FUJ00086970
Post Office Limited
IT component of management letter
for the year ended 25 March 2012
ERNST & YOUNG
Quality In Everything We Do
1. Overview
The table below lists the IT observations identified during the audit. Further details are contained in the tables on the following pages. As Post Office management reviews these observations, management should assess the collective impact of these observations, together with other findings from within the organisation.
1. Privileged access
2. User administration process
3. Change management process
4. Periodic user access reviews and monitoring controls
5. Generic privileged accounts
6. Password parameters
7. Logical security settings
2. Detailed observations
Columns of the original table: Ref | Observation | Location | Background | Recommendation | Management Comment

Ref 1: Privileged access
Location: IT

Background:
We reviewed privileged access to IT functions including access to user administration functionality across the in-scope applications and their supporting infrastructure. Whilst we noted some reduction in the number of accounts assigned privileged access to POLSAP, the following observations identified last year remained open at the time of our review:

POLSAP
• The following seven dialog and service accounts were found to be assigned to the SAP_ALL and SAP_NEW profiles within the POLSAP production environment (PLP-400):
  o ADMINBATCH
  o BASISADMIN
  o DDIC (assigned to the SAP_ALL profile only)
  o OTUSER
  o SAP*
  o SOLMANPLMS500
  o WF-ADMIN
  Users with SAP_ALL access have unrestricted access to POLSAP, including the capability to process and approve financial transactions. The SAP_NEW profile provides general access to new profiles and authorisations which are included in a new SAP release.
• The SAP* and DDIC accounts were not locked. This does not meet recommended practice of removing all profiles from SAP* and locking both the SAP* and DDIC accounts. We also noted that the SAP* account had a last login date during the audit period and that the DDIC account is associated to the S_A.SYSTEM privileged profile.
Refer to Appendix A for detail on the accounts identified to have privileged access to POLSAP.

HNGX
We understand that Fujitsu has undertaken actions to investigate some of the inappropriate privileged access identified from last year's audit; however, the prior year observations noted below for HNGX were still valid at the time of our review.
• There are inappropriate system privileges assigned to the APPSUP role and SYSTEM_MANAGER role at the Oracle database level on the Branch Database server (BDB) supporting HNGX.
• There is inappropriate privileged access at the Oracle database level on the Transaction Processing System server (DAT) supporting HNGX:
  o System privileges assigned to the APPSUP role and OPS$TPS account are inappropriate.
  o The following accounts associated to the DBA role are no longer required:
    ▪ CFM_DBA
    ▪ SPLEX_ROLE_BOTH.
  o The following accounts have inappropriate access to user administration functionality through the Admin access parameter ('ADM is set to yes'):
    ▪ OPS$TPS
    ▪ SPLEX_ROLE_BOTH.
Unrestricted access to privileged IT functions increases the risk of unauthorised/inappropriate activities which may lead to the processing of unauthorised or erroneous transactions.

Recommendation:
We recommend that management conducts a review of privileged access to IT functions across the in-scope applications and their supporting infrastructure to determine whether the level of privileged access granted is appropriate. Where access is deemed to be inappropriate, this access should be revoked immediately.

For POLSAP accounts associated to the SAP_ALL and SAP_NEW profiles, management should revisit the need to grant this level of privileged access to the production environment. Access to accounts with the SAP_ALL and SAP_NEW profiles should only be used when needed.

Where privileged POLSAP accounts are used to configure and run scheduled jobs, management should consider creating system accounts to run scheduled jobs, so that manual login is not allowed, and individual dialog accounts to configure scheduled jobs, in order to promote accountability.

Where it is unavoidable to retain SAP_ALL and SAP_NEW access, it is recommended that a periodic review of the activities executed by the accounts granted permanent SAP_ALL and SAP_NEW access is performed to gain assurance that no inappropriate or unauthorised activity has been performed which may adversely impact the financial statements.

Management should implement monitoring controls to help ensure that controls operated by the third party service providers are in place and are in operation, for example, monitoring of appropriateness of access to privileged users/profiles.
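The checks the auditors applied to the POLSAP user listing (broad profiles, unlocked default accounts, use of a default account during the audit period) can be automated over an export with the columns of Appendix A. This is an added example, not code from the letter or from Post Office/Fujitsu; the listing, user IDs and dates below are constructed sample values, and the pipe-separated format is an assumption.

```python
"""Added example: privileged-access review of a SAP user listing.

The listing format (pipe-separated, Appendix A columns) and every user ID,
date and profile set in SAMPLE_LISTING are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Profiles the letter describes as giving unrestricted access to POLSAP.
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Default accounts that recommended practice says should be locked.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC"}
# Audit period of the letter (year ended 25 March 2012).
AUDIT_START = date(2011, 3, 26)
AUDIT_END = date(2012, 3, 25)

# Constructed sample export (not the real Appendix A rows).
SAMPLE_LISTING = """\
user_id | type | lock | last_logon | profiles
ADMINBATCH | A | 0 | 18.12.2011 | SAP_ALL, SAP_NEW
DDIC | A | 0 | 08.03.2010 | SAP_ALL
SAP* | A | 0 | 02.05.2011 | SAP_ALL, SAP_NEW
JOBRUNNER | S | 0 | 20.12.2011 | SAP_ALL, SAP_NEW
CLERK01 | A | 0 | 10.01.2012 | Z_CASHCENTRE
OLDADMIN | A | 64 | 10.08.2005 | SAP_ALL
"""


@dataclass
class SapUser:
    user_id: str
    user_type: str                 # "A" = dialog user, "S" = system/service user
    locked: bool
    last_logon: Optional[date]
    profiles: FrozenSet[str]


def parse_listing(text: str) -> List[SapUser]:
    """Parse the constructed pipe-separated listing into SapUser rows."""
    users = []
    for line in text.strip().splitlines()[1:]:          # skip the header row
        uid, utype, lock, logon, profiles = [c.strip() for c in line.split("|")]
        last_logon = None
        if logon:
            d, m, y = (int(p) for p in logon.split("."))  # dd.mm.yyyy as in Appendix A
            last_logon = date(y, m, d)
        users.append(SapUser(
            user_id=uid,
            user_type=utype,
            locked=(lock != "0"),                         # SAP records 0 for "not locked"
            last_logon=last_logon,
            profiles=frozenset(p.strip() for p in profiles.split(",") if p.strip()),
        ))
    return users


def review(users: List[SapUser]) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs in the order the checks are applied."""
    findings = []
    for u in users:
        broad = sorted(u.profiles & BROAD_PROFILES)
        if broad:
            findings.append((u.user_id, f"holds {', '.join(broad)}"))
        if u.user_id in DEFAULT_ACCOUNTS and not u.locked:
            findings.append((u.user_id, "default account not locked"))
        if (u.user_id in DEFAULT_ACCOUNTS and u.last_logon
                and AUDIT_START <= u.last_logon <= AUDIT_END):
            findings.append((u.user_id, f"default account used on {u.last_logon}"))
        if u.user_type == "A" and broad:
            # The letter recommends system accounts for scheduled jobs, so a
            # dialog account holding a broad profile is worth a second look.
            findings.append((u.user_id, "dialog account with broad profile"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review(parse_listing(SAMPLE_LISTING)):
        print(f"{user_id:<12} {finding}")
```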
Ref 2: User administration process

Background:
Our examination of the processes for the creation, modification and removal of users' access showed the following:

HNGX
• There was no evidence to support the authorisation of the creation of one user account selected for our walkthrough.
• The termination date for the leaver we selected for our walkthrough was 06/05/11 whilst the request to remove the access was raised only on 06/09/11, four months after the leaving date.
• Based on our reconciliation of the Fujitsu terminated employee listing to the Active Directory listing which controls access to the HNGX estate, we noted one terminated employee whose Active Directory account remained active.
• There was no evidence to support the authorisation of the removal of an Active Directory group membership for one user account selected for our walkthrough.

POLSAP
• We found a POL employee who left on 04/06/11 but whose account remained active up to 23/09/11. Further investigation showed that this delay was caused by late notification from the line manager.
• As we observed in the 2010/11 audit, POL cash centre managers are granted limited access to user administration in POLSAP through transaction SU01, allowing them to assign cash centre profiles to users within their depot. As such there is a lack of segregation of duties between the authorisation and granting of access to cash centre users.
  In response to our comments last year, POL has implemented a process whereby a form is required to authorise the temporary assignment of roles to cash centre users and a monthly review is performed to check that roles assigned to cash centre staff do not create a segregation of duties conflict.
  However, based on our walkthrough and testing of samples of 27 new and modified user accesses to POLSAP, we noted 17 users (16 POL users, one Steria user) where the line manager or cash centre manager authorising/confirming appropriateness of access also had access to user administration on POLSAP.
• Based on our sample of 25 instances of new and modified user access to POLSAP, we noted that:
  o The new process noted above was implemented on 01/10/11. For one out of two cash centre modifications which took place after this date, we noted that this form had not been retained.
  o For one cash centre user modification the line manager stated that the role had been assigned permanently, in which case the modification of access should have followed the supply chain user administration process rather than the process for assigning temporary roles to cash centre users.
• Based on our reconciliation of the Fujitsu and Post Office terminated employee listings to the POLSAP user listing we noted four terminated employees whose user accounts remained active.
Refer to Appendix B for details of the accounts noted above.

Failure to maintain appropriate documentation for the user administration process increases the risk that accounts with excessive or inappropriate privileges may exist, therefore increasing the risk of unauthorised/unnecessary access to systems. Furthermore, this risk is increased by inadequate segregation of duties between the approval and setup of access as well as failure to remove terminated employees' access promptly.

Recommendation:
We recommend the following improvements:

HNGX
• Strengthen the existing user administration processes within Fujitsu so that documentation supporting the request, approval and set-up of access to the HNGX estate is retained.

POLSAP
• Strengthen the existing user administration process for cash centre users so that (i) documentation supporting the request, approval and set-up of temporary assignment of access to cash centre users is retained and (ii) cash centre managers are made aware that permanent access modifications should follow the standard user administration process for supply chain users, where an authorised SAP ADS access request form is completed. Furthermore, management should consider implementing a monitoring control to ensure that the process implemented for assigning temporary access to cash centre users is being adhered to.
• Implement a monitoring process around the activities of privileged users (i.e. cash centre managers with access to SU01). Where part of the user administration process is controlled by third party service providers, management should ensure adequate monitoring controls are in place to help ensure the controls operate as intended.

HNGX and POLSAP
• Strengthen the revocation of access process such that IT is notified in a timely manner when a terminated employee no longer requires access to POLSAP and the HNGX estates. Consideration should be given to the HR department sending a list of terminated employees to the IT department on a periodic basis, e.g. weekly or fortnightly. This is in addition to the line manager notifying the IT department of the terminated employee. All documentation supporting this process should be retained.
Ref 3: Change management process

Background:
We reviewed the processes implemented to determine that all program changes are appropriately authorised, tested and approved prior to implementation into the production environment for the applications in scope. Whilst we noted some improvements in the process compared to last year, some of the points raised last year have not been fully remediated. Specifically, we noted the following:

POLSAP
Based on a sample of 17 changes made to the POLSAP production environment during the audit period we noted:
• For six changes, whilst we were able to obtain evidence that the changes had been tested by Fujitsu, the name of the person who performed the testing was not recorded.
• For four changes, whilst we were able to obtain evidence of approval from the POL Change Control team, the name of the person who approved the change to go live from POL was not recorded.
• For two changes, we noted that POL initiated the change but the name of the Product and Branch Accounting (P&BA) team member who logged the call was not recorded.
• For one change, we were unable to obtain evidence that the change had been authorised by POL or Fujitsu prior to development.
• For one change, we were unable to obtain evidence that it had been approved by POL prior to deployment into the production environment.
Whilst we have been advised that POL is not usually involved in testing fixes or maintenance changes, we have noted from the samples of changes made to POLSAP that POL has tested one out of ten changes of this nature.

HNGX
Based on our walkthrough and testing of samples of 11 back end changes, 11 counter changes and six manual changes made to the live HNGX estate during the audit period, we noted the following:
• For two manual changes and three back end changes, although POL approval was recorded in the Manage Service Change (MSC) system prior to implementation, the name of the member of the POL Change Control team who provided the approval was not recorded.
• For 28 changes we were unable to obtain evidence of testing performed by POL, where 19 of these changes relate to maintenance changes made by Fujitsu (e.g. anti-virus updates, standard platform build, branch/router configurations, security upgrades, infrastructure changes).
• For one change we were unable to obtain evidence of testing performed by Fujitsu.
• For one change we were unable to obtain evidence of POL approval prior to implementation in the live environment.

There is an increased risk that unauthorised and inappropriate changes are deployed if they are not adequately authorised, tested and approved prior to migration to the production environment and documentation supporting these controls is not retained.

Recommendation:
Management should seek to enhance the current change management process/policy further to include:
• The level of documentation to be retained to evidence that POL is involved in authorising, testing and approving changes made to the applications. In particular, evidence to support the individual from POL or the third party service provider authorising, testing and approving the change prior to deployment should be retained to promote accountability. This will provide management reasonable assurance that program changes being implemented into the production environment have been authorised, tested and approved prior to deployment. Please note that all documentation should be retained.
• Definitions of the responsibilities of all parties involved in the authorisation, testing and approval of changes deployed into the production environment, based on the nature of the change. There is a need for POL to increase their involvement in the change management process, specifically business user testing of fixes and maintenance changes to the in-scope applications. The change management policy documentation should also describe the overall change management process.

Management should implement monitoring controls to help ensure that controls operated by the third party service providers are in place and are in operation.
Ref 4: Periodic user access reviews and monitoring controls
Location: IT

Background:
In the 2010/11 audit we recommended improvements to the periodic user access review process and monitoring controls. Whilst we have noted the efforts by management to strengthen the control environment this year, we noted opportunities to improve the process further.

HNGX
Whilst we have been advised that there is a new process in place this year for the periodic review of the appropriateness of access assigned to the HNGX estate, we understand that this is based on a database that records access granted and terminated, rather than on user access listings generated directly from Active Directory, which diminishes the effectiveness of the control.
Our user appropriateness review identified one user account that no longer required access to HNGX (refer to Appendix C).

POLSAP
Whilst we note that there is a process in place to review the appropriateness of P&BA and Supply Chain users' access to POLSAP on a periodic basis, sufficient evidence of the review has not been retained.

Conflicts in segregation of duties and excessive or inappropriate access to financial systems may arise if a regular re-validation of user access is not performed.

Recommendation:
Management should consider the implementation of a POL-owned periodic review of the appropriateness of access to in-scope applications and their supporting infrastructure. The implementation of this review will assist in the identification of inappropriate access and potential segregation of duties conflicts. In addition, this will act as an additional control to help detect users that no longer require access to the financial applications.

The following outlines how this process may be implemented:
• User listings containing all active users and their access levels to be generated by IT and emailed to relevant department managers, whereby they provide responses detailing:
  o Whether the current access of their employees is in line with their job role
  o Whether any users require their access to be modified or removed. Where additional access is required, requests should be made through the existing user modification process. Where access is required to be removed, flagging these users and providing comments is sufficient. These responses should be actioned by IT on a timely basis.
• All documentation to support the operation of these controls should be retained, including:
  o Emails to managers requesting responses
  o Responses from managers detailing whether changes are required (responses should be provided whether changes are required or not)
  o Overall sign-off on the completion of the review from management.

The above review should include all user accounts, including those privileged user accounts owned by IT and vendors. In addition, the individual responsible for performing the review should have limited access to the application in order to prevent the review of their own access.

In terms of monitoring privileged access, management should specifically consider implementing a periodic review of users with privileged access to IT functions within the HNGX estate.

Evidence to support the operation of the above monitoring controls for privileged IT access should also be retained to support accountability and provide assurance to POL management.
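The two mechanisms this section relies on, reconciling an HR leavers list against a listing exported directly from the directory and building per-manager review packs in which nobody reviews their own access, as an added example that is not part of the letter; the leavers, accounts, groups and dates are constructed sample values, and the dictionary export format is an assumption.

```python
"""Added example: leaver reconciliation and periodic access review packs.

Both inputs are constructed samples: an HR listing of terminated employees
and a user listing exported directly from the directory (the letter notes
that a review driven from a separate access-tracking database is weaker
than one driven from the live directory listing).
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed HR leavers listing: (full name, termination date).
LEAVERS = [
    ("Alice Example", date(2011, 5, 6)),
    ("Bob Sample", date(2011, 6, 4)),
    ("Carol Model", date(2011, 9, 30)),
]

# Constructed directory export: account -> attributes.
USER_LISTING = {
    "aexample": {"name": "Alice Example", "enabled": True, "groups": ["SMC Users"], "manager": "dlead"},
    "bsample": {"name": "Bob Sample", "enabled": False, "groups": [], "manager": "dlead"},
    "cmodel": {"name": "Carol Model", "enabled": True, "groups": ["Domain Admins"], "manager": "dlead"},
    "dlead": {"name": "Dan Lead", "enabled": True, "groups": ["SMC Users"], "manager": "ehead"},
    "ehead": {"name": "Eve Head", "enabled": True, "groups": ["SMC Users"], "manager": None},
}


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive key for matching HR names to directory names."""
    return " ".join(name.lower().split())


def reconcile(leavers, listing, as_of: date, grace_days: int = 0) -> List[Tuple[str, str, int]]:
    """Return (account, name, days_since_leaving) for leavers whose account is
    still enabled more than grace_days after their termination date.

    Matching is by normalised full name, so one leaver may match several
    accounts; each enabled match is reported separately."""
    by_name: Dict[str, List[str]] = {}
    for account, attrs in listing.items():
        by_name.setdefault(normalise(attrs["name"]), []).append(account)
    overdue = []
    for name, left_on in leavers:
        for account in by_name.get(normalise(name), []):
            if listing[account]["enabled"]:
                days = (as_of - left_on).days
                if days > grace_days:        # future-dated leavers are not yet overdue
                    overdue.append((account, name, days))
    return overdue


def review_packs(listing) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group enabled accounts by the manager who must confirm their access.

    A manager's own account goes to their manager, never into their own pack,
    which is the separation the letter asks for; accounts with no manager
    recorded are skipped and should be reviewed by exception."""
    packs: Dict[str, List[Tuple[str, List[str]]]] = {}
    for account, attrs in listing.items():
        if not attrs["enabled"]:
            continue
        reviewer = attrs["manager"]
        if reviewer is None or reviewer == account:
            continue
        packs.setdefault(reviewer, []).append((account, sorted(attrs["groups"])))
    return packs


if __name__ == "__main__":
    for account, name, days in reconcile(LEAVERS, USER_LISTING, as_of=date(2011, 9, 6)):
        print(f"{account}: {name} left {days} days ago, account still enabled")
    for reviewer, items in review_packs(USER_LISTING).items():
        print(reviewer, "reviews", items)
```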
Ref 5: Generic privileged accounts

Background:
Our review of privileged access to the in-scope applications and their supporting infrastructure last year revealed individuals sharing passwords to multiple generic privileged accounts. The same observation remains valid this year at the time of our review:
• The password to the privileged SYSTEM account on the Oracle database on the BDB and DAT servers supporting HNGX is known to four of the 11 members of the IRE11 TST DBA team, and the password to the same account on the XID and R3D servers supporting the SAP XI and POLSAP applications is known to the three members of the SAP Basis team.
• The password to the privileged DBA account on the Oracle database on the BDB and DAT servers supporting HNGX is known to the RMGA Unix team and four of the 11 members of the IRE11 TST DBA team respectively. The password to the DBA account on the XID and R3D Oracle database servers supporting the SAP XI and POLSAP applications is known to the three members of the SAP Basis team.
• The password to the privileged SYS default account on the Oracle database on the BDB and DAT servers supporting HNGX is known to four of the 11 members of the IRE11 TST DBA team respectively. The password to the SYS account on the XID and R3D Oracle database servers supporting the SAP XI and POLSAP applications is known to the three members of the SAP Basis team.
• The password to the default privileged Administrator account on the Active Directory server controlling access to the HNGX estate was known to the nine members of the IRE11 NT team.
• Furthermore, the password to the following accounts with the SAP_ALL and SAP_NEW privileged profiles on POLSAP is known to the three members of the Fujitsu Basis Consultants team:
  o ADMINBATCH
  o BASISADMIN
  o OTUSER
  o SAP*
  o SOLMANPLMS500
  o DDIC (assigned to the SAP_ALL profile only)
  o WF-ADMIN.

The use of generic accounts undermines accountability and can lead to unauthorised access to financial data.

Recommendation:
Management should consider a review of generic privileged accounts across the in-scope applications and their supporting infrastructure to determine whether such accounts can be replaced with individual user accounts to promote accountability. Management should also consider implementing monitoring controls to help ensure robust security practices are in place, particularly those operated by third party service providers.
Ref 6: Password parameters

Background:
We reviewed the password configurations for the in-scope applications and the infrastructure supporting these applications. Whilst our examination revealed some improvements to the observations raised in last year's audit, the following observations remain open:
• We reviewed the password configurations for the in-scope applications against Fujitsu's RMGA Security Policy and Post Office's Information Security Guide. We noted the following password parameters have not been defined:
  RMGA Security Policy
  o Reset account lockout counter
  o Idle session timeout
  Post Office Information Security Guide
  o Account lockout threshold
  o Reset account lockout counter
  o Account lockout duration
  o Idle session timeout.
• We also noted that there are password setting weaknesses within the RMGA Information Security Policy:
  o Number of passwords that must be used prior to using a password again is defined as 'Re-use of the same password must not be permitted for either a specified time or until at least 4 other passwords have been used'
  o Account lockout duration is defined as 'the user must be locked out for at least 30 minutes or until reset by an administrator'
• There are password setting weaknesses within the POLSAP application:
  o Minimum password length is 6 characters. This does not meet the RMG Information Security Policy guideline of a minimum of 7 characters
  o Idle session timeout is set to 3600 seconds. This does not meet the recommended setting of 1800 seconds or less
  o Table logging is not enabled (i.e., rec/client = OFF). This does not meet the recommended setting of ON
• There are password setting weaknesses at the Linux operating system level on both the application servers supporting POLSAP (R3A) and HNGX (BAL):
  o Minimum password length is 5 characters. This does not meet the RMGA Information Security Policy guideline of a minimum of 7 characters
  o Maximum password age is set at 99999 days. This does not meet the RMGA Information Security Policy guideline that passwords must expire in 30 days
  o Minimum password age is set to 0 days. This does not meet the recommended setting of 1 day
  o Account lockout after failed login attempts is not set. This does not meet the RMGA Information Security Policy guideline of 3 failed login attempts
  o Password history is not set. This does not meet the recommended setting of 5 passwords
  o Idle session timeout is not set. This does not meet the recommended setting of 30 minutes. Note: this setting only applies to the POLSAP R3A platform
• There are password setting weaknesses on the Windows 2003 Active Directory Controller supporting HNGX:
  o Account lockout threshold is set to 6 failed login attempts. This does not meet the RMGA Information Security Policy guideline of 3 failed login attempts
  o Account lockout reset counter is set to 30 minutes. This does not meet the recommended setting of 60 minutes
  o Account lockout duration is set to 30 minutes. This does not meet the recommended setting whereby an Administrator is required to unlock the account
• There are password setting weaknesses at the Oracle database level on the database servers supporting POLSAP (R3D) and SAP XI (XID) and on the branch database server (BDB) and transaction processing system server (DAT) supporting HNGX:
  o Minimum password length is not set. This does not meet the RMGA Information Security Policy guideline of a minimum of 7 characters
  o Password composition is not set. This does not meet the RMGA Information Security Policy guideline of alphanumeric
  o Frequency of forced password changes does not meet the RMGA Information Security Policy guideline of 30 days or less
  o The number of unsuccessful log on attempts allowed before lockout is set to 10. This does not meet the RMGA Information Security Policy guideline of 3 failed login attempts
  o Account lockout duration is not defined. This does not meet recommended practice of at least 5 days for the Oracle database
  o The number of passwords that must be used prior to using a password again is not set. This does not meet the recommended setting of 5 passwords
  o Idle session timeout is not set. This does not meet the recommended setting of 30 minutes
Refer to Appendix D for further details.

Weak password settings increase the risk of unauthorised access to financial processing and data.

Recommendation:
Whilst we acknowledge that password weaknesses at the application, operating system and database level are mitigated to some extent by the network Active Directory password controls, the following is still recommended to further strengthen the control environment:
a) Review and update the 'RMG Information Security Policy' to meet the recommended generally-accepted practice password settings outlined below. Management should also consider having only one policy document outlining the password guidelines that apply to both HNGX and POLSAP.
b) Configure all network, application and supporting infrastructure components in line with the policy requirements.
c) For infrastructure supporting the applications in scope, where the critical authentication level is at the POLSAP application layer or Active Directory, management should consider the risk of unauthorised access to the financial data by privileged accounts on the Oracle database and Linux operating system.

Password setting | Recommended configuration
Minimum password length | 6 - 8 characters
Complexity | Alphanumeric including special characters and upper/lower case
Frequency of forced password changes | 90 days or less
Number of passwords that must be used prior to using a password again | 5 (should be higher if passwords are changed more frequently)
Initial log-on uses a one-time password | Enabled
The number of unsuccessful log on attempts allowed before lockout | 3-5 invalid attempts
Account lockout duration | Forever until manually unlocked
Idle session timeout | 30 minutes
Account lockout reset counter | 60 minutes

Management should consider implementing monitoring controls to help ensure robust security settings are in place, particularly those operated by third party service providers.
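The comparison the auditors made (observed platform settings against the RMGA thresholds and the recommended table above) is mechanical enough to script, so that the check can be re-run as the monitoring control the recommendation asks for. This is an added example, not code from the letter; the login.defs excerpt and the Active Directory values are constructed samples that reproduce the Linux and AD findings above, and the observed-setting key names are an assumption.

```python
"""Added example: password-parameter compliance check.

RULES encode the thresholds the letter applied: RMGA Information Security
Policy values where the letter cites them (7 characters, 30-day expiry,
3 failed attempts) and the recommended table otherwise. Observed values of
None mean "not set". The sample inputs are constructed, not real exports.
"""
from typing import Dict, List, Optional, Tuple, Union

Value = Union[int, str, None]
# (observed key, comparison, limit, description used in the finding)
LINUX_RULES: List[Tuple[str, str, Value, str]] = [
    ("min_length", "ge", 7, "a minimum of 7 characters"),
    ("max_age_days", "le", 30, "expiry within 30 days"),
    ("min_age_days", "ge", 1, "a minimum password age of 1 day"),
    ("history", "ge", 5, "5 passwords remembered"),
    ("lockout_threshold", "le", 3, "lockout after 3 failed login attempts"),
    ("idle_timeout_min", "le", 30, "an idle session timeout of 30 minutes"),
]
AD_RULES: List[Tuple[str, str, Value, str]] = [
    ("lockout_threshold", "le", 3, "lockout after 3 failed login attempts"),
    ("reset_counter_min", "ge", 60, "a lockout reset counter of 60 minutes"),
    ("lockout_duration", "eq", "manual", "unlock by an Administrator"),
]

# Constructed /etc/login.defs excerpt with the values the letter reports for R3A/BAL.
LOGIN_DEFS_SAMPLE = """\
# Password aging controls (constructed sample)
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
"""
# Constructed Active Directory values matching the letter's HNGX domain controller findings.
AD_OBSERVED: Dict[str, Value] = {
    "lockout_threshold": 6, "reset_counter_min": 30, "lockout_duration": 30,
}


def parse_login_defs(text: str) -> Dict[str, Value]:
    """Map PASS_* keys of a login.defs file onto the checker's observed keys.

    History, lockout and idle timeout are not expressible in login.defs
    (they live in PAM or the shell profile), so they stay None unless the
    caller fills them in from those sources."""
    raw: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        parts = line.split()
        if len(parts) >= 2:
            raw[parts[0]] = parts[1]
    observed: Dict[str, Value] = {key: None for key, _, _, _ in LINUX_RULES}
    for defs_key, obs_key in (("PASS_MIN_LEN", "min_length"),
                              ("PASS_MAX_DAYS", "max_age_days"),
                              ("PASS_MIN_DAYS", "min_age_days")):
        if defs_key in raw:
            observed[obs_key] = int(raw[defs_key])
    return observed


def check(observed: Dict[str, Value], rules) -> List[str]:
    """Return one finding per rule the observed settings fail, in rule order."""
    findings = []
    for key, comparison, limit, description in rules:
        value = observed.get(key)
        if value is None:
            findings.append(f"{key}: not set; policy requires {description}")
            continue
        if comparison == "ge":
            ok = value >= limit
        elif comparison == "le":
            ok = value <= limit
        else:                                   # "eq": exact, non-numeric setting
            ok = value == limit
        if not ok:
            findings.append(f"{key}: set to {value}; policy requires {description}")
    return findings


if __name__ == "__main__":
    for finding in check(parse_login_defs(LOGIN_DEFS_SAMPLE), LINUX_RULES):
        print("Linux:", finding)
    for finding in check(AD_OBSERVED, AD_RULES):
        print("AD:", finding)
```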
Ref 7: Logical security settings
Location: IT

Background:
Our review last year of the logical security settings for the infrastructure supporting the applications in scope identified certain logical security weaknesses. From our review this year, we noted that these weaknesses are still valid. These include:
• For the Oracle database supporting SAP XI (XID) and the Branch Database server (BDB) and Transaction Processing System server (DAT) Oracle databases supporting HNGX, we noted that the password for the LISTENER.ORA file has not been enabled and the password entry does not contain an encrypted value.
• The default Administrator account on the Active Directory server controlling access to the HNGX estate (ACD) has not been disabled.

Inadequate system security settings increase the risk of unauthorised access to financial data.

Recommendation:
Management should consider the following:
• Setting an encrypted password for the LISTENER.ORA file on all Oracle databases supporting the in-scope applications
• Disabling the default Administrator account and creating a new Administrator account with a strong password

Management should also consider implementing monitoring controls to help ensure robust security settings are in place, particularly those operated by third party service providers.
Appendix A
Review of privileged access
The following observation was noted as a result of our review of privileged access across all in-scope applications:

Application: POLSAP
The following 7 dialog and service accounts were identified to be assigned privileged profiles (user IDs are not legible in this copy):

User ID | Valid from date | Valid through date | User Type | User group | User Lock | Last Logon Date | Last logon time | Privileged Profiles
[not legible] | 03.07.2008 | 31.12.9999 | A | SUPER | 0 | 18.12.2011 | 07:12:13 | SAP_ALL, SAP_NEW
[not legible] | 03.10.2008 | 31.12.9999 | A | SUPER | 0 | 20.12.2011 | 19:26:20 | SAP_ALL, SAP_NEW
[not legible] | 25.06.2008 | 31.12.9999 | A | SUPER | 0 | 08.03.2010 | 09:17:27 | SAP_NEW, S_A.SYSTEM
[not legible] | 29.04.2010 | 31.12.9999 | S | SUPER | 0 | 24.03.2011 | 10:47:55 | SAP_ALL, SAP_NEW
[not legible] | 25.06.2008 | 31.12.9999 | A | SUPER | 0 | 92.05.2011 | 00:00:00 | SAP_ALL, SAP_NEW
[not legible] | 12.03.2010 | 31.12.9999 | S | SUPER | 0 | 20.12.2011 | 19:23:59 | SAP_ALL, SAP_NEW
[not legible] | 20.11.2007 | 31.12.9999 | A | SUPER | 0 | 10.08.2005 | 09:18:25 | SAP_ALL, SAP_NEW
Appendix B Strengthen the user administration process
The following observations were identified as a result of our review of the user administration process across the in-scope applications:
Application: POLSAP
The following 24 POL cash centre managers have limited access to SU01:
SAP ID Name, Job Title User Group
ne David J Adams, Processing Manager ETNA HOUSE
Savarimuthu Alex, Processing Manager ETNA HOUSE
Robert Bailie, Processing Manager BELFAST
Palbinder Boora, Processing Manager BIRMINGHAM
Eric Brown, Processing Manager GLASGOW
Pat Conlon, Processing Manager HEMEL_BUREAU
Eileen Currie, Processing Manager BELFAST
Paul Denton, Processing Manager LEEDS
Bryan Flynn, Processing Manager MANCHESTER
Chris Flynn, Processing Manager MANCHESTER
John Graven, Processing Manager MANCHESTER
Michael Gregory, Processing Manager ETNA HOUSE
Steve R Howard, Centre Manager HEMEL” BUREAU
Martyn Hughes, Processing Manager BIRMINGHAM
Simon Inwin, Processing Manager POL 1254
MCINT E8833 John Mcintosh, Processing Manager GLASGOW
Richard Monk, Processing Manager HEMEL
Richard Monk, Processing Manager HEMEL_BUREAU
Daksha Parmar, Processing Mahager MIDWAY
Gillian Margaret Ponter, Processing Manager MIDWAY
Martin Pressland, Processing Manager POL 1254
Melanie C Steele, Processing Manager LEEDS
Timothy Wall, Processing Manager POL 1254
Andrew Woolven, Service Desk Analyst UK 1114
FUJ00086970
FUJ00086970
Application: POLSAP
We noted that the cash centre line manager providing approval or confirmation of appropriateness for the following new and modified users out of a sample
of 27 tested had limited access to SU01:
FUJ00086970
FUJ00086970
User Name Full Name New User or Modification? Date Manager Providing Confirmation and also has access to SU01
Meg Brooks New User (POL) 15/11/2011 Patrick A J ConlonyProcessing Manager
Pradeep Banduni Modified User (Steria) 23/09/2011 Shanmugam Sundarajan, Offshore User Admin
Dave Fielding Modified Users (POL) 13/06/2011 John Graven; Processing Manager
Wendy R Haywood Modified Users (POL) 31/10/2011 Daksha»Parmar, Processing Manager
Max Holmes Modified Users (POL) 08/06/2011 John Graven, Processing Manager
Yakalu llunga Modified Users (POL) 26/04/2011 Steve Howard, Bureau de Change & Coin Centre Operations Manager
Douglas Lawson Modified Users (POL) 27/07/2011 Eri¢Brown, Operational Support Manager, Glasgow Cash Centre & Glasgow CViT Depot
tan Martin Modified Users (POL) 29/09/2011 Daksha Parmar, Processing Manager
Gordon McAllister Modified Users (POL) 17/10/2014 Eric Brown) Operational Support Manager, Glasgow Cash Centre & Glasgow CViT Depot
Helen McNeil Modified Users (POL) 23/09/2044 Eric Brown, Opérational Support Manager, Glasgow Cash Centre & Glasgow CViT Depot
Ruta Montvidaite Modified Users (POL) 12/09/2011 Yohn Graven, Processing Manager
Gail Oates Modified Users (POL) 22/09/2014 John Graven, Processing Manager
Sharon Pantlin Modified Users (POL) 15/09/2011 Timothy Wall, Processing Manager
Angela Rossi Modified Users (POL) 26/08/2011 Timothy Wall, Processing Manager
Mohammed Ahmed _I Modified User (POL) 08/08/2011 Timothy Wall, Processing Manager
David Brockett Modified User (POL) 25/07/2014 Eric Brown, Operational Support Manager, Glasgow Cash Centre & Glasgow CViT Depot
Jennifer Wiliams New User (POL) 25/10/2011 John Graven, Processing Manager
20
FUJ00086970
FUJ00086970
Application: POLSAP
Based on our sample of 25 new and modified user access requests to the POLSAP application we noted:
• For the following cash centre user modification, which took place after the new process was implemented on 01/10/11 whereby a form is required to
authorise the temporary assignment of roles to cash centre users, this form was not retained:
User Name | Full Name | Job Title
 | Wendy Haywood | Midway Cash Centre
• For the following cash centre user access modification the line manager stated that the role had been assigned permanently, in which case the
modification of access should have followed the Supply Chain user administration process:
User Name | Full Name | Job Title
 | Sharon Pantlin | London East Cash Centre
Application: POLSAP
Based on our walkthrough of the removal of access process for the POLSAP application, we noted that access to POLSAP was not revoked until over 3
months after the termination date of the following leaver:
User Name | Full Name | Job Title
 | John Allcock | CHD, Birmingham Merlin Coin
Application: POLSAP
Based on our reconciliation of the Fujitsu and Post Office terminated employee listings to the POLSAP user listing we noted the following four terminated
employees whose user accounts remained active:
User Name | Full Name | Job Title
 | Keith Spencer | Customer Service Consultant
 | Stuart Moore | Dartford CIT Manager
 | Robin Hayes | Birmingham CIT
 | Vijay Samplay | North Inventory Team
Application: HNGX
Based on our walkthrough of the new user, modified user and removal of access processes on the HNGX estate, we noted the following:
• No evidence to support the authorisation for the creation of the following new user account:
User ID | User Name | Job Title | Active Directory Group
 | Alan Flack | Release Manager | SMC Users
• No evidence to support the authorisation of the removal of an Active Directory group membership for the following modified user account:
User ID | User Name | Job Title | Active Directory Group
 | Wayne Bragg | SSC Support Engineer | MSS
• Access to HNGX was not revoked until four months after the termination date of the following leaver:
User ID | User Name | Job Title | Active Directory Group
 | John Ballantyne | SSC Support Engineer | smc technicians; ssc; SMC Users; emdb equipment admin; virtualserveroperators
Application: HNGX
Based on our reconciliation of the Fujitsu RMGA terminated employee list to the Active Directory listing controlling access to HNGX, we noted the following:
• Access to HNGX was not revoked for the following leaver:
User ID | User Name | Job Title | Active Directory Group
 | David Wilcox | Technical Manager | rdt; Pathway; rdmcgroup
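The POLSAP and HNGX findings above both come from the same control test: reconciling an HR leaver listing against the application or directory user listing and asking which leavers still hold an active account, and for how long. The script below is an added example of that reconciliation and is not part of the audit report or of any Post Office or Fujitsu tooling. The user IDs, names, dates and group memberships are constructed sample data; the only inputs it assumes are a leaver export with a termination date and a user export with a status, a group list and an optional last-logon date.

```python
"""Reconcile a terminated-employee list against an application user listing.

Added example (not from the audit report). It automates the auditors' test:
which leavers still hold an active account, how long past the agreed removal
window the account has stayed active, and whether it was used after the
termination date. All rows below are constructed sample data.
"""
import csv
import io
from datetime import datetime

# Constructed HR leaver listing: one row per terminated employee.
LEAVERS_CSV = """\
user_id,full_name,termination_date
u1001,Example Leaver One,2011-06-30
u1002,Example Leaver Two,2011-09-15
u1003,Example Leaver Three,2011-11-01
"""

# Constructed user listing exported from the application / directory.
# u1002 was correctly disabled; u1001 and u1003 were not.
USERS_CSV = """\
user_id,full_name,status,groups,last_logon
u1001,Example Leaver One,active,SMC Users;ssc,2011-10-03
u1002,Example Leaver Two,disabled,SMC Users,2011-09-10
u1003,Example Leaver Three,active,rdt;Pathway,
u2001,Current Staff One,active,SMC Users,2012-03-01
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def to_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def reconcile(leavers_csv, users_csv, as_of, grace_days=0):
    """Return leavers whose accounts are still active as of `as_of` (YYYY-MM-DD).

    `grace_days` is the removal window the leaver process allows; an account
    still active beyond termination_date + grace_days is a finding. Findings
    are sorted with the longest-overdue account first.
    """
    as_of_date = to_date(as_of)
    users = {row["user_id"]: row for row in parse_csv(users_csv)}
    findings = []
    for leaver in parse_csv(leavers_csv):
        account = users.get(leaver["user_id"])
        if account is None or account["status"].lower() != "active":
            continue  # no account, or already disabled: nothing to report
        term = to_date(leaver["termination_date"])
        overdue = (as_of_date - term).days - grace_days
        if overdue <= 0:
            continue  # still inside the agreed removal window
        # A logon after the termination date is the stronger signal: the
        # account was not merely left enabled, it was actually used.
        used_after_leaving = bool(account["last_logon"]) and to_date(account["last_logon"]) > term
        findings.append({
            "user_id": leaver["user_id"],
            "full_name": leaver["full_name"],
            "groups": [g for g in account["groups"].split(";") if g],
            "days_overdue": overdue,
            "used_after_leaving": used_after_leaving,
        })
    return sorted(findings, key=lambda f: -f["days_overdue"])


if __name__ == "__main__":
    for f in reconcile(LEAVERS_CSV, USERS_CSV, as_of="2012-01-31", grace_days=5):
        flag = " (logged on after leaving)" if f["used_after_leaving"] else ""
        print(f"{f['user_id']} {f['full_name']}: active {f['days_overdue']} days past "
              f"the removal window, groups={f['groups']}{flag}")
```

Run against a real export, the group column is what turns a list of names into the table the auditors present: it shows which privileges the lingering account still carries, and the last-logon column separates dormant accounts from ones that were used after the person left.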
Appendix C Implement periodic user access reviews and monitoring controls
The following observation was identified as a result of our review of appropriateness of user access to the HNGX estate:
Application: HNGX
Of a sample of 25 Active Directory accounts tested, one account belonged to an employee whose access to the HNGX estate was no longer required:
User ID | User Name | Job Title | Active Directory Group
 | Martin Tonge | Customer Solution Architect | SMC Technicians
Appendix D Strengthen the password parameters
We noted the following password weaknesses as part of our review of password settings across the in-scope applications and their supporting infrastructure:
Platform/Technology (Application) | Password Parameter | Recommended Practice | RMGA Information Security Policy | Current Setting
POLSAP (Application Level) | Idle session time out | 1800 seconds / 30 minutes | 15 minutes | Noted from RSPARAM report via transaction code SE38: rdisp/gui_auto_logout = 3600
R3A/Linux (POLSAP); BAL/Linux (HNGX) | Minimum password length | 6 - 8 characters | 7 characters | Noted from etc/login.defs file: PASS_MIN_LEN = 5
R3A/Linux (POLSAP); BAL/Linux (HNGX) | Maximum password age | 90 days | 30 days | Noted from etc/login.defs and etc/pam.d/system-auth files: PASS_MAX_DAYS = 9999
R3A/Linux (POLSAP); BAL/Linux (HNGX) | Minimum password age | 1 | n/a | Noted from etc/login.defs and etc/pam.d/system-auth files: PASS_MIN_DAYS = 0
R3A/Linux (POLSAP); BAL/Linux (HNGX) | Number of failed login attempts before account lockout | 3 - 5 failed login attempts | 3 failed login attempts | Noted from etc/pam.d/login file: pam_tally.so is not defined; faillog file does not exist
R3A/Linux (POLSAP); BAL/Linux (HNGX) | Password history | 5 | 4 | Noted from etc/pam.d/system-auth file: password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
R3A/Linux (POLSAP) | Idle session time out | 1800 seconds / 30 minutes | 15 minutes | Noted from etc/profile file: TMOUT is not defined; TIMEOUT is not defined
ACD/Windows (HNGX) | Number of failed login attempts before account lockout | 3 - 5 failed login attempts | 3 failed login attempts | Noted from the Password Policy defined in Active Directory: Account lockout threshold = 6 failed login attempts
ACD/Windows (HNGX) | Account lockout duration | Until administrator reset | Until administrator reset | 
ACD/Windows (HNGX) | Account lockout reset counter | 60 minutes | 30 minutes | Noted from the Password Policy defined in Active Directory: Account lockout reset counter = 30 minutes
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Minimum password length | 6 - 8 characters | 7 characters | Noted from the DBA_PROFILES table: Password verify function is set to NULL.
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Password complexity | Alphanumeric including special characters and upper/lower case | Alphanumeric | Noted from the DBA_PROFILES table: Password verify function is set to NULL.
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Password expiry | 90 days | 30 days or less | Noted from the DBA_PROFILES table: Password_life_time = UNLIMITED.
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Number of failed login attempts before account lockout | 3 - 5 failed login attempts | 3 failed login attempts | Noted from the DBA_PROFILES table: Failed_login_attempts = 10
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Account lockout duration | 5 days or less | Until administrator reset | Noted from the DBA_PROFILES table: Password_lock_time = UNLIMITED
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Password history | 5 | 4 | Noted from the DBA_PROFILES table: Password_reuse_max = UNLIMITED
R3D/Oracle (POLSAP); XID/Oracle (SAP XI); BDB/Oracle (HNGX); DAT/Oracle (HNGX) | Idle session time out | 30 | 15 minutes | Noted from the DBA_PROFILES table: IDLE_TIME = UNLIMITED
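The Linux and Oracle rows of the table are all the same kind of check: read a setting from login.defs, /etc/profile, the PAM stack or DBA_PROFILES and compare it with the RMGA Information Security Policy column. The script below is an added example of that comparison, not part of the audit report or of any Post Office or Fujitsu tooling. The policy thresholds are taken from the table (7 characters, 30 days maximum age, 1 day minimum age, 3 failed logins, history of 4, 15 minute idle timeout); the configuration fragments and the DBA_PROFILES rows are constructed so that they reproduce the weaknesses the auditors recorded, which is what the checker should report.

```python
"""Compare Linux and Oracle password settings with the policy values in the table.

Added example (not from the audit report). The sample login.defs, /etc/profile,
system-auth and DBA_PROFILES contents are constructed to match the current
settings column of the table above.
"""
import re

# Policy column of the table for the Linux hosts. ("max", n): value must not
# exceed n; ("min", n): value must be at least n. TMOUT is in seconds.
POLICY = {
    "PASS_MIN_LEN": ("min", 7),
    "PASS_MAX_DAYS": ("max", 30),
    "PASS_MIN_DAYS": ("min", 1),
    "TMOUT": ("max", 15 * 60),
}
# Policy column for the Oracle databases (DBA_PROFILES limits; IDLE_TIME in minutes).
ORACLE_POLICY = {
    "PASSWORD_LIFE_TIME": ("max", 30),
    "FAILED_LOGIN_ATTEMPTS": ("max", 3),
    "PASSWORD_REUSE_MAX": ("min", 4),
    "IDLE_TIME": ("max", 15),
}

LOGIN_DEFS = """\
# constructed /etc/login.defs fragment
PASS_MAX_DAYS   9999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
PROFILE = """\
# constructed /etc/profile fragment: no TMOUT set
export PATH=/usr/local/bin:$PATH
"""
SYSTEM_AUTH = """\
# constructed /etc/pam.d/system-auth fragment
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
"""
# constructed DBA_PROFILES rows (RESOURCE_NAME -> LIMIT) for the DEFAULT profile
DBA_PROFILES = {
    "PASSWORD_VERIFY_FUNCTION": "NULL",
    "PASSWORD_LIFE_TIME": "UNLIMITED",
    "FAILED_LOGIN_ATTEMPTS": "10",
    "PASSWORD_LOCK_TIME": "UNLIMITED",
    "PASSWORD_REUSE_MAX": "UNLIMITED",
    "IDLE_TIME": "UNLIMITED",
}


def parse_key_values(text):
    """Parse `KEY value`, `KEY=value` and `export KEY=value` lines; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=?\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def compare(settings, policy):
    """Return {parameter: reason} for each policy parameter that is unset or out of bounds."""
    findings = {}
    for param, (kind, limit) in policy.items():
        raw = settings.get(param)
        if raw is None:
            findings[param] = "not defined"
        elif raw.upper() == "UNLIMITED":
            findings[param] = "UNLIMITED"
        elif kind == "max" and int(raw) > limit:
            findings[param] = f"{raw} exceeds policy maximum {limit}"
        elif kind == "min" and int(raw) < limit:
            findings[param] = f"{raw} below policy minimum {limit}"
    return findings


def check_pam(system_auth):
    """Flag the two PAM weaknesses in the table: no lockout module, no password history."""
    findings = {}
    if not re.search(r"pam_tally2?\.so", system_auth):
        findings["lockout"] = "pam_tally.so not defined: no lockout after failed logins"
    if not re.search(r"^password.*\bremember=\d+", system_auth, re.M):
        findings["history"] = "no remember= on the password line: history not enforced"
    return findings


def check_linux():
    settings = parse_key_values(LOGIN_DEFS)
    settings.update(parse_key_values(PROFILE))  # TMOUT would come from here
    findings = compare(settings, POLICY)
    findings.update(check_pam(SYSTEM_AUTH))
    return findings


def check_oracle():
    findings = compare(DBA_PROFILES, ORACLE_POLICY)
    # With no verify function, neither length nor complexity is enforced by the database.
    if DBA_PROFILES.get("PASSWORD_VERIFY_FUNCTION", "NULL").upper() == "NULL":
        findings["PASSWORD_VERIFY_FUNCTION"] = "NULL: length and complexity not enforced"
    return findings


if __name__ == "__main__":
    for host, result in (("Linux", check_linux()), ("Oracle", check_oracle())):
        for param, reason in result.items():
            print(f"{host}: {param}: {reason}")
```

Two design points: UNLIMITED is treated as a finding regardless of direction, because for every parameter in the table it means the control is switched off (no expiry, no lockout, no reuse limit, no idle timeout); and the PAM check looks for an explicit `remember=` option rather than trusting the presence of pam_unix, since the line recorded by the auditors loads pam_unix but enforces no history.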
Appendix E Strengthen the change management process
Application: POLSAP
Based on a testing sample of 17 changes made to the POLSAP production environment during the audit period we noted the following:
• Six changes where the name of the person who performed the testing was not recorded:
Transport | Date | Description
PLDK913168 | 03/06/2011 | AB: CR2223 TT -> POLSAP interface change 170511
PLDK913389 | 28/10/2011 | AB: Trading Statement - Reverse Docs v3.0
PLDK913166 | 25/11/2011 | AB: CMS Billing Undo fix because of master data 120511
PLDK913205 | 25/11/2011 | AB: CMS Bank Holiday change DC 100611
PLDK913427 | 25/11/2011 | AB: Trading Statement line 34 fix
PLDK913263 | 08/12/2011 | FI-FY_Variant_ZL_Local Scheme(by week) till 2015-16
• Four changes where, whilst we were able to obtain evidence of approval from the POL Change Control team, the name of the person who approved the
change to go live from POL was not recorded:
Transport | Date | Description
PLDK913323 | 21/10/2011 | AB: CR 2206 Flexible plannig screen changes v1.0
PLDK913342 | 21/10/2011 | AB: CR 2206 Flexible plannig screen changes v2.0
PLDK913398 | 11/11/2011 | BS SJ PR4783843 Auth added to Z:L9999:POESSPROPOSE
PLDK913427 | 25/11/2011 | AB: Trading Statement line 34 fix
• For one change, we were unable to obtain evidence that the change had been authorised by POL or Fujitsu prior to development:
Transport | Date | Description
PLDK913263 | 08/12/2011 | FI-FY_Variant_ZL_Local Scheme(by week) till 2015-16
• For one change, we were unable to obtain evidence that it had been approved by POL prior to deployment into the production environment:
Transport | Date | Description
PLDK913263 | 08/12/2011 | FI-FY_Variant_ZL_Local Scheme(by week) till 2015-16
Application: HNGX
Based on our walkthrough and testing samples of 11 back end changes, 11 counter changes and six manual changes made to the live HNGX estate during
the audit period, we noted the following:
• For two manual changes and three back end changes, although POL approval was recorded in the Manage Service Change (MSC) prior to
implementation, the name of the member of the POL Change Control team who provided the approval was not recorded:
Baseline | Type | Date | Description
MS_SEC_UPD_W2K3_KB2538814_CONFIG_NA_D001 | Back end | 03/10/2011 | Infrastructure Patches - Microsoft Security Update
RHEL_4_5_32_64_SEC_UPD_NA_D016-D015A | Back end | 09/10/2011 | Infrastructure Patches - Microsoft Security Update
POA:SOL_10_PATCHES_PRIMEPOWER_GROUP1_CONFIG_NA_D020-D019 | Manual | N/A | Infrastructure Security - Anti-Virus update
POA:WIN_TEM_SWPACKAGE_0506_D005-D004 | Manual | N/A | Tivoli Endpoint Manager Upgrade
MS_SEC_UPD_XP_W2K3_KB2476687_CONFIG_NA_D001 | Back end | 03/04/2011 | Microsoft Security Update
• For 28 changes we were unable to obtain evidence of testing performed by POL:
Baseline | Type | Date | Description
WIN_NCO_PROBEWIN_CFG_0410_D043 | Back End | 03/04/2011 | Infrastructure Event Monitoring - Configuration Change
MS_SEC_UPD_XP_W2K3_KB2478960_CONFIG_NA_D001 | Back End | 04/04/2011 | Infrastructure Patches - Microsoft Security Update
QVAS_RHL_CONFIG_0300_D005 | Back End | 01/06/2011 | Infrastructure Event Monitoring - Configuration Change
SOP_AV_WIN_APP_95_NA_D012 | Back End | 03/06/2011 | Infrastructure Security - Anti-Virus update
LIVE_PLATFORM_SET_PRODUCT_TAGS_NA_D260 | Back End | 17/06/2011 | Change to branch router configurations
LIVE_PLATFORM_SET_PRODUCT_TAGS_NA_D264 | Back End | 03/07/2011 | Infrastructure Event Monitoring - Configuration Change
SOP_AV_WIN_APP_95_NA_D018 | Back End | 13/07/2011 | Infrastructure Security - Anti-Virus update
LINUX_32BIT_24_ACQUIRE_V820_CONFIG_INT14_D009-D008A | Back End | 04/08/2011 | Standard Platform Build
MS_SEC_UPD_W2K3_KB2538814_CONFIG_NA_D001 | Back End | 03/10/2011 | Infrastructure Patches - Microsoft Security Update
RHEL_4_5_32_64_SEC_UPD_NA_D016-D015A | Back End | 09/10/2011 | Infrastructure Patches - Microsoft Security Update
COUNTER_X0500 65_1 (COUNTER_APP 65_1) | Counter | 21/09/2011 | Counter Release - Multiple Fixes
COUNTER_X0500 65_1 (COUNTER_APP3LIB 65_1) | Counter | 21/09/2011 | Counter Release - Multiple Fixes
COUNTER_X0500 65_1 (COUNTER_APP_LIB 65_1) | Counter | 22/09/2011 | Counter Release - Multiple Fixes
CNIM2_APP 61_7 | Counter | 18/10/2011 | Counter Release - Multiple Fixes
COUNTER_APP 68_1 | Counter | 22/11/2011 | Counter Release - Multiple Fixes
COUNTER_APP 68_1 | Counter | 22/11/2011 | Counter Release - Multiple Fixes
COUNTER_X0500 65_1 (COUNTER_DATA 65_1) | Counter | 21/09/2011 | Counter Release - Multiple Fixes
COUNTER_APP 68_1 | Counter | 22/11/2011 | Counter Release - Multiple Fixes
PROBE_HB UP | Counter | 01/07/2011 | Netcool monitoring probe
PPINPAD_OPEN 41_2 | Counter | 27/07/2011 | Pinpad hardware replacement
HNGX_QOS 61_2 | Counter | 01/07/2011 | Maintenance Fix - Quality of Service Monitoring
COUNTER_HOUSEKEEPING 56_1 | Counter | 27/07/2011 | Counter Release - Multiple Fixes
POA:SOP_AV_NT4_APP_NA_D059 | Manual | n/a | Infrastructure Security - Anti-Virus update
POA:SOP_AV_NT4_APP_NA_D053 | Manual | n/a | Infrastructure Security - Anti-Virus update
POA:SOP_AV_NT4_APP_NA_D047 | Manual | n/a | Infrastructure Security - Anti-Virus update
POA:SOL_10_PATCHES_PRIMEPOWER_GROUP1_CONFIG_NA_D020-D019 | Manual | n/a | Infrastructure Security - Anti-Virus update
POA:WIN_TEM_SWPACKAGE_0506_D005-D004 | Manual | n/a | Tivoli Endpoint Manager Upgrade
MS_SEC_UPD_XP_W2K3_KB2476687_CONFIG_NA_D001 | Back End | 03/04/2011 | Microsoft Security Update
• For one change we were unable to obtain evidence of testing performed by Fujitsu:
Baseline | Type | Date | Description
POA:SOP_AV_NT4_APP_NA_D047 | Manual | n/a | Infrastructure Security - Anti-Virus update
• For one change we were unable to obtain evidence of POL approval prior to implementation in the live environment:
Baseline | Type | Date | Description
SOP_AV_WIN_APP_95_NA_D012 | Back end | 03/06/2011 | Infrastructure Security - Anti-Virus update