FUJ00176516
FUJ00176516
From: Browell, Steven [/O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=3D3D7C6D3423416C862CDAOE068EF742-BROWELL, ST]
Sent: Fri 03/12/2021 5:06:30 PM (UTC)
To: Kemp, Alexi; Barnes, [...]; Holmes, Alan
Cc: Muir, Jason; Baker, Geoff
Subject: CONFIDENTIAL - Notes from our catch up earlier - ARQ focused

All,
Below are my working notes. They are NOT a final outcome. Yellow text is where I am unsure on accuracy. Actions at
the bottom. Do not share this email please.
ARQs - could we have shared a response to POL that had missing data as it was absent in the audit archive?

Summary

Yes. However, if we did, it would have been shown within the ARQ response shared with POL [to be confirmed]

Detail

* Each ARQ is run by POA SecOps from a secure room using a bespoke AE client retrieval application
* An ARQ is fulfilled by a query executing within the Query Manager
* The Query Manager checks for the correct sequencing of JSNs
* JSNs are assigned by the counter and constantly advance as each transaction is processed
* JSNs are not reset, but after extended periods - perhaps c15 years - JSNs can loop back to start their counter again
* The ARQ query options are FAST or SLOW
* The ARQ query will run against one of the 2 Audit Archives (they are assumed to be identical)
* SLOW has always been available
* [... int]roduced in HNG-X R2 2011 by CP to [...] this is when Windows event logs [...]
* POA SecOps use the FAST query by default
* A FAST ARQ query will abort if the sequence of JSNs has gaps
* A SLOW ARQ query will handle both gaps and duplicates in JSNs
* [The SL]OW query has looked for gaps and duplicates since [date when the documentation said we did, perhaps in DEV/INF/ION/0001 or DES/APP/HLD/0029]
* The POA SecOps is alerted on the AE client screen when it has collated the result set to confirm if there are/are not any gaps or duplicates
[Screenshot of the AE client retrieval application: tabs including "ARQ Details", "Audit Tracks" and "Filtering, Validation and Query"; Status: "Sort completed"; a list of retrieved JSNs; alert text "DUPLICATES FOUND" (shown in red), "SEEK ASSISTANCE FROM AUDIT SUPPORT", and "DUPLICATES - NONE" (shown in blue)]
* If POA SecOps is alerted to gaps, and this is pre-HNG-X, they should rerun the SLOW query against the other archive as it is unlikely that BOTH archives will have gaps [this relies on POA SecOps deciding to do this and could be subject to human error]
* If POA SecOps is alerted to gaps, and this is HNG-X OR the second run against a pre-HNG-X archive, they should raise an Incident as this is not expected [this relies on POA SecOps deciding to do this and could be subject to human error]
* The gaps/duplicates alert will appear on the Summary tab of the Excel extract the AE Client creates
* The POA SecOps team record the details of the ARQ requested by POL and also the type of query run (FAST/SLOW) and the archive against which the result set was derived. Notes can also be added. We have records going back to 2004 in an old MS Access database; from 2014 we have good Excel records. Our ability to access MS Access databases has been an issue in the past as the version of MS Access the database was created in isn’t compatible with modern versions of Windows
* POA no longer retain copies of ARQ responses sent to POL - they are permanently deleted once confirmed as received
* ARQ responses used to be saved on a secure drive which is held in the secure room. The NAS drive died around 2017, and around the same time a PCI audit finding advised us that we should no longer be keeping the ARQ spreadsheets as they contain PAN numbers, so we stopped storing them and deleted the spreadsheets once POL confirmed they had received a copy. We also around the same time deleted any copies of old ARQ spreadsheets we could find except for any that we were told to keep as a result of the litigation.
So we need to:

1. Gerald - Check whether checking for gaps has always been in the SLOW query used by POA SecOps - and if not, state the applicable dates it was [this will tell us if we have always known about this and have always been notifying POL - and will give us an idea if we were doing this prior to 2007 for which we no longer have records]
2. Gerald - Confirm that the gap checking applies to both pre-HNG-X extracts and HNG-X extracts
3. Gerald - Confirm when the FAST query was introduced
4. Gerald - Summarise what the FAST event checks are [so we can be clear why this query came into existence]
5. Geoff/Jason - Collate the POA SecOps ARQ records from the earliest date to the present so it can be looked at (will include converting an old version of MS Access)
6. Geoff/Jason - Check the POA SecOps ARQ records to see if any have notes stating gaps were present [this will overtly show examples where we have alerted POL]
7. Geoff - Check if there are any notes in the secure rooms that refer to gaps that we may want to check
8. Geoff - Identify the secure drive holding previous ARQ responses - may be controlled by Matt Lenton. We will need to provide very careful controls on the sharing of this data if it is deemed ‘sensitive’
   a. SSC - Identify the earliest and latest ARQ response dates on the secure drive [we will know the period for which we can provide more confident views - and this should go back prior to 2007]
   b. SSC - Run a query against the data to find any files with "Gaps Found" on any Summary tabs [this will tell us ranges of dates when POL were alerted to gaps]
9. Geoff/Jason - Confirm that POA SecOps will re-run a query for gaps pre-HNG-X and will raise a ticket for gaps in a second run for pre-HNG-X or any gaps at all for HNG-X. Write this into the Work Instruction
Steve Browell
Post Office Account
Management Consultant & CISO
Fujitsu Enterprise & Cyber Security
Fujitsu Services, Trafalgar House, Temple Court, Risley, Warrington, Cheshire, WA3 6GD, United Kingdom
Planned leave: 18 December 2021 — 04 January 2022
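As an added illustration (not Fujitsu's Query Manager or AE client code, and not part of the email above), the two JSN sequence checks the notes describe, modelled in Python: a FAST-style pass that aborts at the first break in the sequence, and a SLOW-style pass that walks the whole result set and reports every gap and duplicate for the Summary tab. The counter wrap-around point, the treatment of a duplicate by FAST, and the alert wording are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed wrap-around point; the notes only say JSNs loop back after c15 years.
JSN_MODULUS = 2 ** 31

def next_jsn(jsn: int) -> int:
    """Expected successor of a JSN, letting the counter loop back to 1."""
    return jsn + 1 if jsn + 1 < JSN_MODULUS else 1

def fast_check(jsns: List[int]) -> Optional[int]:
    """FAST-style pass (assumed model): return the index of the first break in
    the consecutive JSN sequence, or None. No diagnosis beyond 'abort here'."""
    for i in range(1, len(jsns)):
        if jsns[i] != next_jsn(jsns[i - 1]):
            return i
    return None

@dataclass
class SequenceReport:
    """Outcome of a SLOW-style pass over the whole result set."""
    gaps: List[Tuple[int, int]] = field(default_factory=list)  # (last, next)
    duplicates: List[int] = field(default_factory=list)

    def summary(self) -> str:
        """Text for the Summary tab of the extract (wording constructed)."""
        found = [name for name, items in (("GAPS", self.gaps),
                                          ("DUPLICATES", self.duplicates)) if items]
        if found:
            return " / ".join(f"{f} FOUND" for f in found) + \
                " - SEEK ASSISTANCE FROM AUDIT SUPPORT"
        return "GAPS - NONE / DUPLICATES - NONE"

def slow_check(jsns: List[int]) -> SequenceReport:
    """SLOW-style pass: walk every JSN in retrieved order, recording each
    duplicate and each gap instead of aborting, so SecOps can be alerted."""
    report = SequenceReport()
    seen = set()
    prev: Optional[int] = None
    for jsn in jsns:
        if jsn in seen:                      # repeat of a JSN already collated
            if jsn not in report.duplicates:
                report.duplicates.append(jsn)
            continue                         # a repeat is not a gap
        seen.add(jsn)
        if prev is not None and jsn != next_jsn(prev):
            report.gaps.append((prev, jsn))  # JSNs missing between prev and jsn
        prev = jsn
    return report
```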