FUJ00087243 - Email chain from Mark Underwood to Pete Newsome RE: Privileged users report

Evidence on official site

To: Newsome, Pete
From: Mark Underwood
Sent: Wed 6/14/2017 4:40:33 PM (UTC)
Subject: RE: Privileged users report

Sorry, no — but we can do anytime before 1pm — do any times in the morning work for you?
Mark

Mark Underwood
Head of Portfolio: Legal, Risk & Governance

2017 Winner of the Global Postal Award for Customer Experience
Ground Floor, 20 Finsbury Street, London EC2Y 9AQ

From: pete.newsome
Sent: 14 June 2017 17:
To: Mark Underwood
Subject: RE: Privileged users report

Can you make it 2.00?

Sent from my Windows Phone

From: Mark Underwood
Sent: 14/06/2017 17:24

To: Newsome, Pete; Godeseth, Torstein
Subject: RE: Privileged users report

Thanks, in the interim I will put a placeholder in our diaries for 10am

Mark

From: pete.newsome
Sent: 14 June 2017 17:23

To: Mark Underwood; Torstein.O.Godeseth
Subject: RE: Privileged users report

Mark
I am but not sure about Torstein. Will try to make contact.
Pete

Sent from my Windows Phone

From: Mark Underwood
Sent: 14/06/2017 17:17

To: Newsome, Pete; Godeseth, Torstein
Subject: RE: Privileged users report

Thanks Pete — are you and Torstein available on Monday am for a call with Deloitte to bottom this out?
Mark


From: pete.newsome
Sent: 14 June 2017 10:31

To: Mark Underwood; Torstein.O.Godeseth
Subject: RE: Privileged users report

Mark

Just a thought after our meeting. We are in danger of doing the impossible again which is proving a negative has not happened.
Suggest we pick up next week when Torstein has the data and we can sample to find MSCs.

Pete

Pete Newsome
Account Manager
Post Office Account, Fujitsu UK&I

Web: http://uk.fujitsu.com

Fujitsu named as Responsible Business of the Year
Fujitsu is proud to partner with Action for Children
I-CIO: Global Intelligence for the CIO. Fujitsu's online resource for ICT leaders
Sponsors of the 2015 Rugby World Cup

Please consider the environment - do you really need to print this email?

From: Newsome, Pete
Sent: Tuesday, June 13, 2017 2:55 PM

To: Mark Underwood; Godeseth, Torstein

Mark
My understanding for Torstein to confirm would be:

Once stored in the audit trail the data cannot be deleted until 7 years is complete (Due to the Eternus protection) the further 3
years would need direct access and are only purged in order so no records would exist.

Once Torstein has the log data next week we will be able to initially do a sample on the data to check for appropriate
documentation to validate the access.

I will call Torstein so that he can verify.
Pete


From: Mark Underwood
Sent: Tuesday, June 13, 2017 1:01 PM
To: Newsome, Pete; Godeseth, Torstein
Subject: RE: Privileged users report

Thanks Pete,

It may be helpful if I provide some context. To date I think we have established the following:

- Although it is possible, it is not a line of enquiry of any real merit. Further, any such action would leave an audit trail of
some type.

However, to make as strong an argument as possible and based upon a previous statement by Fujitsu that it is not possible to
delete or switch off the audit log without ‘breaking’ the application, we need to test the following:

1. Whether there are any recordings on the audit log of deletions being made by the privileged user community

2. Even if there are, by also checking that all ‘log ons’ have been for recognised legitimate pieces of work — this provides
reassurance that any such deletions have been for legitimate reasons

3. That it would not have been possible to delete anything without leaving an audit trail by simply switching off the audit log
— as this would crash the application and therefore immediately trigger investigation.

This is why we need to ascertain / test, definitively, whether or not it is possible to delete / switch off the audit log. If it transpires
that it is, then the value of “1” and “2” falls away.

So — is it possible to delete or switch off the audit log without breaking the application?

If Torstein is on leave and unavailable, please put this question to Gareth.

Mark


From: pete.newsome
Sent: 13 June 2017 09:40

Mark

I have had the following reply from Torstein.

I don't think this question makes any sense. Given that the collection of the audit is decoupled from the application I can't see how
the application is in any way affected by the audit.

What seems to me to matter is whether any audit is missing or not; so far there is no indication that any is missing.

We hope to check this next week when we have the Super User login audit data available to back up this argument.

Pete


From: Mark Underwood
Sent: Monday, June 12, 2017 8:07 PM

To: Westbrook, Mark (UK - Manchester)
Cc: Newsome, Pete
Subject: RE: Privileged users report

Importance: High

is (UK - Leeds)
Norman, Russell

Pete,

Re the below: I understand that Torstein is now on leave until next week. In his absence, could you please ask Gareth to take a look
at the below question? Without a definitive answer about whether or not it is possible to ‘delete’ the audit log without breaking the
application, we are unable to wrap this piece of work up, and prepare our defence.

Mark

From: Westbrook, Mark (UK - Manchester)
Sent: 09 June 2017 10:11

To: Torstein.O.Godeseth; Keating, Lewis (UK - Leeds)
Cc: pete.newsome; Mark Underwood; Russell.Norman
Subject: RE: Privileged users report

Hi Torstein,

Thanks.

Could they not delete the infringing log off when they were next logged on legitimately?

I’m also a little confused with how this sits with the point that turning the audit trail off ‘breaks the application’ -
what audit trail being turned off breaks the application? Are we saying just log on or log offs, or broader than
that?

As I’m sure you can appreciate, getting this right and the facts around it is key for the case BD are trying to build.
Cheers,

Mark

Mark Westbrook
Senior Manager | Deloitte LLP

deloitte.co.uk

From: Torstein.O.Godeseth
Sent: 09 June 2017 10:02
To: Westbrook, Mark (UK - Manchester); Keating, Lewis (UK - Leeds)
Cc: pete.newsome; Mark Underwood; Russell.Norman
Subject: RE: Privileged users report

Mark,
Prior to July 2015 Logons and Logoffs were audited.

Given that you have to be logged on to carry out any actions I can’t see how a superuser would be able to delete the ‘logoff’ from
the audit trail, so I think there would be a trace in the shape of instances of logoffs without corresponding logons.

Regards etc
Torstein

From: Westbrook, Mark (UK - Manchester)
Sent: Monday, June 5, 2017 5:42 PM

To: Keating, Lewis (UK - Leeds)
Subject: RE: Privileged users report

Just for further clarity - i.e. does the key point around deletion activity by superusers leaving a trace in the
system only apply from July 2015 onwards?

Thanks,

Mark

Mark Westbrook

From: Keating, Lewis (UK - Leeds)
Sent: 05 June 2017 17:37
To: Torstein.O.Godeseth
Cc: Westbrook, Mark (UK - Manchester)
Subject: Privileged users report

Hello
We are penning our response to POL on the Privileged users report work and have one area to validate with you.
We asked a question about audit logging of Super-user access and we understand that:

- post July 15 all super-user activity is logged, including any DELETE actions

- pre July 15 the only logging in place was of super-user log on / log offs.
  - it is possible to obtain these and match them to MSCs validating these accesses.

Thanks
Lewis

Lewis Keating
Manager
Risk Advisory

IMPORTANT NOTICE
This communication is from Deloitte LLP, a limited liability partnership registered in England and Wales with registered number OC303675. Its registered office is 2 New Street Square, London
EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee
(“DTTL"). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to clients. Please see www.deloitte.com/about to
learn more about our global network of member firms.

This communication contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please
“and destroy this message immediately. Email communications cannot be guaranteed to be secure or free from error or viruses. All emails sent to or from a
email account are securely archived and stored by an external supplier within the European Union.

Deloitte LLP does not accept any liability for use of or reliance on the contents of this email by any person save by the intended recipient(s) to the extent agreed in a Deloitte LLP engagement
contract.

Opinions, conclusions and other information in this email which have not been delivered by way of the business of Deloitte LLP are neither given nor endorsed by it.

Unless otherwise stated, this email has been sent from Fujitsu Services Limited (registered in England No 96056); Fujitsu
EMEA PLC (registered in England No 2216100) both with registered offices at: 22 Baker Street, London W1U 3BW;
PFU (EMEA) Limited, (registered in England No 1578652) and Fujitsu Laboratories of Europe Limited (registered in
England No. 4153469) both with registered offices at: Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be
privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free.

This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient,
you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in
error, please contact the sender by reply email and then delete this email from your system. Any views or opinions
expressed within this email are solely those of the sender, unless otherwise specifically stated.

POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: Finsbury Dials, 20 Finsbury
Street, London EC2Y 9AQ.
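
The two checks discussed in this thread, pairing super-user logons with logoffs and matching each session to an MSC, sketched as an added example that is not part of the email chain or of either party's tooling. The record layout, user ids, MSC references and the assumption that an MSC carries a user and a time window are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample audit records: (ISO timestamp, user, event). All values hypothetical.
AUDIT = [
    ("2015-03-02T09:00", "su_a", "LOGON"),
    ("2015-03-02T09:40", "su_a", "LOGOFF"),
    ("2015-03-05T14:10", "su_b", "LOGOFF"),   # logoff with no corresponding logon
    ("2015-03-09T22:00", "su_a", "LOGON"),
    ("2015-03-09T22:30", "su_a", "LOGOFF"),   # complete session, but no MSC covers it
    ("2015-03-11T08:00", "su_c", "LOGON"),    # logon that is never closed
]
# Constructed change records: (reference, user, window start, window end).
MSCS = [("MSC-0001", "su_a", "2015-03-02T08:00", "2015-03-02T12:00")]

def _ts(s):
    return datetime.fromisoformat(s)

def pair_sessions(events):
    """Pair each user's LOGON with that user's next LOGOFF, in time order.
    Returns (sessions, orphan_logoffs, unclosed_logons)."""
    open_at, sessions, orphan_logoffs, unclosed = {}, [], [], []
    for ts, user, kind in sorted(events, key=lambda e: _ts(e[0])):
        if kind == "LOGON":
            if user in open_at:                 # second logon before any logoff
                unclosed.append((user, open_at[user]))
            open_at[user] = ts
        elif kind == "LOGOFF":
            if user in open_at:
                sessions.append((user, open_at.pop(user), ts))
            else:                               # nothing open to close
                orphan_logoffs.append((user, ts))
    unclosed += list(open_at.items())           # still open at end of data
    return sessions, orphan_logoffs, unclosed

def sessions_without_msc(sessions, mscs):
    """Sessions that do not fall wholly inside any MSC window for the same user."""
    flagged = []
    for user, start, end in sessions:
        covered = any(u == user and _ts(w0) <= _ts(start) and _ts(end) <= _ts(w1)
                      for _ref, u, w0, w1 in mscs)
        if not covered:
            flagged.append((user, start, end))
    return flagged
```

The pairing only surfaces unmatched events; a logon and logoff that are both absent from the data leave nothing for it to flag.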
