FUJ00156868
FUJ00156868
oO ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Document Title: ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
Document Reference: TBC
Document Type: Process
Release: Not applicable
Abstract: This document establishes the need to enhance the current audit
storage process and equipment
Document Status: Draft
Author & Dept: Pete Newsome
External Distribution: POL Security Team
Security Risk TBC
Assessment Confirmed
Approval Authorities:
Name Signature
James Davidson CS Director See Dimensions for record
Brad Warren cs CISO
See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on who should approve.
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY Date: 03 Sept 13
STORED PageNo: 10f8
FUJ00156868
FUJ00156868
(oe) ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL. .2
0.1 Table of Contents.
0.2 Document History.
0.3 Review Details.
0.4 Associated Documents (Internal & External
0.5 Abbreviations.
0.6 Glossary.
0.7. Changes Expected.
0.8 Accuracy.
0.9 Security
isk Assessmen
INTRODUCTION
1 Background...
.2 Reasons for Enhancement.
2 PROJECT APPROACH.
2.1 Guiding Principles.
2.2 Project Strategy.
2.2.1 Stage 1
2.2.2 Stage 2.
2.2.3 Stage 3.
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY Date: 03 Sept 13
STORED
PageNo: 2 0f 8
FUJ00156868
FUJ00156868
oO ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
0.2 Document History
Version No. Date Summary of Changes and Reason for Issue
Associated Change -
CP/PEAK/PPRR
Reference
0.4 03-Sept Initial Draft
0.3 Review Details
See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on completing the lists below. You
may include additional reviewers if necessary, but you should generally not exclude any of the mandatory
reviewers shown in the matrix for the document type you are authoring.
Review Comments by
'n & POADocumentManagement GRO
Review Comments to Pete.newsome¢é
Mandatory Review
Role Name
Security Operations Manager Kumudu Amaratunga
POA Quality Manager Bill Membery
Role Name
Gareth Jenkins Audit Data Specialist
Alex Kemp Hosting and Networks Lead
Issued for Information — Please restrict this
distribution list to a minimum.
Position/Role Name
(*) = Reviewers that returned comments
0.4 Associated Documents (Internal & External)
Reference Version Date Title Source
PGM/DCM/TEM/0001 I 7.0 3 Jun 2011 POA HNG-X Generic Document Dimensions
(DO NOT REMOVE) Template
DEV/GEN/MAN/0015 I 3.1 8 Feb 2011 Audit Extraction Client User Manual Dimensions
SVM/SDM/SD/0017 3.1 Service Description for the Security I Dimensions
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY _ Date: 03 Sept 13
STORED PageNo: 30f8
FUJ00156868
FUJ00156868
oO ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Management Service
SVM/SEC/POL/0003_ I 5.2 POAA Information Security Polity Dimensions
SVM/SEC/PRO/0017 I 1.1 14 Feb 2012 Management of the Litigation I Dimensions
Support Service
CRIFSP/006 Audit Trail Functional Specification Dimensions
DEV/APP/SPG/0020 I 2.5 HNG-X Audit Server Support Guide Dimensions
DEV/APP/SPG/0016 I 3.1 8 Feb 2011 Audit Extraction Client Support Guide I Dimensions
TBC Audit Offline Storage Replacement
Project Approach
Unless a specific version is referred to above, reference should be made to the current approved
versions of the documents.
0.5 Abbreviations
Abbreviation Definition
ARQ An Audit Record Query that is not a Banking Transaction Record Query and
which relates to Transactions
AUW Audit Workstation
BQ Banking Record Query
cs Customer Services
POL Post Office Limited
POLIA Post Office Limited Internal Audit
POA Post Office Account
0.6 Glossary
Term Definition
Audit Record Query An Audit Record Query that is not a Banking Transaction Record Query and
(ARQ) which relates to Transactions.
Audit Record Query The form used by POL to request detailed transaction data.
Form
Banking Record Query I A Record query in respect of a Banking Transaction which the Data
Reconciliation Service has reconciled or has reported as an exception, the
result or records of which are subsequently queried or disputed by Post
Office Ltd or a third party.
Branch Code A Post Office outlet unique identifier
Prosecution Civil or criminal court or statutory tribunal proceedings related to
transactions or fraudulent actions conducted at a Post Office Outlet
0.7 Changes Expected
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY Date: 03 Sept 13
STORED PageNo: 40f8
FUJ00156868
FUJ00156868
oO ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
a
0.8 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained as a result of any error or omission in the same.
0.9 Security Risk Assessment
Security risks have been assessed and it is considered that there are no security risks relating specifically to this
document.
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY Date: 03 Sept 13
STORED PageNo: 50f8
FUJ00156868
FUJ00156868
oO ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
1 Introduction
1.1 Background
One of the key services provided by Fujitsu under the HNG-x contract is the Audit provision. This
service provides Audit data stored by an approved and legally tested procedure. The integrity of data
retrieved for audit purposes is guaranteed at all times from the point of gathering, storage and retrieval
to subsequent despatch to the person making the request. Controls have been established that provide
assurances to Post Office Ltd Internal Audit (POLIA) that this integrity is maintained.
Approval of this document will sign off the project approach. This will allow the project to commence with
appropriate project sign offs at each designated project stage.
Further details on the audit process are available in Audit Trail Functional Specification document.
1.2 Reasons for Enhancement
It is important to state that the current process described in 1.1 Background will not be changed by this
enhancement. However the current storage used for the audit data has the following constraints:
e The current storage technology is at the end of normal service life
e Ongoing support will cost more and is not guaranteed for the rest of the HNG-x Contract period
e Fujitsu see an unacceptable risk to the Prosecution Service without adequate support in place
for all system components
e At the current rate of transactions it is expected the current storage will be full by summer 2014
e In addition, the Transition Support Service (TSS) CCN, due to be signed in September 2013,
extendsthe operational window to March 2017 from the current termination in March 2015. This
extension means the current storage arrangements need to be extended to meet this new
requirement.
Fujitsu therefore recommends that new storage is introduced under the current service arrangements in
line with agreed strategy for storage under the Belfast Refresh Project aligned to TSS. A workshop
between Post Office Technical and Security Teams and Fujitsu will be arranged to sign off the technical
solution.
2 Project Approach
2.1 Guiding Principles
The following principles will be applied:
e The project planned will not change the current approved process for storing and retrieving audit
data.
The introduction and usage of the new storage will at appropriate stages be health checked by
external agents. In addition, Fujitsu is seeking a legal opinion from external counsel to confirm
the rules of legal admissibility of evidence that any changes to the current storage system will
need to take account of.
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY Date: 03 Sept 13
STORED PageNo: 60f8
FUJ00156868
FUJ00156868
oO ENHANCING AND PROLONGING THE HNG-x AUDIT FACILITY
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
2.2 Project Strategy
The project will be completed in three stages:
2.2.1 Stage1
The following activities are planned:
1. The new storage will be introduced in both Belfast data centres.
2. Once the storage is live all new audit data will then be stored on both the old and new storage.
3. Asecurity health check and penetration test will be conducted and the new storage solution
signed off for the storing the new transaction data when all actions and observations (if any) are
mitigated.
4. The new data feed to the old storage will be switched off and the new storage will become the
data store for the audit data.
2.2.2 Stage2
The following activities are planned:
1. The existing audit data on the old system will be copied to the new storage.
2. Avsecurity health check test will be conducted and the recall of the existing audit data on the new
storage solution will be signed off when all actions and observations (if any) are mitigated.
3. The new storage becomes the primary operational store for all audit data
2.2.3 Stage3
At this point the following alternatives are available:
Recommended solution:
Decommission the old storage in order to save ongoing maintenance costs for the old storage and
mitigate the end of life state of the old storage.
Optional if Post Office has a business need or requirement:
Extend support on the old storage as a back up facility for old cases (this shall be subject to an
additional charge to Post Office as we will be maintaining additional sources of the existing audit
data).
© Copyright Fujitsu Services Limited FUJITSU RESTRICTED (COMMERCIALIN per.
2012 CONFIDENCE)
Version: 141
UNCONTROLLED IF PRINTED OR LOCALLY Date: 03 Sept 13
STORED PageNo: 7 of8