FUJ00086948
Audit Steering Group
September 22nd 2011
Post Office®
Agenda

1. Confirm previous minutes
2. Status update of E&Y 2011 findings resolution activities
3. Update on preparation for 2012 E&Y audit
4. Progress on consolidated Frameworks approach
5. RAID log actions update
6. RAID log risks update
7. AOB
Minutes from Previous Meeting
Discussion was held around the contractual need for Fujitsu to undertake the audit work. It was agreed that supporting audit work is within the contract for Fujitsu, but a definition of what is 'reasonable' is required; actioned in the RAID log (ACGB001).

In terms of efficiency, we discussed the possibility of getting one auditor to cover the needs of many audits through a framework agreement. This may work initially for the ISO and potentially PCI audits plus RMG; the possibility of including the E&Y audit needs to be discussed. Actioned in the RAID log (ACGB010).

In terms of POL testing Fujitsu's compliance with the recommendations from the audit, and embedding that in BAU, the best method would be to add these 'reporting' needs to the existing PCI reporting spreadsheet that is part of the Service Review Book. POL to add the reporting needs from the recommendations to this spreadsheet. Actioned in the RAID log (ACGB011).

The CISP (POL information security policy), the Audit Framework and the Fujitsu Security Policy need to be aligned. This is actioned in the RAID log (ACGB012).
Status update 2011 findings
1. High: Improve governance of outsourcing application management, as POL is responsible for the governance, risk and control framework over business critical systems and needs to have assurance over their design and operating effectiveness.

Status: This will be resolved by a number of activities. The following two points represent progress against the E&Y findings.

A set of BAU Review Reports is being defined by PO Ltd for Fujitsu to report against to monitor the findings. These will be our controls, reported periodically, against the user administration controls. F/C 31st October for completion and inclusion in the security review board (BAU).

An Audit Steering Group has been established within POL (Fujitsu represented) and has now met on three occasions (monthly). (Complete)

The next points are strategic actions for the longer term approach.

Additionally, the aim is to incorporate where possible the IT General Controls required by E&Y into an audit framework solution alongside the existing framework for ISO 27001, 20000 and 9000, PCI and LINK. This will bring much more efficiency to the audit process for all parties. This is a longer term initiative as part of a strategic plan.

POL and Fujitsu will determine the end to end process for change and identify the risk areas and the controls we have in those areas. This will be utilised initially by the Ernst & Young auditors but also maintained thereafter for control purposes. This again is a longer term initiative for the strategic direction.

Finally, and not part of the E&Y findings, there is a corporate dashboard being developed between POL and Fujitsu that is currently with POL for review.
Item 2
2. High: Segregation of duties within the change management process needs to be improved. The logical and organisational controls need to be in place to separate the development and migration of changes.

Status:

This is part of the overall review of User Management and Fujitsu are on target with the Project Plan. Included in this are the backend SAP applications. Active Directory is included here, with the exception of TACACS+ for networks, which is a separate service improvement programme. F/C 31st October 2011.

A register of all users on the POL account has been created and entered into an Access database. (Complete)

The process for administering this is out for review within Fujitsu and, once signed off, will be cascaded through the POL account. F/C 31st October 2011.

The Change Management system has been updated and now includes SAP changes. In addition, PO Ltd agrees Operational Changes as part of BAU. (Complete)

A set of BAU Review Reports is being defined by PO Ltd for Fujitsu to report against to monitor the findings. These will be our controls, reported periodically, against the user administration controls. F/C 31st October 2011.
Items 3 & 4
3. High: Strengthen the change management process to ensure that all programme changes are appropriately authorised, tested and approved prior to implementation.

Status: Complete for Fujitsu.

The Change Management system has been updated to include PO Ltd agreement to Operational Changes. An internal SharePoint system is now in place for this area within Fujitsu. (Complete)

POL has implemented a solution to centralise the approval for all changes. (Complete)

A Rough Order of Magnitude (ROM) process has been introduced by Business Change and regular Business Change meetings are held with PO Ltd. (Complete)

POL need to test that this remedial work is appropriate. This will be performed through the RMG audit, forecast for the last week of October 2011.

POL is reviewing how we can test maintenance and fixes. The review is likely to require dedicated resource that will be part of a longer term initiative. Review F/C mid October.

POL review of the test is still under consideration; requires testing to confirm appropriateness.

4. High: Review of privileged access to IT functions, including access to user administration functionality across Horizon on-line and POLSAP.

Status:

This is part of the overall review of User Management and Fujitsu are on target with the Project Plan. Included in this are the backend SAP applications. Active Directory is included here, with the exception of TACACS+ for networks, which is a separate service improvement programme. F/C 31st October 2011.

A set of BAU Review Reports is being defined by PO Ltd for Fujitsu to report against to monitor the findings. These will be our controls, reported periodically, against the user administration controls. F/C 31st October 2011.

The processes for the management of SAP Accounts in cash centres have been implemented by POL. (Complete)
Items 5&6
5. Medium: Implement periodic user access reviews and monitoring controls for Horizon on-line and POLSAP to determine that user access is appropriately granted.

Status:

This is part of the overall review of User Management and Fujitsu are on target with the Project Plan. Included in this are the backend SAP applications. Active Directory is included here, with the exception of TACACS+ for networks, which is a separate service improvement programme. F/C 31st October 2011.

The process for administering this is out for review within Fujitsu and, once signed off, will be cascaded through the POL account. F/C 31st October 2011.

A set of BAU Review Reports is being defined by PO Ltd for Fujitsu to report against to monitor the findings. These will be our controls, reported periodically, against the user administration controls. F/C 31st October 2011.

The processes for the management of SAP Accounts in cash centres are in the process of being implemented by POL. (Complete 09/09/11)

6. Medium: Strengthen the user administration process for the granting, modification and removal for POLSAP, and the authorisation for modified users in Horizon on-line.

Status:

This is part of the overall review of User Management and Fujitsu are on target with the Project Plan. Included in this are the backend SAP applications. Active Directory is included here, with the exception of TACACS+ for networks, which is a separate service improvement programme. F/C 31st October 2011.

The process for administering this is out for review within Fujitsu and, once signed off, will be cascaded through the POL account. F/C 31st October 2011.

A set of BAU Review Reports is being defined by PO Ltd for Fujitsu to report against to monitor the findings. These will be our controls, reported periodically, against the user administration controls. F/C 31st October 2011.

The processes for the management of SAP Accounts in cash centres are in the process of being implemented by POL. (Complete 09/09/11)
Items 7 & 8
7. Low: Improvements to logical security settings for the infrastructure supporting Horizon on-line and POLSAP.

Status:

A review of architectural documents is being undertaken and will continue as part of BAU and Fujitsu's Document Management Process. (Complete)

The implementation of a pen test regime is required as part of BAU. Contractually this is not a requirement on Fujitsu, but a CCN has now been agreed for a call-off budget. The date when the pen test will be undertaken is to be determined; this is an internal Fujitsu resource to be assigned. The scoping of new projects has, where applicable, included pen tests as a requirement.

8. Low: The RM Group Information Security Policy requires strengthening for password parameters, complexity, frequency of change etc.

Status:

The amendment of the Post Office Account Security Policy is completed and out for review with both Fujitsu and POL. On approval a cascade will be sent to all users advising them of changes to the policy, and a set of guidelines provided. F/C 31st October 2011.

The robustness of the password strength across Active Directory will be included in the scope of the pen test (see point 7).
Items 9 & 10
9. Medium: Review of generic privileged accounts, as there is evidence of multiple generic privileged accounts and passwords were being shared.

Status:

This is part of the overall review of User Management and Fujitsu are on target with the Project Plan. Included in this are the backend SAP applications. Active Directory is included here, with the exception of TACACS+ for networks, which is a separate service improvement programme. F/C 31st October 2011.

A set of BAU Review Reports is being defined by PO Ltd for Fujitsu to report against to monitor the findings. These will be our controls, reported periodically, against the user administration controls. F/C 31st October 2011.

All user management on the POL Account is now administered through the POL Account Security Operations Team in accordance with the User Management Procedure. (Complete)

10. Low: Improvements to the problem and incident management process to ensure they are classified correctly.

Status:

The problem and incident management document / process has been reviewed and updated. Need to discuss with Service Management in POL their needs from this process and the potential for a report from the framework solution. (Complete for documentation)

A review of this area is regularly undertaken in most of the audits of the Account and any remedial actions found are rectified.