FUJ00176754 - Email from Jan Holmes to Colin Lenton-Smith and Graham J Hooper re: Data Centre Report by Rashpal Dhesi

FUJ00176754

From: Holmes Jan R[/O=ICL/OU=UKSOUTH FEL01/CN=RECIPIENTS/CN=HOLMESJ]
Sent: Thur 31/01/2002 4: 2 PM (UTC)

To: Lenton-Smith Colin; Hooper Graham J

Subject: Data Centre Report

Attachment: Consignia Report-Horizon-v1c.doc

Colin, attached to this email is a report that my POL counterpart, Rashpal Dhesi, is proposing to circulate to a very
imposing distribution list. He is waiting for my comments before doing so and I do not propose giving them until we have
agreed the approach between us.

I am embarrassed by this since my wish to be open with Rashpal and share information of interest has resulted in this
situation. Still, a lesson learned?

The History
Graham and I conducted an audit of the Data Centres and the Belfast Operations Centre during October 2001. In the
light of the broken audit trail issues Rashpal asked if he could attend the Data Centre element as an observer. I floated
this by ISD, Graham (and I think I even mentioned it to you) and we agreed to extend the invitation. I made it clear to
Rashpal that his role was as an observer and that he would not be contributing to the audit directly although he could talk
to me about the outcomes and interviews at the time. At report time Graham and I (and I think you again) agreed to
share the Data Centre elements with Rashpal on the grounds that he had been present, had seen what we had seen and
could draw his own conclusions anyway. We did take the precaution of removing the Belfast Operations Centre stuff from
the report as Graham felt that it was too sensitive to share.

The Response

Today I received the attached document. It contains a cut down copy of much of the text from my report that I shared
with Rashpal. In itself it doesn't represent a threat to us since it clearly demonstrates an effective approach to audit and
the manner in which the corrective actions are being addressed has been very good. The issue here is about the
distribution list and the agenda that is being played out.

The Considerations

1. None of the POL Audit Reports that I have previously seen delve into this level of detail.

2. I cannot conceive of any normal reason why any of this exalted distribution list would be interested in this level of
detail.

3. I'm not sure that POL can copy text verbatim from a ‘Commercial in Confidence’ Pathway document and put it into one
of their own.

4. He hasn't formed an opinion as to whether the nature of the findings are significant or not which would qualify the
absolute nature of the recommendations that were written for ISD and Pathway's benefit.

5. He has been positive about our continued monitoring of the CAP items and his continued monitoring of us through the
Quarterly Audit & Security Panels (next meeting provisionally booked for 11th February in FELO1)

The Consequence
I'm not sure because I do not know what agenda is being played. However, if anybody were to get this inside POL, cold
and without the context being set, they could think that we had a real security problem in the Data Centres.

The Recommendations
I propose to reply to Rashpal in the following manner :
1. Although I knew he was going to produce a report I (foolishly) assumed it would be limited to POL Internal Audit and
relevant to the broken audit trail aspects only.
2. The proposed distribution of this report was not discussed nor agreed by me before or after the audit was completed,
and was certainly not expected. It could have influenced our decision to invite him and would certainly have influenced
the final copy report that he received.
3. We do not agree with his distributing the report in its current state to the named distribution list on grounds of :

a. Level of detail inappropriate to role.

b. Relevance to recipient's role - other than Mike Hannan's who will pass it to Keith Baines et al in order to bash us
on the head with it.
4. We consider that Paras 2.1 to the end are not relevant inside POL since they relate to detailed operations within the
Data Centres.
5. I would expect him to express an opinion to his management rather than just relay our audit report.
6. In future I shall be implementing the full rigours of the Joint Working Framework defined in the Horizon System Audit
Manual (IA/MAN/005) whenever we have any other joint working.

I have a speaker ‘phone on my desk in AO and I think it would be useful for the three of us to have a conversation before
I reply. I'll be in KIDO1 tomorrow.

Jan Holmes
Quality & Audit Mi
KIDO1
FELO1
Mob :/