FUJ00155272
FUJITSU COMPANY IN CONFIDENCE
HNG-X CHANGE PROPOSAL
CP NO:
CP TITLE: HNG-X CPnnnn - Enable analysis of Horizon Counter event messages within the HNG-X Audit solution
DATE RAISED: 13 Oct 2008
REQUIRED IMPLEMENTATION / PURCHASE DATE: (dd/mm/yy)
ORIGINATOR: Alan Holmes
ANTICIPATED CP CLOSURE / COMPLETION DATE: (mmm-yyy)
CHANGE OWNER: Pete Sewell
TECHNICAL SPONSOR: Alan Holmes
DATE BY WHICH CP TO BE IMPACTED: (dd/mm/yy)
CP CLASSIFICATION: FAST-TRACK/URGENT/ROUTINE/FOR INFORMATION* (*strikethrough as applicable)
Budget Holder Approval for Impacting: (Email or Hard Copy Signature)
DAB Required: Yes/No (Strikethrough as applicable)
Date DAB Authorised:
LIFECYCLE STAGE: (strikethrough as applicable)
Stage 1 : Strategic Approval
Stage 2 : Start Up & Feasibility
Stage 3 : Requirements Analysis
Stage 4 : Solution Specification
Stage 5 : Solution Build & Test
Stage 6 : Implementation
Not Applicable
RELATED Change Request/Request for Work Package: N/A
RELATED PEAKs: PC0152376
RELATED HORIZON CPs: N/A
RELATED HNG-X CPs: N/A
Impact statements must consider all transitional states between Horizon and HNG-X, as well as the
final HNG-X solution.
Description of Change Proposed:
The Audit system supports a service (the Prosecution Support Service) whereby POL can request an
extract of historical data that is held within the Audit archive. Typically this requires retrieval of
archived Riposte transaction data. The data, as returned to POL, is often used to support legal
proceedings where, say, a postmaster is accused of fraud. In such cases, we must also provide a
witness statement with the audit data which attests to its provenance and integrity.
Historically, the Horizon Audit service has relied solely on the retrieval & analysis of archived Riposte
message store data when servicing POL audit data requests for Horizon branch transaction data. A
recent issue (PC0152376) has identified a deficiency in this approach. In certain failure scenarios, it
is possible that the Horizon counter may write an inconsistent set of messages to the local message
store. This casts a doubt over the overall integrity of the resulting transaction data.
When a Horizon counter hits one of the above mentioned failure scenarios, an NT event message is
written to the local event log. This event is captured by Sysman & relayed to the central Sysman
events database. This event data is subsequently written to the Audit archive. A tactical solution has
been incorporated into the Horizon Audit retrieval process to provide a short term remedy to this
problem. For every branch Riposte data retrieval, the archived events generated by counters at the
branch are also analysed to identify any possible occurrences of problems which might adversely
affect the integrity of the transaction data.
The current Horizon tactical solution has a number of deficiencies viz:
» It is a largely manual process which is error prone & time consuming.
» It involves moving large volumes of data between the Audit server and workstation
» It requires local & insecure storage of event audit data, invalidating certain statements made
within the current witness statement
» It has no DR mechanism in the event of DR from BRA01 to LEW02
©Copyright Fujitsu Services Ltd 2007 COMPANY IN CONFIDENCE Ref. PGMICHM/TEM/0001
Version: V1.0
Date: 17-NOV-07
UNCONTROLLED IF PRINTED Page No: 1 of 3
Whilst we believe that we will have to live with this tactical solution for the remaining life of the
Horizon Audit system, a permanent solution for the HNG-X Audit solution is required which addresses
the above deficiencies. In outline, this will require the following:
» Amending the HNG-X Audit server (ARC) and workstation (AUW) applications to
automatically retrieve and filter Events data when performing Horizon branch data retrievals. [1]
» Amending the HNG-X Audit server (ARC) and workstation (AUW) applications to
automatically retrieve and filter Events data when performing HNG-X branch data retrievals. [2]
» Introduce Prosecution Support process changes around the operation of the amended system
& the production of witness statements.
» Identify suitable skilled & committed resources to perform any manual analysis required.
» Identify all ongoing operational costs associated with operating the revised service.
Acceptance Criteria and Methods (Functional and Non Functional):
Testing will be required to ensure that all suspect counter events are extracted by the system and
presented to the Audit workstation user for further analysis.
Reason for Change and Justification for Required Date (above):
While we do not believe that (due to time constraints) it is practicable to introduce this change into
Horizon, it is required to ensure the viability of the ongoing Prosecution Support service within HNG-X.
The changes will be required to be present within the initial live version of the HNG-X Audit system at
Weekend D
[1] The HNG-X Audit solution will need to support the retrieval & analysis of Horizon branch audit data for seven
years
[2] While there is no reason to believe that the HNG-X counter will suffer the same deficiencies as the Horizon
counter, it is advisable that similar checks are performed in both environments
Consequences if Not Approved:
We are obliged to present, and vouch for the integrity of, Audit data that is fit for purpose — i.e.
admissible as evidence in court. If this change is not approved, we will need to continue operating
the current Horizon tactical process for the lifetime of HNG-X. This raises the following issues:
» We are liable to service penalty payments if we cannot provide dependable audit data and
witness statements when requested by POL
» There is a risk of prosecution support service suspension if there is any interruption to the
current tactical process
» Will require ongoing allocation of resource (??? Man days per month) to operate the current
tactical process.
» Data integrity issues inherent within the current process need to be addressed by weakening
the content of the witness statement
Platforms (Physical) Affected: (insert identity and details of all platforms requiring software update by this CP - where
known)
» ARC - Audit Server
» AUW - Audit Workstation
Business Applications Affected: (insert identity and details of all Applications requiring update by this CP - where
known)
» Audit Server retrieval application
» Audit workstation client application
External Impact Assessment Distribution: (insert contact details and additional rows as required)
Name: Organisation: Contact No:
Impact on Royal Mail Group Account: (insert additional rows as required)
Resource Grade Man-days Non Labour Cost (£)
TOTAL
Documents Affected: (insert additional rows as required)
Document Reference Title Current Version