconciliation Service has reconciled or has
reported as an exception, the result or records of which are subsequently queried or
disputed by Post Office or a third party;
“Audit Record Query” means a Record Query which is not a Banking Transaction
Record Query and which relates to Transactions;
“Old Format Query” means the extraction of records created before
commencement of NB Pilot (Soft Launch) relating to Transactions (other than
Banking Transactions) meeting the Search Criteria, such extraction being limited to
the following specific types of information/data fields: the ID for the User logged-on,
Counter Position ID, stock unit reference, Transaction ID, Transaction start time and
date, Customer Session ID, mode (e.g. serve customer), product number and
quantity, and sales value;
“Period One” means, in respect of each Transaction the period of 90 days
commencing on the date of that Transaction;
“Period Two” means, in respect of each Transaction the period commencing the day
after expiry of Period One for that Transaction, expiring the earlier of the date:
a) 18 months (in the case of Transaction records created before
commencement of NB Pilot Soft (Soft Launch)) or 7 years (in the case
of Transaction records created after commencement of NB Pilot Soft
(Soft Launch)), after the records of that Transaction were first created;
or
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 12 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
b) of completion of transfer of Post Office Data (including the record of
that Transaction) in accordance with Schedule 22.
“Query Day” means each date against which an Audit Record Query or an Old
Format Query is raised;
“Record Query” means the extraction of records created after commencement of
NB Pilot (Soft Launch) in accordance with the terms of this paragraph 3.10 relating
to Banking Transactions (and, in the case of Audit Record Queries relating to all
Transactions) meeting the Search Criteria, such extraction being limited to specific
types of information/data fields as follows:
e in the case of an Audit Record Query - the ID for the User logged-on,
Counter Position ID, stock unit reference, Transaction ID, Transaction
start time and date, Customer Session ID, mode (e.g. serve customer),
product number and quantity, and sales value; and
e in the case of a Banking Transaction Record Query - Banking Transaction
ID, Banking Transaction type, receipt date, receipt time, the reason code
(in the case of a discrepancy) and DRSH sub-value(s) (eg CO Confirmation,
C1 Confirmation, NB Decline); and
“Search Criteria” means:
e in the case of an Audit Record Query or Old Format Query either of:
a) date or dates (not exceeding 31 consecutive days), time-range, Branch
and PAN (or equivalent identifier); or
b) date or dates (not exceeding 31 consecutive days), time-range and
Branch; and
e inthe case of a Banking Transaction Record Query either of:
a) date, time-range, Branch and PAN; or
b) date, time-range and Branch,
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 13 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
Fujitsu Services
Service Description for the Security Management
Service
COMMERCIAL IN-CONFIDENCE
Ref: CS/SER/016
Version: 1.0
Date: 06-JAN-2003
to be specified for each individual Record Query or Old Format Query (as
applicable).
3.10.2
Fujitsu Services shall have access (such access being restricted to properly authorised
Fujitsu Service staff) to records of each Banking Transaction during Period One and
Period Two.
3.10.3
a)
Limits and target times for Record Queries
The table below sets out the limits on Record Queries and/or Old
Format Queries which Fujitsu Services shall be obliged to carry out and
the target times for carrying out each Record Query and/or Old Format
Query:
1) Limits on
[Transaction Record Queries
Banking
2) Aggregate Limits 01
‘ormat Queries
(3)
Audit Record Queries and oe
Limits on Old Format,
[Period One [Period Two
[Period One and Period Two
[Period One and Period Two
Limits [900 per year (o
la rolling year
ibasis) with no
more than 126
lin any calendar
month
vith
than
no
14 in
100 per year (on al
rolling year basis)
‘alendar month
Subject to paragraph 3.10.6 below]
the limit per year (on a rolling yea
3) shall be the first of th
following to be reached: (i) 330 (inI
aggregate) Audit Record Querie:
nd Old Format Queries; or (ii
4620 Query Days, and the limit per
calendar month shall be the first off
the following to be reached (i) 46)
‘in aggregate) Audit Record QueriesI
nd Old Format Queries, or (ii) 650
ery Days
mor
any
[The limit per year (on a rolling year,
basis) shall be the first of the
following to be reached: (i)
150 Old Format Queries; or (ii) 70
Query Days, and the limit pe
alendar month shall be the first of th
following to be reached: (i) 7 Old
cormat Queries; or (ii) 98 Query
ays.
(Target
[Time
Ss MSU Days I7 MSU Days
Subject to paragraph 3.10.4 below
nd applicable only in respect o}
[Audit Record Queries, 7 working}
lays (for queries of 14 or less days’
duration) and 14 working days (for
jueries of greater than 14 days’
luration).
{Subject to paragraph 3.10.4 below, 14)
working days (for queries of 14 or less
ldays’ duration) and 28 working days
for queries of greater than 14 days”
\duration).
b)
The limits set out in columns numbered I and 2 in the table above and
the provisions of this paragraph 3.10 relevant in connection with the
© 2002 Fujitsu Services
SECURITY CLASSIFICATION
Page: 14 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services
FUJ00001743
FUJ00001743
Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
c)
4)
e)
3.10.4 Where:
a)
b)
application of those limits shall apply with effect from commencement
of NB Pilot (Soft Launch)
The limits set out set out in the column numbered 3 in the table above
and the provisions of this paragraph 3.10 relevant in connection with
the application of those limits shall apply with effect from the date of
approval by both parties of the CCN which introduces the NBS
(CCN850) and shall cease to be applicable 18 calendar months after the
commencement of NB Pilot (Soft Launch).
For the purpose of applying the limits in column 3 from the date of
approval by both parties of the CCN which introduces the NBS
(CCN850), the equivalent of Old Format Queries (and associated
Query Days) carried out in the 12 months prior to that date shall count
towards the annual limit (on a rolling year basis) and the equivalent of
Old Format Queries carried out in the calendar month in which the NBS
CCN is approved (prior to the date of such approval) shall count
towards the limits for that month.
For the purpose of applying the limits in columns 2 and 3 after
commencement of NB Pilot (Soft Launch), any Old Format Queries
(and associated Query Days) carried out in the 12 months prior to
commencement of NB Pilot (Soft Launch) shall count towards the
annual limits (on a rolling year basis) and Old Format Queries carried
out in the calendar month in which NB Pilot (Soft Launch) commences
(prior to that commencement) shall count towards the limits for that
month.
anew Audit Record Query or Old Format Query is received by Fujitsu
Services or Post Office requires analysis of an existing Audit Record
Query or Old Format Query; and
a member of Fujitsu Services’s personnel is needed to deal with that
new or existing Audit Record Query or Old Format Query; but
© 2002 Fujitsu Services
SECURITY CLASSIFICATION Page: 15 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
c) that person is unavailable due to his or her attendance at court or other
proceedings in connection with an Audit Record Query or Old Format
Query,
the target times specified in paragraph 3.10.3 shall not apply to that new or existing
Audit Record Query or Old Format Query referred to in paragraph 3.10.4 (a) which
Fujitsu Services shall instead deal with as soon as reasonably practicable.
3.10.5 For the avoidance of doubt, the limits set out in paragraph 3.10.3 in respect of
Banking Transaction Record Queries shall not apply in respect of reconciliation
incident management and settlement reporting carried out as a function of the Data
Reconciliation Service.
3.10.6 Post Office may at any time on three months’ notice (such notice expiring no earlier
than commencement of NB Pilot (Soft Launch) vary the aggregate limits of Audit
Record Queries and Old Format Queries which Fujitsu Services is required to carry
out as specified in column numbered 2 in the table in paragraph 3.10.3,
3.10.6.1 between
a) the limits specified in paragraph 3.10.3; and
b) the following substitutes for those limits (applicable on the same
basis): 550 Audit Record Queries or 7700 Query Days per
year on a rolling year basis, and 77 Audit Record Queries or
1078 Query Days per calendar month;
3.10.6.2 and between
a) the substitute limits set out in paragraph 3.10.6.1(b); and
b) the following substitutes for those limits (applicable on the same
basis): 800 Audit Record Queries or 11200 Query Days per
year on a rolling year basis, and 112 Audit Record Queries or
1568 Query Days per calendar month,
and in each case Fujitsu Services’s charges in respect of dealing with
any Audit Record Queries and/or Old Format Queries up to the limits
as varied in accordance with this paragraph shall be as specified in
Schedule 10.
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 16 of I
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
3.10.7 Post Office shall submit:
(a) Banking Transaction Record Queries to the Horizon System Help Desk
which will pass the Record Query to Fujitsu Services’s customer service
management support unit; and
(b) Audit Record Queries and Old Format Queries to Fujitsu Services’s
customer service security prosecution support section.
Fujitsu Services shall accept Record Queries and Old Format Queries only from
properly authorised Post Office staff.
3.10.8 Litigation Support
Where Post Office submits an Audit Record Query or Old Format Query, at Post
Office’s request Fujitsu Services shall, in addition to conducting that query:
a) present records of Transactions extracted by that query in either Excel
95 or native flat file format, as agreed between the parties; and
b) subject to the limits set out below:
(i) analyse:
. the appropriate Fujitsu Service’s Help Desk records for
the date range in question;
. Branch non-polling reports for the Branch in question;
and
. fault logs for the devices from which the records of
Transactions were obtained
in order to check the integrity of records of Transactions extracted by that
query,
(ii) request and allow the relevant employees of Fujitsu Services to
prepare witness statements of fact in relation to that query, to
the extent that such statements are reasonably required for the
purpose of verifying the integrity of records provided by Audit
Record Query or Old Format Query, and are based upon the
analysis and documentation referred to in this paragraph 3.10.8;
and
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 17 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
(iii) request and allow the relevant employees to attend court to give
evidence in respect of the witness statements referred to in (ii)
above,
provided that:
(iv) Fujitsu Services’s obligations set out in (i) and (ii) above shall
be limited, in aggregate, to dealing with a maximum of 150 (in
aggregate) Record Queries and Old Format Queries per year
(on a rolling year basis); and
(v) Fujitsu Services’s obligations in the case of provision of
witnesses referred to in paragraph (iii) above shall be to provide
witnesses to attend court up to a maximum (for all such
attendance) of 60 days per year (on a rolling year basis).
For the avoidance of doubt the target times set out in paragraph 3.10.3
for dealing with Audit Record Queries and Old Format Queries shall
not apply in respect of Fujitsu Services’s obligations under paragraph
3.10.8.(b).
3.10.9 Any information requested beyond that available by Record Query and/or any witness
statements or witness attendance beyond that available in accordance with this
paragraph 3.10 shall be agreed on a case by case basis and shall be dealt with in
accordance with the Change Control Procedure.
3.10.10 Sensitive Card Data included in records of Banking Transactions extracted by Record
Query and provided to Post Office (but, for the avoidance of doubt, not that included
in records for Transactions extracted for Audit Record Queries in respect of any other
Post Office Service) shall be in the encrypted form in which they are held by the NB
System.
3.10.11 Audit Access
Reasonable access to the audit trail of Banking Transactions for Post Office auditors
for audit purposes shall be by request (and reasonable notice to) Fujitsu Services’s
Audit Manager.
3.11 Subject Information Requests
3.11.1 The management and provision of responses in respect of Subject Information
Requests will be as defined in Schedule 2.
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 18 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
4.0 Service Availability
4.1 The Service will be available between the hours of 08:00 to 17:30 Monday to Friday
excluding all Bank and public holidays.
5.0 Service Levels And Service Targets
5.1 Relevant SLA targets relate primarily to Audit Record Queries, which are defined in
Section 3 of this document and Subject Information Requests which are defined in
Schedule 2.
6.0 Service Dependencies & Post Office Responsibilities
6.1 Service Dependencies
6.1.1 The dependencies on the provision of Information Retrieval and Audit are set out in
Section 10 of this document CS/SER/016.
6.1.2 The dependencies on the provision of Subject Information Requests are set out in
Schedule 2 - paragraph 2.4.10.
6.2 Post Office Responsibilities
6.2.1 Post Office’s security — related responsibilities as set out in Schedule 16.
6.2.2 Post Office’s authority and obligations with regard to compliance with the Data
Protection Act are set out in Schedule 2 — paragraphs 2.4 to 2.5.
6.2.3. Post Office responsibilities with regard to Subject Information Requests are set out in
Schedule 2 - paragraphs 2.4.9 and 2.4.12.6.2.4 Post Office responsibilities with
regard to the provision of an Information Security Manager are set out in Schedule 4
7.0 Documentation
7A The CCDs applicable to the service are:
a. Security Policy (RS/POL/002);
b. Security Functional Specification (RS/FSP/001);
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 19 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
FUJ00001743
FUJ00001743
Fujitsu Services Service Description for the Security Management _ Ref: CS/SER/016
Service
Version: 1.0
COMMERCIAL IN-CONFIDENCE Date: 06-JAN-2003
c. Security Incident Management (RS/PRD/004);
d. Statements on Security Objectives and Methods for the Protection of Siemens
Metering Code and Data (RS/FSP/003);
e. Post Office Counters Information System Security Policy (BP/POL/002);
f. Acode of Practice for Post Office Information Systems Security (BP/ION/002);
g. Departmental IT Security Standards (RS/CSD/001).
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 20 of 1
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)