FUJ00155998
ISMF Security Meeting Minutes
FUJITSU COMMERCIAL in CONFIDENCE
Document Title: ISMF Security Meeting Minutes (JAN 09)
Document Reference: SVM/SEC/MAM/0003
Document Type: MAM
Release: Not Applicable
Abstract: ISMF Security Meeting Minutes
Document Status: REGISTERED
Author & Dept: Howard Pritchard,
External Distribution: Sue Lowther, Dave King, Alan Simpson
Approval Authorities:
Name Role Signature Date
Howard Pritchard CISO
Note. See Royal Mail Group Account HNG-X Reviewers/Approvers Role Matrix (PGM/DCM/ION/0001) for
guidance.
©Copyright Fujitsu Services Ltd 2009 COMMERCIAL in CONFIDENCE Ref: (SVM/SEC/MAM/0003)
Version: (v8.1)
Date: 19-Feb-2009
UNCONTROLLED IF PRINTED Page No: 1 of 13
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations
0.6 Glossary
0.7 Changes Expected
0.8 Accuracy
0.9 Copyright
DIARY / MEETING / ACTION NOTES
1 INTRODUCTION
1.1 Previous Minutes
2 ISSUES FOR DISCUSSION
2.1 ISO 27001 Compliance / Registration
2.2 IG Monthly Report
2.3 Security Policy
2.4 Service Description
2.5 ISMS Manual
2.6 Risk Treatment Plan, ISMS Scope, Risk Assessment
2.7 Risk Management Approach
2.8 HNG-X
2.9 Security Improvement Plan
2.10 Incident Response Plan
2.11 PCI Progress
3 ACTIONS
4 DECISION REGISTER
5 CLOSED ACTIONS
0.2 Document History
Version No. | Date | Summary of Changes and Reason for Issue | Associated Change - CP/PEAK/PPRR Reference
4 April | Initial Draft |
1.0 | 30 April 08 | Approved |
2.0 | 30 May 08 | Approved |
3.0 | 2 Sep 08 | Approved |
4.0 | 1 Oct 08 | Distributed For Information Only |
5.0 | 24 Oct 08 | Approved |
6.0 | 20-Nov-08 | Approved |
7.0 | 18-Dec-08 | Approved |
8.0 | 20-Jan-09 | Update from Jan 09 ISMF |
8.1 | 19-Feb-09 | Final Update Jan 09 |
0.3 Review Details
Review Comments by: N/A
Review Comments to: (author's name) & RMGA Document Management
Mandatory Review
Role | Name
Optional Review
Role | Name
Issued for Information (please restrict this distribution list to a minimum)
Position/Role | Name
(*) = Reviewers that returned comments
0.4 Associated Documents (Internal & External)
Reference | Version | Date | Title | Source
PGM/DCM/TEM/0001 | 2.0 | 16-Apr-07 | (Document Title) (DO NOT REMOVE) | Dimensions
SVM/SEC/MAN/0003 | | | ISMS Manual | Dimensions
Unless a specific version is referred to above, reference should be made to the current approved
versions of the documents.
0.5 Abbreviations
Abbreviation Definition
RMGA Royal Mail Group Account
POL Post Office Ltd
FS Fujitsu Services
ISMS Information Security Management System
ISMF Information Security Management Forum
SoA Statement of Applicability
IG Information Governance
RTP Risk Treatment Plan
RMG Royal Mail Group
RTM Risk Treatment Matrix
RAG Red Amber Green
IRP Incident Response Plan
PCI Payment Card Industry
SIP Security Improvement Plan
0.6 Glossary
0.7 Changes Expected
The ISMF is an ongoing Forum whereby new and updated information is provided through discussion points
from both POL and RMGA.
0.8 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained as a result of any error or omission in the same.
0.9 Copyright
© Copyright Fujitsu Services Limited 2009. All rights reserved. No part of this document may be reproduced,
stored or transmitted in any form without the prior written permission of Fujitsu Services.
DIARY / MEETING / ACTION NOTES
Present:
POL: Sue Lowther (SL), Paul Halliden (PH)
FS: Brian Pinder (BP), Pete Sewell (PS), Howard Pritchard (HP)
Apologies:
POL: Dave King (DK)
FS: Neneh Lowther (NL)
1 INTRODUCTION
As part of the ongoing Meetings between POL and Fujitsu, this ISMF provides the forum to
update, introduce and resolve matters under the IG Security Banner where applicable.
1.1 Previous Minutes
The previous minutes were reviewed and, where applicable, historical items were closed and
removed to the Closed Actions section. No other corrections were made.
2 ISSUES FOR DISCUSSION
2.1 ISO 27001 Compliance / Registration
HP stated that the monthly compliance reporting is progressing and that further macros have
been added to the spreadsheet to provide assurances both internally and to POL. To further
provide assurance, prior to issuing the compliance report ( monthly pack), HP reviews the Audit
Progress report against the compliance areas.
PH then raised a point around the Audit assessment and specifically Event Monitoring. It was
discussed that there are inconsistencies between the Audit Progress report and the Security
Project plan. Without this, assurances cannot be given to POL.
ACTION: PS to provide the different types of Events to be monitored
ACTION: PS to work with colleagues for a presentation to both RMGA and POL at tbc on the
19th Feb to look at events
Conference room to be booked
ACTION: HP to speak with BE/MK with regard to inconsistencies with the Project Plan
2.2 IG Monthly Report
No issues were reported in the December reporting pack. HP stated that the monthly reporting
pack will be continuously reviewed to provide assurances to POL.
SL asked about the Prosecution witness statement. PS stated that a full investigation happened
and the outcome was to change the Witness Statement, as the original Statement was not
providing the correct Legal witness content. As part of this, a full analysis is happening with
regards past queries.
PS also stated that the Root Cause analysis was around a code bug.
This will be further explained once all information has been gathered, in next month's Information
Pack.
2.3 Security Policy
After the Security Policy had been amended, it was provided to POL at the latter end of
December 08 for review and comment. PH provided these comments back to BP. Due to the type
of comments received, HP asked for a conference call to discuss the points
and to make sure that the comments were understood. Actions were taken away from the
meeting, whereby BP sent several emails off within Fujitsu. HP was under the impression that
the document had been returned to POL on 15 Jan 09, but after a conversation with BP by
phone this was corrected. BP is to provide the updated document and comments in the week beginning
26 Jan 09.
HP then discussed the idea of providing a high level Security Policy (Summary) for the RMGA
Users to read and accept rather than reading the full Policy. PH stated that as long as the
contractual Security Policy did not change then it appeared like a good idea for a high level
policy.
2.4 Service Description
As the document is up for approval, PH stated that there appeared to be a couple of
discrepancies around document references to Horizon rather than HNG-X.
PS stated that the document has been sent out for approval.
2.5 ISMS Manual
No information added at this month's Forum.
2.6 Risk Treatment Plan, ISMS Scope, Risk Assessment
There have been several concerns with regard to the RTP and the Risk Management Approach
process.
To this end POL have asked for a workshop to understand via a walk through process of how the
Risk Management approach works.
ACTION: BP to arrange Walkthrough meeting
With regard to the Offshoring piece of work, PH asked why the Risk Treatment Plan does not
show the offshore actions. HP stated that these will be put back in under closed.
ACTION: BP to put Offshore RTP back into spreadsheet as closed
2.7 Risk Management Approach
Although this document had been reviewed and amended, certain areas of the document do not
align to the overall process. As per 2.6 (above), PH has requested a walkthrough of the process.
2.8 HNG-X
ACTION: OUTSTANDING: SL will be sending an email to HP / BM / JS and CM to find out what
risk methodology they're actually using to identify the risks.
Following discussion, PH provided the following statement with regard to the current Risk
methodology used within the Post Office:
The Royal Mail Group set the policy for Post Office in this area. The preferred tool is under
review but the front runner is one of the versions of CRAMM.
2.9 Security Improvement Plan
HP asked if the Secure Email issue had been resolved, as it was understood that Bill Membery had
provided DK with the information for completion. SL stated that she would speak to DK for an update.
ACTION 35: HP to discuss Secure Email issues with BM and DK. HP to confirm DK has emailed
Bill with update.
PH queried why a risk on the SIP was RED and the only one left (relates to Event Monitoring).
After the discussion around this, it was agreed that the risk should be downgraded to Amber as it
is work in progress. This also relates to the ongoing work with Event Monitoring, which is to be
presented to the client on 19th February 2009.
2.10 Incident Response Plan
It was stated that a meeting had been arranged for 22nd January in Bracknell to discuss the
Incident Management process and its component flow charts (i.e. PCI). The main point of the
meeting is to clarify the one document against multiple process documents and to provide
actions to close off.
A workshop will be held on 22nd January to discuss and agree the final output.
2.11 PCI Progress
In lieu of the PCI bi-monthly meetings, there have been a series of PCI Workshops to provide
support to POL in readiness for the upcoming Audit in April.
AOB
PCI Scans
The test will be scoped against the PCI standards for Pen Testing.
HP stated that Fujitsu would be doing regular tests, but wouldn't be scoping against PCI. SL
stated that the PCI quarterly scans are not as onerous as the monthly scans that happen internal
to POL; therefore, if required, SL is to discuss the scope with HP.
FUTURE MEETINGS
ISMF Security Review, 19th February 09, 11.00, Wigan Conference Room. Re-arranged to
BRA01, Room 114.
ISMF Security Review, 19th March 09, 11.00, BRA01.
3 ACTIONS
No & Date | Action | Actionee | Due Date
01-20/01/09 | ACTION: PS to provide the different types of Events to be monitored. NB: further discussion also to be had with Graham Allen and Jim Sweeting, but further work will require John Bradley's input. | PS | 19 Feb 09
02-20/01/09 | ACTION: PS to work with colleagues to create slides to be presented to both RMGA and POL at Wigan on the 19th Feb. Conference room to be booked. | PS | 19 Feb 09
03-20/01/09 | ACTION: HP to speak with BE/MK with regard to inconsistencies with the Project Plan | HP | 23 Jan 09
04-20/01/09 | ACTION: BP to arrange Walkthrough meeting around the Risk Management Approach | BP | TBA
05-20/01/09 | ACTION: BP to put Offshore RTP back into spreadsheet as closed | BP | 23 Jan 09
18- 4/09/08 | Cascade to go out to POL staff re non-authorised email addresses being used by POL employees. PH to discuss with SL. SL to confirm? SL stated that this had been discussed. HP asked that, in lieu of a cascade, SL could provide Fujitsu with an email statement with regard to the email. | PH/SL | 20 Nov 08
35 21/10/08 | HP to discuss Secure Email issues with BM and DK. HP to confirm? | HP | 20 Nov 08
4 DECISION REGISTER
No & Date | Decision
5 CLOSED ACTIONS
No & Date | Action | Actionee | Due Date
01- 4/09/08 | Review content structure of the IG Monthly Report | SL | 17 Oct 08
02- 4/09/08 | Revise graph Axis (1) & Distribution list (2) for the report as agreed to include DK and AS of POL. Action Closed | NL | 9 Sep 08
06- 4/09/08 | Minutes from the Service Description doc review to be sent to PS | PH | 9 Sep 08
10- 4/09/08 | Draft changes to Risk Assessment (on email) awaiting approval from POL. Awaiting review; comments sent out | SL | 8 Sep 08
13- 4/09/08 | Migration Meeting to be arranged at POL London 25th Sep | SL | 5 Sep 08
16- 4/09/08 | SL to chase up DK as CSC needs to respond to BM to resolve outstanding actions | SL | 17 Oct 08
17- 4/09/08 | The original Effective Disconnect meeting arranged for June was cancelled; SL to confirm current status with Connie Penn | SL | 17 Oct 08
19- 4/09/08 | To review with Doc Management issues with the slow process | HP | 17 Oct 08
20- 4/09/08 | Issue re problems around access via WebLogic where bypassing of the user authentication process is possible. See AOB 3. HP will seek assurance from FJS for POL | HP | 17 Oct 08
21- 4/09/08 | List of documents under discussion to be sent to POL indicating current status | NL | 17 Oct 08
03- 4/09/08 | Review what details are included in the Monthly Report. Still under review for finalisation. More text to be added to support the graph. CLOSED 21/10 | HP | 17 Oct 08
04- 4/09/08 | Provide comments and potential resolution for Security Policy within 10 days and, once HL issues are addressed and agreed with POL, submit for approval. Document to be amended and re-issued at version 2.6. CLOSED 21/10 | HP | 16 Sep 08
05- 4/09/08 | Service Description has been submitted to POL for review. CLOSED 21/10 | PS | 16 Sep 08
11- 4/09/08 | On receipt of the above (10), document to be amended, references made to SEC3087 & 3110 removed and document resubmitted to POL for approval. No change. CLOSED 21/10 | BP | 17 Oct 08
12- 4/09/08 | Risk Management Approach Doc to be amended and sent to POL for review. No change. CLOSED 21/10 | BP | 17 Oct 08
14- 4/09/08 | Risk Treatment Matrix to be included in the IG Security Monthly package. PH to identify all Risks moved to the Risk Improvement Plan / HP to respond as to why. CLOSED 21/10 | BP/NL | 9 Sep 08
15- 4/09/08 | Discuss / agree way forward with secure email. HP to discuss with BM following CCB Monday. CLOSED 21/10, new action | HP/BM | 17 Oct 08
22 30/09/08 | Update the Incident Log with details of Service Issue reported in August. CLOSED 21/10 | PS | 01 Oct 08
24 30/09/08 | Provide a list of documents to POL (Julia) showing the status of documents due for both Informal and Formal reviews. CLOSED 21/10 | NL | 20 Oct 08
25 30/09/08 | Issue the ISMS Scope (SVM/SEC/MAN/0002) to POL for formal review. CLOSED 21/10 | BP/NL | 20 Oct 08
38 21/10/08 | HP to provide the Risks for the Offshore activity. Closed. These are now included in the RTM in the monthly report pack. | HP | 20 Nov 08
07- 4/09/08 | ISMS Manual: extra approval column to be added to the Document List to check ISMS status and issue status. This information will be provided monthly to POL within the IG report. Closed. New document list to be provided with monthly report pack. | NL | 20 Nov 08
08- 4/09/08 | Risk Treatment Plan reissued as version 2.1 on 15/10 and this is now waiting for POL to formally review. RTP now approved. Closed | SL | 20 Nov 08
09- 4/09/08 | ISMS Scope Doc: POL comments to be addressed and the sheet returned for POL confirmation and sign off. Scope approved. Closed | BP | 20 Nov 08
29 21/10/08 | HP to provide an Issues report on all Horizon platforms which will be carried over into HNG-X. HP to confirm? | HP | 20 Nov 08
30 21/10/08 | HP to review the process of how to introduce new Risks to POL and subsequently onto the Risk Treatment Matrix. BP to confirm? | BP | 20 Nov 08
31 21/10/08 | BP to introduce RAG status to the Risk Treatment Matrix. Actioned. Closed | BP | 20 Nov 08
32 21/10/08 | BP to add Sue Lowther as mandatory reviewer to the Risk Management Approach. Actioned. Closed | BP | 20 Nov 08
33 21/10/08 | BP to amend the 1.4 flowchart section (Actioned) and also amend the associated wording to support the diagram in section 1.3 (WIP). Issue the Risk Management Approach for formal Review. DONE. To do a desktop review on completion. | BP | 20 Nov 08
34 21/10/08 | HP to report back with progress on security Migration risks. Migration Risk register obtained; currently filtering security data. To include it in the RT Matrix monthly. HP to agree and obtain security data. | HP | 20 Nov 08
36 21/10/08 | SL to provide collective POL review comments for IRP. SL to confirm? Actioned. Closed. FJ to respond to comments. DONE | SL | 20 Nov 08
37 21/10/08 | BP to discuss with Fiona re item 2.14.3 to discuss and identify possible acceptance points within the clearance process. Draft process doc issued to FW for review. DONE | BP | 20 Nov 08
38 18/12/08 | HP to determine payment options | HP | 18 Dec 08