FUJ00087871
Matthew.Lenton
Jonathan Gribben
Michael Wharton
Andrew Parsons
Subject: RE: Queries arising out of Dr Worden's evidence - URGENT [WBDUK-AC.FID123944863]
Sent: Tue 6/25/2019 8:05:22 AM (UTC)
Jonny,
We will come back to you this morning.
Matthew Lenton
Post Office Account Document Manager
Business & Application Services
Fujitsu
Lovelace Road, Bracknell, Berkshire, RG12 8SN
Phone:
Email:
Web: https://www.fujitsu.com/global/
From: Jonathan Gribben
Sent: Tuesday, June 25, 2019 8:25 AM
To: Lenton, Matthew
Cc: Lucy Bremner; Michael Wharton; Ibbett, Dave; Andrew Parsons
Subject: Queries arising out of Dr Worden's evidence - URGENT [WBDUK-AC.FID123944863]
Importance: High
Dear all,
Please would you let me know when you'll be in a position to respond to my emails below and attached — Post Office's closing
submissions must be filed and served by midday on Thursday and in order to make use of the information requested we really do
need it ASAP today (because the draft must be reviewed and approved by a number of people).
Kind regards
Jonny
Jonathan Gribben
Managing Associate
Womble Bond Dickinson (UK) LLP
From: Jonathan Gribben
Sent: 24 June 2019 09:58
To: Matthew.Lenton
Cc: Lucy Bremner; Michael Wharton
Subject: RE: Queries arising out of Dr Worden's evidence -
Importance: High
Dear all,
I attach a document containing some queries for Fujitsu that relate to Post Office's closing submissions.
Please would you respond to the queries in the document and send it back to me as soon as possible today. Please would you also
respond to the follow-up question below about privileged user logs post-2015.
Kind regards
Jonny
From: Jonathan Gribben
Sent: 20 June 2019 08:11
To: Matthew.Lenton
Cc: Lucy Bremner; Michael Wharton; ParkerSP; pete.newsome; Dave.Ibbett
Subject: RE: Queries arising out of Dr Worden's evidence - URGENT [WBDUK-AC.FID123944863]
Matthew,
Thank you for the responses, which we are discussing with Counsel.
One immediate follow up point — the question about privileged user logs is whether there is anything useful in the logs from 2015 to
the present day. Your response relates to the pre-2015 logs. Please would you let me know if there is anything worth looking at or
referring to in the 2015 to present day logs.
Kind regards
Jonny
From: Matthew.Lenton
Sent: 19 June 2019 1.
To: Jonathan Gribben
Cc: Lucy Bremner; michael.wharton; Parker
Subject: RE: Queries arising out of Dr Worden's evidence - URGENT [WBDUK-AC.FID123887118]
Jonny,
Please see the responses added below, and the attachments to which they refer.
Matthew Lenton
Post Office Account Document Manager
Business & Application Services
Fujitsu
Lovelace Road, Bracknell, Berkshire, RG12 8SN
Phone:
Email:
Web: https://www. gi -
From: Jonathan Gribben
Sent: Tuesday, June 18, 2019 12:15 PM
To: Newsome, Pete; Lenton, Matthew; Ibbett, Dave; Katie Simmond
Hi all,
One more request:-
- Controls around remote access — Green took Worden to some examples of the two pairs of eyes policy not being
followed:-
o OCP 21918 (raised by and monitored by Anne Chambers)
o OCP 23896 (raised by and monitored by Anne Chambers)
o OCP 26361 (raised by and monitored by Vishnu Ramachandran)
Is there a reason why the policy was not followed in these examples?
[Lenton, Matthew] In his cross-examination PG has been incorrectly interpreting the information in the “Monitored by” section of
OCPs. His interpretation is that this records the name of the person who witnessed the change in the context of the “four eyes”
rule, when in fact, the “Monitored by” field was used to record the person or team that would monitor the effect of the OCP, in
particular where the OCP would affect the live service. See CS/PRD/019 2.2.
The “four eyes” rule was (and is) only mandated for changes that impact the financial integrity of the system. The change vehicle
for these was (in the vast majority of cases) an OCR which will record the name of the person who witnessed the change in the
context of the “four eyes” rule. Where an OCP was used, the name of the person who witnessed the change would be explicitly
recorded in one of the updates since the OCP system did not have a specific field for this purpose.
See CS/PRD/019: Section 2.2: on the use of “Monitored by”: “Complete the “Responsibility for Monitoring” box. This should
specify the name of the person(s) or team(s) who have the responsibility for monitoring the effect of the OCP once implemented. In
particular the monitoring should be checked that there is NO detrimental effect on the “Live Service”. If necessary the details of the
monitoring to be undertaken can be specified in the “Details & Purpose of Change” section.”
CS/PRD/019: Section 6.0:
On the differences between the OCP and OCR processes and how they are used:
“The OCR process involves the correction of customer data on the live system, and because user data is involved, requires different
approvals and auditing
Only the SSC has the authority to make changes to the data on the system, and therefore only SSC staff can action an OCR.
In most cases, an OCR does not involve the financial integrity of the system. Under these circumstances one of the SSC Manager,
the Support Services Manager or the Customer Service Duty Manager can approve an OCR. If the data to be changed has a
financial impact on Post Office, then approval must also be given by a senior Post Office Manager.
When an OCR has been approved, and has been actioned, it is necessary for two users of the OCP system to confirm that the work
has been done — an actionee and a witness. The actionee will always be an SSC staff member, the witness can either be an SSC staff
member or a development staff member.”
On the specific OCPs above:
a) OCP 21918 (raised by and monitored by Anne Chambers)
Actioned by Anne on 03/03/2009 09:32.
As explained above, this would be a manual process as the OCP does not have a witness field (the OCRs do).
Looking at the OCR relating to the same Peak (PC0175821) you can see the Witness field used:
Approval
Approved by Mik Peach (19/02/2009 12:29) for POA SSC Support
Action
Actioned by Catherine Obeng (02/03/2009 17:16) for POA SSC Support
Witness
Witnessed by Anne Chambers
The evidence is still attached to the Peak and we can see that the inserted messages are recorded there (before insertion and the
resultant messages afterwards).
These messages have the identifier tag (<Comment:PC0175821>) attached to demonstrate where they have been created.
There is also an email chain which shows that Anne will contact the SPM before and after the correction, which is scheduled to be
done at the quietest time of day.
Overall we believe that such a substantial change would have been witnessed but there is no proof on the OCP that it was,
however the SPM was kept in contact while the change was made and all changes have been recorded on the Peak to allow them
to be reviewed.
b) OCP 23896 (raised by and monitored by Anne Chambers)
Raised by Anne on 16/10/2009, actioned by Anne on 28/10/2009
This change is for a migration object and is not financially affecting so does not need to be witnessed.
c) OCP 26361 (raised by and monitored by Vishnu Ramachandran)
Vishnu raised the OCP on 14/04/2010
Ed Ashford actioned the OCP on the same day.
His output is shown in the OCP:
Ed Ashford (Core Services Unix Support) wrote at 14/04/2010 18:32: Change committed after confirming output with
development.
Kind regards
Jonny
Jonathan Gribben
Managing Associate
Womble Bond Dickinson (UK) LLP.
From: Jonathan Gribben
Sent: 18 June 2019 12:07
To: pete.newsome
Dave.Ibbett
Dave.Ibbett
Hi all
There are some points arising out of Robert's evidence last week that we'd like some further information on please:
- Service audits eg F/1041 attached:
o [1] Is there a document setting out how the control objectives are decided/defined? It was put to Worden that Fujitsu
define the control objectives. It would be helpful to know to what extent, if at all, this is true and if so, what process
was undertaken to select these control objectives.
[Lenton, Matthew] Yes, that is correct, as the letter from Ernst & Young contained in the report says: “Fujitsu is also
responsible for providing the services covered by the Description, specifying the control objectives, identifying the risks that threaten
the achievement of the control objectives, selecting the criteria stated in the Assertion and designing, implementing and documenting
controls to achieve the related control objectives stated in the Description.” It goes on to state “A reasonable assurance
engagement of this type also includes evaluating the overall presentation of the Description, the suitability of the control objectives
stated therein and the suitability of the criteria specified by the service organisation and described in the Assertion.” So E&Y check
and confirm that the definition of the control objectives is suitable.
The objectives setting was however done in discussion with and by agreement with Post Office: the attached document “2011-10
SAS70 Audit presentaion BM.pptx” is an early presentation (we believe it to be an internal presentation to the then Fujitsu
Account leadership, but it shows the process) putting the case for providing a SAS70/ISAE3402 report, and which shows that the
controls would be based on those that other standards-based audits had reported on previously; a more fully worked out update
was presented to POL on the attached “2012-09 POA EY ISAE3402 Update for PO Ltd”.
o [2] Which provisions of the service audits are relevant to remote access (privileged users, SSC inserting transactions
etc.)? It was put to Worden that the service audits do not cover issues that are relevant to remote access. Any
control objectives that do address aspects relevant to remote access would be useful.
[Lenton, Matthew] In the report that you attached, Control Objectives 10, 11, 13 are relevant.
- Privileged User Access logs - Is there anything worth looking at or referring to in the PUA logs from 2015 to present? Is
there a way of demonstrating that privileged users have not edited or deleted transaction data or added transaction data?
[Lenton, Matthew] We don’t believe that the logs help here because up to July 2015 we only logged obtaining and relinquishing
privilege.
- APPSUP - which table(s) could it write to?
[Lenton, Matthew] The short answer is that the APPSUP role can do anything to any schema in the branch database. A detailed
list is in the attachment “APPSUP_role.txt”.
- The Transaction Correction Tool - please review the questions and answers set out on Day 20, pages 159 to 160. Is what
Worden says here true? If not, why not?
[Lenton, Matthew] Please see comments appended to the attached version of the transcript.
As the deadline for closing submissions is fast approaching, please would you get back to me by midday tomorrow. If you think that
is going to be an issue, please let me know ASAP.
Kind regards
Jonny
Unless otherwise stated, this email has been sent from Fujitsu Services Limited (registered in England No 96056); Fujitsu
EMEA PLC (registered in England No 2216100) both with registered offices at: 22 Baker Street, London W1U 3BW;
PFU (EMEA) Limited, (registered in England No 1578652) and Fujitsu Laboratories of Europe Limited (registered in
England No. 4153469) both with registered offices at: Hayes Park Central, Hayes End Road, Hayes, Middlesex, UB4 8FE.
This email is only for the use of its intended recipient. Its contents are subject to a duty of confidence and may be
privileged. Fujitsu does not guarantee that this email has not been intercepted and amended or that it is virus-free.