FUJ00171971
PATHWAY/CONSIGNIA AUDIT & SECURITY PANEL
MEETING NOTES : Meeting #1
18th June 2001 at ICL Warwick
Charles Leighton [CL] PON Security Investigations
Gary Potts [GP] PON Internal Audit
Jan Holmes [JH] Pathway Internal Audit
Graham Hooper [GH] Pathway Security
1. [JH] outlined the objective of the ASP, which is a continuation of the Audit Panel used to
good effect during the earlier stages of Horizon. It provides an opportunity for
informal but professional exchanges between the PON and Pathway in the
closely related areas of Audit and Security.
2. An Agenda had been circulated and the meeting proceeded on that basis.
3. OBCS Audit. [GP] reported that the report had been delivered to BA and a
copy to me on June 15th (confirmed on return to office). BA had been made
aware of PON/Pathway dissatisfaction at their lack of assistance. [GP] stated
that he did not expect to repeat the exercise, contrary to previous thinking.
4. Encrypted Data. [JH] explained the current Pathway position, based on a meeting in
Pathway and a review of PON Security Requirements for Network Banking.
Certain data fields will be held encrypted on Horizon and will be archived on the
audit DLTs encrypted. If the data is retrieved for PON it will be passed to them
encrypted and no decryption capability is being considered.
Action : [GP/CL] to consider implications and come back to us.
[CL] stated that he believed that the number of prosecutions should fall once NB is
implemented and anticipated using the Network Banking Engine for most data
retrievals to do with NB.
5. Broken Audit Trail. [GH/JH] explained the background to this problem. [JH]
explained how the audit solution works, i.e. two independent archives at two separate
locations; the DLTs are not copies of each other but are independently written.
[JH] explained that we are to introduce ‘read-after-write’ activity to DLTs once it
has been approved through the Release Management Forum.
[GH] identified that we are exploring the possibility that data might still exist on
CS backup tapes — we would need to understand if the data exists and what has
to be done to re-constitute the audit archive.
Action : [GH] to provide audit data for the week before and the week after the break using original REL
criteria.
Action : [JH] to check what has been / can be done with the CS backup and report back to [GP].
[JH] confirmed that we cannot guarantee that further problems of this nature
will not occur in the future. A programme of DLT reading would only provide
assurance that the tape could be read at that moment in time.
[GP] requested that he should be given access to Data Centres to verify tape
handling procedures. [JH] confirmed that [GH/JH] would be visiting Data
Centres in September as part of audit programme.
Action : Sue Kinghorn to request that [GP] accompany as observer.
NB Requirements. [GP/CL] confirmed their knowledge of the Security
Requirements additional document to main requirements.
Witness Statements & Data Extractions. [GH/CL] agreed that the Witness
Statements issue was an emerging requirement and currently difficult to bound.
Discussion around what degree of system integrity is required to support
Witness Statement. [GH] concerned that early prosecutions will be the most
demanding until case law has been established.
Action : [CL] to provide [GH] with details of two potential contentious cases that might
require statements.
The number of retrievals for SI was discussed. [CL] confirmed that the 50
proposed in CCN579 (now withdrawn) would not be sufficient. [CL] expressed
some interest in secondary data sources for preliminary searches/extractions, e.g. the
SSC support database.
Action : [CL] confirmed that he has also prepared quantified requirements and needs to
investigate what is happening within PON Commercial.
Action : [CL] to check possible linkage of these requirements with Network Banking with
Richard Cowan.
Joint Audits. [GP] does not anticipate anything this side of Christmas.
Access to [GH/JH]. Concern raised by [GH] that he’d been approached
directly by Kevin Thompson from BA.
Action : [CL] to have a word with BA that all requests are to be input via PON.
Any Other Business. [GH] raised question of One Shot Password. [GH] had
been approached by ?? in PON who wanted to understand Pathway’s position
on OSP. However, OSP is actually owned by PON. [CL] acknowledged that
changes were underway with trials in place at Birmingham and the NEast.
Action : [CL] to investigate how the trials are progressing.
Date of Next Meeting : September before DC visit. To be arranged nearer
time.