FUJITSU
POA Operations Incident Management Procedure
FUJ00080244
FUJ00080244
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Document Title:
Document Type:
Release:
Abstract:
Document Status:
Author & Dept:
Internal Distribution:
External Distribution:
Security Risk
Assessment Confirmed:
Approval Authorities:
Name Role
POA Tower Lead BAS
Nana Parry
POA Operations Incident Management Procedure
Procedure Definition
Not applicable
This document describes the POA Operations Incident Management
Procedure
APPROVED
Tony Wicks — POA Operations
Peter Thompson, Nana Parry, Tony Atkinson, Steve Bansal, Steve
Gardiner, Steve Parker, Leighton Machin, Sathish Ramalingam, Mandy
Jones, David Cooke, Andy Hemingway, Gaby Reynolds, Victoria Hancock,
Yannis Symvoulidis, Roger Stearn, Catherine Obeng, Kumudu Amaratunga,
Sandie Bothick, Bill Membery, Chris Harrison
Antonio Jamasb, POL Business Continuity Manager
Dave King, POL Security Manager
Yes
See Dimensions for record
Mandy Jones
POA HSD Operations Manager
Note: See Post Office Account HNG-X Reviewers/Approvers Role Matrix (PGM/DCM/ION/0001) for guidance.
‘©Copyright Fujitsu Services Ltd 2013
FUJITSU RESTRICTED (COMMERCIALIN _ Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: tof 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
fe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL.
0.1 Table of Contents.
0.2 Document History.
0.3 Review Details.
0.4 Acceptance by Document Review.
0.5 Associated Documents (Internal & External
0.6 Abbreviations.
0.7 Glossary..
0.8 Changes Expected..
0.9
0.10
fl
11
1.2
1.3 Process Rational
1.4 Mandatory Guideline: 10
2 INPUTS.
3
3.1
3.2
4 RESOURCES
4.1 Roles.......
5 PROCESS FLOW.
5.1 Level 1 Incident Management Process...
5.2. Level 2 Incident Management Processe:
5.2.1 Step 1: Incident Detecting, Recording and Initial Classification.
5.2.2 Step 2: Assign Priority and Initial Support.
5.2.3 Step 3: Investigation and Diagnosis.
5.2.4 Step 4: Resolution and Recovery.
5.2.5 Step 5: Incident Closure..
5.2.6 I Step 6: Ownership, Monitoring, Tracking and Communication.
6 OUTPUTS.
7 STANDARDS.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
oO
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
8 CONTROL MECHANISMS.
9
9.1
9.2
9.3 Changes.
9.4 POL Incident Handli
9.5 IT Incidents.
9.5.1 Incident Definiti
9.5.2 — Incident Categorie:
9.5.3 Examples of IT Incidents.
9.5.4 Containment...
9.6 Reporting...
9.7 _ Investigation.
9.7.1 Policy...
9.7.2 POL Security / Investigation Tear
9.7.3 External Investigator.
9.7.4 Evidence Rules.
9.7.5 Process......
9.8 REMEDIAL ACTION.
9.8.1 On Completion of report.
9.8.2 Completion of Investigation.
9.8.3 UNIRAS Reporting
9.9 TRENDS & AUDITING.
9.9.1 Frequency...
Appendix B Security Incident Process flow.
Appendix C Security Incident Report Template.
Appendix D Contacts...
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 3of 1
FUJITSU
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00080244
FUJ00080244
0.2 Document History
Version No. Date Summary of Changes and Reason for Issue Associated Change -
CP/PEAK/PPRR
Reference
0.1 16/10/06 First draft taken from CS/PRO/074. Updated to
include HNG-X document references.
Security Management appendix added
Incident Management Process modified to reflect
current working practises. Hardware and Network
Call priorities referenced
Problem Management escalation changed to
SDM rather than Problem Initiator.
1.0 06/11/06 Updated with comments following review of v0.1.
Issued for approval
1.1 02/03/07 Security Annex has been updated.
2.0 Updated with comments following review of v1.1
Issued for approval
241 14/04/09 Document updated names & job descriptions.
Acceptance section added.
22. 16/04/2009 I Version 2.1 is corrupt
2.3 10/06/2009 I Updated to incorporate PCI DSS and comments
received from Connie G Penn.
3.0 28/07/09 Issued for approval
3.1 03/08/09 Updated to incorporate further comments
received from Paul Halliden
4.0 03/08/09 Issued for approval
44 13/06/11 Updated to include clarified incident priority
definitions and changed personnel names.
4.2 30/06/11 Updated with comments following review of v4.1
5.0 06-Jul-2011 I Approval version
5.1 23-Jan-2012 I Update to include POLSAP and Security updates
5.2 24-Oct-2013 I Major update to align with Business Assurance
Management procedures and for organisational
changes.
6.0 13-Nov-13
Incorporated changes for Sarah Hill HSD and
issued for approval.
0.3 Review Details
‘©Copyright Fujitsu Services Ltd 2013
FUJITSU RESTRICTED (COMMERCIALIN _ Ref.
CONFIDENCE) Version:
Date:
Page No:
‘SVM/SDM/PRO/0018
6.0
13-Nov-2013
4of1
FUJITSU
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00080244
FUJ00080244
Review Comments by
Review Comments to Tony Wicks
Mandatory Review
Role
Name
POA Tower Lead BAS
Nana Parry
POA Lead Problem and Major Incident Manager
Steve Bansal
POA HSD Operations Manager
Mandy Jones
POA Acceptance Manager David Cooke
Optional Ri
Role Name
POA Infrastructure Operations Manager Andy Hemingway
POA Business Continuity Manager
Sathish Ramalingam
POA Lead SDM End User Services
Leighton Machin
POA POLSAP and Online Services SDM
Gaby Reynolds
POA Credence and Sales force SDM
Victoria Hancock
POA SDM Networks Roger Stearn
POA SMC Manager Catherine Obeng
POA Security Manager Kumudu Amaratunga
POA SDM HSD Sandie Bothick
POA Quality Compliance and Risk Manager Bill Membery
POA Lead SDM Online Services
Yannis Symvoulidis
POA Problem Manager Steve Gardiner
POA Engineering SDM Chris Harrison
Post Office Ltd
Security Manager
Dave King
Business Continuity Manager
Antonio Jamasb
(*) = Reviewers that returned comments
‘©Copyright Fujitsu Services Ltd 2013
FUJITSU RESTRICTED (COMMERCIALIN _ Ref.
CONFIDENCE) Version:
Date:
Page No:
‘SVM/SDM/PRO/0018
6.0
13-Nov-2013
5of1
FUJ00080244
FUJ00080244
HITS POA Operations Incident Management Procedure
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0.4 Acceptance by Document Review
The sections in this document that have been identified to POL as comprising evidence to support
Acceptance by Document review (DR) are listed below for the relevant Requirements:
POL NFR DR _ Internal FS POL Document Document Section Heading
Acceptance Ref NFR Reference Section Number
SEC-3166 SEC-3285 9.5.2 Incident Categories
0.5 Associated Documents (Internal & External)
Referen Version Date Title source
PGM/DCM/TEM/0001 Fujitsu Services Post Office Account I Dimensions
(D0 NOT REMOVE) HNG-X Document Template
CSIFS/008 POAIPOL Interface Agreement for the I pycs
Problem Management Interface
SVM/SDM/SD/0025 POA Problem Management Process Dimensions
CS/PRO/110 POA Problem Management Database I pycs
Procedures
PAIPRO/001 ‘Change Control Process Pvcs
CS/QMS/001 Customer Service Policy Manual Pvcs
‘SVM/SDM/SD/0001 ‘Service Desk — Service Description Dimensions:
‘SVM/SDM/SD/0023 Horizon System Helpdesk Call Enquiry I Dimensions
Matrix and Incident Prioritisation
CSIREQIO2S Horizon HSD 7 SMC: Requirements I pycs
Definition
SVM/SDM/PRO/0001 POA Customer Service Major Incident I Dimensions
Process
266/FRMIHSD/001 HSD Business Continuity Plan SharePoint
‘SVMI/SDMIPLA/1048 ‘SMC Business Continuity Plan Dimensions
SVMI/SDM/SD/0002 Engineering Service Description Dimensions
‘SVMI/SDM/PLA/0031 ‘Security Business Continuity Plan Dineneions
HSD SCT 455 Incident Management Process (HSD I Hsp
Service Control Team)
C-MSv1.3 Manage Incidents Process BMS
Unless a specific version is referred to above, reference should be made to the current approved
versions of the documents.
0.6 Abbreviations
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: Gof 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure ~
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
iti
Advice & Guidance
BCP Business Continuity Plan
BMS Business Management System
ciso Chief Information Security Officer
CPP Common Point of Purchase
FI Forensic Investigator
HSD Horizon Service Desk
ICR Initial Case Report
IMT Incident Management Team
Iso International Standards Organisation
ITIL Information Technology Infrastructure Library
KA Knowledge Article also known as KEL
KEDB Known Error Database
KEL Known Error Log (in the context of this document, this is a workaround and diagnostic
database) (Theses are also known as Knowledge Articles.)
MSU Management Support Unit
NBSC Network Business Support Centre
OLA Operational Level Agreement
OMDB Operational Management Database
ORF Operational Review Forum
oTl Open Teleservice Interface
Pcl Payment Card Industry
PCI DSS Payment Card Industry Data Security Standard
PO Post Office
POL Post Office Limited
PSE Product Support Engineers
RFC Request For Change
POA Post Office Account
SAN Storage Area Network
SAP Systems, Applications and Products (in Data Processing)
SDM(s) Service Delivery Manager(s)
SDU Service Delivery Unit
SLT Service Level Targets
SMC ‘Systems Management Centre
SMT Service Management Team
SRRC Service Resilience & Recovery Catalogue
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN _ Ref: SVMISDMIPROI0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: of 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure ~
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
ssc ‘System Support Centre
TS Triole for Services
UNIRAS Unified Incident Reporting & Alerting System
VIP VIP Post Office, High Profile Outlet
0.7 Glossary
Term Definition
Common Point __of I A location identified by card schemes as a single point where a number of stolen cards
Purchase were used before the card was involved in fraudulent activity.
KELs and KAs Note that different support teams refer to knowledge database information as either
Knowledge Articles or Known Error Log. Where within this document KELs are
referred to the reader can also consider them as Knowledge Articles.
Peak The Incident Management System used by POA 3” and 4" line support teams and
other capability units involved in HNGX releases. It is linked with the TfS call
management system
0.8 Changes Expected
en
0.9 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every effort
is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused) sustained as a
result of any error or omission in the same.
0.10 Copyright
© Copyright Fujitsu Services Limited 2013. All rights reserved. No part of this document may be reproduced, stored or
transmitted in any form without the prior written permission of Fujitsu Services.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 8 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
1 Introduction
1.1 Owner
The owner of the Incident Management process at the local POA account level is the Fujitsu POA
Service Delivery Manager responsible for Incident Management within the POA account.
2) Objective
The objective of this document is to define the procedure for Incident Management in the POA
environment. The procedure is the local implementation of the Fujitsu corporate Incident Management
process (C-MSv1.3). Reference to process in this document is within the context of the corporate
document C-MSv1.3. For the purpose of this document an Incident is defined as:
“Any event which is not part of the standard operation of a service and which causes, or may cause, an
interruption to, or a reduction in, the quality of that service.”
The quality of the service includes the protection of the confidentiality of business, personal and card
data as defined by the POA Information Security Policy (SVM/SEC/POL/0003).
The document applies to all Incidents raised by the POA HSD or by SMC (out of hours or from systems
monitoring tools), where they are related to the Fujitsu outsourcing contract. N.B calls presented to POA
HSD / SMC that should be placed with the NBSC are transferred/ referred from POA HSD / SMC to
NBSC.
The scope of the process is from the receipt of an incident by the HSD / SMC, through to the successful
workaround or resolution of the incident.
For clarity, it should be noted that the HSD / IMT are responsible for managing/owning Incidents during
business hours, while SMC assume this responsibility out of hours.
The key objectives of the process are (C-MSv1.3)
Log, track and close all types of incident requests
Respond to all types of incident requests.
Restore agreed service to the business as soon as possible
Resolve incidents within the target timescales set for each priority level within the Service Level
Agreement(s)
Resolve a high number of requests at first contact
Ensuring incident priorities are linked to business priorities
Keeping the user informed of progress
Reduced unplanned downtime
Improved Customer satisfaction
1.3 Process Rationale
The primary goal of the Incident Management process is to restore normal service operation as quickly
as possible, thereby minimising adverse impact to the business. In turn, this ensures the highest level of
service quality and availability. Normal service operation is defined here as service operation within
Service Level Targets (SLT).
This process takes account of the requirements of improved service to be delivered to POL, through the
introduction of the HSD / SMC. The implementation of the IMT is documented and is aimed at
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
delivering improved understanding and communication between POL and POA leading to an increase in
the perceived service level within POL.
1.4 Mandatory Guidelines
It is important to maintain a balance between:
a) Allowing the technical teams the right amount of time to diagnose and impact an incident
b) Avoiding unnecessary alerting of the customer
c) Assessing which incidents are major
The following guidelines should be adhered to.
e During the HSD IMT Core Hours (Monday — Friday 08:00 - 18:00 and Saturday 08:00 - 14:00)
the HSD IMT should be the first point of operational contact between Fujitsu and the end user.
Outside these hours the SMC acts as the first point of contact.
e Any activity detailed in this document which is assigned to the HSD IMT is handed over to the
SMC outside the HSD IMT Core Hours.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 10 of 1
FUJITSU
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
2 = ‘Inputs
The inputs to this process are:
e All Incidents reported by Contact with the HSD / SMC. Contact is defined as voice or Tivoli Alert as
the methods of communication with the HSD / SMC and fall into the following categories:
°
°
°
°
°
°
Business process error
Hardware or software error
Request for information e.g. progress of a previously reported Incident
User complaint
Network Error
Logging via HNG-X web interface
e Severity and SLT information.
e Evidence of an Error.
e System Alerts received automatically from transaction monitoring tools. Due to the urgent nature of
some of these alerts, they may be dealt with directly by SSC, with an update of workaround or
resolution supplied to HSD / SMC. It should be noted that these alerts enter the process at step 3,
and are not subject to steps 1 & 2 of this process.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 11 of 1
FUJITSU
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
3
Risks and Dependencies
3.1 Risks
The following define the risks to the successful delivery of the process:
Break in the communications chain to third parties. Mitigation is to invoke escalation procedures.
Non-availability of the HSD / SMC Incident Management System. Mitigation is given in the HSD /
SMC Business Continuity Plan.
Non-availability of the OTI links to core & external service desk tools.
Lack of information given to the HSD / SMC regarding changes, POL Business updates, request for
changes, status of Problems etc. Processes must be followed to lessen this risk, such as the
Change Management and Problem Management Processes.
Unavailability of sufficient support unit staff
Unavailability of sufficient tools for Incident diagnosis
Non-availability of KEL or call management systems
The provision of inadequate staff training within the HSD / SMC, SDU’s or 3” party suppliers
Unavailability of systems for evidence gathering.
3.2 Dependencies
This process is dependent on:
Effective Incident handling by the HSD / SMC
The known error information being available and kept up to date with all errors as the root cause
becomes known to Problem Management
« Knowledge database kept up to date with POL business and services knowledge
e Fujitsu infrastructure support of the HSD / SMC tools
e Appropriate training plans / skills transfer of desk agents.
« Appropriate training needs to include hardware, software and networks support staff, SDU’s and 3°
party suppliers
e Effective routing of calls to SDUs and third parties
e Effective escalation procedures and the maintenance thereof within Fujitsu, POL and third parties
e Governance of Incident / Problem Management procedures
e Effective feedback to POL through Service Management ORFs, contributing to end user education
and reduced Incident rates.
e — Internal feedback to improve the Incident / Management Process.
* SLT and OLA knowledge and understanding across all Fujitsu and 3 party support
e POA, SDU and 3” party consistent co-operation in incident identification and resolution
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013,
PageNo: 12of 1
POA Operations Incident Management Procedure
Pe)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00080244
FUJ00080244
4 Resources
The resources required for this process are:
« Process Owners
e Incident Management Team
e Service Management Team
« HSD/SMC
« ssc
« SDUs
e Call Management System
« Peak
e Despatch 1
e TIVOLI
e Additional remote Management, Operational and Diagnostic tools
« Detailed Process and Procedure documentation
4.1 Roles
The main roles required by the process are:
e Incident Manager - To drive the Incident Management process, monitor its effectiveness and
make recommendations for improvement. The key objective is to ensure that service is
improved through the efficient resolution of Incidents.
e Service Desk Agent - To provide a single point of contact for users, dealing with the
management of routine and non- routine Incidents, Problems and requests
e Incident Resolver - To accurately diagnose and resolve Incidents and Problems within SLA, and
to assess, plan, build/test and implement Changes in accordance with the Change Management
Process. This role will typically be fulfilled by the support teams and service delivery units.
Detailed definitions of each role include activities and key performance indicators are in the Fujitsu
“Service Management Process Roles and Responsibilities” (C-MSv_roles).
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN __ Ref
CONFIDENCE) Version:
Date:
Page No:
‘SVM/SDM/PRO/0018
6.0
13-Nov-2013
13 of 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5 Process Flow
5.1 Level 1 Incident Management Process
il
. > Incident Detecting, recording and initial
5 classification
=
o
D
g
&
= v
oI
2
= 2
2 << J idI Assign priority and initial support *
G
z
=
G
=
FS yo
ro
2 Py
€ 3 =
jg < > ee2
o E Investigate and diagnose L__ +I 8 5
8 ae
D So
€ s=
S ¢ =8
i g
2 55
2 <——1_ +! 4. I 8 <
2 Resolution and recovery 26
5 S
=
cs
Ee <«
o
o v
=
8 6
>I Incident closure
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPROI0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013,
PageNo: 140f 1
FUJ00080244
FUJ00080244
HITS POA Operations Incident Management Procedure ~
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.2 Level 2 Incident Management Processes
5.2.1 Step 1: Incident Detecting, Recording and Initial Classification
Responsible: HSD / SMC, users, SDU’s, Service Management
\ ( \ ( Service >
SDU _— (system) { conronen J
I
ad
Contact received
at HSD/SMC
aa Yes
<Existing call or >
~ query?
y No
2 o Record Contact,
all
Management advise caller of
pe incident number
14 P
Classification of call - ~ Yee
established _-Caller satisfiea— q >
Error Incident - Advise & “with response? >> Contact ended )
Guidance - Out of Scope - — —.—
Quality ~
J No
15
Advise caller of Call
Reference Number and
action according to
classification
\ I
¥ ¥ ¥v
Incident poe Out of Scope Quality le!
‘ t ‘
A Advise caller of
To Incident Answer enquiry Escalation
Management and close or refer So eee risotto Procedure for
process step 2 to POL NBSC eae cela POL NBSC.
¥ ¥ ¥
I To step To step I To step To step
2 5 ) 5 by
1 Incident Detecting, Recording and Initial Classification
Step I Current l Activities l Accountability
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013
PageNo: 15 of 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure ~
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
No Situation/input Responsibility
eft Incident See specifics
information An Incident is received through contact (see definition in Section 2.0 under Activiti
provided above) with the HSD / SMC from:
Users
Fujitsu SDUs
POA IT Service Management
Third Parties
Fujitsu Service Delivery Management
Post Office Ltd, including POL Information Security
For Ownership, Monitoring, Tracking and Communication by the HSD/HSD
IMT/SMC/SSC see section 5.2.6 below
1.2 Incident HSD, HSD Ih
information / The caller may be enquiring about an existing Incident. Details are SMC, WAKO
details provided I provided and if the response is satisfactory, contact is ended, moving the OOH
incident to step 5. If the caller is not satisfied with the response, the
relevant Escalation Procedure is invoked. In cases of Incidents that are
either taking an above average time (for this type of Incident) to resolve or
involve multiple SDU’s, the HSD / SMC alerts the relevant Service Delivery
Manager to provide focused management of the Incident.
1.3 New incident HSD, HSD IN
details from For a new Incident, Contact details are recorded if not system generated. SMC, WAKO
Incident Initiator I Details taken are dependent upon the error reported. Typically they may OOH
include:
The user’s name and unique ID number
Location and contact details
Alternative contact details (where appropriate)
Hardware details as appropriate
Software error details, including application use at point of failure where
known
Business and User Impact
Description of Incident
Location access times
Caller assessment of the priority of the incident.
1.4 Classify the HSD, HSD IN
incident Classification of Call determined as one of the following: SMC, WAKO
Error Incident — invoke Incident Management Process Step 2 OOH
Quality — record details of complaint or compliment and invoke the relevant
Escalation Procedure.
Advice & Guidance — Cold Transfer to NBSC.
Out of scope - if the call is not within scope for the services provided by
Fujitsu advise the caller of the correct number or refer to POL NBSC and
close incident.
1.5 Provide Incident I The caller is advised of call reference number and the incident follows the I HSD, HSD Ih
Reference process as appropriate for the nature of the call. SMC, WAKO
OOH
5.2.2 Step 2: Assign Priority and Initial Support
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 16 of 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure ~
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Responsible: HSD / SMC
2
Collect additional
incident
information trom
contact
2.2
Assign Severity
Level & Priority
“a5 ll vex Trigger Alert IMT
a (hist Follow Frrocess” Sone
“ee SVM/SDM/
PROOOt
No
24
Check KEDB for
matching entries
ves uti
incident >
‘ten?
Yes Apply resolution or
Workaround
a Link call to Master
Incident / E110
status of Incident . nal E
2.7
Attempt 1*Line
with help from PSE's
Yes
qv
Link eallto Waster
Raise incident Incident Record to
record and pass to inform SOU of
sou additional
To Step To Step
3 3)
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013,
PageNo: 17 of 1
FUJITSU
FU,
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00080244
1JO00080244
2 Assign Priority and Initial Support
Step I Current Situation I Activities ‘Accountability!
No I /nput A
Responsibility
2.1 Further The HSD / SMC agent collects additional information in order to determine HSD, HSD IN
incident the nature, impact and urgency of the Incident. SMC, WAKO
information OOH
requested
2.2) Severity and Call Severity is assigned based on the impact and urgency as per the criteria I HSD, HSD IN
Priority in the table below. Call Priority for Hardware and Network calls is assigned SMC, WAKO
allocated in accordance with the Priority matrix as detailed in Engineering Service OOH
Description (SVM/SDM/SD/0002), a copy of which each agent should have
on their desk. (See the following table in this section.)
2.3 Is Major If the incident is considered a Major Incident as defined in HSD, HSD IN
Incident trigger I SVM/SDM/PRO/0001 Major Incident Process, the Major Incident Procedures I SMC, WAKO
met? are invoked. OOH
24 Check Known I The HSD/ SMC agent then attempts to resolve the Incident using the HSD, HSD IN
Error resources available. This starts by interrogating the HSD / SMC knowledge SMC, WAKO
Database or is I database to find all information related to the Incident symptoms. If the OOH
there a known I Incident is routine, i.e. there is a predetermined route for resolution, then the
resolution? Incident is resolved on the call or referred to the relevant SDU using the HSD
/ SMC Support Matrix.
2.5 Provide user If the Incident is not routine, the HSD / SMC agent checks for Known Errors HSD, HSD IN
with KEL listed in the SSC KEL against records relating to the Incident symptoms. If a I SMC, WAKO
details if match is found, the agent informs the caller of the workaround or resolution OOH
applicable available.
2.6 Check for If there is no match in HSD / SMC knowledge database or the SSC KEL, the I HSD, HSD IN
Parent HSD / SMC Incident Management System stack is checked for current SMC, WAKO
incident? incidents outstanding. If a match is made, the caller is then advised of the OOH
status of the incident and the master record is updated to reflect the current
occurrence.
2.7 Liaise with If no match is made against the HSD / SMC Incident Management System HSD, HSD IN
PSE to seek stack, the HSD / SMC continues with first line resolution of the Incident SMC, WAKO
incident assisted by the Product Support Engineers (PSE’s). IMT are appraised of the I OOH
resolution position.
2.8 Refer to If the PSE’s cannot resolve the Incident, it is referred to the relevant SDU HSD, HSD IN
Support Matrix I using the HSD / SMC Support Matrix. IMT are appraised of the position. For I SMC, WAKO
and transfer to I Hardware calls, the caller is given an indication of engineer arrival time, OOH
appropriate based on the SLA associated with the priority of the call.
SDU
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 18 of 1
FUJITSU
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Severity I Importance I Definition
1 Critical e BUSINESS STOPPED, a Post Office unable to trade (where engineering
cover available), unable to process any business, or central system
failure which will result in a number of Post Offices being unable to
process work.
* Causes significant financial loss (as agreed between POL and POA
Operations)
e Results in data corruption or unrecoverable data loss.
2 Major e BUSINESS RESTRICTED, a Post Office restricted in its ability to transact
business e.g. 50% of counters unable to trade or trading with restricted
business capability.
e Has an adverse impact on the delivery of service to a number of end
users.
e Causes a financial loss that impacts POL and/or POA reputation (as
agreed between POL and POA Customer Services)
e Ifa PCI Major Incident process is invoked
3 Medium e NON-CRITICAL, a Post Office working normally but with a known
disability, e.g. an interim solution (workaround) has been provided.
e Ifa PCI Minor Incident process is invoked
e Has a minor adverse impact upon the delivery of service to a small
number of end users
4or5 Low e ~~ Non-urgent
e Insignificant and usually cosmetic error, either a trivial documentation
error or spelling error on the system.
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 190f 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.2.3 Step 3: Investigation and Diagnosis
Responsible: SDU’s
From
Step2/
31/32
a rw inesiste IMT let POA SOM
ss > ‘and diagnose —
ef) comeeae pattem likely to produce
I a Problem
parties I
‘Step 3
[Toate]
4
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
Page No: 200f 1
FUJITSU
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
3 Investigation and Diagnosis
Step I Current Activities ‘Accountability!
No Situation/Input Responsibiity
3.1 Second line The referred SDU investigates and diagnoses the Incident, based on Second Line
support stage. information already taken by the HSD / SMC, together with any new SDU
SDU information. The SDU also coordinates where sub-contract third parties are
investigation involved. If the Incident has no associated KEL, or it is complex and
9 involves multiple SDU’s, or if it has been unresolved for an extended
period, the IMT will alert the POA Service Delivery Manager to the
existence of a pattern likely to produce a Problem.
3.2 Out of hours SMC should check the OLA documentation to determine if out of hours SMC
Support support is available for the Service impacted. In the event that out of hours
smc support is available, SMC will discuss incidents with the Duty Manager, who
in turn will discuss incidents with the line of business SDM.
5.2.4 Step 4: Resolution and Recovery
Responsible: SDU’s
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013,
PageNo: 21 of 1
FUJITSU
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00080244
FUJ00080244
I From
Step 3 /
Step 4
Werkeround or
Resolution
42
Resolve Incident —
Mester Incident
Record remains
Passincident back
toservice desk,
indudng
desaiiption of
KEL produced /
updated
IMT to det POA SOM
tothe existence of a
patter likely to
produce a Problem
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN __ Ref SVMISDMIPRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013
PageNo: 22 of 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure ~
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
4 Resolution and Recovery
Step I Current Activities ‘Accountability!
No Situation/Input aa
Responsibility
44 SDU SDU investigates the incident, diagnose the cause and possibly identify and I SDU
investigates produce either a workaround or resolution.
incident
following local
processes
42 Provide The SDU then either applies the workaround or resolution or passes it to the I SDU and HS
resolution HSD / SMC to implement. The Master Incident Record (if one exists) HSD IMT, SI
remains open at this point.(The incident should be set to resolved in this WAKO1 OOF
step (awaiting the User’s agreement it can be closed in section 5.1)
43 SDU seek The SDU checks the workaround or resolution has been successful. HSD/ I SDU and HS
confirmation of I SMC are responsible for updating details recorded in HSD / SMC knowledge I HSD IMT, SI
resolution database, from details supplied via the KEL created by SSC. HSD / SMC WAKO1 OOF
update KELs if I knowledge database should be identical to SSC KEL in relation to
applicable. Application Software, but may also contain additional information.
44 IMT looks for If this is a Parent Incident, i.e., it has a number of child incidents linked to it, I HSD IMT
Child Incidents I or where there is a probability that proactive action is required to prevent
or incident further occurrences of this Incident the IMT will alert the POA SDM to the
trends existence of a pattern likely to produce a Problem
45 Invoke incident I The Incident is then passed to the IMT or HSD / SMC to manage the closure I HSD, HSD IN
closure SMC, WAKO
processes OOH
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPROI0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013,
PageNo: 2300f 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.2.5 Step 5: Incident Closure
Responsible: HSD / SMC
Closure from geen
Escalation 4 aie
Process oe
y 5.1
No / Caller agrees
Incident
resolved?
Yes
v
To Step yo
3.1 Close call record )
5
5 INCIDENT CLOSURE
Step I Current Activities Accountability / Responsibility Next
No I Situation!
Input Step
5.1 I IMT For incident raised by the IMT for the I HSD IMT End
managed POLSD the IMT will liaise with the
incidents POL Service Desk and POA Duty
Manager on the closure of the
incident. If closure is not agreed the
incident shall be returned to the SDU
to be reworked.
5.2 I HSD/SMC I The incident may now be closed with HSD, SMC, WAKO1 OOH End
managed the agreement of the originator. If
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 2400f 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
incidents closure is not agreed the incident shall
be returned to the SDU to be
reworked.
5.1.6 Step 6: Ownership, Monitoring, Tracking and Communication
Responsible: HSD / SMC, SSC
Throughout the Incident, the HSD / SMC retains ownership for monitoring and keeping the call raiser
informed of progress, unless the incident is specifically software related, in which case SSC hold the
responsibility for confirming details of closure.
The HSD / SMC manages the complete end-to-end Incident process.
Activities include:
Regularly monitoring the status and progress towards resolution of all open Incidents
Note Incidents that move between different specialist support groups, indicative of uncertainty and
possibly a dispute between support staff
Give priority for Incident monitoring to high-impact Incidents
Keep affected users informed of progress without waiting for them to call, thus creating a pro-active
profile
Monitors SLT and escalates accordingly. If an Incident has no associated KEL or, it is complex and
involves multiple SDU's, or if it has been unresolved for an extended period, IMT will alert the POA SDM
to the existence of a pattern likely to produce a Problem.
Updating HSD / SMC TfS Knowledge Articles from information supplied from SSC KEL. This may be
applied as a direct copy or amended for use by the agents, dependant upon the technical complexity of
the update.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 25 of 1
FUJITSU
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
6
Outputs
The outputs from this process are:
A Problem referred to the Service Delivery Manager with line of business responsibility, where there
have been one or more Incidents for which the underlying cause is unknown
An update to the Knowledge Database
A workaround or permanent resolution for a hardware, software or network error
An answer to a question from a user
The receipt and onward transfer of information received by the HSD / SMC.
A service improvement recommendation.
Change of operations procedures.
Change of Business Continuity Plan (BCP) priorities and documentation.
Where appropriate:
Monthly Report on all PCI minor incidents
ICR (Initial Case Report)
Record in the Incident Security Log
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013
PageNo: 26 of 1
FUJ00080244
FUJ00080244
(oe) POA Operations Incident Management Procedure
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
7 Standards
This Process conforms to:
e Process Management and Control PA/PRO/038
e ITIL Best Practice
* BS15000
« BSg9001
e¢ BS/ISO IEC 27001
« IEC 17799:2005
e¢ PCI DSS version 1.2
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013
PageNo: 27 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
oO
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
8 Control Mechanisms
The contractual measures that apply to this service are described in the Horizon HSD / SMC Service
Description (SVM/SDM/SD/0001)
This covers service availability, service principles, service definition, incident prioritisation, service
targets and limits and HSD / SMC performance reporting.
In addition, internal measures may apply for specific productivity and service improvement activities.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 28 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Fe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9 Appendix A: Security Incident Reporting
9.1 Scope
This annex outlines the process regarding the investigation, and reporting of all security incidents
concerning the HORIZON Network and all IT equipment.
9.2 Aim
The aim of these instructions is to ensure that details of all IT related security incidents are reported to
one central point and that any follow up investigations are managed in an efficient and auditable manner.
9.3 Changes
These work instructions are primarily for use by HORIZON Service Desk Staff, the POA Security Team,
the POL Security Team, and SSC staff. Approval from POL is to be gained before any significant
changes to the work instructions are implemented. All readers are encouraged to propose changes to
Work Instructions, in writing, to the POA Security Manager.
All incident documentation is subject to review and update by the business continuity and information
security teams as part of the lessons learnt process following an incident and following the annual review
of the incident process as part of business continuity.
9.4 POL Incident Handling Guidance
All POL incidents will still be handled in accordance with existing POL guidelines. This document does
not replace these, or, indeed, replace any part of the content - rather it lays down the POA framework
under which the work is carried out.
9.5 IT Incidents
9.5.1 Incident Definition
9.5.1.1 An information security Incident is: "an adverse event or series of events that compromises
the confidentiality, integrity or availability of Fujitsu Services Post Office Account information or
information technology assets, having an adverse impact on Fujitsu Services and/or Post Office Ltd
reputation, brand, performance or ability to meet its regulatory or legal obligations." This will also extend
to include assets entrusted to Fujitsu including data belonging to Post Office Ltd, its clients and its
customers.
9.5.2 Incident Categories
Incidents can be categorised in many ways, they can occur alone or in combination with other incident
categories and can vary significantly in severity and impact. It is important that all incidents are
recognised and acted upon.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 290f 1
FUJITSU
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.5.2.1
For the purpose of illustrating the impact of incidents two levels of severity have been
defined (Note: in practice the assessment may be less straightforward):
A MINOR incident will normally have limited and localised impact and be confined to one domain,
resulting in one or more of the following:
e Loss or unauthorised disclosure of internal or sensitive material leading to minor
exposure, or minor damage of reputation
e Loss of integrity within the system application or data, leading minimal damage of
reputation; minimal loss of customer / supplier / stakeholder confidence; negligible cost
of recovery
e Loss of service availability within the domain, leading to reduced ability to conduct
business as usual; negligible loss of revenue; minimal loss of customer / supplier /
stakeholder confidence; negligible cost of recovery
e Individual attempts to breach network security controls shall be treated as a minor
security breach.
e Subject to discussions with the POA Duty manager due to high volume of calls relating
to the same type of incident it may well be a requirement to follow the POA Major
Incident Process (SVM/SDM/PRO/0001) following the advice from the POA Duty
Manager.
A MAJOR incident will have a significant impact on the Network Banking Automation Community
resulting in one of more of the following:
e Loss or unauthorised disclosure of confidential or strictly confidential material, leading to
brand or reputation damage; legal action by employees, clients, customers, partners or
other external parties
e Loss of integrity of the applications or data, leading to brand or reputation damage; loss
of customer / supplier / client confidence; cost of recovery
e Loss of service availability for applications or communications networks, leading to an
inability to conduct business as usual; loss of revenue; loss of customer / supplier / client
confidence; cost of recovery
e Aconcerted attempt or a successful breach of network security controls shall be treated
as a major security breach.
NB. For a Major Incident the POA Major Incident Process (SVM/SDM/PRO/0001) should be followed.
9.5.3. Examples of IT Incidents
e Theft of IT equipment / property, including software
e Malicious damage to IT equipment /property, including software
e Theft or loss of Protectively Marked, caveat or sensitive IT Data.
e Actual or suspected attacks on the Fujitsu Services POA Network or Information
System.
e Potential compromise of systems or services at the Data Centre through evidence
retrieved and presented by Police or POL's card acquirer.
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013
PageNo: 30 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e Attacks on Fujitsu Services Post Office Account personnel via Information Systems. (I.e.
Harassment, Duress
e Malicious/offensive/threatening/obscene emails.
« Obscene phone calls
e Breaches of software licensing
¢ Virus attack and other malicious code attacks
e Hacker attacks
¢ Terrorist attacks
¢ Insider attacks
« Competitive Intelligence gathering (Unethically)
e Unauthorised acts by employees
e Employee error
¢ Hardware or software malfunction
e Suspected Fraudulent Activity
e Specific compromise of card data.
The above list is a non exhaustive list of examples. Any other IT related incidents
reported, will be considered and passed to the appropriate authority for action.
9.5.4 Containment
Whenever an Incident is identified which presents a serious threat to conduct normal business it should
be contained and isolated as quickly as possible. This will mean Platforms that appear to have suffered
virus attack or other malicious code attack need to be quarantined immediately to prevent further
spread. It may also be necessary to isolate network connections that appear to be the source for Denial
of Service threats or where they have been subjected to suspected hacking attack.
If the incident relates to card data, the environment may be subject to a Forensic Investigation imposed
by POL's merchant acquirer. In this instance log data will need to be reviewed and analysed.
9.6 Reporting
9.6.1.1 Anyone reporting a security Incident should be encouraged to notify their Line Manager in
the first instance. The Line Manager will gather as much detail of the incident as possible, following
company procedures. He or she will undertake an initial local investigation into the incident, ensuring
that in the case of missing equipment or materials that they have not just been misplaced. Information
gathered will be entered into the initial case report template (ICR).
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 31 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.6.1.2 If the severity of the Incident is considered as Minor but warrants further investigation the
Line Manager should immediately log a call with the Horizon Service Desk, stating that they are
reporting a security incident, giving brief details. Please note that in certain cases there may be
circumstances where no details of a sensitive nature should appear on the call log. Having logged the
call and obtained a call reference number, the Line Manager may then continue with the investigation,
and act as a liaison between the person reporting and all concerned parties. Once logged, the
investigation will thereafter be referred to by the Call Number.
9.6.1.3 All Incidents reported to the Service Desk with a call reference and even when classified as
Minor should still be forwarded to POA Security Management to determine if there is a Security Impact.
It is important that for any incident investigated the correct procedures are adopted regarding evidence,
as the information collected and recorded may be used for evidential purposes at a later date
9.6.1.4 If the severity of the Incident is considered as Major the Incident details must be reported
directly to the POA Security Manager immediately. Contact details are available on Café VIK.
Depending on the type of Incident and the severity of the incident POA Security will make the decision to
escalate the details to the POL Security. In the case of Data Centre incidents specifically Security will
also inform the Data Centre Manager if this has not already been done. Regardless of the severity of the
incident, when a compromise in card data occurs the incident must be reported to POL Security so that
POL can comply with it's contractual obligations with it's card acquirer.
9.6.1.5 In the event of a Major Incident Security trigger for Fujitsu Services Property, the POA
Security Manager MUST inform the Group Property Security Team who will be alerted either by
telephone on a 24/7 basis or the next working day via our Incident Reporting process and the actual or
potential impact of the incident dictates which route is followed.
The Group Property Security Team then take responsibility for interfacing into the corporate process by
entering reports on to the corporate system
9.6.1.6 In all cases relevant details should only be recorded and discussed as necessary between
the person investigating or Line Manager dealing with it and any relevant parties who need to be
included in the investigation. Information on any incident must not be passed to anyone who is not
directly involved with the investigation without the authority of POA Security Manager and the POL Head
of Information Security.
9.6.1.7 Once a call is raised with the SSC the call will then be placed on the call stack of the POA
Security Team, who will monitor the incident, assist or advise the Line Manager if required, and be
available to take over the investigation should the need arise, but always be able to respond, within 2
hours of the initial call being made. (Minor Incidents (during normal working hours of between 9am and
5pm) and Major Incidents at all times.)
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 32of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.7 Investigation
9.7.1 Policy
Although all security incidents will initially be reported to the POA Security Manager in order to have one
point of contact for all parties, some or all of the investigation requirements may be passed to one or
more of the following for further action. The decision of delegation will be determined by the POA
Security Manager in association with POL Information Security Incident Manager.
9.7.2 POL Security / Investigation Team
9.7.2.1 In the event that the reporting of an incident is passed to POL Security or the Investigation
Team, all details of the investigation, and final outcome or reference details, should be recorded on the
initial case report (ICR) and details will be recorded in the security Incident Log. It is important that for
any incident investigated the correct procedures are adopted regarding evidence, as the information
collected and recorded may be used for evidential purposes at a later date.
9.7.2.2 In the event that the POA Security Manager takes ownership of an investigation, he will
report the results to POL Head of Information Security and POL's Business Continuity Manager.
9.7.2.3 During any investigation the Investigator must comply with the appropriate legislation and
compliance requirements and regulatory or standard requirements.
9.7.2.4 All initial investigations should be carried out at the earliest opportunity and any queries
should be directed to POA Security Manager. Investigation must be reliable, stand up to scrutiny and
potential cross-examination and evidence must be properly obtained, recorded and time stamped.
9.7.3. External Investigator
9.7.3.1 Should it be considered necessary the incident might be passed to an external Investigator
or forensics team, who will ensure that any data required for evidential purposes is captured and
investigated using a systematic approach which ensures that an auditable record of evidence is
maintained and can be retrieved. In some cases, where a compromise to card data is involved, two
Forensic Investigation teams may be involved. One team operating on behalf of POL gathering the
required audit logs to use to analyse and investigate the problem. A second Forensic Investigations team
may be imposed to investigate on behalf of the card acquirer and card schemes. In all incidences where
a Forensic Investigation is involved, the Forensic Investigators will be shadowed by POL's Legal and
Security Teams.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 330f 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.7.4 Evidence Rules
9.7.4.1 Rules of Evidence
Before undertaking security incident investigation and computer forensics it is essential that investigators
have a thorough understanding of the Rules of Evidence. The submission of evidence in any type of
legal proceedings generally amounts to a significant challenge, but when computers are involved the
problems are intensified. Special knowledge is needed to locate and collect evidence, and special care is
required to preserve and transport evidence. Evidence in computer crime cases differs from traditional
forms of evidence in as much as most computer related evidence is intangible and is in the form of
electronic pulse or magnetic charge, hence the need to use specialist teams. That said the information
collected and recorded from the Operational areas is equally important and must be recorded with due
care and diligence.
9.7.4.2 Types of Evidence
Many types of evidence can be offered in court to prove the truth or falsity of a given fact.
The most common forms of evidence are Direct, Real, Documentary and Demonstrative.
Direct Evidence
Direct evidence is oral testimony whereby the knowledge is obtained from any of the witness's five
senses and is in itself proof or disproof of a fact in issue. Direct evidence is called to prove a specific act
such as an eye witness statement.
Real Evidence
Real evidence also known as associative or physical evidence is made up of tangible evidence that
proves or disproves guilt. Physical evidence includes such things as tools used in the crime, and
perishable evidence capable of reproduction etc. The purpose of physical evidence is to link the suspect
to the scene of the crime. It is that evidence that has material existence and can be presented to the
view of the court and jury for consideration.
Documentary Evidence
Documentary evidence is presented to the court in forms of business records, manuals, printouts etc.
Much of the evidence submitted in a computer crime case is documentary evidence.
Demonstrative Evidence
Demonstrative evidence is evidence used to aid the jury. It may be in the form of a model, experiment,
chart or an illustration offered as proof.
9.7.5 Process
In most cases response to a reported incident the initial investigation will be carried out by a nominated
investigator normally the POA Security Manager or his nominated deputy. POA and POL Security
Teams will be on hand to provide backup and assistance if required. When seizing evidence from a
computer related crime the investigator will collect any and all physical evidence such as the personnel
computer, peripherals, notepads and documentation etc., in addition to computer generated evidence.
There are four types of Computer generated evidence:
e Visual Output on a monitor
e Printed evidence on a plotter
e Printed evidence on a printer
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 34of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
fe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e Film recordings on such digital media as disc, USB stick, log files, tape or cartridge, and optical
representation on either CD or DVD.
The investigator will endeavour to obtain as much original evidence as possible. In the event of a court
appearance the court prefers the original evidence rather that a copy but will accept a duplicate if the
original is lost or destroyed or is in the possession of a third party who cannot be subpoenaed.
9.7.5.1 Following the initial investigation and where considered appropriate, the investigator will
report to/ liaise with the local Police and/or other external Agencies; this will only be done following
consultation with the POL Head of security and POL Head of Information Security or substitute.
9.7.5.2 Copies of the initial and follow up reports will be submitted to relevant authorities and details
of all investigations will be held on file by the POA Security to aid any subsequent trend analysis.
9.8 REMEDIAL ACTION
9.8.1 On Completion of report
When the final report of an investigation has been completed, it should be passed to the relevant
authority for follow up action, the results of which should be referred back to the POA Security Manager.
9.8.2 Completion of Investigation
When an investigation is closed the POA Security Manager will ensure all details of the investigation
have been recorded and can be made available for subsequent future analysis.
9.8.3. UNIRAS Reporting
On call closure, the POA Security Team will complete and notify UNIRAS where required. Thereafter the
incident will be reviewed to identify the lessons learnt and the processes and relevant documentation will
be updated as appropriate.
9.9 TRENDS & AUDITING
9.9.1 Frequency
9.9.1.1 POA Security Team will carry out a monthly check of all investigations and create a
summary report highlighting all incidents to the POL Head of Information Security.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 35 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.9.1.2 The report will highlight any trends or weaknesses which may need to be raised at future
Information Security Management Forums (ISMF).
9.9.1.3 Details from the monthly reports may also be considered suitable for Line Managers.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
Page No: 36 of 1
FUJ00080244
FUJ00080244
POA Operations Incident Management Procedure
Pe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Appendix B_ Security Incident Process flow
Management of a Security Incident
Internal Units I
Eg Datacentres 1
Incident raised Incident raised A
‘with NBSC with HED/ SMC fe
© Resohe /4-No_< Seeury <RE —o—Resote
5 <a ~
fe}
e
2
Q
Ss Minor Yes
>
o
Major
7
Inform Fujtsu
Securty
Inform Operational
‘Security Manager Hi
for awareness i
Out of Hours
Major t
Tnform Duty
Inform POSD } [ ees
8 Y
8 Evaluate &
fe} Escalate
oe
a ’
e : :
=
o Waal ¥ ¥
Business I [ManagementI [infrastructure] [Engineering &
Continuty Team 2 Networks Others
Ss
5
as —
as Securty
2c I Fy
Si
Pare
Note: This diagram has only been provided an overview of the relationship between incident processes
and the HNG-X Business Continuity Security Plan. Included for guidance purposes only.
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref. ‘SVM/SDM/PRO/0018
CONFIDENCE) Version: 60
Date: 13-Nov-2013
PageNo: 37 of 1
FUJ00080244
FUJ00080244
HITS POA Operations Incident Management Procedure
) FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Appendix C Security Incident Report Template
Identification
Transition: Incident ID
Period: From: I I To: Reported:
Manager: Date:
Operational Security Report Overall Status:
Incident Details
Further Action
Lessons Learnt & Recommendations for Future Actions
Appendix D_ Contacts
Security Incidents
‘©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIALIN Ref. SVMISDMIPRO/0018
CONFIDENCE) Version: 6.0
Date: 13-Nov-2013
Page No: 38 of 1
POA Operations Incident Management Procedure
Pe)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00080244
FUJ00080244
e Kumudu Amaratunga — _I(Operational Security Manager)
Major Incident Manager Contact Details
« Steve Gardiner —
* Steve Bansal +
GRO
Out of Hours Duty Manager Contact Details
* Tony Wicks -!
OOH Duty Manager Pager {. + between the hours:
17.30 - 09.00 Monday PM to Thursday AM
17.00 - 09.00 Friday PM to Monday AM
Outside these times, please contact the Major Incident Manager
Note: Names and phone numbers are correct at the time of document issue and subject to change. In
the event of difficulties refer to the Fujitsu Services Global Address List for the latest details.
POA Service Delivery Manager Contact Details
The Post Office Account service delivery contact details can be found on the Post Office Account Share
Point under Operations > BCP in a folder named Post Office Account Service Delivery Contact Details
©Copyright Fujitsu Services Ltd 2013 FUJITSU RESTRICTED (COMMERCIAL IN Ref.
CONFIDENCE) Version:
Date:
Page No:
‘SVM/SDM/PRO/0018
6.0
13-Nov-2013
39 of 1