Audit Trail Break — Pathway Position
Problem was initially identified as an incomplete TMS audit trail for the period 8" to 14"
August 2000. This was caused by coincidental DLT failure at both datacentres. Pathway could
therefore not meet Requirement 699 and 829 in respect of these dates — specifically RFI 8
could not be met in full.
Subsequent investigation by Pathway identified that Correspondence Server backup tapes that
may have covered the period were still available. It was known to be possible to reconstitute
the TMS audit trail from these backup tapes.
Recovery action was instigated in August culminating in full scan of the backup tapes during
November. Scanning activity confirmed that whilst were not able to recover all of the data in
the period, 66% was recoverable.
In respect of RFI 8 (the request that highlighted the existence of the break) the unrecoverable
period is from 19:27 on Sunday 6 August until 16:09 on Monday 7 August. This compares to
the original reported break of 8 August to 14 August inclusive (late hoarding caused late
reporting of the problem).
The normal expiry for all of this audit data is 14 February 2002.
There are two options:
Rebuild the audit trail from the 66% available data on the Correspondence Server backup
tapes and provide data for RFI 8 within the constraints outlined in the previous bullet. Hold the
backup tapes up to normal expiry pending any further RFIs for that period which will be dealt
with on a per-RFI basis.
Rebuild in its entirety the audit data and place into the audit archive. The current estimate for
this work is 18 days effort spread over an elapsed period of 36 working days.
Our recommendation is for Option I for the following reasons:
Completion of the 66% recovery is unlikely to be achieved before normal expiry of the data;
Skills required to undertake the recovery work are those required to deal with normal RFI
work;
Based on an analysis of RFI metrics we believe that POL Security and Investigations are
dealing with matters more current than August 2000 and are therefore unlikely to require more
data from this particular period.
FUJ00176294
FUJ00176294
FUJ00176294
FUJ00176294
Audit Trail Break - August 2000
Day / Date Cluster 1 Cluster 2 Cluster 3 Cluster 4
s T U VWX ¥ s T U VW xX ¥ Z/}S T U VW X Y s T U VW xX ¥
Z Z Z
Saturday 5"
Sunday 6"
Monday 7"
Tuesday 8"
Wednesday 9"
Thursday 10"
Friday 11"
Saturday 12"
Sunday 13"
Monday 14"
Tuesday 15"
Key:
Green Data exists in current Audit Trail at EITHER Bootle OR Wigan
Yellow Data missing in Audit archive but readable/reconstitutable from backup tapes
Red No hope of recovering data due to damaged OR unreadable backup tapes