FUJ00089798
To: Andrew Parsons [andrew.parsor…]
Cc: Newsome, Pete [pete.newsome GRO]; Jonathan Gribben [jonathan.gribbe…]; Ibbett, Dave [Dave.Ibbett…]
From: Lenton, Matthew [/o=Fujitsu Exchange Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=87f95ed0a28548a8bd569f2ch6f]
Sent: Fri 3/8/2019 3:31:24 PM (UTC)
Subject: RE: URGENT - FW: APPSUP. RE: Action requests Remote Access
Andy,
I noticed that the emails that Dave Ibbett (email below) and I (attached) sent yesterday had some contradictory statements, which I will clarify here.

1. As a result of PC0208119, the script to create new SSC users was changed to no longer grant the DB_MONITOR role, and to add the SSC role by default. This contradicts what was stated in the email below, and I have corrected it as highlighted. Dave Haywood has confirmed that his understanding of that was mistaken and we have had the script that made this change reviewed for confirmation.

2. The process was changed so that the APPSUP role was not invoked by the DBA team when creating new SSC users, but would only henceforth be granted on an as-needed basis when authorised by Security Operations. At this point, the ability for existing SSC users to switch themselves into the APPSUP role without prior authorisation was not yet revoked.

The ability for SSC users to switch themselves into the APPSUP role without prior authorisation was removed from existing users in August 2016; as to the reasons why this took so long, we don't have an explanation for the delay between the recognition of the preference for removing the role from being a permanent role for SSC, and that change actually being executed. Two things to note about PC0208119, however, are 1) that it was not originally raised in order to cover off this particular issue, and that original purpose of the Peak was indeed closed off, and 2) that it appears that it was closed incorrectly, so that instead of being routed to Unix DBA as suggested by the penultimate entry, it was instead closed. Following an audit in August 2016 a new Peak was raised (PC0253156) in order to follow up the task to remove the APPSUP role.

As has been stated on previous occasions, even when SSC had the ability to switch into the role themselves, it was always a conscious decision to do so (so the role was never a permanently applied state) and the switch into it was always audited.
Matthew Lenton
Post Office Account Document Manager
Business & Application Services
Fujitsu
Lovelace Road, Bracknell, Berkshire, RG12 8SN
GRO
From: Ibbett, Dave <Dave.Ibbe…>
Sent: Friday, March 8, 2019 7:13 AM
To: Andrew Parsons <andrew.parsons…>
Cc: Newsome, Pete <…>; Lenton, Matthew <Matthew.Lenton…>; Jonathan Gribben
Hi Andy,
The feedback below shows that we had a 2-stage fix rather than just the one extended one. Not sure if you have made these audits available.

According to Peak PC0208119, the initial change was produced as baseline UNIX_SUPPORT_UTILS_0622_D018-D017 and targeted at Release HNG-X 06.22. The change appears to have been delivered (after passing testing) into the production environment on 20 May 2012 under release Peak PC0216786. The change ensures that new users in the SSC are NOT given the database DB_MONITOR role.

Deloitte and PCI audits highlighted the APPSUP database role and Peak PC0253156 was raised in August 2016 to remove the APPSUP role from existing users. This was completed under MSC 043J0451867 by October 2016.
Regards,
Dave.
From: Andrew Parsons [mailto:andrew.parson…]
Sent: 07 March 2019 13:49
To: Lenton, Matthew <Matthew.Lentot…>
Cc: Jonathan Gribben <…an.gribbe…>; Newsome, Pete <pete.newsome…>; Ibbett, Dave
Matthew
One follow-up question on APPSUP, which I think maybe for Dave Haywood (?).

I've attached the relevant Peak. Could Dave (or someone at FJ) explain why it took 4 years for this issue to get resolved?

We suspect that Cs will attack FJ on this Peak, saying that FJ knew SSC had more access permissions than they should have had and that FJ were dilatory in fixing that issue. If there is an explanation for why it took so long that would be good? Or an explanation for why it doesn't matter that it took so long?
Thanks
Andy
Andrew Parsons
Partner
Womble Bond Dickinson (UK) LLP