FUJ00174422 - Email from Stephen Long to Duncan Tait, Gavin Bounds and cc’ing Zara Tasarkan re: Post Office Account - Ernst & Young Audit

FUJ00174422

From: Long Stephen[/O=EXCHANGE/OU=ADMINGROUP1/CN=RECIPIENTS/CN=LONGS]
Sent: Wed 01/06/2011 10:55:00 AM (UTC)

To: Tait Duncan
Cc: Tasarkan Zara GRO
Subject: Post Office Account - Ernst & Young Audit

Duncan/Gavin,

The audit referred to in Mike Young’s mail was part of the annual audit carried out on Post Office by the Royal Mail
Group auditors Ernst & Young. The following summarises the main observations as they relate to Fujitsu.

Ernst & Young observations (March 2011)

Ernst & Young recognised in their audit that Post Office had reaped considerable commercial benefit from Fujitsu’s
shared services model; however, Ernst & Young’s expectations were for Fujitsu to evidence controls that are designed
to govern named individuals.

In general, Ernst & Young were satisfied with the robust user management processes for HNG-X system access.
However, observations were made of the user management processes, specifically with regard to the segregation of
duties between developer and system administrator roles. It was also recommended that a review of privilege access
is undertaken and that the processes around user management are strengthened.

The findings of the audit have been discussed at the monthly Executive Review and a joint Audit Governance Board
has been convened to manage the remedial activity through to completion. Fujitsu are currently working with Post
Office to evaluate the controls of the audit standard recommended by Ernst & Young (SAS70 - a US-based standard)
and are considering encompassing some of these controls, if they add value, to the remit of the existing ISO 27001
certification.

Recommendation Summary

High

Improve governance of outsourcing application management
Segregation of duties within the manage change process
Strengthen the change management process

Review of privileged access

Medium

Imp
F

Low

Improvements to logical security settings

Strengthen the password parameters

Review of generic privileged accounts

Improvements to the problem and incident management process

We are currently organising the meeting with Paula and Mike; obviously I will provide a fuller brief in good time for
that meeting.

Regards,

Stephen
Stephen Long
Account Director, Royal Mail Group

Private Sector Division

Fujitsu
22 Baker Street, London, W1U 3BW
GRO.
