FUJ00176273 - Fujitsu Services - Service Description for the Security Management Service (Version 2.0) - Ref: CS/SER/016


Fujitsu Services
Service Description for the Security Management Service
Ref: CS/SER/016
Version: 2.0
COMMERCIAL IN-CONFIDENCE
Date: 2nd Dec 2004

Document Title: Service Description for the Security Management Service

Document Type: Customer Services Specification

Release: N/A

Abstract: A description of the Implementation and maintenance of the security policy and procedures

Document Status: APPROVED

Originator & Dept: Bill Mitchell / Pete Sewell, Fujitsu Services Customer Services

Contributors: Bill Mitchell / Pete Sewell

Internal Distribution: (For Originator to distribute following approval)

External Distribution: (For Document Management to distribute following approval)

Approval Authorities: (See PA/PRO/010 for Approval roles)

| Name | Position | Signature | Date |
|---|---|---|---|
| Dave Baldwin | Director, Customer Service, Post Office Account | | |
| Sue Lowther | Post Office Information Security Manager | | |

© 2002 Fujitsu Services COMMERCIAL IN CONFIDENCE Page: 1 of 16
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)

0.0 Document Control

0.1 Document History

| Version No. | Date | Reason for Issue | Associated CP/PinICL |
|---|---|---|---|
| 0.1 | 19/12/01 | Initial Draft | |
| 0.2 | 23/12/02 | Masons’ comments on v0.1 | |
| 0.3 | 31/12/02 | Sue Lowther (POL) comments on version 0.2 | |
| 0.4 | 31/12/02 | Graham Hooper / Masons’ comments on Version 0.3 | |
| 1.0 | 6/01/2003 | Issued for Approval | |
| 1.1 | 27/10/04 | Draft for agreement following changes to Audit Data Retrieval limitations. | |
| 1.2 | 30/11/04 | Amendment following receipt of comments from document review. | |
| 2.0 | 02/12/04 | For Approval | |

0.2 Review Details

Review Comments by :
Review Comments to :

| Mandatory Review Authority | Name |
|---|---|
| Director of Customer Service | Dave Baldwin* |
| Infrastructure Service Manager | Richard Brunskill* |
| CS Security & Risk | Pete Sewell |
| | Neneh Lowther* |
| | Penny Thomas* |
| Commercial Contract Manager | Hilary Forrest |
| Operations & Support Services Manager | Carl Marx |
| Post Office Information Security Manager | Sue Lowther |
| Post Office Casework Manager | Graham Ward* |

Optional Review / Issued for Information

(*) = Reviewers that returned comments

0.3 Associated Documents

| Reference | Version | Date | Title | Source |
|---|---|---|---|---|
| PA/TEM/001 | 7.0 | 2nd April 2002 | Fujitsu Services Document Template | PVCS |
| RS/POL/002 | | | Security Policy | PVCS |
| RS/FSP/001 | | | Security Functional Specification | PVCS |
| RS/FSP/003 | | | Statements on Security Objectives and Methods for the Protection of Siemens Metering Code and Data | |
| BP/POL/002 | | | Post Office Counters Information System Security Policy | Post Office Ltd |
| BP/ION/002 | | | A code of Practice for Post Office Information Systems Security | Post Office Ltd |
| RS/CSD/001 dss/itstds | | | Departmental IT Security Standards | |
| RS/PRD/004 | | | Security Incident Management | PVCS / Post Office |
| BP/SPE/nnn | | | NBS Definition | PVCS |
| RS/POL/003 | | | Access Control Policy | PVCS |

Unless a specific version is referred to above, reference should be made to the current
approved versions of the documents.

0.4 Abbreviations/Definitions

| Abbreviation | Definition |
|---|---|
| CCD | Contract Controlled Document |
| TOR | Terms of Reference |
| NBS | Network Banking Service |
| ID | Identification |
| SLA | Service Level Agreements |

0.5 Changes in this Version

| Version | Changes |
|---|---|
| 1.1 | Minor amendments to correct formatting and grammatical text to aid understanding. |
| 1.2 | Amendment to Section 3.10 following receipt of comments from document review. |
| 2.0 | Minor changes and typos identified by review |

0.6 Changes Expected

Changes

None


0.7 Table of Contents

1.0 SERVICE SUMMARY
2.0 SERVICE PRINCIPLES
3.0 SERVICE DEFINITION
3.1 SECURITY ORGANISATION AND MANAGEMENT
3.2 COMPLIANCE MONITORING AND AUDIT
3.3 CRYPTOGRAPHIC KEY MANAGEMENT
3.3.1 PIN Pads
3.4 SECURITY EVENT MANAGEMENT AND FIREWALL EVENT ANALYSIS
3.5 SYSTEM AND PHYSICAL ACCESS CONTROL
3.6 ANTI-VIRUS AND MALICIOUS SOFTWARE MANAGEMENT
3.6.1 Protection Against Malicious Software for NBS
3.7 SECURITY INCIDENT REPORTING AND PROBLEM MANAGEMENT
3.8 SYSTEM SECURITY CHANGE MANAGEMENT
3.9 SECURITY AWARENESS AND TRAINING
3.10 INFORMATION RETRIEVAL AND AUDIT
3.11 SUBJECT INFORMATION REQUESTS
4.0 SERVICE AVAILABILITY
5.0 SERVICE LEVELS AND SERVICE TARGETS
6.0 SERVICE DEPENDENCIES & POST OFFICE RESPONSIBILITIES
6.1 SERVICE DEPENDENCIES
6.2 POST OFFICE RESPONSIBILITIES
7.0 DOCUMENTATION
7.1 CCDs


1.0 Service Summary

This Security Management Service provides a wide range of security-related activities that
assists the establishment and maintenance of an ISO17799 compliant infrastructure,
supports legal and contractual obligations and minimises and controls liabilities to Fujitsu
Services, Pathway and Post Office Ltd. The service monitors operations and introduces
specific protective security controls on a risk assessment basis to maintain the integrity,
availability and confidentiality of information used and produced by the various Services
and the support environment.

Fujitsu Services’ overarching obligations for the delivery and continued provision of a
secure system are set out in Clause 8 of the Agreement. The elements of the Security
Management Services are described as follows:

• Implementation and maintenance of security policy and procedures
• Compliance monitoring and audit
• Cryptographic key management
• Security event management and firewall event analysis
• System and physical access control
• Anti-Virus and malicious software management
• Security incident reporting and problem management
• System security change management
• Security awareness and training
• Audit data retrievals and prosecution support
• Subject Information Requests management

Each of these services is described in Section 3.

2.0 Service Principles

2.1.1 The following service principles will apply in the provision of the Security Management
Service. Security Management staff will:

a) be appropriately trained to carry out the service;

b) provide the appropriate balance between contractual and legal obligations and the
need to maintain delivery of the various Services;

c) be responsive to prevailing threats and vulnerabilities. Resource is therefore
allocated on a flexible, risk management basis.

2.1.2. The Fujitsu Services’ Information Security Manager shall have overall responsibility
for the management of the service, but may delegate a suitable representative to act on
his behalf, for:

a) co-operating with the Post Office Information Security Manager in the
development and operation of Post Office’s network banking automation security
policy as specified in paragraph 7.3.1 of Schedule 2 (Policies and Standards);

b) establishing Fujitsu Services’ security policy as specified in paragraph 7.3.2 of
Schedule 2 (Policies and Standards);

c) communicating to the Post Office Information Security Manager the identity of
the persons authorised to receive sensitive security-related material (including
cryptographic key components) on behalf of Fujitsu Services;

d) receiving from the Post Office Information Security Manager the identity of the
persons authorised to receive such security-related material on behalf of Post
Office;

e) liaising with the Post Office Information Security Manager in the manner described
in the CCD entitled "Security Incident Management" and paragraph 7.4.2 of
Schedule 2 (Policies and Standards); and

f) liaising with the Post Office Information Security Manager and security
representatives of other parties involved in the End to End Banking on such
security-related matters as may be agreed.

3.0 Service Definition

3.1 Security Organisation and Management

This element of the service provides a number of organisational and management activities
required for compliance with ISO17799:

• Co-ordination of security activities and prioritisation of activities according to risk;

• Input to contractual and liability issues and assessments of the security impact of new
service requirements and the associated processes necessary to implement them;

• Creation and maintenance of security-related procedural and process documentation
to assist compliance and help maintain correct operation by staff;

• Regular reviews of other Pathway documentation to provide appropriate security
input and compliance to the requirements of ISO9001;

• Management of ISO17799 gap analysis, preparation of plan for implementation in
accordance with agreed TOR and monitoring of corrective actions.

3.1.1 Fujitsu Services’ obligations for the establishment of an organised security infrastructure,
compliant to ISO17799, are set out in Schedule 2 — paragraphs 4.1.1 to 4.1.3.

3.1.2 Fujitsu Services’ obligations for compliance with Post Office security standards are set out
in Schedule 2 — paragraph 4.1.4.

3.1.3 Fujitsu Services’ rights and obligations with regard to the security and processing of
Personal Data are set out in Schedule 2 — paragraphs 2.4 to 2.8.


3.1.4 Fujitsu Services’ rights and obligations with regard to the processing of Personal Data are
set out in Schedule 2 — paragraph 2.4.6.

3.2 Compliance Monitoring and Audit

This element of the service provides a number of compliance monitoring and audit
activities required for compliance with ISO17799:

3.2.1 Undertaking of periodic physical security and system security audits of operational sites
on a risk management basis to provide ongoing assurance of compliance to security
policies and procedures. Activities include reviews of operational processes, provision of
reports covering IT, environmental, physical, personnel security etc. and the monitoring of
identified corrective actions;

3.2.2 Provision of advice and guidance on issues affecting personnel security within Fujitsu
Services including the investigation of personnel security issues and staff vetting queries.

3.3. Cryptographic Key Management

This element of the service provides a number of cryptographic key management
activities:

• Management of the automated Key Management System (KMS) for the creation,
distribution and installation of required cryptographic material to the live estate.
Maintenance of periodic key replacement for all Branches;

• Operation of functionality & configuration changes to the automated service to
optimise service;

• Management of KMS event logging and incident handling to assist 1st, 2nd, 3rd and 4th
line support in error resolution and problem management;

• Management of the manual cryptographic estate by maintaining the creation,
distribution, auditing and periodic replacement of cryptographic keys within agreed
timescales;

• Supplier management of cryptographic key suppliers;

• Provision of contingency arrangements for Key Management Service to maintain
continuation of service in the event of absence etc.

3.3.1 PIN Pads

The use of PIN Pads and the associated cryptographic management shall be supported by
the NBS. PIN Pads shall comply with the requirements of ISO 9564. Fujitsu Services’
key management for any key directly or indirectly protecting the secrecy of PIN values
(together, "PIN Encryption Keys") shall comply with ISO 11568 Parts 1 to 3.

The key management scheme used between each PIN Pad and the rest of the Post Office
Service Infrastructure shall be the DUKPT scheme as described in section 4.7 and
Appendix A of the ANSI X9.24-1998 standard. Moved to Schedule 2 paragraph 10.6.1
3.3.3.


In the event of an actual or suspected key compromise in respect of a PIN Encryption Key
used within the Post Office Service Infrastructure, Fujitsu Services shall implement key
change mechanisms in accordance with the principles stated in ISO 11568 Parts 1 to 3.

Where the actual or suspected compromise affects a key shared with the NBX, the parties’
obligations in respect of key change mechanisms shall be as documented elsewhere.

3.4 Security Event Management and Firewall Event Analysis

This element of the service provides a number of security event management and firewall
event analysis activities:

• Management of audit mechanisms to monitor, detect and record events that might
threaten the security of the Horizon system and associated services;

• Operation of the Security Event Management system utilising the Systems
Management system to track and report events of security significance and daily
monitoring of the system to identify relevant events and logging of details;

• Regular analysis of audit trails to identify new features and vulnerabilities introduced
by new systems to facilitate trend analysis and to assist the investigation of security
breaches;

• Reviewing security configurations of event filters to optimise efficiency and minimise
security weaknesses;

• Undertaking risk assessments to establish adequate firewall policies / rule bases and
the subsequent monitoring of events generated by the system;

• Analysis of firewall event logs using trend analysis software to identify the presence of
any potential attacks or of areas of vulnerability and the provision of advice for any
remedial action;

• Prompt investigation and remedial action in order to minimise the impact of any
security breach.

3.5 System and Physical Access Control

This element of the service provides a number of system and physical access controls:

• Management of the process for validating that Users of the Horizon system are
authorised before being permitted access to the live network;

• Management of the allocation and auditing of SecurID tokens where used to validate
that Users who access the live system from locations remote from the Data Centres do
so via secondary token authentication. Undertaking of supplier management of tokens
and licensing costs.

3.6 Anti-Virus and Malicious Software Management

This element of the service provides a number of anti-virus and malicious software
management activities:


• Management of the distribution of updated anti-virus software across the live estate to
maintain protection of the service from malicious software;

• Initial configuration of alerting mechanisms and event filters to provide automatic
notification and prompt virus incident response;

• Provision of regular DAT updates to identify and cleanse new and emerging virus
strains;

• Daily checks of emerging viruses and other malicious software to inform threats and
determine the required defensive measures;

• Provision of event monitoring and incident response via normal incident handling
procedures. Analysis of details to understand the threat and inform corrective actions.

3.6.1 Protection Against Malicious Software for NBS

Fujitsu Services shall provide protection against malicious software as set out in paragraph
8.1 of the CCD entitled “NBS Definition”.

3.7 Security Incident Reporting and Problem Management

This element of the service provides a number of security incident reporting and problem
management activities:

• Provision of a central point of contact for all security-related issues;

• Investigation and reporting to Post Office of any actual or potential threats or
breaches that may have a material effect on the Services in accordance with agreed
procedures;

• Provision of ongoing liaison with Post Office and support to the Fujitsu Services’
Security Board as defined in the CCD entitled “Pathway Security Policy”
(RS/POL/002).

3.8 System Security Change Management
This element of the service provides a number of system security change management
activities:

• Management of security compliance with agreed change processes and the assessment
of the business and security impact of PinICLs and other problem management
systems including the provision of options for resolution and containment of security
and business risk;

• Assessment of the business and security impact of change proposals and the
assessment and approval/rejection of security related operational change proposals.

3.9 Security Awareness and Training

This element of the service provides a security awareness programme for Fujitsu Services
and relevant Post Office personnel. The service covers the provision of periodic awareness
activities and training including induction training, presentations and briefing notes and
input to magazines, journals and other periodicals.

3.10 Information Retrieval and Audit
3.10.1 For the purpose of this paragraph:

“Banking Transaction Record Query” means a Record Query in respect of a Banking
Transaction which the Data Reconciliation Service has reconciled or has reported as an
exception, the result or records of which are subsequently queried or disputed by Post
Office or a third party;

“Audit Record Query” means a Record Query which is not a Banking Transaction
Record Query and which relates to Transactions;

“Old Data” means the extraction of records created before the 3rd January 2003, but not
earlier than the 18th May 2002 before which data was automatically deleted, relating to
Transactions, other than Banking Transactions meeting the Search Criteria, such
extraction being limited to the following specific types of information/data fields: the ID
for the User logged-on, Counter Position ID, stock unit reference, Transaction ID,
Transaction start time and date, Customer Session ID, mode (e.g. serve customer),
product number and quantity, and sales value, Entry Method, State, IOP Ident, Result,
Foreign Indicator;

“Period One” means, in respect of each Transaction the period of 90 days commencing
on the date of that Transaction;

“Period Two” means, in respect of each Transaction the period commencing the day after
expiry of Period One for that Transaction, expiring the earlier of the date:

a) seven (7) years in the case of Transaction records up to and including the
18th May 2002 if created before commencement of the NB Pilot Soft (Soft
Launch),

b) of completion of transfer of Post Office Data (including the record of that
Transaction) in accordance with Schedule 22.

“Query Day” means each date against which an Audit Record Query or an Old
Format Query is raised;

“New Data” means the extraction of records created on and following the 3rd January
2003 in accordance with the terms of this paragraph 3.10 relating to Banking
Transactions (and, in the case of Audit Record Queries relating to all Transactions)
meeting the Search Criteria, such extraction being limited to specific types of
information/data fields as follows:

• in the case of an Audit Record Query - the ID for the User logged-on, Counter
Position ID, stock unit reference, Transaction ID, Transaction start time and date,
Customer Session ID, mode (e.g. serve customer), product number and quantity,
and sales value, Entry Method, State, IOP Ident, Result, Foreign Indicator; and

• in the case of a Banking Transaction Record Query - Banking Transaction ID,
Banking Transaction type, receipt date, receipt time, the reason code (in the case
of a discrepancy) and DRSH sub-value(s) (e.g. CO Confirmation, C1 Confirmation,
NB Decline); and

• In all cases an ‘Event Log’ will also be produced and provided with the Audit
Record Query, detailing: GroupID, ID, Date, User, SU, EPOSSTransaction.T and
EPOSSTransaction.Ti.

“Search Criteria” means:
• in the case of an Audit Record Query of either:

a) date or dates (not exceeding 31 consecutive days), Branch FAD and PAN (or
equivalent identifier); or

b) date or dates (not exceeding 31 consecutive days), and Branch FAD Code; or
in the absence of a FAD Code the full Branch Postal Address; and

• in the case of a Banking Transaction Record Query of either:

c) date, Branch FAD Code and PAN; or

d) date and Branch FAD Code,

to be specified for each individual Record Query or Old Format Query (as
applicable).

3.10.2 Fujitsu Services shall have access (such access being restricted to properly authorised
Fujitsu Services staff) to records of each Banking Transaction during Period One and
Period Two.

3.10.3 Limits and Target Times for Record Queries

a) The table below sets out the limits on New and Old Format Queries which
Fujitsu Services shall be obliged to carry out and the target times for carrying out
each Audit Record Query:

Column (1): Limits on Banking Transaction Record Queries carried out by MSU

Period One
Limits: 900 per year (on a rolling year basis) with no more than [figure illegible]
per calendar month.
Target Time: 5 Days, this task will be carried out within MSU.

Period Two
Limits: 100 per year (on a rolling year basis) with no more than [figure illegible]
per calendar month.
Target Time: 7 Days, this task will be carried out within MSU.

Column (2): Limits on Audit Record Queries carried out by Security and Risk for Post Office

Period One and Period Two
Limits: Subject to paragraph 3.10.6 below, the limit per year (on a rolling year basis)
shall be the first of the following to be reached: (i) 720 Audit Record Queries consisting
of Old or New Data; or (ii) 15,000 Query Days.
The limit per calendar month, allowing a ‘burst rate’ of 14%, shall be the first of the
following to be reached: (i) 100 Audit Record Queries, or (ii) 2100 Query Days, subject to
the constraints of the agreed annual limits above.

Target Time: Subject to paragraph 3.10.4 below and applicable only in respect of Audit
Record Queries consisting of data archived with effect from the 4th Jan 2003, 7 working
days (for queries of 14 or less days’ duration) and 14 working days (for queries of
greater than 14 days’ duration).
Subject to paragraph 3.10.4 below and applicable only in respect of Audit Record Queries
consisting of data archived between the 18th May 2002 up to the 3rd Jan 2003, 14 working
days (for queries of 14 or less days’ duration) and 28 working days (for queries of
greater than 14 days’ duration).

b) The limits set out in column number 1 in the table above and the provisions of
this paragraph 3.10 relevant in connection with the application of those limits
shall apply.

c) The limits set out in column 2 in the table above and the provisions
of this paragraph 3.10 relevant in connection with the application of those
limits shall apply with effect from the date of approval by both parties of this
document.

d) For the purpose of applying the limits in column 2 in the table above from the
date of approval by both parties of this document, the equivalent Audit Record
Queries (and associated Query Days) carried out in the 12 months prior to that
date shall count towards the annual limit (on a rolling year basis).

e) For the purpose of applying the limits in column 2 in the table above from the
date of approval by both parties of this document, the equivalent of Audit
Record Queries carried out in the calendar month in which this document is
approved (prior to the date of such approval) shall count towards the limits for
that month.

3.10.4 Where:

a) a new Audit Record Query is received by Fujitsu Services or Post Office
requires analysis of an existing Audit Record Query; and

b) a member of Fujitsu Services’ personnel is needed to deal with that new or
existing Audit Record Query; but

c) that person is unavailable due to his or her attendance at court or other
proceedings in connection with an Audit Record Query,

d) the target times specified in paragraph 3.10.3 shall not apply to that new or
existing Audit Record Query referred to in paragraph 3.10.4 (a) which Fujitsu
Services shall instead deal with as soon as reasonably practicable.

3.10.5 For the avoidance of doubt, the limits set out in paragraph 3.10.3 in respect of Banking
Transaction Record Queries shall not apply in respect of reconciliation incident
management and settlement reporting carried out as a function of the Data Reconciliation
Service.


3.10.6 Post Office may at any time on three months’ notice vary the aggregate limits of Audit
Record Queries which Fujitsu Services is required to carry out as specified in column
numbered 2 in the table in paragraph 3.10.3, between

a) the limits specified in paragraph 3.10.3; and

b) the following substitutes for those limits (applicable on the same basis): 1020
Audit Record Queries or 21250 Query Days per year on a rolling year basis,
and a maximum, allowing a ‘burst rate’ of 14%, of 142 Audit Record Queries or
2975 Query Days per calendar month

and between
c) the substitute limits set out in paragraph 3.10.6 (b) above, and;

d) the following substitutes for those limits (applicable on the same basis): 1500
Audit Record Queries or 31250 Query Days per year on a rolling year basis,
and a maximum, allowing a ‘burst rate’ of 14%, of 210 Audit Record Queries or
4375 Query Days per calendar month

In each case Fujitsu Services’ charges in respect of dealing with any Audit Record Queries
up to the limits as varied in accordance with this paragraph shall be as specified in
Schedule 10.

3.10.7 Post Office shall submit:

a) Banking Transaction Record Queries to the Horizon System Help Desk which
will pass the Record Query to Fujitsu Services’ customer service management
support unit; and

b) Audit Record Queries and Old Format Queries to Fujitsu Services’ customer
service security prosecution support section.

Fujitsu Services shall accept Record Queries and Old Format Queries only from properly
authorised Post Office staff.

3.10.8 Litigation Support

Where Post Office submits an Audit Record Query or Old Format Query, at Post Office’s
request Fujitsu Services shall, in addition to conducting that query:

a) present records of Transactions extracted by that query in either Excel 95,
Excel 97 or native flat file format, as agreed between the parties; and

b) subject to the limits set out below:

(i) analyse:

• the appropriate Fujitsu Services’ Help Desk records for the
date range in question;

• Branch non-polling reports for the Branch in question; and

• fault logs for the devices from which the records of
Transactions were obtained

c) in order to check the integrity of records of Transactions extracted by that
query;

(ii) request and allow the relevant employees of Fujitsu Services to
prepare witness statements of fact in relation to that query, to the
extent that such statements are reasonably required for the purpose
of verifying the integrity of records provided by Audit Record
Query or Old Format Query, and are based upon the analysis and
documentation referred to in this paragraph 3.10.8; and

(iii) request and allow the relevant employees to attend court to give
evidence in respect of the witness statements referred to in (ii)
above,

d) provided that:

(iv) Fujitsu Services’ obligations set out in (i) and (ii) above shall be
limited, in aggregate, to dealing with a maximum of 150 (in
aggregate) Record Queries and Old Format Queries per year (on a
rolling year basis); and

(v) Fujitsu Services’ obligations in the case of provision of witnesses
referred to in paragraph (iii) above shall be to provide witnesses to
attend court up to a maximum (for all such attendance) of 60 days
per year (on a rolling year basis).

For the avoidance of doubt the target times set out in paragraph 3.10.3 for
dealing with Audit Record Queries and Old Format Queries shall not apply
in respect of Fujitsu Services’ obligations under paragraph 3.10.8.(b).

3.10.9 Any information requested beyond that available by Record Query and/or any witness
statements or witness attendance beyond that available in accordance with this paragraph
3.10 shall be agreed on a case by case basis and shall be dealt with in accordance with the
Change Control Procedure.

3.10.10 Sensitive Card Data included in records of Banking Transactions extracted by Record
Query and provided to Post Office (but, for the avoidance of doubt, not that included in
records for Transactions extracted for Audit Record Queries in respect of any other Post
Office Service) shall be in the encrypted form in which they are held by the NB System.

3.10.11 Audit Access. Reasonable access to the audit trail of Banking Transactions for Post
Office auditors for audit purposes shall be by request (and reasonable notice to) Fujitsu
Services’ Audit Manager.

3.11 Subject Information Requests

The management and provision of responses in respect of Subject Information Requests
will be as defined in Schedule 2.


4.0 Service Availability

The Service will be available between the hours of 09:00 to 17:30 Monday to Friday
excluding all Bank and public holidays.

5.0 Service Levels and Service Targets

Relevant SLA targets relate primarily to Audit Record Queries, which are defined in
Section 3 of this document and Subject Information Requests which are defined in
Schedule 2.

6.0 Service Dependencies & Post Office Responsibilities

6.1. Service Dependencies

6.1.1 The dependencies on the provision of Information Retrieval and Audit are set out in
Section 10 of this document CS/SER/016.

6.1.2 The dependencies on the provision of Subject Information Requests are set out in
Schedule 2 - paragraph 2.4.10.

6.2 Post Office Responsibilities

6.2.1 Post Office’s security-related responsibilities are set out in Schedule 16.

6.2.2 Post Office’s authority and obligations with regard to compliance with the Data Protection
Act are set out in Schedule 2 — paragraphs 2.4 to 2.5.

6.2.3 Post Office responsibilities with regard to Subject Information Requests are set out in
Schedule 2 - paragraphs 2.4.9 and 2.4.12.

6.2.4 Post Office responsibilities with regard to the provision of an Information Security
Manager are set out in Schedule 4.

7.0 Documentation

7.1 CCDs
The CCDs applicable to the service are:
a) Security Policy (RS/POL/002);
b) Security Functional Specification (RS/FSP/001);
c) Security Incident Management (RS/PRD/004);

d) Statements on Security Objectives and Methods for the Protection of Siemens
Metering Code and Data (RS/FSP/003);

e) Post Office Counters Information System Security Policy (BP/POL/002);
f) A code of Practice for Post Office Information Systems Security (BP/ION/002);
g) Departmental IT Security Standards (RS/CSD/001).
