Fe)
FUJITSU
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Document Title:
Document Reference:
Document Type:
Release:
Abstract:
Document Status:
Author & Dept:
External Distribution:
Approval Authorities:
Fujitsu. Services Post Office Account Information Security
Management System (ISMS) Manual
SVM/SEC/MAN/0003
MANUAL
Not Applicable
An approach and framework to implementing, maintaining,
monitoring and improving information security on the POA
APPROVED
ciIso
Mark Pearce, Head of Information Security [Post Office Limited]
Name Role Signature Date
Brad Warren ciso n/a
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED
PageNo: of 1
FUJ00232652
FUJ00232652
(oe) POA Information Security Management System (ISMS) Manual
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0 Document Control
TABLE OF CONTENTS
0 DOCUMENT CONTROL........cscsssssssesssesssesessssssssssssesssesscasscseseeeenesteeseeseneneerasaseeee 2
0.1 Document Control 4
0.2 Review Details 4
0.3 Associated Documents (Internal & External) 5
0.4 Abbreviations 5
0.5 Glossary 6
0.6 Changes Expected 6
0.7 Copyright 6
1 INTRODUCTION........cccssssssssssseseseeseessssrscssssessssssessseseesasseeneaeseanscetsensnsssosansenseoees 7
2 INFORMATION SECURITY POLICY..........:ccecssssssssssssseeseessssssesersenseesseenseseeseceren 7
3 ISMS DOCUMENT STRUCTURE.
OBJECTIVES OF THE ISMS.
441 Objective Measures & Effectiveness 10
5 ORGANISATION AND SCOPE.
5.1 POA Organisation 12
5.2 Management Commitment 12
5.3 Statement of Scope 13
5.3.1. Excluded from Scope: 13
5.4 Boundaries and Interfaces 13
5.5 External Parties 15
5.6 Other Fujitsu Business Units. 15
6 INFORMATION SECURITY RISK ASSESSMENT..........cscsssssssssssssssensseseeenenenes 15
6.4 Risk Management Approach (Methodology & Tools) 15
6.2 Risk Treatment Plan 17
6.3 Risk Treatment Options 17
6.4 Statement of Applicability 18
7 ORGANISING INFORMATION SECURITY........s:ssssscssssssssssessensestesesesssseeeessensenee 19
7.1.1. Information Security Management Review 20
7.1.2 Information Security Service Review 20
7.2 Key ISMS Documents and Records 20
8 KEY PERSONNEL.
8.1.1 Fujitsu Services POA Delivery Executive 21
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISECIMANT0003
CONFIDENCE) Version 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 2of1
FUJ00232652
FUJ00232652
(oe) POA Information Security Management System (ISMS) Manual
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
8.1.2 Chief Information Security Officer (CISO) 21
8.1.3 Quality & Compliance Manager 22
8.1.4 Staff Responsibilities 23
8.1.5 Other Responsibilities 23
9 COMPLIANCE AND REPORTING.
9.1 ISO/IEC 27001 Compliance Audits 24
9.2 Reporting 24
9.3 Supporting Post Office Ltd Compliance 24
9.4 Legal Compliance 25
10 COMMUNICATION AND AWARENESG..............00+
11. SECURITY OPERATIONG........
11.1 User Administration 25
11.2 Administration of Changes 25
11.3 Acceptance into Service 25
11.4 Analyse Security Logs 26
11.5 Anti-Virus and Malicious Software Management 26
11.6 Security Incident Management 26
11.7. Cryptographic Key Management 27
11.8 Information Retrieval and Prosecution Support 27
11.9 Physical Access Control 27
12 BUSINESS CONTINUITY MANAGEMENT.
13 ELECTRONIC MAIL.
14 APPENDIX A-ASSET TYPEG......
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 3of1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0.1 Document Control
Version No. Summary of Changes and Reason for Issue Associated Change -
CP/PEAK/PPRR
Reference
4 Initial Draft
02 19/02/08 Updated with information from service description
0.2 19/02/08 Issued for Review
1.0 30/04/08 Issued for Approval after updating with review comments
14 30/04/09 Review Amendments
12 14/12/09 Updates to reflect HNG-X
13 16/12/09 Risk Approach updates
14 Review and update
15 8/04/10 Update following review following organisational changes. And
initial meeting with BSI
16 01/06/10 Changes arising from Document Review
17 16/06/2010 Changes from Quality Review
18 24/06/2010 Additional Risk Management Changes
2.0 21/07/2010 Issued for Approval following review comments
24 30/08/2011 Update after annual review
22 26/05/2012 Review of ISMS Manual
23 02/11/2012 Interim review of updated ISMS — draft
24 04/12/2012 Following document review
25 14/12/2012 Revised as per Bill Membery comments
3.0 21-Dec-2012 I Approval version
0.2 Review Details
Review Comments by :
Review Comments to :
Mandatory Review
Delivery Executive
Brad Warren
James Davidson
Chief information Security Officer (CISO)
Brad Warren
Quality and Compliance Manager
Bill Membery
Optional Review
Client Executive Gavin Bell
Commercial Director Tim Healy
Security Operations Manager Donna Munro
Issued for Information
Please rest
istribution list to a minimum
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 4of1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
2
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Head of Information Security, POL Mark Pearce
(* ) = Reviewers that returned comments
0.3 Associated Documents (Internal & External)
Reference Version Date Title Source
PGM/DCM/TEM/0001 2.0 16-03-07 POA HNG-X Generic Master Dimensions
(00 NOT REMOVE) Document Template
SVMISECIPRO/0033 2.0 14/06/10 Risk Management Procedures Dimensions
SVMISEC/MAN/0001 at 05/09/11 POA Statement of Applicability Dimensions
SVM/SEC/POL/0003 60 08/09/11 POA information Security Policy Dimensions
MP3 70 24/05/20 I Fujitsu Property and Physical Security CafeVik
12 Master Policy
cMP6 75 03/07/20 Fujitsu Legal Compliance Master CafeVik
12 Policy
cMP20 22 26/06/20 Fujitsu Security Master Policy CafeVik
12
cMP2t 34 03/10/20 I Fujitsu Intellectual Property Master CafeVik
1 Policy
cMP27 211 17/08/11 Fujitsu Risk Management Master CafeVik
Policy
CMP31 7.0 01/03/20 I Fujitsu Business Continuity Master CafeVik
12 Policy
Fujitsu (UK&l) Security Policy 1.0 11/05/12 Fujitsu Services Security Manual CafeVik
Manual
Unless a specific version is referred to above, reference should be made to the current approved versions of the documents.
0.4 Abbreviations
Abbreviation Definition
IS Information Governance
ISMR Information Security Management Review
iSMS Information Security Management System
NCN Non-Conformity Notice
POA Post Office Account
ToR Terms of Reference
Fujitsu Fujitsu Services POA,
ciso Chief information Security Officer
RTP. Risk Treatment Plan
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVM/SEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: Sof
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
isP Information Security Policy
SOA Statement of Applicability
ARQ Audit Request Query
SLA Service Level Agreement
OLA Operational Level Agreement
0.5 Glossary
Term Definition
0.6 Changes Expected
Within 6-12 months re-issued following Information Security Management review [internal] audit
0.7 Copyright
© Copyright Fujitsu Services Limited 2012. All rights reserved. No part of this document may be
reproduced, stored or transmitted in any form without the prior written permission of Fujitsu Services.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 6 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
1 Introduction
Information is an asset which, like other important business assets, has value to an organisation
and consequently needs to be suitably protected. Information security protects information from
a wide range of threats in order to safeguard customers and staff, ensure business continuity,
minimise business damage and maximise operational efficiency.
Information can exist in many forms. It can be printed or written on paper, stored electronically,
transmitted by post or using electronic means, shown on films, or spoken in conversation.
Whatever forms the information takes, or means by which it is shared or stored, it should always
be appropriately protected and is subject to the provisions of this policy document.
Information security is characterised here as the preservation of:
e Confidentiality: ensuring that information is accessible only to those authorised to have
access;
e Integrity: safeguarding the accuracy and completeness of information and processing
methods;
e Availability: ensuring that authorised users have access to information and associated
assets when required.
Information security is achieved by implementing a suitable set of countermeasures, including
policies, practices, procedures, organisational structures and technical measures. Therefore by
using an Information Security Management System (ISMS), this provides a systematic approach
to managing sensitive company information so that it remains secure. It also encompasses
people, processes and IT systems
2 Information Security Policy
1. The purpose of this policy is to define how Information Security is managed, within the
framework of this ISMS
2. The purpose of Information Security Management is to provide an appropriate level of
protection for information assets from relevant threats, whether internal or external,
deliberate or accidental. The implementation of this policy is important to maintain our
integrity as a supplier of services to stakeholders.
3. It is the policy of the POA to ensure that:
a. The requirements of ISO/IEC 27001:2005 are effectively addressed
b. Information will be protected against unauthorised access.
c. Confidentiality of information will be maintained.
d
Information will not be disclosed to unauthorised persons through deliberate or
careless action.
e. Integrity of information is assured through protection from unauthorised modification.
f. Information is available to authorised users when needed.
g. Regulatory and legislative requirements will be met.
h. Information security training will be provided to all staff.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISECIMANT0003
CONFIDENCE) Version 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 7 of
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
oo
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
4. This policy is set within the context of the ISMS and interfaces the following Fujitsu Services
Master Policies:
Property and Physical Security [CMP3]
Legal Compliance [CMP6)
Security Master Policy [CMP20
Property and Physical Security [CMP3]
Legal Compliance [CMP&
Intellectual Property [CMP21
Risk Policy [CMMP27:
Business Continuity [CMP34
Fujitsu_(UK & 1) Security Policy Manual
Any member of Staff failing to adhere to the Security Policy and associated procedures will
render themselves liable to disciplinary action in accordance with Fujitsu Conduct Guidelines
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 8 oft
FUJ00232652
FUJ00232652
(oe) POA Information Security Management System (ISMS) Manual
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
3 ISMS Document Structure
ISMS
Manual
Risk Assessment Methodology
Risk Identification “STREAM”
Risk Analysis
Risk Treatment Evaluation
Risk Register
mi>7»ovr7O0
Pp
°
ie
1
o
it
iS
Vs
& Audit Reports
is Incident Reports
°I Education Records
is Minutes....etc...etc
D
uU
R
5 Information Security
Management Forum (ISMF)
Information Security Management
Review (ISMR)
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISECIMANT0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: oft
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
2
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
4 Objectives of the ISMS
The objectives of the ISMS are to:
1. Provide an information security framework within which the programme is developed,
delivered and implemented to all relevant areas of the business;
2. Provide an organisational and responsibility framework for security activities and
allocate security roles and responsibilities;
3. Identify risks associated with the provision of the POL Service, through formal risk
assessment techniques, and prioritise and implement appropriate controls and security
measures;
4. Ensure appropriate security and business continuity procedures and controls are in place
to support Services provided;
5. Provide a basis for review, governance, assessment and improvement of the ISMS;
6. Ensure that information security controls are appropriate to the sensitivity of the
information processed and stored;
7. Ensure contractual, legal & regulatory compliance across the scope of Service provision;
8. Identify the security awareness and education requirements for employees and
subcontractors.
41 Objective Measures & Effectiveness
No Objective Measures Measurement
4 I Amanagement system, based on an Demonstrated through _the I Existing and management approved
information security risk approach, ongoing maintenance of the ISMS I information security management system,
exists to establish, implement, operate, I per registration to I based on a viable risk assessment
monitor, review, maintain and improve I 1S027001:2005, under _ the I methodology (STREAM), with attendant
information security. auspices of the Plan, Do, Check I records
Act cycle, and through the review
of audit coverage & results;
corrective actions; —_ security
incidents; risk assessment and
reviews
2 _ I Anorganisational framework has been I Demonstrated through * Information Security Policy, approved by
established, and approved by POA, to. I appointment of appropriately Account Director (Version 5)
identify and allocate security roles and I competent personnel identified;
responsiblites. who are in post (with relevant and I * SMR (Quarterly ) and ISMF (Monthly)
approved TORS) Minutes (8 senior managers invited)
The organisational framework is I * PMO Records — 300+ Personnel on
under constant _—senior I Account
management review, with records I . personal Terms of Reference
maintained by PMO and security
roles and responsibilities are
subject to regular review & update
by the ISMF and ISMR.
3 _ I A formal risk management process has _I A fully documented risk + STREAM risk assessment tool and
been established whereby relevant risks_I management process including a_I associated records.
will have been identified, measured and I control framework, risk registers
appropriate controls and and associated risk + STREAM Dashboard
countermeasures implemented treatment/security improvement I ionthly risk assessment meeting
plans which are reviewed on a
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref: ‘SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED
Page No: 10 of 1
fee)
FUJITSU
CONFIDENCE)
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
FUJITSU RESTRICTED (COMMERCIAL IN
regular basis.
Demonstrated through the risks
being reviewed on a regular (at
least monthly) basis as part of the
Business Review Process and
shown to be effective (+ risk
mitigations closed off); linkage to
managed change processes,
incident management and audit;
STREAM dashboard
Controls relevant to the identified asset
risks are in place
Demonstrated through, for
example, the completeness of BC
plans, together with associated
review schedules/tests. Assigned
asset owners, asset registers,
test schedules and scripts which
are subject to regular review and
test (as applicable)
+ ISMS Document set
+ Approved Risk Management Process
(SVM/SEC/STD/0006);
+ STREAM Records in respect to asset
classes, asset owners, risks etc
‘An Information Security Management
Forum (ISMF) has been approved and
established to oversee the review,
governance, assessment and
improvement of the ISMS
Demonstrated through schedule
(at least monthly) of meetings;
+ Tn POA top level forum is the Information
Security Management Review —
records/minutes of quarterly and weekly
meetings; evidencing top management
commitment and attendance
+ ISMR Terms of Reference
A Statement of Applicability (SoA) has
been prepared that describes the control
objectives and controls that are relevant
and applicable to the organisation
The SoA, which can be affected
by changing business
circumstances, is reviewed at a
minimum on an annual basis, and
updated where applicable.
SoA Version 1 (Dimensions), managed
through STREAM updates
The handling of information will be in
strict compliance with all relevant
contractual, legislative and regulatory
requirements.
Training, Awareness and
Communication programs are
established to ensure all
stakeholders are apprised of the
requirements. The requirements
themselves are visited on a
regular basis to ensure currency.
Demonstrated throught audit
results and incident reviews and
records of those who have
undergone Fujitsu services and
POA training
+ Fujitsu Corporate manages new mandatory
Security Awareness Training Programme
+ All joiners/movers/leavers now managed
through Operational Security
Re- introduction of Security at Induction,
communications and briefings. [Ref Security
Improvement Plan November 2012]
All personnel who are assigned
responsibilities defined in the ISMS
have documented records of training,
skills, experience and qualifications,
Demonstrated through
maintenance and regular review
of staff records to ensure
compliance with ISMS. Ongoing
CBT training is monitored and
reported, with relevant records
maintained. Appraisal processes
are designed to determine
training/skills needs
+ Staff Records (inc training and
qualifications); skills database, appraisal
system for training and developmental needs.
©Copyright Fujitsu Services Ltd 2012
UNCONTROLLED IF PRINTED
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Ref SVMISECIMANT0003
Version: 3.0
Date: 21-Dec-2012
PageNo: 11 of 1
FUJ00232652
FUJ00232652
(oe) POA Information Security Management System (ISMS) Manual
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5 Organisation and Scope
5.1 POA Organisation
The diagram below represents the POA Account organisation structure. Detailed organisation
charts are maintained by PMO.
Gavin Bell I James Davidson
ChentEsecutive every Executive
Business Support Functions
bcs [ee
— ooo
Manager I
brrseere en Geen ieee Gee See I
1 ' 1 1 1 I
1 ' ' ' ' 1
[a ana werden 1 ean bobo 1
I Pestioseiee! pestle! [rowan Dect \ \ \ \ !
Horo ot ot '
[Pete Newsome Pete Thompson [amt pte 1 1 1 i 1
anes Change I Headof Hosting & -I se 1 1 t 1 1
t ! i ' 1 i)
' '
' 1
1
1
i)
1
i
eet
i
t
i
Brad warren ChrisBridgland Jayne Armtrong
Graham Welsh Head I security HR Soureing
} oe I Ls sce
— Bryony carter Tie Healy
I Tom Gornat males psec
5.2 Management Commitment
POA management is committed to Information Security. This is demonstrated by:
® appointment of CISO to POA as a member of the Extended Leadership Team reporting
directly to the Delivery Executive
e review and approval of this ISMS Manual which describes the establishment,
implementation, operation, monitoring, review, maintenance and improvement of the ISMS;
e review and approval of the POA Information Security Policy
e the provision of resources and approval of roles and responsibilities for information security,
including ensuring adequate skills and competencies;
* ongoing communications and awareness activity; and
« Inclusion of Security on both the Quarterly Quality Review and ELT and Programme Risk
board.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISECIMANT0003
CONFIDENCE) Version 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 12 of 1
FUJ00232652
FUJ00232652
(oe) POA Information Security Management System (ISMS) Manual
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.3 Statement of Scope
The operation and maintenance of the Post Office Account (POA) on-shore and off-shore
services provided by Fujitsu to Post Office Ltd (POL) and incorporating the Horizon on Line
Service and POL Financial Systems (SAP and Management Information). In accordance with
the Statement of Applicability Version 8
(Associated asset types are recorded in Appendix A (15).
5.3.1. Excluded from Scope:
Activities, processing, and management carried out by PO Ltd users, or non-Fujitsu assets (not
managed by POA) located at PO Ltd sites, e.g. Post Office Branches, Mobile Offices or PO Ltd.
3rd party sites.
Communications to Post Office clients; where such connections are the responsibility of PO Ltd.
or its clients as defined by the contract.
POA services provided to RMG (Royal Mail Group rather than PO Ltd),
5.4 Boundaries and Interfaces
Fujitsu UK&l have recently reorganised to deliver its services more in line with our customer's needs.
The top level Fujitsu organisation is shown below with the relevant Service Lines e.g. Business
Application Services, Hosting & Network Services, End User Services and Technology Product Group.
Fujitsu Post Office Account [POA] interfaces with these service lines to provide the services required to
support delivery to Post Office. The Delivery Executive for POA reports into the head of Business
Application Support service line - BAS — but interfaces with area of H&NS, TPG for delivery as well as
the Functions that support Fujitsu UK&lI delivery across the board as indicated in the POA org chart
headed by the Delivery Executive.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 13 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
oo
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
UK & Ireland Region
2
Lead on sales and
demand generation
a
Regina Moran
Republic (Account National,
ofireland 0 Security 2
pa (Account Service Lines ~
Sector ce aligned to how our —
customers buy TT
Functions /
shared services
teams
EllaBennett. I i Davia Roberts
name I GRO] fe comme chet pertne I GR
Steve Clayton
Finance
eStrategy Resouces I = Offices
I Assurance
POA Delivery Executive
James Davidson
ogramme wer Lead oo
virector Graham it
Ewan hill Welsh lap ta ots Mark Amold
Newsome
HNS Tower Lead S Tower Lead
Peter
Thompson Mark Gordon
Key. Denendencies
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISECIMANT0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 14 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
H&NS provides Data Centres which are used to host, manages and operates business critical IT
systems for Fujitsu corporate and customers’ businesses.
Fujitsu Group Properties manage the secure building environment and the supporting sub
components, such as the mechanical and electrical systems, resilience of the environment and the
management of building security including media destruction services.
Fujitsu Group Security provides the systems for a) security vetting, and b) the processing, analysis and
reporting of security incidents, including those pertaining to information security.
Human Resources provide the systems for ensuring starters and leavers are processed correctly thus
ensuring all relevant aspects of security are fulfilled, e.g. passes, laptop etc, issued and recovered.
Supply and Lifecycle Services manage and control the relationships with our key services suppliers.
Engineering Services provide advice and guidance as well as incident management and resolution on
servers, desktop and peripherals at a customer's site where such support cannot be provided remotely
5.5 External Parties
POA will create and maintain a register of external parties with connections to Services provided
to PO Ltd.
In accordance with Section 6.4 of the POA Information Security Policy security requirements
must be agreed, documented and defined in agreements with any external parties, who require
access to POA information or processing facilities. This agreement may be in the form of an
external contract or internal operational level agreement.
Audits will be carried out periodically by POA to confirm that compliance to POA security
requirements. POA may accept ISAE 3402 or BSI 1SO027001 registration as evidence of
compliance all or part of the POA security requirements where the scope of the external audit
includes all aspects of services provided to POA.
In addition Section 10.8 of the POA Information Security Policy provides the guidance and
controls on the security requirements for exchange of information between external parties.
5.6 Other Fujitsu Business Units.
For the purpose of the POA ISMS other Fujitsu business units will be treated as external parties
as per section 4.5 above.
6 Information Security Risk Assessment
Risks shall be identified, assessed and reviewed as described below and shall be generally
managed in accordance with the Fujitsu Services Business Management System (BMS) Risk
Management Master Policy.
6.1 Risk Management Approach (Methodology & Tools)
Risk management is a continuous and iterative process which underpins the ISO/IEC 27001
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 15 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
fee)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
\ Risk _\
[ Assessment J]
I Risk
Security v Management
Requirements Plan Reports
Contractual v Initial Risk Profile
Requirements
Security Residual Risk
1s027001 Control Do et Improvements & Profile
Asignment Risk
PCI DSS Treatment Scope of
Applicability
POL Policy and A
‘Standards Check . Risk Treatment
Plans
Legislation \
\ Control
- ) Assessment
POA has selected the Acuity Stream risk management tool to manage:
« Risk Assessment;
e Control Assignment;
e Control Assessment;
e Security Improvements and Risk Treatment and
e Risk Management Reporting and Dashboard.
The workflow for Acuity Stream is demonstrated in the diagram below
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 16 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
fee)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
———————
Reporting
pyr
ruce I oxjeatves
=
ccbechas
Geosrty Dom esl Rak Assessment
Chace complance Repertng
Information security risks are based upon the identified Information assets and supporting assets
of the functions / services within scope. A list of the identified asset classes can be found in
Schedule B.
62 Risk Treatment Plan
For all risks where the residual risk is identified within Acuity Stream as amber / red an action will
be recorded, for further containment to reduce the residual risk to an acceptable level. These
actions when consolidated into a report will be considered as the risk treatment plan (RTP).
The risk treatment report will identify for each risk requiring treatment:
e its pre-action data is recorded from the risk register;
e the risk option is decided
e risk treatment action[s] are determined and recorded;
* post action scoring is undertaken
¢ next review / milestone dates are documented
The RTP is subject to regular review by the POA CISO/ISMF, in conjunction with the risk
owners.
6.3 Risk Treatment Options
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 17 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
There are several options available to senior management when considering what to do about
identified risks. The chosen option (or mix of management techniques) will depend on the
nature and level of the risk.
The key options are:
e Risk Acceptance:
For low-frequency, low-impact risks, where the cost of control is greater than the potential
risk, CU management will choose to accept such risks.
° Risk Avoidance:
Where an activity generates a risk, and the CU has the option to cease the particular activity
or to conduct the process in a different way, then they may choose to do so in order to avoid
the risk concerned.
e Risk Reduction/Mitigation:
Where the level of risk is unacceptable, management will employ controls in order to
manage that risk down to acceptable levels, either by mitigating the impact, or reducing the
vulnerability/likelinood. Lower impact risks will be kept under review to ensure that the trend
is not increasing, or the cumulative impact is not unacceptable.
¢ Risk Transfer:
In circumstance of potential catastrophic loss, with low probability (such as complete loss of
data centre), management will opt to transfer the risk to other parties, facilities or services.
6.4 Statement of Applicability
The ISMS Statement of Applicability illustrates the:
1) control objectives and controls selected together with the reasons for their selection;
2) control objectives and controls currently implemented; and
3) exclusion of any control objectives and controls and the justification for their exclusion.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISECIMANT0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 18 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
2
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
7 Organising Information Security
The information security organisation within POA is, under the leadership of the CISO.
Post Office Account — Security
Brad Warren
Chief information
‘Security Officer
haa oo
(ie 5 Seleieteteiaieie teteieieteteieted .
1 L i 1
Donna Munro Vacancy Dave Haywood I Howard Pntchara
ompliance & I }
‘Security Architect I Security HP&BB.
Assurance
om I t
Security Operations I Risk Ci
‘Andy Dunks
ba
Penny Thomas
Security
=) Operations
Li Centre
The CISO is accountable to the Delivery Executive for management of all information security
matters within the Account and scope of this registration; The CISO is a member of the ELT and
senior management level Risk and Quality review boards where he shall report on security, risk
and compliance issues. The CISO is the senior account representative on the Post Office ISMF
and maintains contact with the Fujitsu Security Management Forum (SMF) and Security Delivery
practice and CISO through line management responsibilities in H&NS.
Information security liaison between Post Office Ltd and POA is conducted through the
Information Security Management Forum (ISMF), whose core membership comprises the POA
CISO, Security Operations Manager and Post Office Ltd Head of Information Security and other
representatives.
At Both the POA Quality and Risk boards and ISMF information security reports, risks, metrics
and incidents are considered. The Quarterly Quality and Security Review are considered the
acceptance body for POA account security policies. Minutes are taken of actions and decision
for both these forums and are stored on POA SharePoint.
The CISO is a member of both forums and as such acts as liaison between both of the
information security oversight bodies.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 19 of 1
2
FUJITSU
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
7.1.1
Information Security Management Review
Management review of Information Security is undertaken by the CISO and through reporting
and review of RISK and associated Policies and Documentation through the monthly ELT
meetings and the Quarterly Quality and Security Board. Senior management attendance is
mandated and must be achieved in order for the board's activities to be authorised.
Terms of Reference for the Quarterly Quality and Security Board are detailed in
RMGA/PGM/MGT/STD/2066
The POA Senior Management Team is responsible for:
e Approval for strategies and master policies supporting the Objectives.
e Identifying and reviewing metrics measuring the effectiveness of Security activities
across the POA
« Ownership of Security Policy, ISMS and sign off of any other relevant CCDs e.g. for
compliance etc
Information Security Service Review
Regular reviews of the POA Information Security Service are conducted through the ISMF,
which is attended both by the POA CISO and the PO Ltd. Security Manager. Document and
Record Management
All documents required by the ISMS are controlled through the Fujitsu Control of Documents
Policy
Records are established and maintained to provide evidence of conformity to requirements and
the effective operation of the ISMS.
7.2 Key ISMS Documents and Records
The following key documents support the ISMS:
Document Location Retention
Description
ISMS Manual (this Dimensions Life of the ISMS
document)
Statement of Dimensions Life of the ISMS.
Applicability
POA Information Dimensions Life of the ISMS.
Security
Management
Forum TOR's
Risk Registers STREAM/Sharepoint Life of the ISMS.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIALIN Ref: SVMISECIMANT0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 20 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
2
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Risk Treatment Dimensions/Sharepoint Life of the ISMS
Plans
Integrated Sharepoint Current year +1
Assessment
Schedule [IAS]
Audit Reports Sharepoint 7 years
Reports of TS 7 years
Security Incidents
ISMF Minutes SharePoint Life of the ISMS
Information Sharepoint: POA Life of the ISMS
Security Monthly Secured Share
Report
8 Key Personnel
All staff have a responsibility to protect POA assets and some play a specific role in the running
and management of its ISMS.
Full details of key Fujitsu Services POA Security responsibilities are contained within the
Information Security Policy. In summary the key roles and associated responsibilities are as
follows:
8.1.1 Fujitsu Services POA Delivery Executive
The information security-related responsibilities of the Fujitsu Services POA Director include:
e¢ Overall control and assignment of information security responsibilities throughout the
Fujitsu POA;
« Sponsor of adequate resources for information security;
e Assignment management for the Chief Information Security Officer; (CISO);
e Appointing an experienced security professional responsible for managing and
coordinating security across the complete POA domain in the CISO role.
8.1.2 Chief Information Security Officer (CISO)
The CISO is accountable for design, implementation and delivery from within the POA Security
function. This includes strategy, planning, resourcing and management of the security
programme to support the ISMS and the other major security obligations in the POA.
Responsibilities include:
* owner of the Fujitsu Services POA Information Security Policy;
e point of engagement and escalation for all areas of POA and Fujitsu's operations and
management with regards to the POA security function
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 21 of 1
2
FUJITSU
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
overall design of risk management and assurance approach, including deciding the
criteria for risk treatment and reporting/escalation where necessary;
ensuring the security organisation and roles are properly structured and resourced;
direction of security resources within the Security Operations, Risk Management and
Governance activity;
authority for approving POA Security Policies, Procedures and Risk Management
documentation;
managing and directing the security functions relationships with the Post Office;
to ensure that compliance with all contractual and other obligations are maintained in
conjunction with the Quality and Compliance function.
Also by co-ordinating Security Operations [through the Security Operations Manager] to:
ensuring that security incidents are recorded and investigated;
monitor compliance with the POA Information Security Policy;
ensuring all POA Staff are screened in line with contractual requirements, FS Group
Policy and this policy;
ensure that security relevant events are recorded;
ensure that system audit trails are analysed on a regular basis;
analysis and evaluation of information security risks as presented through Change
Management process; deliver security data, metrics and operational issues to / from the
ISMF;
manage delivery of Security Services to the Post Office and internally as described
and/or amended by the contract and other agreements;
audit and manage compliance with POA security policies and procedures;
deliver security induction and awareness activities to the POA.
8.1.3 Quality & Compliance Manager
The information security-related responsibilities of the Fujitsu Services Quality & Compliance
Manager include:
Facilitate and support the introduction of new quality standards and/or regulatory
requirements providing SME knowledge
Support the Change Process through reviewing and impacting Change Proposals from a
Quality and Compliance Perspective.
Represent POA Quality and Compliance at the Joint Audit Board Meeting and ensure
Fujitsu actions recorded, distributed to owners and cleared in a timely manner.
Report to the ISMF on Quality & Compliance activities for POA. And provide advice and
guidance relating to Quality and Compliance issues
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 22 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
¢ Facilitate the POA Quarterly Quality & Security Management Meetings. Ensure
Stakeholders are aware, informed of progress and internal issues are resolved quickly
« Manage the network of POA Quality Leads/SME’s to improve quality and embed
standards and continuous improvement
e Ensure remediation plans are on track and report progress to POA Leadership Team
e Ensure all business proposals are impacted for Quality and Compliance perspective
« Owns and maintains the Integrated Audit Schedule
8.1.4 Staff Responsibilities
All POA Staff have an Information Security related objective to ensure awareness of their
security responsibilities and security procedures. Security Induction Training ensures all staff
know where to find security procedures, are familiar with their contents, and understand their
own responsibilities for compliance.
The information about which staff should be aware includes:
Physical security controls and visitor procedures
Clear desk policy, careful communications and storage
Protecting Fujitsu documents and media and protecting POA information
Reporting security incidents
Responsibilities for the protection of personal data
Acceptable use of Fujitsu equipment, Internet and email
Working at home and out of the office
8.1.5 Other Responsibilities
The following table identifies other key roles, responsibilities and, where appropriate, authority
levels and training requirements:
ROLE RESPONSIBILITIES AUTHORITY COMPETENCIES
Asset Owners Management & control of the Executive & line General ISMS
asset for which they have management Awareness + BMS
primary ownership
Line Management I Commitment to ISMS Executive & line General ISMS
Reporting and investigation of management Awareness + BMS.
security incidents, contribution
to BC plans, testing and lessons
learnt
9 Compliance and Reporting
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 23 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.1
9.2
9.3
ISO/IEC 27001 Compliance Audits
In support of the ISO/IEC 27001 compliance requirements, and to provide ongoing assurance of
compliance, regular compliance audits (Health Checks) will be conducted. As directed by the
CISO, the scope and terms of reference for each of these audits will be determined in advance
and agreed with the manager of the area(s) to be audited.
For each ISO/IEC 27001 control within the scope of the ISMS the following is reviewed:
Clear, accepted responsibility for the aspect of Information Security which is subject to that
control;
Confirmation from the organisation that the relevant control is in place, documented and
effective;
Documentary evidence (records/logs etc. in either electronic or hardcopy format), which can be
inspected to confirm the controls are in place and functioning as intended. Inspection is on a
sampling basis.
All findings are logged on the Fujitsu Services Assessment Database and updated as action is
taken.
All audits will be carried out by suitably trained auditors with auditing qualifications e.g. /ISO/IEC
27001 Lead Auditor/ Auditor.
Audits are carried out as part of the POA Integrated Audit Schedule, managed by the Quality and
Compliance function. Additional audits are carried out on a regular basis by the FS Manage
Information Security Process Champion and Fujitsu Services Business Assurance. As part of
ISO/IEC 27001 registration, independent external audits will be conducted as determined by the
audit body.
Reporting
Monthly security reports are produced for the ISMF which include data and details in relations to
security services and Operational Security issues, incidents, events and data. In addition the
CISO reports on a monthly basis to the ELT and Quarterly Quality and Security Board on issues
of Business and Security Risk and any issues with security organisation and effectiveness.
A subset of data will also be represented in the POA Dashboard.
Supporting Post Office Ltd Compliance
The POA CISO is responsible for supporting Post Office Ltd in its compliance to information
security regulatory and contractual information security requirements, through:
e Ensuring agreed information security controls are managed and effective
« Completing security questionnaires from POL and any of its clients e.g. LINK
« Participating, following a formal written request from POL, in routine audits such as
those conducted by POL's Internal Audit team or as part of an overall audit of POL’s PCI
compliance.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 24 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9.4 Legal Compliance
The Fujitsu Services Corporate Legal Department monitors legislation which is applicable to the
Fujitsu UK & I business. They will provide information, advice and guidance to the UK & I
Divisions to ensure corporate compliance is maintained with statutory requirements.
Within Core Division, the Information Assurance Group publish and maintain the Fujitsu UK&l
[corporate] Security Policy Manual and all the related sub-policies specific to the use of
corporate assets and corporate network activity.
CMPO06 provides a specific policy statement on the review of processes against current
legislation and standards and CMP05 details applicable Policies and Standards relevant to IT
processes.
10 Communication and Awareness
The POA Induction process for new joiners includes security induction and awareness material
that is appropriate both as a reminder of Fujitsu Security Policy and responsibilities and those
specific areas of information security especially relevant or specific to the account.
The induction material will be reviewed and updated by the Security Operations team within the
security function. In addition the CISO, Delivery Executive or Security Operations Manager will
issue security notices and reminders on a needs basis.
11 Security Operations
11.1 User Administration
The Security Operations Team will be responsible for:
e The administration, issuing and audit of Two Factor authentication used by system
administrators and support staff accessing the Live Service;
e Ensuring that Fujitsu users of POL Services are validated (BS + Experian checks) before
being given access to the live Service.
The Security Operations Manager is responsible for ensuring that these tasks are carried out in
accordance with the Security Policy and for authorising physical access rights requiring strong
authentication for secure access.
11.2 Administration of Changes
Operational Change Management is the responsibility of the Change Management Team within
Service Management.
The Security Operations Team is responsible for reviewing change requests and assessing the
impact of changes for compliance with Security Policy and Controls and for any impact on the
Confidentiality, Integrity and Availability of Services. They are supported in the technical aspects
of these assessments by the Technical Security Architect.
11.3 Acceptance into Service
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 25 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Responsibility for accepting new Services rests with the Service Introduction Manager who is
responsible for ensuring that new services that have identified security requirements have been
addressed and any assurance undertaken to the satisfaction of the CISO as delegated to the
appropriate authority for the applicable governance mechanism. The process shall ensure that
the security elements of Acceptance into Service have been met and this will be approved via
the Security Operations Team.
11.4 Analyse Security Logs
The Security Operations Team is responsible for providing a number of security event
management and firewall event analysis activities:
e Managing and operating the audit mechanisms and security event management system
(including firewall events) to monitor, detect, track, record and report events that might
threaten the security of the Service Infrastructure (security weaknesses). This includes
the review of security event filter to optimise performance;
e Regularly analysing audit trails to identify trends and to assist the investigation of
security incidents/breaches;
e Establishing and monitoring adequate firewall policies / rule bases based on the output
of risk assessments as appropriate;
«© Where potential attacks, or areas of vulnerability, are identified ensuring prompt
investigation and providing advice for any remedial action (as part of security incident
management) to minimise the impact of any security breach.
Any successful attacks will be subject to the POA Customer Service Incident Management
Process.
11.5 Anti-Virus and Malicious Software Management
The Operational Security team provides a number of anti-virus and malicious software
management activities. For HNG-X, Sophos/ESET AV offers a level of protection against known
malware.
Managing the distribution of updated anti-virus software across the live estate to protect the
Services from malicious software, including regular ‘Signature’ updates to identify and cleanse
new and emerging virus strains;
Configuring, and maintaining, alerting mechanisms and event filters to provide automatic
notification and prompt virus incident response (in accordance with security incident response
procedures);
Regular checking of emerging viruses and other malicious software to determine any required
defensive measures;
11.6 Security Incident Management
The Operational Security Team participate in the POA Customer Service Incident Management
Process (SVM/SDM/PRO/0018) and POA Customer Service Problem Management Process.
(SVM/SDM/PRO/0025) with regard to Security related Incidents and Problems.
The Operational Security Manager is the prime point of contact for information security related
events, incidents and breaches and is responsible for communicating relevant security incident
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 26 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
Fe)
FUJITSU ‘
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
details to POL, as well as attending the monthly ISMF meeting to review information security
incidents.
11.7 Cryptographic Key Management
The Operational Security Team provide a key management service to control the certification
and distribution of cryptographic key material used to protect the confidentiality and integrity of
Post Office business data. This consists of three primary activities:
Managing cryptographic key suppliers;
Manual cryptographic key management - creating, distributing, auditing and replenishment of
manual cryptographic keys;
Managing an automated Key Management System (KMS) - creating, distributing and
replenishment of cryptographic material as well as assisting support teams with error resolution
and problem management related to the KMS.
The KMS is a critical business system and as such is subject to service optimisation and the
provision of business continuity arrangements.
An actual, or suspected, compromise of any keys (including PIN Pads) will be treated as a
security incident and managed accordingly. In particular, key change mechanisms will be
invoked. If a key is identified compromised a corrective action plan will be carried out in
accordance to the agreed correct action response for that key.
An actual, or suspected, compromise of any keys (including PIN Pads) will be treated as a
security incident and managed accordingly. In particular, key change mechanisms will be
invoked.
11.8 Information Retrieval and Prosecution Support
The Security Operations Team is responsible for the management of the day-to-day extraction of
transaction and event data from the audit system, the analysis of supporting information and the
provision of associated investigation / prosecution support. This requires close co-operation with
Audit and Investigation staff in Post Office Ltd, the provision of witness statements and reports,
and possible attendance at Court to give evidence.
Data extracted can be in response to either Transaction Record Queries, or Audit Record
Queries, including APOP Voucher Queries (Reference document SVM/SDM/SD/0017).
Activities under this section constitute a Service to Post Office Ltd in support of their
investigation and prosecution activities. It is not intended to represent an audit activity of user
activity for security risk purposes.
11.9 Physical Access Control
The Security Operations Team is responsible for the administration, issue and control of the
Fujitsu Services (Post Office Account) Ltd Horizon Security Passes. All staff that require access
to a Post Office branch to provide support and maintenance will need to be issued with a Horizon
Security Pass. The Horizon Security Pass allows employees of the Post Office Account (POA)
to be identified as those who have been successfully vetted by Post Office Limited (POL).
In addition access to Fujitsu sites, offices and rooms used in the execution of business in the
POA are requested and managed through Site Facilities and Fujitsu Group Security processes.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 27 of 1
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
fee)
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
12 Business Continuity Management
Comprehensive Business Continuity Management is in place within POA and associated
documentation can be found in Dimensions.
13 Electronic Mail
Information is transmitted in accordance with Fujitsu Services (and where appropriate POL)
policies and procedures for the use and management of email systems.
©Copyright Fujitsu Services Ltd 2012 FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
UNCONTROLLED IF PRINTED Page No: 28 of 1
2
FUJITSU
FUJ00232652
FUJ00232652
POA Information Security Management System (ISMS) Manual
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
14 Appendix A — Asset Types
The Asset, together with owners, are documented within the Acuity Stream Database. All assets are
grouped by Asset Class. The table below contains the Asset Classes currently configured in Stream.
Details of full assets and their ownership can be output from Acuity Stream.
AssetClassName
I Description
3rd Party
3rd Party Service
Internal 3rd Party
Application
Customer
Counter
FS Corporate Systems
External Connection
Ops Function / Team
Non Ops Function/Team
ISMS
Location / Room
Media
Network
Organisation
Platform
Pcl DSS
Peripherals
PinPad
Site
3rd Party organisation
Services provided by 3rd Parties
Other Fujitsu Business Units
Business & Support Applications
Customer
Post Office Counters
External Connections to 3rd Parties and Clients
Operational Functions / Teams
Staff with non operational roles
POA ISMS Scope
Locations - includes Rooms and facilities
Mobile Storage Devices of any kind
Communications Infrastructure
Organisational Unit
Information System (Hardware and Operating System)
PCI DSS Scope
Other Peripherals Devices attached to platforms or end user devices
Counter Pin Pad for card payment
Buildings
©Copyright Fujitsu Services Ltd 2012
UNCONTROLLED IF PRINTED
FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVMISEC/MAN/0003
CONFIDENCE) Version: 3.0
Date: 21-Dec-2012
Page No: 29 of 1