POL00401677 - Solution Architect

Evidence on official site

FUJ00176538

From: Gauntlett, Paul[/o=ExchangeLabs/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Recipients/cn=20fad69c 1 be54161 9bbf58bbefdae198-Gauntlett,]
Sent: Fri 03/12/2021 10:25:10 AM (UTC)

To: Browell, Steven; Barnes, Gerald
Subject: RE: PCI meeting where audit archive gaps was raised
Hi Steve,

Below is the text that was present in ARC PCI Migration - Requirements Capture - WIP - Cloud Office - Confluence
(atlassian.net) at the time of the discussion with John & Dean. The background statement was deleted following the
discussion due to the request for a more detailed statement.

Data over 10 years old is inconsistent across the 2 Belfast servers therefore, in addition to copying all IRE11 data,
IRE19 data > 10 years old must be retained and serviced by its own SQL DB

NOTE: This requirement disappears once data is no longer required to be kept for longer than 7 years.

Background: Originally the 2 servers were deployed in an active-active configuration with both gathering. Horizon
transaction data for each transaction ended up being copied into two files with different names. Each of these files
would have other transactions too from other FADs but the order of things would not be the same in each.
Normally each file was saved by an audit server. These files were not copied between the audit servers. So normally
each audit server had a separate copy of each transaction though in totally different files. Just now and again there
would be some failure and only one of the files was produced and so for a few transactions an ARQ would work
properly on only one of the audit servers (nil return on the other). This practice desisted and now only one audit
server actively gathers and all its files are copied to the other audit server each evening.

From: Gauntlett, Paul
Sent: Friday, December 3, 2021 10:00 AM

Boardman, Phil; Barnes, Gerald

meeting where audit archive gaps was raised

Hi Steve

* This week we have been running daily sessions with POL to discuss requirements for the “Tactical” PCI Audit solution — the migration of Belfast Audit to AWS Card Data Environment
* The issue was first raised on Monday in the 13:00 session with John Nelis POL PM and Alex Wood POL Tech Lead
  o The context was discussing the scope of the data migration due to audit data over 10 years old being inconsistent across the two Belfast Servers.
  o This requirement had been identified as an output of a requirement capture session between myself and Gerald last week
* On the Tuesday session @ 14:00 Dean Bessel joined the call. I had no prior warning he would be on the call
  o Also present were myself, Gerald and John Nelis and Andy Frodsham an Amazon Cloud Architect.
  o John asked Andy to drop off the call temporarily which he did.
  o Dean then explained he was head of Horizon risk controls and wanted to get more background detail on the issue
  o Interestingly at that juncture I said it would be sensible to record the call, and started the recording, however Dean said his preference was not to record at this juncture and so I obliged by stopping the recording
  o I have 15 seconds of recording confirming this request. Tactical PCI Audit Requirements - Session 3-20211130_140210-Meeting Recording.mp4
  o At the time we had documented a couple of sentences in this document ARC PCI Migration - Requirements Capture - WIP - Cloud Office - Confluence (atlassian.net) which lacked depth.
  o The subsequent conversation covered the issue in a lot more substance with Gerald providing historical background
  o As a result at the end of the discussion it was agreed Fujitsu needed to document the history/background in more detail.
  o We were told this could be done in the requirement doc or in an email
  o John mentioned producing a “problem statement” but it wasn’t a firm request.
  o John said it was his intention to take the statement, once received, to POL legal so a decision could be made on the scope of data that was required to be migrated
  o No minutes were taken. Other subjects were discussed after Dean left the call. To be clear the purpose of the meeting was to discuss ALL requirements.
  o The historical data issue was discussed first and Dean dropped off once he had enough verbal detail
* After that Gerald and I got together to produce the statement I sent you.
  o This was sent to you and Phil Boardman on Wednesday, December 1, 2021 11:51 AM

Regards Paul

From: Browell, Steven
Sent: Friday, December 3, 2021 9:16 AM

Boardman, Phil; Barnes, Gerald

audit archive gaps was raised
Do any of you know more info on the PCI meeting where the audit archive gaps came up?

I’m hoping to better understand

* When was the meeting?
* Who attended the meeting?
* What was said on this subject in the meeting?
* Who described this subject from Fujitsu at the meeting?
* Are there any documented minutes from the meeting?
* Have there been any subsequent emails or call since the meeting on this subject?
* What actions were assigned at the meeting in relation to this subject?

Steve Browell
Post Office Account
Management Consultant & CISO

Fujitsu Enterprise & Cyber Security
Fujitsu Services, Trafalgar House, Temple Court, Risley, Warrington, Cheshire, WA3 6GD, United Kingdom
E-mail: Steven Browell

Planned leave: 18 December 2021 — 04 January 2022

Mob:!
