Keith Baines
Post Office Counters Ltd
20-23 Greville Street
ECIN 885 POH=8800
22nd February 2000
Dear Keith
POCL ACCESS TO AUDIT INFORMATION
I refer to your letter of 11th January regarding POCL’s right of access to the
transaction audit trail for security investigations. As I have been involved in the
design and development of Pathway’s solution in relation to audit, and am therefore
much closer to the detail, I respond on Tony’s behalf.
POCL is entitled to access the transaction audit trail to support investigations to the
extent provided by the Codified Agreement, the relevant CCDs and other referenced
documents. In summary, Pathway maintain a transaction audit trail for the required
period of eighteen months and allow members of Post Office Internal Audit (POIA)
access to that audit trail in accordance with the agreed procedures and subject to
known limitations which I describe below.
The issue we are concerned with has arisen for two reasons. First, a POCL
organisation other than POIA, that is Post Office Network National Security Team
(PONNST) has requested access to the transaction audit trail to support security
investigations. Second, PONNST recently indicated (in November last year) that it
would require “a few hundred transaction/ event logs to be provided during a full
year”, which has never been previously raised as, and Pathway does not consider it to
be, a contractual requirement.
The parties have agreed that, broadly there are two types of audit, “operational” and
“commercial”, both of which are well documented and understood. The audit access
being requested by PONNST falls into the operational audit category, and more
particularly into the audit category which covers access to the archived audit trail
(derived from the TMS journal) which is held centrally at the Pathway data centres.
Clause 801.3 relates to commercial audit access and for this reason (amongst others
which I expand upon below) cannot be used as justification for PONNST’s request.
The starting point for development of the operational audit procedures, and the
supporting technical architecture, was the provisions of the Codified Agreement, and
in particular, requirement/solution 699 (which you mention in your letter). The
relevant requirements are expressed at a high level and in order to work out the detail
of Pathway’s solution, the necessary operational procedures and system requirements,
representatives of Pathway and POCL (as well as the PDA as was, and the DSS)
formed the Joint Audit panel (JAP). The JAP met on numerous occasions, over the
two year period (approximately) leading up to CSR Acceptance, to discuss POCL’s
FUJ00121103
(and DSS’) audit requirements and Pathway’s solution. Numerous draft documents
were prepared by Pathway, comments received from all parties and the documents
revised accordingly. The two most important documents resulting from this work
were the Audit Trail Functional Specification (ATFS) dated 01/07/99 (a CCD now
referred to in solution 699) and the Horizon System Audit Manual (HSAM). These
documents provide the detail of the audit solution, describing audit access rights, the
manner in which audit requests are raised and processed and the technical components
of the audit process.
Section 1.2.2 of the ATFS describes how Pathway controls audit access by the use of
“individual roles” allocated to individuals within POCL. It also provides that rights
of access may only be changed via Change Control. Section 1.2.3 describes access
control and the various “roles” in more detail, referring in relation to “POCL auditor
roles” to further definition contained in the HSAM.
The HSAM makes clear in sections 10.3.1, 11.1.2 and 11.2.1 that “Requests for
Information” relating to the audit trail data held centrally at the Pathway data centres
may only be raised by “POCL Auditors” who are nominated individuals within
POIA. The significance of this is twofold. Firstly, Pathway agreed with POCL that
POIA, not PONNST, should be entitled to central access to the transaction audit trail,
because that was what POCL wanted. Second, it was POIA which articulated prior to
CSR Acceptance POCL’s detailed operational audit retrieval requirements, including
the likely frequency of audit requests to support investigations.
The number of requests for audit data which POIA indicated would normally be
required to support investigations of all kinds, including fraud, was of the order of 10
to 20 per year. The procedures for central access to audit data which the parties
agreed, and Pathway’s technical solution which supports those procedures, were
based upon these requirements. They will not support the “few hundred” retrieval
requests which PONNST now consider will be necessary. Even if POCL had stated a
requirement for a few hundred retrieval requests prior to CSR Acceptance, Pathway
would not have agreed to it, as it goes beyond “reasonable access to the audit trail
provided by the TMS journal” referred to in solution 699.
The fact that we are taking the line that PONNST’s requirement was not agreed to at
an operational level and is outside the scope of the Codified Agreement should come
as no surprise. The possibility of providing a “POCL investigation service” to fulfil
much the same requirement was contemplated in March last year, when terms of
reference for a paid study into such a service were put forward by PONNST for
consideration by Pathway. PONNST did not proceed with the study, but the fact
remains that the requirement was recognised as being additional.
POCL appear to be asserting that the procedures for operational audit access which
the parties have developed jointly and agreed, to meet the Requirement, and which
were tested as part of Acceptance, contain a gap. This logically raises the question
whether this gap constitutes a gap in the Requirement (as expanded in the CCD’s) or
in the solution that has been developed. The fact is that the procedures and the
technical solution have been “Accepted”. The acceptance process involved POCL
carrying out reviews of the ATFS and the HSAM, and various site visits to witness
the audit data retrieval facility in action. All were satisfactorily completed as
recorded in the “Acceptance Closure Report for Audit — Phase 2”. This indicates that
POCL were satisfied with the completeness of the developed solution.
Clause 801.3 is intended to cover the situation where POCL suspects that Pathway is
involved in fraudulent activity or “third parties” in the sense of Pathway’s
subcontractors or agents. This is in line with POCL’s rights of access to Records for
“commercial” audit generally, and would encompass Records relating to the
performance of the POCL Services, not the operation of them, which is what the
transaction audit trail relates to. This is clear from the definition of “Records” which
are the records “relating to the performance of the POCL Services”. Paragraph 6.2 of
Schedule A03 which relates to charges for assistance with investigations under Clause
801.3 points the same way by referring to the “Contractor or the Contractor's
agents”.
With reference to the third paragraph of your letter, Pathway is not saying POCL is
not entitled to access the transaction audit trail, just that such access must be in
accordance with the procedures which have been agreed and accepted, and within the
technical and resource related limitations imposed by the use of those procedures.
Different procedures or requests in excess of previously predicted limits, should be
the subject of a Change Request and we will impact that as part of the usual CCN
process. You already have our proposal, on a without prejudice basis, to deal with
PONNST’s immediate data retrieval needs.
Yours sincerely
Martyn Bennett
Director, Quality & Risk Management
Cc: Tony Oppenheim
Jan Holmes