Thomas Penny
FUJ00155371
Subject: Updated: Audit Strengthening CP Review/Refresh
Location: Sorting Room - RMGA TEAM ONLY (2nd Floor - Room 03)
Start: Wed 26/11/2008 11:30
End:
Show Time As:
Recurrence: (none)
Meeting Status: Not yet responded
Required Attendees: Evans Steve (FELO1); Sewell Peter (FELO1); Hodgkinson Allan AJ; Thomas Penny
Attached: my precis with Alan's comments
Plus a standard ARQ form....
Attachments: Standard_Fuj_ARQ_WS_V7.doc (1...); Audit_Str_CP_Preci... (v0 1-AH).d...
HNGx CP - Strengthen the HNGx Audit Solution, and enable analysis of Counter Event messages.
Originator: Alan Holmes
Change Owner: Pete Sewell
Technical Sponsor: Alan Holmes
The Audit System and ARQ (Audit Record Queries) Service
- We are contractually obliged to support the Prosecution Support Service via CS, and to provide historical extracts of data from the Audit archive (7 yrs data), used in legal proceedings, often to prove accusations of fraud against Postmasters.
- The completeness of the data extracts provided is assumed, and witness statements state as much (see last page).
- The service has worked by providing extracts of Riposte messagestore data only.
- This service (worth the best part of the annual £850k security revenue - PS) will remain to 2015 and beyond.
Problem
- PCO152376 highlighted that in certain error conditions in the EOD process Riposte cannot be relied upon to write a consistent set of messages to the local store.
- This particular issue has been fixed (Dev: PC0164429 / Release: PC0165710, currently being distributed to Live), but it is very probable that similar ... in the Horizon system.
- Therefore the process of providing data now needs to include the extraction and cross-
- The statements currently asserted in Witness Statements cannot be guaranteed in all cases (even after this CP) (see example on last page), but this CP seeks to strengthen the process and allow us to reliably identify where the assertion can or cannot be made.
Current Process
- Many manual steps, requiring great care and skill from individual resources; obvious potential for human error.
- Data distributed or transferred over too many platforms/media: inherently insecure.
- Tactical solution, post PCO152376, has introduced further manual steps.
Solution
- Manual process needs to be automated wherever possible, for a permanent HNGx solution.
- Reduce the steps in the process, and over time allow the refinement of filters used during ...
- We cannot totally automate the process: we require permanent skilled part-time resource to perform the events analysis.
1 of 2    Confidential    v0.1
Last printed: 10/12/2008 13:48:00    Last saved: 24/10/2008 16:00
Comment [AH4]: It's more than 'assumed', or at least so we thought. The Riposte sequence numbers are checked for gaps & from this we assert that the extract shows a true & complete representation of what happened at the branch.
Comment [AH2]: Also worth stressing that we can't retrospectively fix the data held in the Audit archive.
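As an added example (not part of the precis, the comments, or the witness statement), the two checks this page relies on when an extract is asserted to be complete: the Riposte sequence-number gap check described in the comment above, and the checksum-seal recalculation against a Check Seal Table described in controls 7 and 8 of the witness statement. The message tuple layout, the SHA-256 seal and the sample data are assumptions; the page does not describe the real Riposte messagestore format or the Audit Track Sealer's algorithm.

```python
import hashlib
from collections import defaultdict

# Constructed sample extract as (counter_id, riposte_seq_no, message_text).
# The tuple layout is an assumption; the page does not describe the Riposte
# messagestore format. Counter AP1 is missing sequence number 103.
SAMPLE_EXTRACT = [
    ("AP1", 101, "SC ProductNo=1234 Qty=1 SaleValue=0.36"),
    ("AP1", 102, "SC ProductNo=5678 Qty=2 SaleValue=1.20"),
    ("AP1", 104, "EOD rollover"),
    ("AP2", 7, "SC ProductNo=1111 Qty=1 SaleValue=5.00"),
    ("AP2", 8, "SC ProductNo=2222 Qty=1 SaleValue=2.50"),
]


def find_sequence_gaps(messages):
    """Return {counter: [missing sequence numbers]} for every counter whose
    Riposte sequence numbers are not contiguous; an empty dict means no gaps."""
    seen = defaultdict(set)
    for counter, seq, _text in messages:
        seen[counter].add(seq)
    gaps = {}
    for counter, seqs in seen.items():
        missing = [n for n in range(min(seqs), max(seqs) + 1) if n not in seqs]
        if missing:
            gaps[counter] = missing
    return gaps


def seal(data: bytes) -> str:
    """Checksum seal for one audit data file (control 7). SHA-256 is an
    assumption; the page does not name the Audit Track Sealer's algorithm."""
    return hashlib.sha256(data).hexdigest()


def verify_seals(files, check_seal_table):
    """Recalculate each retrieved file's seal and compare it with the value
    recorded when the file was written to archive media (control 8).
    A file with no entry in the Check Seal Table fails rather than passes."""
    return {name: check_seal_table.get(name) == seal(data)
            for name, data in files.items()}


def extract_is_complete(messages, files, check_seal_table):
    """The assertion a witness statement makes about an extract: all seals
    intact and no sequence gaps. Returns (ok, gaps, seal_results).
    A gap-free sequence shows only that no message is missing; it does not
    show that what Riposte wrote at EOD was consistent, which is the
    weakness PCO152376 exposed and this CP seeks to address."""
    gaps = find_sequence_gaps(messages)
    seals = verify_seals(files, check_seal_table)
    return (not gaps and all(seals.values())), gaps, seals
```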
Costs
- Current costs (of skilled resource, scheduled to ...
  - Extraction, filtering, manual work - 1.5d/week
  - Event extraction, checking and analysis - 2d/week (currently performed by Gareth Jenkins/Anne Chambers)
- Strengthening and automation of process via this CP
  - 5Smd
- Ongoing costs (post CP)
  - Extraction, filtering, manual work - 0.5d/week
  - Event extraction, checking and analysis - 2d/week (performed by identified resource), possibly reducing to 1d/week as filters are extended
Benefit/Risk
- Strengthen the process, or weaken the witness statement in all cases.
- If we cannot better identify where data integrity can or cannot be guaranteed, then we are in breach of contract and may:
  - Be fined heavily
  - Not be able to offer the ARQ service, or will undermine confidence in the service.
- We need to reduce the reliance on current skilled resource, and make the process imminently transferable.
- Reduce on-going cost of the parts of the process which are manual, and automate the use of filters to allow that reduction to continue.
Witness Statement extract:
"An audit of all information handled by the TMS is taken daily by copying all new messages to archive media. This creates a record of all original outlet transaction details including its origin - outlet and counter, when it happened, who caused it to happen and the outcome. The TMS journal is maintained at each of the Fujitsu Services Data Centre sites and is created by securely replicating all transaction records that occurred in every Outlet. They therefore provide the ability to compare the audit track record of the same transaction recorded in two places to verify that systems were operating correctly. Records of all transactions are written to audit archive media."
Witness Statement
(CJ Act 1967, s9; MC Act 1980, ss 5A(3)(a) and 5B, MC Rules 1981, r 70)
Statement of
Age if under 18: Over 18 (If over 18 insert 'over 18')
This statement (consisting of _ pages each signed by me) is true to the best of my knowledge and belief
and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully
stated in it anything which I know to be false or do not believe true.
Dated the day of 2008
Signature
I have been employed by Fujitsu Services, Post Office Account, formerly ICL Pathway Ltd, since DATE as an Information Technology (IT) Security Analyst responsible for audit data extractions and IT Security. I have working knowledge of the computer system known as Horizon, which is a computerised accounting system used by Post Office Ltd. I am authorised by Fujitsu Services to undertake extractions of audit archived data and to obtain information regarding system transactions recorded on the Horizon system.

Horizon's documented procedures stipulate how the Horizon System operates, and while I am not involved with any of the technical aspects of the Horizon System, these documented processes allow me to provide a general overview.
At each Post Office there are counter positions that have a computer terminal, a visual display unit and a keyboard and printer. This individual system records all transactions input by the counter clerk working at that counter position. Clerks log on to the system by using their own unique password. The transactions performed by each clerk, and the associated cash and stock level information, are recorded by the computer system in a stock unit. Once logged on, all transactions performed by the clerk must be recorded in the computer and are accounted for within the user's allocated stock unit.

The Horizon system provides a number of daily and weekly records of all transactions input into it.
It enables Post Office users to obtain computer summaries for individual clients of Post Office Limited, e.g. Alliance & Leicester. The Horizon system also enables the clerk to produce a periodic balance of cash and stock on hand combined with the other transactions performed in that accounting period, known as a trading period.

Where local reports are required these are accessed from a button on the desktop menu. The user is presented with a parameter driven menu, which enables the report to be customised to requirements. The report is then populated from transaction data that is held in the local database and is printed out on the printer. The system also allows for information to be transferred to the main accounting department at Chesterfield.
The Post Office counter processing functions are provided through a series of counter applications: the Order Book Control Service (OBCS) that ascertained the validity of DWP order books before payment was made (this application ceased in June 2005); the Electronic Point of Sale Service (EPOSS) that enables Postmasters to conduct general retail trade at the counter and sell products on behalf of their clients; the Automated Payments Service (APS) which provides support for utility companies and others who provide incremental in and out payment mechanisms based on the use of cards and other tokens; and the Logistics Feeder Service (LFS) which supports the management of cash and value stock movements to and from the outlet, principally to minimise cash held overnight in outlets. The counter desktop service and the office platform service on which it runs provide various common functions for transaction recording and settlement as well as user access control and session management.
... and then replicated automatically to databases on all other counters within a Post Office outlet. The information is then forwarded over ADSL (Asymmetric Digital Subscriber Line) or other communication service, to databases on a set of central Correspondence Servers at the Fujitsu Services data centres. This is undertaken by a messaging transport system within the Transaction Management Service (TMS). Various systems then transfer information to Central Servers that control the flow of information to various support services. Details of outlet transactions are normally sent at least daily via the system. Details are then forwarded daily via a file transfer service to the Post Office accounting department at Chesterfield and also, where appropriate, to other Post Office Clients.
An audit of all information handled by the TMS is taken daily by copying all new messages to archive media. This creates a record of all original outlet transaction details including its origin - outlet and counter, when it happened, who caused it to happen and the outcome. The TMS journal is maintained at each of the Fujitsu Services Data Centre sites and is created by securely replicating all transaction records that occurred in every Outlet. They therefore provide the ability to compare the audit track record of the same transaction recorded in two places to verify that systems were operating correctly. Records of all transactions are written to audit archive media.
The system clock incorporated into the desktop application on the counter visual display units is configured to indicate local time. This has been the situation at (INSERT PO), Branch Code (INSERT) since (INSTALLATION DATE) when the Horizon system was introduced at that particular Post Office.

The Horizon system records time in GMT and takes no account of Civil Time Displacements, thus during British Summer Time (BST) (generally the last Sunday in March to the last Sunday in October), system record timings are shown in GMT, one hour earlier than local time (BST).
When information relating to individual transactions is requested, the data is extracted from the audit archive media via the Audit Workstations (AWs). Information is presented in exactly the same way as the data held in the archive although it can be filtered depending upon the type of information requested. The integrity of audit ... subsequent ...
During audit data extractions the following controls apply:
1. Extractions can only be made through the AWs which exist at Fujitsu Services, Lovelace Lane, Bracknell, Berkshire and Fujitsu Services, Sackville House, Brooks Close, Lewes, East Sussex. These sites are both subject to rigorous physical security controls appropriate to each location. All AWs are located in a secure room subject to proximity pass access within a secured Fujitsu Services site.
2. Logical access to the AW and its functionality is managed in accordance with the Fujitsu Services, Post Office Account Security Policy and the principles of ISO 17799. This includes dedicated logins, password control and the use of Microsoft Windows NT security features.
3. All extractions are logged on the AW and supported by documented Audit Record Queries (ARQs), authorised by nominated persons within Post Office Ltd. This log can be scrutinised on the AW.
4. Extractions are only made by authorised individuals.
5. Upon receipt of an ARQ from Post Office Ltd they are interpreted by CS Security. The details are checked and the printed request filed.
6. The required files are identified and marked using the dedicated audit tools.
7. Checksum seals are calculated for audit data files when they are written to audit archive media and re-calculated when the files are retrieved.
8. To assure the integrity of the audit data while on the audit archive media the checksum seal for the file is re-calculated by the Audit Track Sealer and compared to the original value calculated when the file was originally written to the audit archive media. The result is maintained in a Check Seal Table.
9. The specific ARQ details are used to obtain the specific data.
10. The files are copied to the AW where they are checked and converted into the file type required by Post Office Ltd.
11. The requested information is copied onto removable CD media, sealed to prevent modification and virus checked using the latest software. It is then despatched to the Post Office Ltd Casework Manager using Royal Mail Special Delivery. This ensures that a receipt is provided to Fujitsu Services confirming delivery.

ARQ(NUMBER) was received on (DATE) and asked for information in connection with the Post Office at (NAME), Branch code (NUMBER). I produce a copy of ARQ(NUMBER) as Exhibit (INITIAL/NUMBER). I undertook extractions of data held on the Horizon system in accordance with the requirements of ARQ(NUMBER) and followed the procedure outlined above. I produce the resultant CD as Exhibit (INITIAL/NUMBER). This CD, Exhibit (INITIAL/NUMBER), was sent to the Post Office Investigation section by Special Delivery on (DATE).
The report is formatted with the following headings:
ID — relates to counter position
User — Person logged on to system
SU — Stock Unit
Date — Date of transaction
Time — Time of transaction
SessionId — A unique string relating to current customer session
Txnid — A unique string relating to current transaction
Mode — e.g. SC, which translates to Serve Customer
ProductNo — Product item sold
Qty — Quantity of items sold
SaleValue — Value of items sold
Entry method — Method of data capture for transactions (0 = barcode, 1 = manually keyed, 2 = magnetic card, 3 = smartcard, 4 = smart key)
State — Relates to OBCS
IOP — Order Book Number — OBCS only
Result — Order Book Transaction Result — OBCS only
Foreign Indicator — Indicates whether OBCS payment was made at a local or foreign outlet (0 = Local, 1 = Foreign). The foreign indicator defaults to a '0' for all manually entered transactions — OBCS only

The Event report is formatted with the following headings:
GroupId — FAD code
ID — relates to counter position
Date — Date of transaction
Time — Time of transaction
User — Person logged on to system
SU — Stock Unit
EPOSSTransaction.T... — Event Description
EPOSSTransaction.Ti... — Event Result
(FOR MULTI... DATA PROVIDED BOTH BEFORE AND AFTER 24 JANUARY 2006 (FROM ARQ562/0506) INCLUDE THE FOLLOWING PARAGRAPH. FOR DATA PROVIDED WEF 24 JANUARY 2006 AND FROM ARQ562/0506 DELETE THIS PARA BUT INCLUDE THE ADDITIONAL HEADINGS BELOW)

In January 2008 a change was made to the original query to include additional records from the raw audit data. In particular, this refined query now includes details of Activity Logouts, Authority Logouts and Failed Logins. It should be noted that no changes were made to the original Audit data but just to the selection of records from the Audit for presentation to Post Office Limited in the ARQ Spreadsheet. ARQs LI...

... — User who ... out the ...
...ityEvent.User — User wi...
Any records to which I refer in my statement form part of the records relating to the business of Fujitsu Services. These were compiled during the ordinary course of business from information supplied by persons who have, or may reasonably be supposed to have, personal knowledge of the matter dealt with in the information supplied, but are unlikely to have any recollection of the information or cannot be traced. As part of my duties, I have access to these records.
Signature Signature witnessed by
cso11a Version 6.0 08/06