FUJ00232658 - HNG-X Support Services Business Continuity Plan


FUJITSU

POA HNG-X Support Services Business Continuity Plan

FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)

Document Title: HNG-X Support Services Business Continuity Plan

Document Reference: SVM/SDM/PLA/0001

Document Type: Plan

Release: Release Independent

Abstract: This plan provides a summarised description of the HNG-X support service. This document also details the planned actions which can be taken to minimise the risk of one or more of these services not being available.

Document Status: Approved

Author & Dept: Changdev Pawashe, Business Continuity

Internal Distribution: Tony Atkinson, Steve Parker, Alex Kemp, Leighton Machin, Andy Hemingway, Andrew Gibson, Craig Rogers, Ed Ashford

External Distribution: Anna Schofield, Disaster Recovery Analyst, Post Office Account, ATOS. APPROVED Versions only

Security Risk Assessment Confirmed: YES, security risks have been assessed, see section 0.9 for details.

Alex Kemp, Senior Operations Manager

This Business Continuity Plan is one of four. If the POA Duty Manager (or other authorised person) is unable to find the failed infrastructure service or components in this plan they are mandated to refer to SVM/SDM/PLA/0002 the HNG-X SERVICES BUSINESS CONTINUITY PLAN.

In the unlikely event of an HNG-X Security violation the POA Duty Manager (or other authorised person) is referred to SVM/SDM/PLA/0031 the HNG-X Security Business Continuity Plan.

A fourth Business Continuity plan SVM/SDM/PLA/0030 the HNG-X Engineering Business Continuity Plan has been produced to specifically cover the Engineering Service provided by Fujitsu Services Field Maintenance Services.

© Copyright Fujitsu Services Limited 2014
FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
UNCONTROLLED WHEN PRINTED OR STORED OUTSIDE DIMENSIONS
Ref: SVM/SDM/PLA/0001
Version: 2.0
Date: 15-Oct-2014
Page No: 1 of 216


0 Document Control
0.1 Table of Contents

0 DOCUMENT CONTROL
0.2 Document History
0.3 Review Details
0.5 Abbreviations
0.6 Glossary
0.7 Changes Expected
0.8 Accuracy
0.9 Security Risk Assessment
1.0 INTRODUCTION
1.1 Using this document
1.2 Business Continuity Plans for HNG-X
2 SCOPE
3 OWNERSHIP AND OPERATION
4 SERVICE FUNCTIONALITY
4.1 Services Overview
4.1.1 Infrastructure Sub-services
4.1.2 Operational Support Sub-Services
4.2 Support Services
4.2.1 The Security Management Service
4.2.1.1 Security Strategy
4.2.1.1.1 Application
4.2.1.1.2 Data
4.2.1.1.3 Operating System
4.2.1.1.4 Network
4.2.1.2 Data Integrity and Confidentiality
4.2.1.3 Audit Server (ARC)
4.2.1.4 Active Directory Domain Controller (ACD)
4.2.1.5 Security Domains (DOX)
4.2.1.6 Firewall Security Manager (NFM)
4.2.1.7 Domain Name System (DNS)
4.2.1.8 Intrusion Prevention System (IPS)
4.2.1.9 Radius & TACACS+ Services (NS)
4.2.1.10 Key Management Service
4.2.1.11 Network Persistent Store (NPS)
4.2.1.12 KMNG Workstation
4.2.1.13 KMNG Operator
4.2.1.14 Key Server
4.2.1.15 Key Server Operator
4.2.1.16 Key Server Client
4.2.1.17 Key Server Resilience
4.2.1.18 Key Server Certificate
4.2.1.19 Key Server Access Control
4.2.1.20 Key Server RSA Key Set
4.2.1.21 Key Server Initialisation

4.2.1.22 Remote Management and Recovery
4.2.1.23 Remote Monitoring
4.2.1.24 SSL
4.2.1.25 CHAP
4.2.1.26 PIN Management
4.2.1.27 Counter
4.2.1.28 Hardware Security Module (HSM)
4.2.1.29 PIN PAS
4.2.1.30 Root Certification Authority (CA)
4.2.1.31 Secure Configuration Assistant (SCA)
4.2.1.32 Money Gram Password
4.2.1.33 BAL Oracle User Password
4.2.1.34 Component Interaction
4.2.1.35 Branch Access Layer
4.2.1.36 Key Enforcement Policy
4.2.1.37 Key Change Synchronisation
4.2.1.38 Identity and Access Management Service
4.2.1.39 Secure Event Management Service
4.2.1.40 Vulnerability Management Service
4.2.1.41 Payment Card Industry Solution (PCI)
4.2.1.42 Bluecoat (Reverse Proxy Service)
4.2.1.43 HBS - Web Server
4.2.2 System Management Service (SMS)
4.2.2.1 Service Summary
4.2.2.2 Service Availability
4.2.2.3 SYSMAN3 Overview
4.2.2.4 Tivoli Management Framework (SYSMAN)
4.2.2.5 System Management Platforms
4.2.2.6 Event & Systems Monitoring
4.2.2.7 Fujitsu Network Management Systems (NMS / NNM)
4.2.2.8 Real Time Active Dashboard (RAD)
4.2.2.9 Software Distribution and Asset Management
4.2.2.10 Remote Access and Diagnostics
4.2.2.11 Time Synchronisation
4.2.2.12 High Level Scheduling
4.2.2.13 Enterprise Boot Server (
4.2.2.14 Server Provisioning
4.2.2.15 Service Monitoring
4.2.2.15.1 Active Monitoring
4.2.2.15.2 Passive Monitoring
4.2.2.15.3 Event Processing
4.2.2.16 Branch Agent
4.2.2.17 Campus Agents
4.2.2.18 Related Actions
4.2.2.19 Event Management Infrastructure
4.2.2.20 Branch Counter
4.2.2.21 Branch Router Events
4.2.2.22 Campus Events
4.2.2.23 Links to Known Error Logs (KELs)
4.2.2.24 Related Actions
4.2.3 Operational Business Branch Change (includes OBC) Management / Estate Management Service
4.2.3.1 Branch Change Management (includes OBC) Overview
4.2.3.2 Estate Management Overview
4.2.3.3 Main Components
4.2.3.4 Estate Management Systems
4.2.3.5 Estate Management Operations


4.2.3.6 System Operations
4.2.3.7 Estate Management interfaces
4.2.3.8 Estate Management Server (EST)
4.2.3.9 EST Endpoints
4.2.3.10 EST Endpoint Clients
4.2.3.11 Boot Platform
4.2.3.12 Boot DMZ
4.2.3.13 MTAS Access
4.2.3.14 Scheduler Functions for Estate Management
4.2.4 Reconciliation Services
4.2.4.1 Management Information Services (MIS) Overview
4.2.4.1.1 MIS Clients
4.2.4.2 The Data Reconciliation Service (DRS)
4.2.4.2.1 Reconciliation Reporting - HNG-X Outlets to DRS
4.2.4.2.2 Reconciliation Reporting - POA DRS to PO Ltd
4.2.4.3 Data Warehouse
4.2.5 End to End Reconciliation Service
4.2.6 POLSAP Development and Test/QA Services
4.2.6.1 POLSAP Hosting Development Service
4.2.6.2 POLSAP Hosting XI QAtest Load Service
4.2.6.3 POLSAP Hosting QATest Archive Service
4.2.7 Network Services
4.2.7.1 Branch Network Service
4.2.7.2 Branch Network Service
4.2.7.2.1 Time to Repair
4.2.7.2.2 Maintaining Contact with the HNG-X Central Infrastructure
4.2.7.3 Branch Service Structure
4.2.7.4 Client Links
4.2.7.5 The Branch Resilient Network (BRN)
4.2.7.6 Branch Router Overview
4.2.7.7 Branch Network Overview
AEI Interim Branch Connectivity
4.2.7.8 Wireless WAN Service
4.2.7.9 Data Centre LANs
4.2.7.10 WAN Connectivity - Fujitsu sites to IRE11 & IRE19 Data Centre
4.2.8 Fujitsu Shared Services
4.2.8.1 Shared Data-centres
4.2.8.2 TRIOLE for SERVICE (TfS) - Shared Incident Management System
4.2.8.3 ConnectDSL - Shared Service - SDC / TCY
4.2.8.4 Fujitsu Global Cloud Platform (Salesforce)
4.2.8.5 Cloud Connect VPN service and Cloud connect network service, NETWORK SUB-SYSTEM DESCRIPTION
4.2.9 External Suppliers
4.2.9.1 VODAFONE Networ
4.2.9.2 Transaction Network Services (TNS)
4.2.9.3 Talktalk Business
4.2.9.4 EMC - Disk Storage Supplier
4.2.10 Data Centre Operations Service
4.2.11 Support Services
4.2.11.1 The System Management Centre (SMC)
4.2.11.2 POA Customer Service
4.2.11.2.1 Reference Data Team (RDT)
4.2.11.2.2 Third Line Support Services (SSC)
4.2.11.2.3 Reconciliation Service
4.2.11.2.4 Management Information Systems (MIS)

4.2.11.2.5 Service Introduction (SI)
4.2.11.2.6 Change Control
4.2.11.2.7 Configuration Management - Signing Server
4.2.11.2.8 Live System Team
4.2.11.2.9 Fourth Line Support
4.2.12 Operational Services sub-group
4.2.12.1 The Systems Operate Service
4.2.12.1.1 UNIX System Support Service
4.2.12.1.2 Database Support Service
4.2.12.1.3 Windows NT/WINTEL Support Service
4.2.12.1.4 Systems Security Team
4.2.12.2 Network Support Services
4.2.13 The Major Account Controllers (MAC)
4.2.13.1 Overview
4.2.13.2 Communications Management Team
4.2.13.3 Major Account Controllers (MAC)
4.2.13.4 Electrical Power
4.2.14 The Message Broadcast Service (MBS)
4.2.14.1 Service Availability
4.2.15 Service Integration Service
4.2.16 Receipt Template Service
4.2.17 Service Management Service
4.2.17.1 Service Elements
4.2.17.2 Loss of primary operational office site in Bracknell
4.2.18 Internet Data Exchange (OXi)
4.2.19 Corporate Data Exchange (DXC)
4.2.20 Performance & Capacity Management (SPN)
4.2.21 Branch Support Database System (BRSS)
4.2.21.1 Overview
4.2.21.2 Data Population
4.2.21.3 Support Interface
4.2.21.4 Resilience / Fail-over
5 TESTING STRATEGY
5.2 Ongoing Test Strategy
6 PREVENTATIVE MEASURES
6.1 Major Account Controllers (MAC) DR facility
6.2 Triole for Service (TfS) - Service Desk system
6.3 Data Centre Operations Services (IRE11 / IRE1
6.3.1 Environment Monitoring Facilities
6.3.2 Data Centre Air Conditioning - IRE11 & IRE19
6.3.3 Data Centre Power - IRE11 & IRE19
6.3.4 Oracle Real Application Cluster (RAC)
6.3.5 Oracle DataGuard
6.3.6 Disk Storage Arrays
6.3.7 SAN Fabric
6.3.8 Host Systems
6.3.9 Blade Frame and Storage Overview
6.3.10 BladeFrame Connections
6.3.11 BX900/PAN7
6.3.12 Salesforce Support Service
6.4 Network Services
6.4.1 Network Capacity into Data Centres

6.4.2 Data Centre Network Topology
6.4.3 Data Centre Disaster Recovery (DR) - Network
6.4.4 Fujitsu Network Management Systems (NMS / NNM)
6.4.5 Vodafone Network Management Centre
6.4.6 Vodafone ISDN Availability
6.4.7 Fujitsu Services SDC01 & TCY01/02 Data Centres & ADSL Service
6.4.8 Wireless WAN Availability
6.4.8.1 Orange Wireless WAN - Availability & Resilience
6.4.8.2 Branch Router Availability
6.4.9 Transaction Network Services UK LTD (TNS)
6.4.10 Post Office Limited Northern Data Centres
6.5 The Security Service
6.5.1 Key Management Servers and Database - HNG-X
6.5.2 KMNG Workstations
6.5.3 Tivoli Infrastructure
6.6 Branch and Estate Change Management Recovery and Resilience
6.6.1 Estate Management Database Server (EST)
6.6.2 Boot Platform
6.6.3 Branch Change Management Server (BCMS)
6.6.4 Radius Authentication
6.6.5 Hardware Resilience for Estate Management Platforms
6.6.6 EMDB Database Backups
6.7 Reconciliation Service
6.8 POLSAP Development and Test QA Services - IRE19
6.9 System Management Service
6.9.1 System Management Platforms - Resilience
6.9.2 Loss of Network Communications to IND49/STE04
6.9.3 Buildings - Blackpool BLA01 - MSS North / SMG
6.9.4 Buildings - IND49 - SMC
6.9.5 People - MSS
6.9.6 People - SMC in IND49
6.10 Operational Support Services
6.10.1 The Systems Operate Service
6.10.1.1 Activation
6.10.1.2 Loss of Documentation server
6.10.1.3 Loss of Electrical Power
6.10.1.4 Loss of Telephone exchange
6.10.1.5 Loss of the IRE11 Office area
6.10.2 Support Services
6.10.2.1 The System Management Centre (SMC)
6.10.2.2 POA Customer Services - Overview
6.10.2.2.1 Incident Management
6.10.2.2.2 Peak Support Incident Management
6.10.2.3 Configuration Management - Signing Server
6.10.2.3.1 Change Control
6.10.2.3.2 Development Operational Support Live System Team (LST)
7 PREPAREDNESS MEASURES
7.1
7.2 Management & Delivery
7.3 Risk Analysis
8 CONTINGENCY MEASURES


8.1 Recogni
8.2 Activation
8.3 Incident Management
8.4 Initiation of Recovery Procedures
9 RECOVERY OF NORMAL SERVICE
9.1 Recovery Time Objectives and Recovery Point Objectives
9.1.1 HNG-X Infrastructure RTO and RTP Objectives
9.1.2 HNG-X Services Disaster Recovery RTO and RPO Objectives
10 IMPACT & RISK ASSESSMENT
10.1 Risks Identified Against the HNG-X Support Services
10.2 Trigger Tables for HNG-X Support Services
11 RISKS IDENTIFIED AGAINST MAJOR ACCOUNT CONTROLLERS (MAC)
11.1 Trigger Tables for Major Account Controllers (MAC)
12 SUMMARY OF CONTINGENCY ACTIONS
12.1 Summary of Contingency Actions for HNG-X Support Services
12.1.1 Reconciliation Service
12.1.2 Security Management Service
12.1.3 Branch Change Management Service
12.1.4 Estate Management Service
12.1.5 Network Services
12.1.6 Data Centre Operations Service
12.1.7 SAP Development and QA-Test Systems
12.1.8 System Management Service
12.1.9 Support Services
12.1.10 System Operate Services
12.1.11 Reference Data Management Service
12.1.12 Service Integration Service
12.1.13 Receipt Template Service
12.1.14 Service Management Service
12.2 Summary of Contingency Actions for the MAC
12.2.1 BT Telephone Call Delivery System, via IVR (NI
12.2.2 Loss of Functionality in STE04 for MAC
12.2.3 People
12.2.4 Manual Processes due to total loss of TfS Incident Management System
12.2.5 Loss of access to Tivoli / KMA / Global User Counter / One Shot Password System
12.2.6 Loss Commander Call Management
13 POST OFFICE LIMITED FAILURES IMPACTING POA SERVICES
13.1 Post Office Limited failures impacting POA RDMS Service
13.2 POL and AP Client failures impacting POA APS Service
13.2.1 Post Office Limited
13.2.2 AP Clients
13.3 Post Office Ltd failures impacting POA TPS Service
13.4 Post Office Ltd and Supplier failures impacting POA NBS Service
13.5 Post Office Ltd and Supplier failures impacting POA DCS Service
14 PLAN ACTIVATION
14.1 Major Business Continuity Incident (MBCI)


14.2 Site Failover
15 CONTACT LIST
15.1 Normal Processes
15.2 Escalation Processes
16 APPENDICES
16.1 Appendix One: Post Office Outlet Trigger Table
16.2 Appendix 2 IRE11 - IS Data Centre Information
16.3 Appendix 2 IRE19 - IS Data Centre Information


0.2 Document History

05/12/08: Initial draft. Sent out for Technical review. None

02 2307S: Updated Draft following restricted comment oye. None

03 09/04/09: Updated by Nigel Bailey following comments on draft version and request for additional content from Tony Wicks. Format and layout corrections. None

oa 9/04/09 ne: Tidy up by Tony Wicks before sending out on comment 6. None

10 27/10/09: Updated personnel mentioned along with comments received through internal document review. Also updates inline with internal audit. Input from Vc Lawson and Nigel Hatcher regarding audit updates.

aanyno™: Reviewed and updated Reconciliation Service. Pete win Cate ne. None

27/05/11:
Replaced refs of POLFS with POLSAP
Removed majority of references to Wigan
Removed refs to SMC bridging
Updated doc to reflect SMG/MSS location as BLA01
Changed refs of Bangalore to IND44
Changed refs of MAC to IMT
Added mention of POA Networks now residing at WAR01.
Added new info about laptops held by EMS for DR purposes.
Added risk for loss of CRE02
Improved structure of trigger tables including addition of an index table

12 ose: Created version 1.2 for formal review cycle based upon changes made in sub versions up to and including v1.1.2 (see v1.1 changes). None

OVOsaTS: Added POMS (section 4.2.7.6) & Bluecoat (Reverse proxy server). None

14/8/2014: Document updated for formal Review. Also SSC comments updated.

Ta OTTO: Updates in response to review comments. None

0.3 Review Details


19-Sep-2014

Changdev Pawashe & Post Office Account Document Management

Name
POA MAC SDM: Sandie Bothick
POA Networks SDM: Roger Stearn
POA SAP & Online services: Gaby Reynolds
Credence SDM: S Edmondson
POA Client Services Manager (Engineering, OBC): Leighton Machin; Chris Harrison
POA Security SDM (includes Reconciliation, Key Management): Kumudu Amaratunga
Infrastructure Operations SDM: Andrew Hemingway
Incident & Problem Management SDM: Steve Bansal
SSC Manager: Steve Parker; SSC Duty Manager
System Owner: Andy Gibson / Ed Ashford / Paul Stewart / Joe Diffin

Role: Name
POA Senior Operations Manager: Alex Kemp
POA Solutions Architect: Krishnaral Selvaraj
POA Service Transition and Change: Tony Atkinson

Position/Role
SMC Manager: Jacob Cherian
Networks Architect: Steve Freke; John A Clarke
Architect: Jason Clark
HNS Networks Manager: Raj Patel
MSS / SMG Operations Manager: Jerry Acton
NT Management: Tan Gibson
IRE11 / IRE19 Datacentre Operations Manager: John ll
Problem Manager: Steve Gardiner
Problem Manager: Tony Wicks

Name

(*) = Reviewers that returned comments

0.4 Associated Documents (Internal and External)


Reference | Version | Date | Title | Source
ARC/APP/ARC/0005 | | | HNG-X Online Services Architecture | Dimensions
ARC/APP/ARC/0007 | | | HNG-X Batch Applications Architecture | Dimensions
ARC/SEC/ARC/0003 | | | HNG-X Technical Security Architecture | Dimensions
ARC/SYM/ARC/0001 | | | System and Estate Management - Overall Architecture | Dimensions
ARC/SYM/ARC/0003 | | | HNG-X System and Estate Management Monitoring | Dimensions
ARC/SYM/ARC/0005 | | | HNG-X Estate Management Component Architecture | Dimensions
CON/MGM/005 (ePi00C/021) | | | Post Office Limited and Fujitsu Services Business Continuity Interface Agreement | Post Office Limited
DES/APP/HLD/0007 | | | DCS Authorisation Agent High Level Design | Dimensions
DES/APP/HLD/0012 | | | DVLA Internal Web Service High Level Design | Dimensions
DES/APP/HLD/023 | | | Branch Support Database High Level Design | Dimensions
DES/APP/HLD/0030 | | | Audit Data Collection & Storage High Level Design | Dimensions


DES/APP/HLD/033 | | | Data Reconciliation Service High Level Design | Dimensions
DES/APP/HLD/0082 | | | Data Warehouse High Level Design | Dimensions
DES/MIG/HLD/0004 | | | POL FS - Migration HLD | Dimensions
DES/NET/HLD/0006 | | | Domain Name System | Dimensions
DES/NET/HLD/0018 | | | Corporate Data Exchange Proxy High Level Design Specification | Dimensions
DES/PER/HLD/0002 | | | HNG-X - Capacity Management Database High Level Design | Dimensions
DES/PPS/HLD/0003 | | | Active Directory High Level Design for HNG-X | Dimensions
DES/PPS/HLD/0024 | | | HNG-X Datacentre Platform Foundation Bootstrap HLD | Dimensions
DES/SEC/HLD/0003 | | | HNG-X Key Management High Level Design | Dimensions
DES/SYM/HLD/0001 | | | MON Supporting Platforms | Dimensions
DES/SYM/HLD/0002 | | | MON Supporting Agents | Dimensions
DES/SYM/HLD/0014 | | | SYSMAN3 User Access | Dimensions
DES/SYM/HLD/0034 | | | SYSMAN3 - Backup, Availability and Disaster Recovery High Level Design | Dimensions
DES/SYM/HLD/0036 | | | SYSMAN3 - Branch Router Management | Dimensions
DES/SYM/HLD/0048 | | | Tivoli Real Time Active Dashboard - Business Process Views | Dimensions
DEV/INF/LLD/0047 | | | Internet Access LLD | Dimensions
DEV/INF/LLD/0051 | | | Low Level Design for McAfee Intrushield IDS/IPS Appliance | Dimensions
DEV/INF/LLD/0077 | | | Radius and TACACS+ Platform - Low level design | Dimensions
DEV/INF/LLD/0080 | | | Branch Router Wireless WAN Service Network | Dimensions
DEV/INF/LLD/0083 | | | HNG-X Vulnerability Scanner Low Level Design | Dimensions


DEV/GEN/SPE/0007 | | | Platform Hardware Instance List | Dimensions
PGM/DCM/TEM/0001 (DO NOT REMOVE) | | | Fujitsu Services Post Office Account HNG-X Document Template | Dimensions
SVM/SDM/PLA/0001 | | | HNG-X Support Services Business Continuity Plan | Dimensions
SVM/SDM/PLA/0002 | | | HNG-X Service Business Continuity Plan | Dimensions
SVM/SDM/PLA/0003 | | | HNG-X Business Continuity Operational Test Plan | Dimensions
SVM/SDM/PLA/0030 | | | HNG-X Engineering Service Business Continuity Test Plan | Dimensions
SVM/SDM/PLA/0031 | | | HNG-X Security Business Continuity Test Plan | Dimensions
SVM/SDM/PRO/0028 | | | Fujitsu Services POA Customer Service HNG-X Business Continuity Management Process | Dimensions
SVM/SDM/SD/0014 | | | OBC Branch Change Service | Dimensions
SVM/SDM/SD/0020 | | | End to End Reconciliation Reporting | Dimensions
SVM/SDM/SD/0019 | | | Communications Management Team: Service Description | Dimensions
SVM/SDM/SD/0022 | | | Receipt Template Service: Service Description | Dimensions
SVM/SDM/SD/0007 | | | Service Management: Service Description | Dimensions
SVM/SDM/SIP/0001 | | | HNG-X Business Continuity Framework | Dimensions

0.5 Abbreviations
[A]: Authorisation
[C]: Confirmation
[F]: Financial Advice Note

[R]: Request
AAC: Application Authentication Cryptogram - generated by the ICC as a result of a failed transaction
ACS: Auto-Configuration Service
ADSL: Asymmetric Digital Subscriber Line
AEI: Application Enrolment and Identity (AEI) service
AIS: Application Interface Specification
AP-ADC: Automated Payments-Advanced Data Capture
APOP: Automated Payments Out-Pay
APS: Automated Payments Service
BAL: Branch Access Layer
BCM: Business Continuity Manager
BCMS: Branch Change Management System
BCMT: Business Continuity Management Team
BCT: Business Continuity Team
BDC: Bureau de Change Service (or Backup Domain Controller)
BGP
BNR: Branch Network Resilience
BRDB: Branch Database
BCDB: Branch Configuration Database (HNG-X solution)
mY.: Branch Change Management System - HNG-X replacement for OBC and OCMS
BRSS: Branch Support Database
BT: British Telecom
VODAFONE: Cable & Wireless
CAPO: Card Account for Post Office
CE: Customer Edge (Cable & Wireless Router)
CHAP: Challenge Handshake Authentication Protocol
CI: Card Issuer
CSM: Content Switch Module
CSS: Contents Services Switch
CTF: Critical Time Factors
DCS: Debit Card System
DCSM: Debit Card System Management (server)
DCOS: Data Centre Operations Service
DNS: Domain Name Server


VODAFONE: Cable and Wireless
DMZ: De-Militarised Zone
DRS: Data Reconciliation Service
DSLAM: Digital Subscriber Line Access Multiplexor
DTF: Daily Transaction Feed
DVLA POME: Department of Vehicle Licensing Authority - Post Office MOT Enquiry
DXC: Corporate Data Exchange
PODG: Post Office Data Gateway
EDS: Electronic Data Systems
EMDB: Estate Management Database Branch Change Management System
EMV: Europay MasterCard Visa standard for financial smart cards.
EoD: End of Day
EPOSS: Electronic Point of Sale Service
EST: Estate Management Server
ETS: Electronic Top-up Service
FDDI: Fibre Optic Distributed Database
FI: Financial Institution
Fics: Fujitsu Services Core Services
FRTS: First Rate Travel Service
FSCS: Fujitsu Services Core Services
FTMS: File Transfer Management Service
GPS: Global Positioning System
GSN: Global Satellite Network
HBS: Horizon Business Server
MAC: Major Account Controllers
HSM: Hardware Security Module
HTTP: Hypertext Transfer Protocol
ICC: Integral Chip Card
IP: Internet Protocol
IPS: Intrusion Prevention System
KEK: Key Encryption Key
KES: Key Encryption Seed
KM: Key Management
KMA: Key Management Application
KMC: Key Management Controller


KMS: Key Management System
LAN: Local Area Network
LAR: Logical Access Router
LCR: Logical Campus Router
LFS: Logistics Feeder Service
LNS: L2TP Network Server
MBCI: Major Business Continuity Incident
MBS: Message Broadcast Service
MID/TID: Merchant Identifier/Terminal Identifier
MIS: Management Information Service
MoT: Ministry of Transport (Roadworthiness Certificate)
MTAS: Mid Tid Allocation Service
NBR: Network Branch Resilience
NBS: Network Banking Service
NBSC: Network Business Support Centre operated by Post Office
NBX: Network Banking Service (Replacement)
NDG: Northern Data-Centre (Post Office Limited Operated)
NPS: Network Persistent Store
NNM: Network Node Manager
NMS: Network Management System
NS&I: National Savings and Investment
NSSC: National Secure Stock Control
NST: Network Service Type
NTP: Network time protocol
OS: Operating System
OBC: Outlet Business Change
OCMS: Outlet Change Management Service
OPS: Outlet Processing System
PAF: Postal Address File
PES: Personal Earth Station
PFG: Payment File Generator
PHU: Portable Hosted Unit (counter)
PIN: Personal Identification Number
POL: Post Office Limited
POLSAP: The POLSAP application that is configured by Fujitsu from SAP, to meet the business needs of Post Office.

POMS: Post Office Managed Switch
POP: Point Of Presence
PPP: Point to Point Protocol
RAB: Release Authorisation Board
RAC: Request, Authorisation, Confirmation Model
RAC (Oracle): Oracle Real Application Cluster. The full term has been used rather than the abbreviated "RAC" as this might be confused with the Network Banking Request Authorise Confirm model.
RACF: Request, Authorisation, Confirmation with Financial Advice Note
RAD: Real time Active Dashboard
RD: Reference Data
RDMC: Reference Data Management Centre
RDMS: Reference Data Management Service
RDS: Reference Data System
RMG: Royal Mail Group
POA: Post Office Account
SAS: Secure Access Server (SSN)
SMC: Systems Management Centre
SMS: System Management Service
SOAP: Simple Object Access Protocol
SORN: Statutory Off the Road Notification
SOS: Systems Operate Service
SSC: Software Support Centre
SSL: Secure Sockets Layer (also referred to as HTTPS)
T&T: Track and Trace
TC: Transaction Certificate
TDES: Triple Data Encryption Standard
TES: Transaction Enquiry Service
TFS: TRIOLE For Service
TH1: Tech Hall 1
TH2: Tech Hall 2
TIP: Transaction Information Processing
TLSS: Terminal Server Licensing server
TMR: Tivoli Managed Region
TMS: Transaction Management Service


TPM: Tivoli Provisioning Manager
TPS: Transaction Processing Service
TNS: Transaction Network Services
TWS: Tivoli Workload Scheduler
UTC: Coordinated Universal Time
VED: Vehicle Excise Duty
VOSA: Vehicle and Operations Services Agency
VPN: Virtual Private Network
WAN: Wide Area Network
XML: Extensible Markup Language

0.6 Glossary
Hydra: Is the period between the first step of the Data Centre migration (currently the POL FS move) and the last Horizon branch being migrated to the Branch Database.

Luggable/PHU: A Portable Horizon PC system (also known as a "mobile")

PGDD Service Application: The Guaranteed Delivery Date application which interacts with Neopost

Til: A term for any Terminal or Kiosk connected to HBS and so differentiated from a Horizon Counter.

0.7 Changes Expected


This is an operational document, which will be amended for numerous reasons including:

* New risks identified;
* Improved or new contingency actions are identified;
* Operational changes to the HNG-X Supporting Services Infrastructure.

1. To avoid duplication some sections that cover services or equipment used for primary and support services are only covered in SVM/SDM/PLA/0002 - may need to review after draft reviews.

2. Section 11 & 11.1 - Risk Identified & trigger table will need to be updated. Horizon Service Desk no longer exists. These sections will need to be updated with details of the MAC team. Awaiting the MAC Service description document.

3. Section 12.2 Summary of Contingency Actions for the MAC will need to be updated. Awaiting the MAC Service description document.

3. Section 9.1 - Recovery Point Objectives will need to be updated. "Normal Service Provision" is meaningless for an RPO. Updating the RPOs will require checking with platform owners.

4. Section 4.2.13.3 Major Account Controllers (MAC) & Section 4.2.13.4 Voice Systems Features will need to be updated after getting the MAC Service description document.

5. Services which are migrating to FCN will need to be updated.

6. Section 4.2.9.4 & section 6.3.6 will need to be updated after completion of Belfast refresh programme.

7. Section 9.1.1 & 9.1.1 RTO will need to be updated after getting the information from all the platform owners. This will cover comment 19, which was received from Edward Ashford.

0.8 Accuracy

Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst
every effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however
caused) sustained as a result of any error or omission in the same.

0.9 Security Risk Assessment

Security risks have been assessed and it is considered that there are no security risks relating specifically to this document.


(Commented [ML2]: Is this still not complete?)


1.0 Introduction

1.1 Using this document
This Business Continuity Plan has been created for the services that support the Post Office HNG-X
services provided from IRE11 and IRE19.

1.2 Business Continuity Plans for HNG-X

For HNG-X the following Business Continuity plans have been created:

1. HNG-X Services Business Continuity Plan (SVM/SDM/PLA/0002);
2. HNG-X Support Services Business Continuity Plan (SVM/SDM/PLA/0001 - this document);
3. HNG-X Engineering Business Continuity Plan (SVM/SDM/PLA/0030);
4. HNG-X Security Business Continuity Plan (SVM/SDM/PLA/0031).

This Contingency Plan provides a summarised description of the overall Operational HNG-X Support
Service provided by Fujitsu Services. This includes the following sub-services:

* Security Management Service
* Branch Change Management Service
* Estate Management Service
* Network Services
* Data Centre Operations Service
* SAP Development and QA-Test Systems
* System Management Service
* Support Services
* System Operate Services
* Reference Data Management Service
* Reconciliation Service (includes Management Information Services, and the Data Warehouse, End to End Reconciliation)
* Service Integration Service
* Receipt Template Service
* Major External Supplier Services
* Service Management Service
* POA Programme and Development Operational Support
* MAC (Major Account Controllers) (includes the Communications Management Team)
* Message Broadcast Service
* GWS - Generic Web Services
* PODG - Post Office Data Gateway


This document describes the measures taken by Fujitsu Services to minimise the risk of POA being unable
to provide these services and it explains the actions the Problem, Service, or Business Continuity Manager
takes to instigate service recovery.


2 Scope

This plan covers the following key areas.

* A summary of the individual HNG-X support services
* A summary of the testing activities undertaken to validate those services
* The measures taken to anticipate and plan for business continuity incidents
* A risk and impact assessment
* Agreed trigger points for plan activation
* References to relevant operational recovery processes
* Problem management contacts and escalation points

This plan does not provide detailed operational procedures with regard to recovery. Further details on the procedures for recovery can be found in the Fujitsu Services Core Services Operations Procedures Manual Index (SU/MAN/018).

3 Ownership and Operation

The Fujitsu Services Post Office Account Infrastructure and Availability Manager is the owner of and is
responsible for the maintenance and operational verification of this document. The Fujitsu Services Core
Services Service Manager operates this plan. Contact details are shown below.

MAC/CMT Business Continuity is also included within this plan.

Alex Kemp | Fujitsu Services, Post Office Account, Head of Service Operations. | All
Changdev Pawashe | Fujitsu Services, Post Office Account, Business Continuity Manager. | All
alee | Account (Deputy)
Sandie Bothick | Service Delivery Manager (MAC) | MAC
Helen Robinson | Fujitsu Services Stream Manager (MAC) | MAC

The Fujitsu Services POA Business Continuity Manager and the Service Managers within Fujitsu Services POA Customer Service Operations, responsible for service availability, hold copies of this plan.


4 Service Functionality
4.1 Services Overview

For the purposes of Business Continuity planning, this contingency plan has been produced to document the Post Office Account responsibilities for the end to end HNG-X support services. From an operational perspective it is impracticable for the plans to cover every element or component in the end-to-end service, e.g. an unserviceable power lead in a single counter outlet; however, major components are documented in the risk table section 11.2 of SVM/SDM/PLA/0002.

Figure 1 provides an overview of all the HNG-X Services for which POA has partial or full responsibility.

This figure is derived from the Business Continuity Framework SVM/SDM/SIP/0001 and is based upon the
contractual requirement defined in ‘The Agreement’ that the Business Continuity plans shall document the
Applicable Services. The abbreviations used for those services are defined in SVM/SDM/SIP/0001. Also
note that LFS refers to the full end to end service.

It is emphasised that some hardware components such as the Main Host (Database Server), EMC Disc array and Network Routers in the Data-centres deliver service to all the sub-services detailed in this plan. For some sub-services, there are hardware and software components specifically dedicated to that sub-service.

The details of risks to a service using only shared architecture can be found against individual infrastructure
elements in the table in section 10 below and in the risk table section 11.2 of SVM/SDM/PLA/0002.


The diagram also provides details of the support applications and services covered within the HNG-X Services Business Continuity Plan SVM/SDM/PLA/0002.

Figure 1: HNG-X Services Overview

4.1.1 Infrastructure Sub-services

A number of IT sub-services are used to support the HNG-X services; however, for the purposes of this plan they can be categorised into the following infrastructure support sub-services:

* The Security Service
* System Management Service
* The Outlet Change Management Service
* The Estate Management Service
* Reconciliation Service
* POL SAP (Development and QA Test servers)
* Network Services (Vodafone and Transaction Network Services).

For the purposes of this continuity plan these sub-services can be considered to be running primarily from the infrastructure contained in the campuses (IRE11 & IRE19).

4.1.2 Operational Support Sub-Services

Additionally there are a number of HNG-X operational support sub-services.

These consist of a number of support teams:

* The Major Account Controllers (MAC) who manage the incident transfers to the Atos Service Desk for issues in POL Clients domains. HSD is replaced by ATOS.
* The System Management Centre (SMC) who, in addition to system management, provide second line technical support.
* The Software Support Centre (SSC) who primarily provides third line support services.
* Fourth line support is provided either by the Post Office Account Development team or by external suppliers, e.g. EMC or Microsoft.

The HNG-X service is also supported by a number of operational units:

* The Core Services System Operate Service team who provide UNIX, NT and database operational expertise.
* The System Management Centre operational event management team at IND49, MSS and SMG staff based at BLAQ1.
* The POA Customer Service operational teams, i.e. providing Reference Data operational service, and the HNG-X Service Delivery Management functions.
* The POA Programme and Development operational support teams.

4.2 Infrastructure Support Services

Figure 1 provides an overview of all the HNG-X Services for which POA has full responsibility, and identifies the support applications and services covered within this document SVM/SDM/PLA/0001.

4.2.1 The Security Management Service


The Security Management Service provides a range of security-related activities that support the
establishment and maintenance of an ISO 27001 compliant infrastructure. The Security Management
Service monitors operations and introduces specific protective security controls to maintain the integrity,
availability and confidentiality of information used and produced by the various Services, other than the
Service Integration Service. See: ARC/SEC/ARC/0003

The risks to the infrastructure supporting the Security Management Service can be found in the trigger table
in section 10 starting at row 14.

4.2.1.1 Security Strategy
The security strategy for HNG-X is risk based and uses the Prevention => Containment => Detection => Response model.

This strategy applies to both infrastructure and software development and provides defence in depth protection to the HNG-X system through the application of layered security controls.

This security architecture has been developed with the aim of ensuring that there are no single points of failure and that each area of risk has a number of technical and management controls working together to mitigate that risk.

Item | Description
Prevention | Use a combination of security controls such as physical, network, platform and application access control, system hardening and vulnerability management to reduce vulnerability.
Containment | Constrains the spread of malware or malicious activity using various techniques and controls such as network segmentation, anti-malware controls and physical, network and platform access control.
Detection | Quickly detect the presence of malicious activity or malware in any domain of HNG-X through the use of anti re, Intrusion and security event, controls,
Response | Automatic or manual incident response to mitigate the activity using pre-configured activities, intrusion prevention and incident response procedures.

To reduce complexity and implementation times, the approach taken for security applications and services
is to use internal Fujitsu services when appropriate and to buy and integrate COTS products rather than
develop them internally.

Specific exceptions to this rule have been made in the area of cryptography and key management where
the Horizon solution has been redeveloped for the cryptographic API, (referenced in DES/SEC/HLD/0002),
and a key management solution has been developed in the absence of commercial alternatives.

Each online system or device can be further subdivided into four additional layers and by using these it is
possible to define both the functions that take place at that layer and the security strategy for each layer.

The four layers are:

4.2.1.1.1 Application
This is the data processing and presentation layer utilising the services provided by the software and by
the other three layers of the model.

4.2.1.1.2 Data


The Data Layer is responsible for the storage, integrity and management of application, platform and
network information.

4.2.1.1.3 Operating System
The major operating systems in HNG-X are Windows 2003 Server, Windows 2008, Windows XP, Red Hat
Enterprise Linux 4, Solaris 10 and, during Hydra, Windows NT4. A definitive list of the Platform Types and
their associated operating systems is maintained in DEV/GEN/SPE/000'

Following the security strategy of prevention, containment, detection and response, a specific Horizon-Online build (the Platform Foundation) has been created.

The Platform Foundation is suitably hardened by following a policy of removing unnecessary software from the system, applying the latest relevant patches, and setting appropriate permissions contained in the following documents:

* Windows Server 2003 Security Guide {DES/PPS/MAN/0004}
* Red Hat Enterprise Linux 4 Security Guide {DES/PPS/MAN/0006}
* Solaris 10 System Administration Guide - Security Services {DES/PPS/MAN/0005}
* Windows Server 2008 Technical Security Architecture (ARC/SEC/ARC/0003)

4.2.1.1.4 Network
The network architecture provides facilities to securely transmit data, to provide remote access and to
segment networks. In addition analysis and reporting facilities are provided to report against SLAs and to
enable base-lining and trending to be performed.

The following facilities are supplied by the service:

* Provides secure network capabilities.
* Provides secure remote access facilities.
* Provides network segmentation.
* Enables network analysis and reporting.
* Controls and manages network access control.

Detailed information on the HNG-X network infrastructure is contained in the HNG-X Network Architecture {ARC/NET/ARC/0001}.

4.2.1.2 Data Integrity and Confidentiality
The Data Integrity and Confidentiality service ensures that confidential or sensitive data is adequately protected within the HNG-X system.

A Root Certificate Authority and subordinate Certificate Authority is created to manage and create Public Key Certificates for a number of purposes.

The Root CA is an Enterprise Root CA using Microsoft Software that creates the Root CA Key Pair. This is
a self-signed key pair and the Live (IRE11) and Test (IRE19) environments use different Root CAs. The
private key of this key pair is then used to sign other certificates to verify their authenticity. The public key of
this key pair is distributed to the subordinate CAs and to any other end-point that requires it.

The Root CA key pair is generated by the CS Security Manager and the resulting Certificate is deployed
over the network, to the relevant end-points. The end-points are defined in detail in the HNG-X Key
Management High Level Design {DES/SEC/HLD/0003} document.

The Root CA is stored by the CS Security Manager in a physically secured Fujitsu location.


The current end-points requiring the Root CA certificate are:

* Counter
* Counter Spare
* EMDB
* Boot Platform
* TES-QA Workstations

In addition to the other security controls mentioned in this document, OID restrictions are applied both on
the Counter and in the Data Centre, to ensure that any attempted connection must use a valid certificate for
that environment. Alerts and errors are reported through the event management system.

The public key certificate for the appropriate Root CA and the SSL certificate signing sub-CA is stored in the
Counter certificate store. This technique means that it is easy to separate Live and Test environments as
the SSL termination point and the Counter have been configured to only accept the appropriate certificate.

See the following documents for more information:

* DES/SEC/HLD/0003 covers the design of the key management system.
* DES/SEC/HLD/0001 covers the design of the strong two-factor authentication system.
* DES/SEC/HLD/0002 covers the design of the cryptographic API (Crypto-API) and key management server, used by Banking authorisation agents, Debit and Credit Card authorisation agents, Audit workstations, Debit Card Management Server, Connect:Direct Gateway Server and the Key Management Workstations.

Through the implementation of a Crypto-API on all systems that require access to key material, an
application can request the appropriate key for its purpose and receives the key and passphrase/PIN value
in a secure fashion.

The Crypto-API component communicates with a dedicated Key Server which contains all of the relevant
passphrase or PIN material. The Key Server retrieves the appropriate key from a table in the Network
Persistent Store database and returns both the key material and the passphrase.

4.2.1.3 Audit Server (ARC)
The Audit server is responsible for gathering Audit Tracks generated from a wide range of components of the HNG-X systems including:

* Post Office Counters
* Systems Management Facilities
* Database Hosts (including the Reference Data System)
* PODG (Post Office Data Gateways)
* System Scheduler logs

Audit Tracks (including the External Gateway Audit Tracks) are not automatically duplicated at each data centre. Files for these tracks are produced by each Audit Server and are exchanged between the two sites utilising the Inter-data centre link.


An Audit server exists at each data centre and they operate in an Active/Active configuration. Each audit server gathers audit tracks from its local data centre.

In normal post Hydra operation, audit tracks will only be generated and gathered on the Active campus.

If there is a complete failover of the HNG-X service to the DR data centre, the audit server at the DR data
centre will take over responsibility for gathering audit data from all failed over machines.

Figure 2: Major components of Audit Solution at a single data centre (diagram labels include Audit Track Replication, Audit Server, Campus LAN and External System Gateways)

4.2.1.4 Active Directory Domain Controller (ACD)

Active Directory is deployed as the central repository for user, computer, and network service-related information, and supports the existing industry standard, LDAP version 3 (LDAPv3), for querying and modifying information in the directory and provides the directory services for all Active Directory data centre servers, including the remote servers that will support the HNG-X infrastructure.

Active Directory is reliant upon the DNS for operation and uses the name resolution services provided by DNS to enable clients to locate Domain Controllers and enable domain controllers hosting directory services to communicate with each other.

The HNG-X Active Directory domain controllers will be hosted as para-virtualised machines on the Active/Active Bladeframe pair in both data centres. The Bladeframe systems present the domain controllers as virtual sets of servers that exist in the SAN.


Active Directory is designed to be fault tolerant and can continue to operate if individual servers are
unavailable for periodic maintenance.

4.2.1.5 Security Domains (DOX)
There are a number of defined security domains within the HNG-X security model; therefore data traffic will always be either intra-domain traffic or inter-domain traffic.

* Intra-domain traffic - Data traffic moving between systems in the same domain.
* Inter-domain traffic - Data traffic moving between systems in different domains.

There is a third class of traffic consisting of data moving into and out of the HNG-X infrastructure.

Intra-domain traffic may be unrestricted because the systems share a LAN segment, or may be restricted through the implementation of logical separation (using VLANs) or physical separation (using separate network segments in the same domain).

Inter-domain traffic must pass through an enforcement point that restricts data flow based on its source, destination, protocol, port, type or content/format.

Domains can also span physical locations. For example, the Key Management Domain contains Data Centre systems as well as workstations in remote locations such as Bracknell and Lewes.

In the event that a database or application, nominally in one tier, shares a platform with another database or application in a different tier, then the most restrictive set of permissions shall apply. This is particularly relevant to the Solaris Main Host that supports a number of Oracle Databases, some of which contain cardholder data and some of which don't. The Solaris Main Host has therefore been placed in the Core PCI-CE Domain in Tier 3, despite the fact that a number of Databases hosted on it do not store Cardholder Data.

The domain model is an overlay for each environment.

Separation between environments is controlled using a combination of preventive and detective controls such as access control, firewall rules, BladeFrame configuration, switch configuration and event monitoring.

The HNG-X Platform Hardware Instance List {DEV/GEN/SPE/0007} contains a definitive mapping of platform instances to security domains.

The following table describes the purpose of each security domain:

# | Name | Purpose
1 | Core PCI-CE Domain | HNG-X Database Platform Types that store, process and transmit encrypted and hashed PANs.
2 | Key Management Domain | HNG-X Platform Types that manage cryptographic material.
3 | Infrastructure Support Services Domain | HNG-X Platform Types that manage and control the infrastructure, such as Active Directory and DNS Servers.
4 | Horizon Domain | Virtualised retiring Horizon Platform Types
5 | Support Services Domain | HNG-X Platform Types responsible for the management of Audit Data
6 | RDT Domain | Reference Data Team testing environments


7 | Client Agents Domain | HNG-X Platform Types responsible for communication with Post Office clients.
8 | Corporate/RMG Connection Domain | HNG-X Platform Types responsible for communication with the Fujitsu Corporate network and with the Royal Mail network.
9 | Internet Connection Domain | HNG-X Platform Types responsible for communication across the Internet.
10 | Support Connection Domain | HNG-X Platform Types responsible for managing support connections
11 | Branch Connection Domain | HNG-X Platform Types responsible for Branch communication and management

There are 5 virtual Domain Controllers in each Data Centre running on RX300 servers.
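
The domain rules in this section, worked through as an added example (it is not part of the plan and is not Fujitsu code): flows are classified as intra-domain, inter-domain or external, a shared platform takes its most restrictive hosted domain, and observed flows are audited against an allow list. The domain names are from the table above; the restrictiveness order, platform names, segments, rules and flows are constructed, and treating external traffic as needing an enforcement-point rule is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

# Domain names come from the table above; everything else here (ordering,
# platform names, segments, rules, flows) is constructed for illustration.
MOST_RESTRICTIVE_FIRST = [
    "Core PCI-CE Domain",
    "Key Management Domain",
    "Support Services Domain",
    "Client Agents Domain",
    "Branch Connection Domain",
]
EXTERNAL = "EXTERNAL"  # the third class: traffic into or out of the infrastructure

# platform -> nominal domains of the databases/applications it hosts
HOSTED = {
    "main-host": ["Support Services Domain", "Core PCI-CE Domain"],
    "audit-a": ["Support Services Domain"],
    "audit-b": ["Support Services Domain"],
    "agent-1": ["Client Agents Domain"],
}
# platform -> LAN segment (VLAN or physical), used for intra-domain checks
SEGMENT = {"main-host": "vlan10", "audit-a": "vlan20",
           "audit-b": "vlan21", "agent-1": "vlan30"}

# Enforcement-point allow list: (source domain, destination domain, protocol, port)
ENFORCEMENT_RULES = {
    ("Client Agents Domain", "Core PCI-CE Domain", "tcp", 1521),
    (EXTERNAL, "Client Agents Domain", "tcp", 443),
}
# Permitted crossings between separated segments of one domain
SEGMENT_RULES = {("vlan20", "vlan21", "tcp", 22)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    port: int


def effective_domain(platform: str) -> str:
    """A shared platform takes the most restrictive domain of anything it hosts."""
    if platform not in HOSTED:
        return EXTERNAL
    return min(HOSTED[platform], key=MOST_RESTRICTIVE_FIRST.index)


def classify(flow: Flow) -> str:
    src, dst = effective_domain(flow.src), effective_domain(flow.dst)
    if EXTERNAL in (src, dst):
        return "external"
    return "intra-domain" if src == dst else "inter-domain"


def decide(flow: Flow) -> tuple[str, bool, str]:
    """Return (traffic class, allowed, reason) for one flow."""
    kind = classify(flow)
    if kind == "intra-domain":
        s_seg, d_seg = SEGMENT[flow.src], SEGMENT[flow.dst]
        if s_seg == d_seg:
            return kind, True, "same segment, unrestricted"
        ok = (s_seg, d_seg, flow.protocol, flow.port) in SEGMENT_RULES
        return kind, ok, "segment rule" if ok else "segments separated, no rule"
    key = (effective_domain(flow.src), effective_domain(flow.dst),
           flow.protocol, flow.port)
    ok = key in ENFORCEMENT_RULES
    return kind, ok, "enforcement-point rule" if ok else "no enforcement-point rule"


def audit(flows):
    """Return (flow, class, reason) for every observed flow the model denies."""
    denied = []
    for f in flows:
        kind, allowed, reason = decide(f)
        if not allowed:
            denied.append((f, kind, reason))
    return denied


# Constructed observations, e.g. as exported from firewall or flow logs.
OBSERVED = [
    Flow("agent-1", "main-host", "tcp", 1521),       # inter-domain, rule exists
    Flow("audit-a", "main-host", "tcp", 1521),       # main-host counts as Core PCI-CE
    Flow("audit-a", "audit-b", "tcp", 22),           # intra-domain, segment rule
    Flow("audit-a", "audit-b", "tcp", 445),          # intra-domain, no segment rule
    Flow("internet-client", "agent-1", "tcp", 443),  # external, rule exists
    Flow("main-host", "internet-client", "tcp", 443),  # external, no rule
]

if __name__ == "__main__":
    for flow, kind, reason in audit(OBSERVED):
        print(f"DENY {kind}: {flow.src} -> {flow.dst} "
              f"{flow.protocol}/{flow.port} ({reason})")
```

The second observation is the case the Solaris Main Host paragraph describes: the flow would look intra-domain if the host were classified by its non-cardholder database, but it is evaluated against the Core PCI-CE Domain and denied.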

4.2.1.6 Firewall Security Manager (NFM)
The Cisco Security Manager is used to manage firewalls and other security devices, such as IOS routers, including IPSEC VPNs. It runs on the Firewall Security Manager Server (NFM) and, along with CiscoWorks, provides centralised, auditable management, minimising the security risk of changes being implemented on a firewall undetected.

This application administers consistent firewall policies using the policy view feature of the application.

Creation of the policies and their deployment to the ASAs and VPN applied routers is also managed from this server, which is located within the Management Services LAN.

4.2.1.7 Domain Name System (DNS)
A DNS service is introduced to centralise name, IP address and service resolution and remove the dependency on individual platform host files.

Almost all data centre and network infrastructure systems are expected to use DNS. DNS is a distributed hierarchical database system supporting the storage and dissemination of data. The data stored is typically device names (terminal domains in DNS terminology) and Internet Protocol (IP) addresses; however, many other types of data may be stored.

Typical DNS transactions are:
* Clients requesting the IP address of a given domain name (a forward lookup);
* Clients requesting the domain name of a given IP address (a reverse lookup);
* Dynamic registration of an IP address by a DNS client system;
* Client lookup of a Windows service;
* Windows server dynamic registration of a Service;
* Server to Server exchanges of DNS zone information (a zone transfer).

Microsoft Windows service resource records are hosted by Microsoft Windows Active Directory servers.

DNS Security is addressed via the use of internal and external name servers (split DNS) and the DNSSEC protocol for updates and zone transfers.

The Internal DNS is deployed as an authoritative master DNS for the POA HNG-X zones. Two servers
exist at each POA data centre.


4.2.1.8 Intrusion Prevention System (IPS)

As part of the network security strategy HNG-X is using a McAfee IDS/IPS solution. This solution resides within both the data centres in IRE11 and IRE19, and protects HNG-X infrastructure from potential threats from the WAN, i.e. Branch, whilst monitoring the traffic traversing between the Core and Access tiers.

The McAfee IDS/IPS 3000 Sensor acts as a security barrier by using both its IDS and IPS capabilities.

* IPS Mode/Policy (In-line) - Used only for Branch traffic monitoring.
* IDS Mode/Policy (In-line) - Used to monitor all other traffic flowing between the Core and Access tiers.

IPS Mode/Policy places the sensor inline and therefore is seen as an active device in the traffic path for Branch traffic and all traffic flowing between the Branch counters and the Core and Access tiers. The traffic is inspected as it arrives on one interface and exits on the other. Any malicious traffic will be denied and an alert sent to the Intrushield Security Manager (ISM) server located in Management Services LAN. Subsequent malicious traffic will be blocked due to the IPS's proactive capability.

IDS Mode/Policy is utilised for remaining flows, and monitors the traffic between the Core and Access tiers by also using in line ports that are connected to the Cisco 6513 Core switches and DMZ firewalls. Any alert notifications are sent to the ISM server in the Core Management LAN.

Sensor Management is via McAfee Intrushield software that is installed on a virtualised Bladeframe server
in the Infrastructure Management Domain in IRE11 and IRE19. Access to the sensors for general
management, signature and software updates is via this management server. As the software is deployed
on a Bladeframe server resilience is provided as part of that architecture. Information can be found within
the Platforms and Storage document (ARC/PPS/ARC/0001).


Figure: IPS/IDS positioning (logical)

For resilience the sensors at both data centres are deployed in a Failover Pair configuration and must adhere to the following criteria:

Both Intrushield sensors are active at all times. This means that both sensors are ready to process packets on their monitoring ports at all times; neither sensor is inoperative, or in "standby".

Since both sensors see all traffic their state information will be synchronised at all times.

Communication between a failover pair is via a "heartbeat" that occurs once each second. In the event of a sensor failure, and as supported by McAfee's documentation, the expectation of the sensor is as shown in the table below:

Criteria | Expectation
HNG-X Failover Target Time | Expectation is for it to be immediate
Sensor Failover Time | Immediate, as specified by McAfee on Page 2 of Special Topics Guide - Sensor High Availability that "failure is instantaneous and connection state is maintained"
Traffic Loss | None expected, Connection State Maintained as specified by McAfee

Sensor Failover Expectation

4.2.1.9 Radius & TACACS+ Services (NRS)

Network access for branch router and remote support requires authentication, accounting and authorisation.
Authentication provides the ‘who you are’, accounting provides the ‘what has been performed/audit
trail’ and authorisation provides the ‘what is permitted to be done’. These are known as the AAA functions
and provide the control for key components in the data centre by controlling branch router WAN connectivity
and data centre network devices.

The RADIUS protocol is primarily used to provide the Point-to-Point Protocol (PPP) AAA service for branch
router WAN access using the various technologies.

The TACACS+ protocol is primarily used to provide the AAA service for branch router support and data
centre network access.

The platform for RADIUS authentication (NRS) will use an Active/Active approach with both IRE11 and
IRE19 data centres providing RADIUS services. There are no standby RADIUS services at the IRE19 data
centre.

The following diagram shows the high-level RADIUS instances and network attachment that will be
common for each data centre virtualised server. There will be two RADIUS servers per data centre,
following the data centre N+1 strategy.


Figure 4: Production RADIUS Layer 3 Network Topology

4.2.1.10 Key Management Service

Figure 5

The main components detailed in this design document are shown in Figure 5 above. The roles,
responsibilities and key material required by each component are described below.

Note: the diagram only depicts the interaction of components as far as key material is concerned; it is not
meant to illustrate the run-time interaction of the components.


Figure 6

Figure 6 gives a more complete picture of the new system for HNG-X and the old systems that are migrated
from the Horizon system.

4.2.1.11 Network Persistent Store (NPS)

The NPS is a persistent, fault-tolerant and resilient database deemed to be the repository for sharing key
information amongst components. The NPS is the reference point for all key material and components
requiring key material must synchronise with the NPS to ensure that correct key material is used.

Further details of the NPS functionality can be found in SVM/SDM/PLA/0002.

4.2.1.12 KMNG Workstation
The KMNG workstation provides the user interface for the management of key material. The KMNG
provides the following:

* Access control to KMNG
* Management of MFK and PMFK
* Key re-encryption from MFK to PMFK
* Management of AZMK
* Management of TK
* Management of PK
* Management of T2k
* Management of pkcs#12 key sets for other components such as Branch Access Layer, Key Server
* Management of BDK
* Management of Money Gram password issued by POA / Money Gram
* Management of 192 bit DES key used for protection of CHAP keys
* Management of VPN PIN files for BAL and EM
* Management of APOP Oracle password

4.2.1.13 KMNG Operator

The KMNG operator is responsible for the control, management and operations of the KMNG workstation.
The KMNG operator is two-factor authenticated to the KMNG before any operations are permitted. Two
factor authentication depends on the mechanism defined in DES/SEC/HLD/0001.

4.2.1.14 Key Server

The Key Server is responsible for secure distribution of key material to other components within the data
centre. Key material distributed generally consists of pass-phrases, and other key material, as required by
HNG-X components.

The Key Server runs the KSS application and enables components to access key material stored on the
NPS. No component can access the key material from the NPS directly; they must use the KSS to access
this material.

The Key Server initialisation is dependent on key material supplied by the sub-Certificate Authority (sub-CA).

The media for distributing the key-set is electronically read from a secure remote management workstation
connected to the Key Server.

N.B. A Key Server must always be available for use by HNG-X components requiring key material.

4.2.1.15 Key Server Operator
The Key Server Operator is responsible for providing the initial key information required by the Key Server
to complete initialisation, which is strongly authenticated using two-factor authentication, and in addition is
responsible for the safe keeping and monitoring of the use of the Key Server key material.

4.2.1.16 Key Server Client
Key Server Client software enables servers requiring key material to communicate with the Key Server to
retrieve key material.

4.2.1.17 Key Server Resilience
Resilience of the system is obtained by deployment of 2 Key Servers in the primary data centre.

Resilience of the Key Server service is managed through the Key Server Client that applications use to
interface to the Key Server, which can detect which Key Server is not operational at any given time.
Whenever a Key Server is detected as being non-operational, an alert is raised which is escalated to
Service Management to re-enable/correct the Key Server.


The algorithm used to load balance the Key Server from the Key Client is described in DEV/APP/LLD/0149.

4.2.1.18 Key Server Certificate

KMNG is responsible for storing the Key Server X509 certificate in NPS. The certificate is generated by the
sub-Certification Authority. The certificate is presented to the KMNG, which reads the relevant data files
from the storage media and saves them to NPS with the appropriate tag.

The certificate is designated “active” as the current certificate for the Key Server and any previously “active”
certificates are set to the “inactive” state.

4.2.1.19 Key Server Access Control
Access to the Key Server workstation is for restricted personnel only. All access must be recorded and the
reason for access logged.

4.2.1.20 Key Server RSA Key Set
The Key Server operates under control of an RSA key-set generated by the sub-Certificate Authority and
issued in a pass-phrase encrypted file.

4.2.1.21 Key Server initialisation
On initialisation, the Key Server must be presented with the password protecting the Key Server's key-set.

The Key Server remote operator will enter the password and the Key Server will obtain the latest key data
from NPS. Using the passphrase, the Key Server un-locks the key data.

4.2.1.22 Remote Management and Recovery
The remote management software is installed and executed on the same platform as the KMNG
workstation to avoid the need for a separate platform to host this service.

The recovery process for the Key Server is identical to the initialisation process. The pass-phrase entered
by the remote operator must match the currently active Key Server RSA key set.

4.2.1.23 Remote Monitoring
KSS provides a fault tolerant service to components requiring key material. It is essential that the KSS
services are always available.

Remote monitoring is required to ensure that the KSS service is always available. If any of the KSS servers
are not available, remote monitoring shall inform the security operator to put the servers in an operational
state as soon as possible. If there is at least one server operational, it is not essential for the re-started
servers to be put into an operational state immediately. This operation can be performed outside normal
business hours, or during the next day.

In the case of both Key Servers being re-started, the security operator must be informed to put one of the
KSS servers into an operational state immediately. The other Key Server should be brought into use
outside normal business hours, or during the next day.

4.2.1.24 SSL


* SSL Termination Point

The SSL (Secure Sockets Layer) termination point is responsible for maintaining and terminating SSL
encrypted sessions between the Counter and the Branch Access Layer.

* Other SSL

Within the HNG-X solution, there are several client-server interactions that require the use of SSL
encrypted sessions, with either server-side authentication only or both client and server
authentication.

4.2.1.25 CHAP

CHAP keys, which are used to establish secure communication channels between branch routers and RADIUS
servers at the network level, are managed by the Estate Management (EM) component of HNG-X. See
DES/SYM/HLD0031.

4.2.1.26 PIN Management
For detailed information refer to DES/MIG/HLD/0006.

4.2.1.27 Counter
The Counters are located in Post Office branches and are responsible for protecting sensitive data
exchanges between the branches and the data centre.

4.2.1.28 Hardware Security Module (HSM)

The hardware security modules (HSM) are responsible for providing security services (DES encryption/
decryption, PIN block translation) to applications. These devices are networked devices and are accessed
by the applications through a set of cryptographic APIs.

HSMs are used to carry out the cryptographic functions to protect data that is transmitted from the HNG-X
security domain to the security domains of the FIs by the Network Banking application and to protect data
that is stored within the HNG-X domain both by Network Banking and Retail applications.

Three HPHSMs are installed at IRE11 [IRRELEVANT] and another two at IRE19 [IRRELEVANT].

Two HPHSMs [IRRELEVANT], shared between LST and SV&I, are also located in IRE19. In a DR
situation, where IRE11 is lost, [IRRELEVANT] would be reconfigured for Live use.

4.2.1.29 PIN Pads

PIN Pads are hardware devices attached to the counter.

The cryptographic keys used by the PIN PAD are only used for PIN encipherment.

4.2.1.30 Root Certification Authority (CA)

The Root Certificate Authority is responsible for issuing X509, version 3 certificates. The root CA certificate
is distributed, via Configuration Management, to end-points requiring it.

The root CA is only responsible for issuing certificates to other sub-CAs. There is no permanent network
connection from the root CA to other systems within the data centre.

4.2.1.31 Secure Configuration Assistant (SCA)
The SCA is used for key generation, key input from paper sources and secure transportation of the key
material for processing by the KMNG workstation. The SCA is responsible for the following keys:


The SCA device is used to initialise the HSM with the MFK / PMFK keys.

4.2.1.32 Money Gram Password
KMNG is responsible for storing the Money Gram Password in NPS.

Whenever a new password is required, the KMNG will store it in NPS with an appropriate key tag to distinguish
it from older or current passwords.

A user interface is provided to allow the operator to activate the password by marking it as “current”.

4.2.1.33 BAL Oracle User Password
KMNG is responsible for storing the BAL Oracle User Password in NPS. A separate password is required
for live operation and for training purposes.

The KMNG provides a user interface to generate the BAL Oracle user passwords, encrypting the
passwords under a session KEK and storing them in NPS with appropriate key tags.

Whenever a new password is required, the KMNG will store it in NPS with appropriate key tag to distinguish
it from older or current password.

4.2.1.34 Component Interaction

Figure 7 (sequence diagram; recoverable labels: log-on call with RSA public key, IP etc.; authentication;
recover key material encrypted under KEK of Key Server; re-encrypt key material under RSA public key;
return encrypted key material)

In order to distribute key material securely to components, the component interaction will be as follows:

1. The component generates a temporary RSA key set.
2. The public key is sent to the Key Server with additional information for identification purposes, e.g. IP address.
3. The Key Server validates the identity of the component.
4. On successful identification, the Key Server retrieves the requested key material from NPS.
5. The Key Server decrypts the key material and re-encrypts it under the public key of the component.
6. The encrypted key material is returned to the component.
7. The component decrypts and recovers the key material in local memory.

N.B. The process described above is performed by the Key Server Client which the component interfaces
with to retrieve key data from NPS.
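
The exchange listed above, as an added example (not code from this plan or from the HNG-X Key Server): a component creates a temporary RSA key set and the Key Server re-encrypts the requested key material to it. AES-GCM under the KEK, RSA-OAEP, the dictionary standing in for the NPS, the name-and-IP identity check and every name and value are assumptions; the block needs the Python cryptography package.

```python
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 (assumed; the plan does not name the padding scheme).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class KeyServer:
    """Only party that reads the NPS; key material there is held under its KEK."""

    def __init__(self, nps, known_components):
        self._kek = AESGCM.generate_key(bit_length=256)
        self._nps = nps                        # stand-in for the NPS: tag -> (nonce, ciphertext)
        self._known = dict(known_components)   # component name -> registered IP (assumed check)

    def store(self, tag, material):
        """Place key material in the NPS encrypted under the KEK."""
        nonce = os.urandom(12)
        # The tag is bound as associated data, so a record moved under a
        # different tag fails to decrypt instead of being served.
        self._nps[tag] = (nonce, AESGCM(self._kek).encrypt(nonce, material, tag.encode()))

    def request(self, name, source_ip, public_key_der, tag):
        """Validate the component, then re-encrypt the material to its public key."""
        if self._known.get(name) != source_ip:
            raise PermissionError("component identity not recognised")
        nonce, blob = self._nps[tag]
        material = AESGCM(self._kek).decrypt(nonce, blob, tag.encode())
        public_key = serialization.load_der_public_key(public_key_der)
        return public_key.encrypt(material, OAEP)


class KeyServerClient:
    """Runs inside the component and hides the exchange from the application."""

    def __init__(self, name, ip, server):
        self._name, self._ip, self._server = name, ip, server

    def fetch(self, tag):
        # Temporary RSA key set: generated per request, only the public half is sent.
        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        public_der = private_key.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo)
        wrapped = self._server.request(self._name, self._ip, public_der, tag)
        # Recovered in local memory only; the private key goes out of scope on return.
        return private_key.decrypt(wrapped, OAEP)


if __name__ == "__main__":
    nps = {}
    server = KeyServer(nps, {"bal-01": "10.0.0.5"})           # constructed identity
    server.store("bal.passphrase", b"constructed pass-phrase")  # constructed value
    print(KeyServerClient("bal-01", "10.0.0.5", server).fetch("bal.passphrase"))
```

A 2048-bit key with OAEP/SHA-256 carries at most 190 bytes per message, which suits pass-phrases and symmetric keys; larger material would need a hybrid scheme.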

4.2.1.35 Branch Access Layer

The BAL signing key is used to sign messages exchanged between the BAL and Counters during the
Counter log-on.

On initialisation BAL will interact with the Key Server/Key Server Client to retrieve the pkcs#12 key data and
the pass-phrase.

4.2.1.36 Key Enforcement Policy

Key enforcement policy to implement key changes, certificate changes etc will be manually controlled.
KMNG is presented with new key material when a new key needs to be put into active state.

4.2.1.37 Key Change Synchronisation

All key changes are manually controlled via KMNG. Any new keys that need to be put into an active state
must be done so through the operator options provided by KMNG.

All components requiring key changes must synchronise with NPS via the Key Service/Key Service Client
at regular intervals to detect the current active key held in NPS.

4.2.1.38 Identity and Access Management Service

The identity and access management service provides facilities to create, modify and remove users,
groups, roles and access permissions. The service controls access at an application and platform level
including both local and remote access. This includes access to operational support, system support and
data processing systems.

Management in the following list means provisioning, de-provisioning, authenticating and authorising;

1. Operational support users are managed using a directory service for access to Platforms and to
Network Devices.

2. Branch business user access is managed using the Branch Database. This includes Global users such
as Engineers on site visits and Branch Auditors.

3. Application accounts are managed by the application concerned, except where the application designer
has elected to utilise the Identity and Access Management Service.

4. Within the Data Centre, service accounts are managed using the directory service.

5. At the Counter, service accounts are local accounts.

The following facilities are supplied by the Identity and Access Management service. It provides;
identification; authentication; authorisation; accounting; non-repudiation; role based access control; and
network access control.

* Enables the addition, removal and change of users, groups and roles.
* Enables the addition, removal and change of network systems and devices.
* Enables segregation of duties.
* Controls and enables local and remote access for HNG-X.

Figure 8

The Live and LST environments share a Root CA as LST is the final testing stage before deployment into
the Live environment and therefore it is occasionally necessary to test Live key material prior to use.

Alerts and errors are reported through the event management system.

The public key certificate for the appropriate Root CA and the SSL certificate signing sub-CA will be stored
in the Counter certificate store.

Further information is available in these documents;

1. HNG-X Key Management HLD (DES/SEC/HLD/0003) covers the design of the key management
system in greater detail.

2. HNG-X Strong Authentication HLD (DES/SEC/HLD/0001) covers the design of the strong two-factor
authentication system.

3. HNG-X Crypto Services HLD (DES/SEC/HLD/0002) covers the design of the cryptographic API
(Crypto-API) and key management server, used by Banking authorisation agents, Debit and Credit
Card authorisation agents, Audit workstations, Debit Card Management Server, Connect:Direct
Gateway Server and the Key Management Workstations.

4.2.1.39 Secure Event Management Service

The secure event management service is a component of the overall Tivoli event management solution,
creating events and producing reports using the existing Tivoli event management database. Logs from
network devices, intrusion prevention and detection appliances and firewalls are also aggregated by the
Tivoli system either directly, or through the syslog server.

Logs are aggregated and analyzed to provide security information and reports. Relevant information will be
provided to the CS Security Team through the provision of regular reports.


The following facilities are supplied by the service;
* Provides log aggregation, correlation and analysis.
* Enables security event alerting and reporting.
* Enables compliance reporting with standards and regulation such as ISO 27001 and PCI.
* Enables trending and provides the ability to spot longer term security related events.

4.2.1.40 Vulnerability Management Service

The vulnerability management service ensures security patches and updates are maintained at the
appropriate level. The service provides secure platform builds that have been hardened to reduce the
vulnerability of the standard platform. The service provides protection against malware in the form of
Viruses, Trojans, and Worms etc. and detects and prevents malicious code and malicious activity on the
network. This service supplies the assurance that possible platform and application vulnerabilities have
been reduced to a minimum.

The following facilities are supplied by the service;
* Provides system hardening.
* Provides vulnerability management.
* Provides patch management.
* Provides malware management.
* Controls vulnerabilities within HNG-X.

The vulnerability management service consists of a number of components that work together to identify
and reduce vulnerabilities in HNG-X. This includes vulnerabilities caused by configuration errors as well as
software bugs.

The main purpose of the vulnerability scanner server (VNS) is to detect potential vulnerabilities in the
HNG-X environment and report them via the correct mechanism so remediation can be initiated. The server is a
Foundstone FS1000 running the database and report manager and resides in the HNG-X Estate and
Systems Management Security Domain. All components will be located in IRE11 with a mirrored/replica
environment in IRE19 for DR purposes.

The FS1000 has dual processors and a redundant RAID storage system so can withstand a single
processor or hard disc failure.

4.2.1.41 Payment Card Industry Solution (PCI)

The online system has been designed to ensure that, for online transactions;

* No Debit or Credit card full track information is stored anywhere in the system.
* Banking requires that the full track image is available for up to 5 days, post-authorisation, in the event
that a reversal is required.
* No Sensitive Authentication Data is stored post-authorisation for Debit and Credit card transactions.
* As with 1a above, Banking requires that the full track image is available for up to 5 days, post-
authorisation, in the event that a reversal is required.
* No PAN (information) is stored in the clear anywhere in the system.

4.2.1.42 Bluecoat (Reverse Proxy Service)


A new Reverse Proxy Service from Bluecoat® will be used to control access to the Channel Integration
service. It provides a new Network Security layer (Bluecoat) in the Horizon Data Centre to authenticate
non-Horizon devices before allowing them to connect to HBS.

There are security requirements to ensure that only valid devices can connect into the HBS.

It has been decided that this is something that can be implemented outside the HBS and that it is
reasonable to assume that any device that manages to connect through to HBS can be considered to be
valid.

The figure below shows the way in which 3rd party devices will connect to HBS and the outline of the
security checks that will be enforced.


Figure: Security Model for Device Authentication

When the 3rd party device is installed it will need to generate an SSL Client Certificate which follows
this convention:

* CN is DT-F-n
  where
  * DT is the Device Type which will have been provided by Post Office Ltd
  * F is the FAD Code (or Branch Code) allocated by Post Office Ltd
  * n is the Node Id which will have been allocated by the Horizon Estate Management
    System as part of the OBC process
* SAN is IP address
  The IP address will have been allocated by the Horizon Estate Management System as part of
  the OBC process

It will also need a Public / Private key pair for Payment Authorisation.

All of this security material is tied into the logical device, such that if the physical device is swapped, then it
needs to be either securely copied to the new device or equivalent security material needs to be generated
on the replacement device.

The 3rd party device also needs to know the Virtual IP address of the HBS.

Whenever the 3rd party device wishes to connect to HBS, this will be done by means of an HTTP
Session as described in [REQ/APP/AIS/1794]. This is done by establishing an SSL session to the Bluecoat
Reverse Proxy Server, which will intercept connection attempts to the HBS. This means that as far as the
3rd party device is concerned the connection is via HTTPS.

The Bluecoat Reverse Proxy Server will then validate the SSL Client Certificate that has been provided and
ensure that the source IP address of the connection matches the SAN attribute in the Certificate. It will also
add in details from the SSL Client Certificate and a copy of the certificate itself into HTTP headers (having
cleared any such HTTP headers if any are already in the message). All other HTTP headers and the
payload of the message are passed through.

If all is well, then the Bluecoat Reverse Proxy Server will establish an HTTP connection to the virtual IP
address of the ACE Blade that fronts the HBS and pass through the payload of the original message and the
HTTP headers as modified above. The ACE blade then load balances the workload across the available
HBS servers, taking into account any ‘sticky session’ routing defined in the HTTP Headers.

When the message is received by the HBS, these HTTP headers are examined and the CN attribute is
broken down into its constituent parts (ie DT, F and n, using the “-” character as a separator when parsing).

HBS will identify a Device by fields in the ARTSHeader of the messages passed across as part of the Web
Service calls to HBS. Specifically:

1. Business Unit: This is the Location of the Device and is expected to be the Branch Code.
This will be validated as being the same as the “F” component of the CN in the HTTP header.

2. Business Unit.Name: This is the Organisation that is responsible for the device and is used to
control how Cash Settlements are to operate. For Phase 2a, this is expected to always be “POL”.

3. Till: This is the Identity of the Device and is used to distinguish between multiple devices at a single
location and is expected to be the Node Id.
This will be validated as being the same as the “n” component of the CN in the HTTP header.

The Device Type (ie the DT component of the CN in the HTTP header) is then verified as being supported
by HBS. A key attribute of the Device type is whether it is manned (ie operated by a clerk) or un-manned
(eg a kiosk operated by various members of the public) and this controls how the Log On should be carried
out with the OSR. For Phase 2a, the only supported Device Types are unmanned kiosks which use a
“User-less” Log On mechanism. This is the only type of Log On supported for Phase 2a. This “User-less”
Log On will validate that the Device Type and supplied IP address (ie SAN attribute of the certificate)
matches those that have been configured in BRDB for the specified Branch Code and Node ID.

Unless a specific 3rd party device has Logged On, no other service requests from that 3rd party device
are allowed. Therefore it is expected that the first service request in a new HTTP session from a specific 3rd
party device is a Log On request.

Manned Devices may require the User of that device to Log On. Un-manned devices do not require any
further authentication.
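
The two-stage check described above, as an added example (not Bluecoat configuration and not HBS code): the proxy binds the certificate to the source IP and rewrites the identity headers, then HBS cross-checks the ARTSHeader fields against the CN and the configured device. The header names, the device type code "KSK", the BRDB stand-in and all sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed header names: the plan does not name the headers the proxy sets.
CN_HEADER = "X-Client-Cert-CN"
SAN_HEADER = "X-Client-Cert-SAN"
# Constructed device type code; Phase 2a supports unmanned kiosks only.
SUPPORTED_DEVICE_TYPES = {"KSK"}
# Constructed stand-in for BRDB: (branch code, node id) -> (device type, IP).
BRDB_DEVICES = {("123456", "41"): ("KSK", "10.20.30.41")}


class Rejected(Exception):
    """A request failed one of the device authentication checks."""


@dataclass(frozen=True)
class ClientCert:
    """Subject fields of a client certificate whose chain is already verified."""
    cn: str
    san_ip: str


def same_ip(a, b):
    """Compare two textual IP addresses by value; malformed input never matches."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def proxy_forward(cert, source_ip, headers):
    """Reverse proxy step: tie the certificate to the source IP, rewrite headers."""
    if not same_ip(source_ip, cert.san_ip):
        raise Rejected("source IP does not match certificate SAN")
    reserved = {CN_HEADER.lower(), SAN_HEADER.lower()}
    # Header names are case-insensitive: drop client-supplied copies in any
    # casing so only values taken from the certificate reach HBS.
    forwarded = {k: v for k, v in headers.items() if k.lower() not in reserved}
    forwarded[CN_HEADER] = cert.cn
    forwarded[SAN_HEADER] = cert.san_ip
    return forwarded


def parse_cn(cn):
    """Split a CN of the form DT-F-n on '-' into (device type, branch, node)."""
    parts = cn.split("-")
    # Exactly three non-empty parts: an extra separator would make the
    # branch/node split ambiguous, so it is refused rather than guessed.
    if len(parts) != 3 or not all(parts):
        raise Rejected("CN is not of the form DT-F-n")
    return tuple(parts)


def hbs_log_on(headers, business_unit, till):
    """HBS step: check ARTSHeader fields against the proxy-set headers and BRDB."""
    device_type, branch, node = parse_cn(headers.get(CN_HEADER, ""))
    if business_unit != branch:
        raise Rejected("Business Unit differs from F component of CN")
    if till != node:
        raise Rejected("Till differs from n component of CN")
    if device_type not in SUPPORTED_DEVICE_TYPES:
        raise Rejected("device type not supported")
    configured = BRDB_DEVICES.get((branch, node))
    if configured is None:
        raise Rejected("device not configured in BRDB")
    cfg_type, cfg_ip = configured
    if cfg_type != device_type or not same_ip(cfg_ip, headers.get(SAN_HEADER, "")):
        raise Rejected("device type or IP address differs from BRDB configuration")
    return {"device_type": device_type, "branch": branch, "node": node}


if __name__ == "__main__":
    cert = ClientCert(cn="KSK-123456-41", san_ip="10.20.30.41")
    # The client tries to pre-set the identity header; the proxy discards it.
    incoming = {"x-client-cert-cn": "KSK-999999-1", "Content-Type": "text/xml"}
    forwarded = proxy_forward(cert, "10.20.30.41", incoming)
    print(hbs_log_on(forwarded, business_unit="123456", till="41"))
```

Because HBS treats anything that reaches it as valid, the header rewrite only holds if HBS is reachable solely through the proxy path.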

Collect & Return - The Collect and Return service is the second of two services intended to make use of the
reverse proxy service capability delivered by the Bluecoat Proxy SG appliances.

4.2.1.43 HBS - Web Server

HBS (Horizon Business Server) is a platform designed to enable the consumption of services provided by
the HNGX infrastructure by applications other than the native HNGX counter.

The RTS Web Application which runs on the HBS provides interfaces to consumers to allow the
construction of and settling of baskets of transactions. To the ‘back-end’ HNGX infrastructure the
application looks like native HNGX counters, using the same interfaces into the OSR. Note, however, that
not all of the interfaces used by the native counters are supported by the RTS Web Application.

The following diagram shows how it fits into the overall architecture.


The HBS operates as a set of server nodes in a cluster, providing Business Services to a set of terminals in
multiple outlets. It uses the services provided by OSR/BAL to fulfil some of these Business Services (and
the BAL in turn writes to the BRDB). The Counter business application also connects to the same BRDB
instances, but via a different vip for the BAL / OSR.

ID | Component Name | Description
A | KIOSKs | KIOSKs that are connected via VLAN.
B | Blue Coat Reverse Proxy Server | Blue Coat Reverse Proxy Server will ensure that only valid devices get connected to HBS. It provides firewall and HTTPS SSL termination.
C | ACE Blades to HBS | ACE Blades to HBS provide load balancing across multiple HBS farms and nodes in the cluster.
D | Horizon Business Server |
E | ACE Blades to OSR/BAL | ACE Blades to OSR/BAL provide load balancing across the existing 20 live OSR/BALs. If an OSR/BAL node goes down, the current request will fail, but future requests will go to a working node.
F | BAL | OSR/BALs provide the current live service to Horizon counters.
G | Branch Data Base | BRDB provides basket item storage for the estate, and is accessed by other POL and Fujitsu systems to pass on the information to financial, banking and other systems.
H | GWS | GWS servers provide access to external third party Web Services.
I | Agent | Authorisation Agents for eTopUps etc.

Bluecoat Reverse Proxy Server:

The reverse proxy server checks the certificates held on the consuming devices (kiosks) to confirm their
validity.

It is responsible for extracting data from the certificate and inserting it into the HTTP headers forwarded to
the HBS. HBS uses this data to identify/confirm the branch and terminal identities in incoming messages.
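
The header handling described above, as an added example (not code from the plan or from the HBS): a back end accepts certificate-derived identity headers only when the request arrives from the reverse proxy, and checks them against the identity claimed in the message. The proxy addresses, header names and identifier formats are hypothetical.

```python
import ipaddress
import re

# Assumptions for this sketch: the proxy addresses, header names and identifier
# formats below are hypothetical; the plan does not specify them.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10"),
                   ipaddress.ip_address("192.0.2.11")}
HDR_BRANCH = "x-cert-branch-id"
HDR_TERMINAL = "x-cert-terminal-id"
BRANCH_RE = re.compile(r"[0-9]{6}")
TERMINAL_RE = re.compile(r"[0-9]{1,2}")


class IdentityError(Exception):
    """Raised when a request's identity cannot be confirmed."""


def certificate_identity(peer_ip, headers):
    """Return (branch, terminal) taken from the proxy-inserted headers.

    headers is a list of (name, value) pairs so that duplicates stay visible.
    """
    # Identity headers mean something only if the TCP peer is the proxy that
    # validated the client certificate; any other sender could set them freely.
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise IdentityError("request did not arrive through the reverse proxy")

    found = {}
    for name, value in headers:
        key = name.lower()              # header names are case-insensitive
        if key not in (HDR_BRANCH, HDR_TERMINAL):
            continue
        if key in found:
            # Two copies mean a client-supplied header survived alongside the
            # proxy's own; refuse rather than guess which one is genuine.
            raise IdentityError("duplicate identity header: " + key)
        found[key] = value.strip()

    branch = found.get(HDR_BRANCH, "")
    terminal = found.get(HDR_TERMINAL, "")
    if not BRANCH_RE.fullmatch(branch) or not TERMINAL_RE.fullmatch(terminal):
        raise IdentityError("identity headers missing or malformed")
    return branch, terminal


def confirm_message_identity(peer_ip, headers, message):
    """Accept a message only if its claimed identity matches the certificate."""
    branch, terminal = certificate_identity(peer_ip, headers)
    claimed = (str(message.get("branch", "")), str(message.get("terminal", "")))
    if claimed != (branch, terminal):
        raise IdentityError("message identity differs from certificate identity")
    return branch, terminal


def outcome(peer_ip, headers, message):
    """Helper for the demonstration: 'ok' or the rejection reason."""
    try:
        confirm_message_identity(peer_ip, headers, message)
        return "ok"
    except IdentityError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample requests.
    good = [("X-Cert-Branch-Id", "123456"), ("X-Cert-Terminal-Id", "2")]
    msg = {"branch": "123456", "terminal": "2"}
    print(outcome("192.0.2.10", good, msg))
    print(outcome("198.51.100.7", good, msg))
    print(outcome("192.0.2.10", good + [("x-cert-branch-id", "654321")], msg))
    print(outcome("192.0.2.10", good, {"branch": "654321", "terminal": "2"}))
```

The same separation has to hold on the proxy side: it must discard any identity headers present on the inbound request before inserting its own.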

The principal functions of the NRPs are to terminate SSL traffic (if necessary) entering the data centre,
perform certificate revocation checking (if necessary), perform mutual authentication where appropriate, and
facilitate anti-virus scanning of content of various attributes, according to the specifics of each service.

The NRP implementation and configuration, including the outside and inside proxy VLANs as shown in
figure 1, are described in the HNG-X Network Reverse Proxy LLD DEV/INF/LLD2085.

There are multiple applications using the Network Reverse Proxies. The Channel Integration service uses
the NRPs, as do the Collect and Returns service, Smart Metering services (SMS), Common Digital
Platform Service (CDP), and HORIce web service.

Channel Integration service is described in HNGX Channel Integration Network LLD DEV/INF/LLD2086.

Smart Metering Service is described in HNGX Smart Metering Network LLD DEV/INF/LLD/2395. HBS is
also used as part of the smart meter service, and initiates an outbound connection to British Gas via the DX!
forward proxies. There is also the smartcard service, which involves Ingenico connecting to a VIP presented
by the Bluecoats.

Common Digital Platforms is described in HNGx CDP High Level Design DES/APP/HLD/2523.

Collect & Return Service is described in HNGx Network High Level Design for the Collect & Return
Service DES/NET/HLD/2252.

HORIce web service is used by support teams and the Post Office to query live and historic data.
This design will provide access from the Post Office via the Internet, and from Support location BRAO1 to
HORIce Web servers via the Network Reverse Proxies implemented in IRE11/19.

4.2.2 System Management Service (SMS)

4.2.2.1 Service Summary
The Systems Management Service comprises:
* Event and Systems monitoring
* Software Distribution and Asset Management
* Remote Access and Diagnostics
* Estate Management and Branch Estate Platform Repair

The Enterprise Management software suite (based around IBM TIVOLI software), known as SYSMAN3, is
used to support the System Management Service.


The Service is based on remote monitoring and resolution which helps to minimise interruptions to the
normal business operation of the Branch Infrastructure.

Co-ordination of activities across POA, Support units (Fujitsu and external providers) is provided in order to
track changes and resolve incidents, thereby enabling any service degradation to be restored in an effective
manner, including any that require multiple Support teams or Service providers to be involved.

4.2.2.2 Service Availability

The Systems Management Service is provided by the Systems Management Centre (SMC) and is available
24/7, 365 days per year.

4.2.2.3. SYSMAN3 Overview
SYSMAN3 is the HNG-X Enterprise Management solution which manages approximately 30,000 counters
(Managed Agents) in Post Office Outlets and another 250 Data centre Campus based Servers.

The products include applications which provide access for both users and administrators; some of these
applications are accessed via web browsers such as Internet Explorer, whereas others provide specific
desktop applications using technology such as Java.

Access to all SYSMAN3 applications will be via the SSN (Secure Access Server) platforms. These are
dedicated Windows 2003 servers running Terminal Services which provide secure access to all of the data
centre platforms. All users who require access to SYSMAN3 applications will need to connect to the
appropriate SSN platform and logon using their Active Directory username and password.

4.2.2.4 Tivoli Management Framework (SYSMAN)

Management comprises 3 key components: Active monitoring with IBM Tivoli Monitoring, Event alerting with
Tivoli Netcool, Software Distribution with Tivoli Provisioning Manager and Software Distribution with
TEM (Tivoli Endpoint Manager) to the counter estate.

The environment can be split into several layers.

Agent level — agents exist on Servers and Counters, either the initial receptor of a system fault or the target
for data distribution or a system request.

Comms level - Server processes that provide distributed services to higher level management services and
load balancing gateway communications between agents and applications. (e.g. EFS)

Collection level — Focal point processes for Monitoring and Event data (e.g. EMM, EES)

Management level — Services providing User Authentication, Storage of Monitoring and Event Data,
Administration, Business Process triggers and execution of Software Provisioning (e.g. EMS, EPM, EDS &
TEM)

User Level — Top level Data Reporting facilities and browser based views of Events and System status.
(e.g. EMD, EUI, EAS, ERP)

4.2.2.5 System Management Platforms
The platforms required to support monitoring may not be dedicated to a single function, but may also host
other software functions within the System Management architecture.


The software applications to be hosted on the platforms are shown below:

| Platform Name | Software Application |
|---|---|
| EMM | System Enterprise Monitoring Server |
| EUI | System Enterprise User Interface Server |
| EMD | System Enterprise Monitoring Display |
| EES | System Enterprise Event Server |
| EAS | System Availability Server |
| EFS | System Enterprise Fan-out Server |
| EDS | System Enterprise Database Server |
| TEM | Endpoint Manager |

The EMM and EUI platform instances together form the ITM environment.
The EED, EMD and EFS platform instances will provide the Object Server layers and Proxies for the Tivoli
Omnibus event solution.

The EAS platform instances provide the Business Service views Real Time Active Dashboard (RAD).

The EDS platform instance provides the Oracle RDBMS for the SYSMAN solution.

The TEM platform instance provides the software distribution to the counter estate.

4.2.2.6 Event & Systems Monitoring

The Systems Management Service provides event and systems monitoring of both the Branch
Infrastructure and HNG-X Central Infrastructure. Events are the indications of conditions that have
operational significance to either the Branch Infrastructure or the HNG-X Central Infrastructure. They
include Software, Hardware or security conditions that may require investigation and also include
occurrences of particular, repeated events, for example, a low battery in PIN Pads. Investigations will
involve either other relevant Operational Services or a defined recovery procedure.

Operational platforms have performance monitoring Software installed and this is available to the Systems
Management Service to enable systems monitoring to take place.


The following diagram highlights the location of the agents; the Campus Server agents are also installed on
all SYSMAN3 platforms.

Figure 9

4.2.2.7 Fujitsu Network Management Systems (NMS / NNM)
HP OpenView, Cisco Works and a number of diagnostic probes are located in each Data Centre.

The NMS also monitors the Branch network via the Branch router. The network is treated for management
purposes as entirely Production, with isolated areas of testing. This is to ensure that the secondary site
network is always ready to act as the DR target.

HP OpenView gathers SNMP events from network equipment, filters the events, and forwards them to Tivoli
(SYSMAN). OpenView also actively probes for managed devices, such as servers, and raises an alert if the
server cannot be contacted.


The NMS is accessible by different teams, including the SMC (India) and the Network Support team
(Warrington); therefore, in the event of a connectivity problem affecting any one team, monitoring is still
possible.

The Network Management System comprises a set of software applications hosted on various platforms
and appliances. They are shown below:

Platform Description ‘Software Application Platform Operating
Type ‘System
NMN HP Open View HP Network Node Solaris 10
Manager
New Cisco Works LAN Management Solaris 10
Solution
NFM Cisco Security Cisco Security Manager Windows 2003
Manager
Fabric Manager
NPC Wireshark Windows 2003
(Appliance)
sys Syslog Server Syslog-NG Red Hat Enterprise

Linux

4.2.2.8 Real Time Active Dashboard (RAD)

The Tivoli Netcool Real time Active Dashboard (RAD) is used to provide a real time GUI view of the HNG-X
Business Processes, primarily used by the SMC during systems monitoring. In addition information is
available for the Service Desk, Service Management and the SSC.

The Business Service Views are intended to give a high level indication only of the status of all of the
HNG-X Services using a selected subset of the events produced by those Services. Low level detailed event
information will be maintained by the various Component Management Systems and also can be accessed
either by the Netcool AEL (Active Event List) or via Tivoli Reporting tools against the ERP.

4.2.2.9 Software Distribution and Asset Management

TPM 5.1 supports software distribution using two separate methods, Framework and workflow based. The
Framework based distribution is updated from the earlier versions of TCM; both methods will be used within
SYSMAN3 for ‘Horizon Online’. The workflow method is a TPM facility to allow single or low concurrency
actions and will be used for immediate updates and Branch Router updates.

In all cases the package that is delivered will have been pre-prepared to allow a number of functions;
whatever occurs in the distribution and installation scripts is not directly a property of the underlying
infrastructure. TEM supports distribution and installation via its Relay structure to ensure single delivery over
slow links. The fixlet that defines the installation applies the fix when it is relevant (time, product
dependencies etc.).

TEM based distribution:

Tivoli Endpoint Manager's architecture for software distribution uses a single Central Server (TEM Server)
connected via a hierarchy of TEM Relays to endpoints running the TEM Client; the Relays ensure that
packages for distribution only make a single traverse of the path between any two relays. The positioning of
the Relays can be automatic, using network query to find the best route, but in the solution for ‘Horizon
Online’ the relays will be pre-determined and configured manually to ensure best fit for the unusual
demands of the estate.

The only software distribution method available in TEM is a ‘PULL’ paradigm where the TEM Client is
informed of potential actions and pulls the software through the Relay structure. An apparent ‘PUSH’
paradigm is achieved by the TEM server sending out a UDP prod to every target involved when a
distribution action is taken in the TEM Server; the receipt of this prod causing the Client to evaluate and
update software as relevant.

The TEM architecture will conform to the ‘Horizon Online’ architecture with TEM server and the TEM relays
being in the ‘active’ Campus. Fallback for failing servers is on a plus one basis, with defined DR being
achieved by moving the complete solution to the alternative Campus. However, TEM relays will be
configured with primary, secondary and tertiary routes, ensuring alternative paths during most ‘single point’
failure scenarios.

At the endpoint, the TEM Client must be installed. The TEM Client together with the related central service
provides authentication, secure communication and endpoint operations. TEM Relays may be activated on
any TEM Client, so within the Branch estate Relays will be defined in some of the Branch Counters. The
TEM Client runs continually within every endpoint and ensures conformance to policy while collecting
change data which is relayed back to the TEM Server. The TEM Client also performs operations on behalf of
TEM server, providing its functionality through ‘fixlets’, ‘policy’ and ‘tasks’.

The term ‘fixlet’ defines a set of steps that are taken each time the fixlet is inspected. These steps include
inspection for the relevance of the fixlet and actions that must be taken to correct the situation. Once the
situation is corrected the fixlet is no longer inspected. This is usually associated with the delivery and
installation of software updates.

The term ‘policy’ defines a similar concept to the fixlet, but the policy is continually inspected even after
corrective actions have been taken. This is usually associated with actions taken to ensure ongoing
compliance with a standard. The term ‘task’ is similar in concept to the ‘fixlet’, but associated with actions to
be taken on single, or groups, of endpoints rather than globally. An example may be to start a service on a
single counter.

The TEM server includes a database instance that records all actions and endpoint acquired data. All
managed endpoints run the TEM client and configured endpoints also run the TEM Relay. All software to be
installed is held in a private cache within the Relays as a SHA1 file; at installation time it is transferred,
unpacked and validated into the Client cache from where any installation process is run by the Client.
Packages will be received from Configuration Management into the NAS interface; TEM policy will pick up
the new packages and introduce them and associated default fixlets to the TEM Server. Actions taken in
response to Release Management instructions will ensure that the packages are delivered to relevant TEM
Relays and subsequently installed.
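
The fixlet and policy behaviour and the relay cache validation described above, as an added simplified model (not TEM's own code or API): a fixlet stops being inspected once it has corrected the endpoint, a policy keeps being inspected, and a package is installed only if its content still hashes to the SHA-1 name it is cached under. The class names, the installed-software map and the reading of the relay cache as digest-named files are assumptions.

```python
import hashlib
import hmac


def sha1_hex(data):
    # SHA-1 mirrors the plan's wording; it catches corruption and substituted
    # content but is no longer collision-resistant.
    return hashlib.sha1(data).hexdigest()


class RelayCache:
    """Stand-in for a relay's private cache: content stored under its digest."""

    def __init__(self):
        self.files = {}

    def add(self, data):
        name = sha1_hex(data)
        self.files[name] = data
        return name


def fetch_validated(cache, name):
    """Return a cached package only if its content still hashes to its name."""
    data = cache.files[name]
    if not hmac.compare_digest(sha1_hex(data), name):
        raise ValueError("cached package does not match its SHA-1 name")
    return data


class Fixlet:
    """Relevance check plus corrective action, retired once it has corrected."""

    keep_inspecting = False

    def __init__(self, product, version, package):
        self.product = product
        self.version = version
        self.package = package      # SHA-1 name of the package in the cache
        self.retired = False

    def relevant(self, installed):
        return installed.get(self.product) != self.version

    def inspect(self, installed, cache):
        """One inspection cycle against an endpoint's installed-software map."""
        if self.retired:
            return "not inspected"
        if not self.relevant(installed):
            return "not relevant"
        fetch_validated(cache, self.package)    # raises before any install
        installed[self.product] = self.version  # stands in for the installer
        self.retired = not self.keep_inspecting
        return "applied"


class Policy(Fixlet):
    """Same steps, inspected on every cycle to hold the endpoint at a standard."""

    keep_inspecting = True


def demo():
    cache = RelayCache()
    package = cache.add(b"constructed package contents, version 2")
    counter_a, counter_b = {"app": "1"}, {"app": "1"}
    fixlet = Fixlet("app", "2", package)
    policy = Policy("app", "2", package)
    results = [fixlet.inspect(counter_a, cache), policy.inspect(counter_b, cache)]
    # Both counters are rolled back outside the tool's control.
    counter_a["app"] = counter_b["app"] = "1"
    results += [fixlet.inspect(counter_a, cache), policy.inspect(counter_b, cache)]
    # The cached content changes; the next install attempt must be refused.
    cache.files[package] = b"altered contents"
    counter_b["app"] = "1"
    try:
        policy.inspect(counter_b, cache)
    except ValueError:
        results.append("rejected")
    return results, counter_a, counter_b


if __name__ == "__main__":
    print(demo())
```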

TEM Relays are configurable to allow bandwidth control and to only take actions in relevant time windows.

Workflow based Distribution and installation:

TPM supports workflows, which are essentially scripts or programs that run under TPM control but with
interface to the TPM Data Model.

The TPM Data Model is a database schema supported on a Database server; this records all software
distribution actions taken by TPM as well as holding a software inventory of all deliveries via TPM.

Standard workflows are provided with TPM and new ones can be easily added.


Workflows will exist to install packages in rpm and msi format, and also in SPB format; this means that the
standard software packages released from configuration management can be distributed and installed by
workflow.

The user will simply use the TPM GUI to make the requests which are added to an activity queue within the
data model; the relevant workflow will process these requests.

This form of distribution will be used for ‘one-shot’ updates. It will also form the basis of Branch Router
update since it is the only facility that can work in an endpoint agent free environment.

The infrastructure that supports this form of activity is the TPM server with its Database and a method of
authentication on the target device (TCA for platforms, telnet, ssh, scp etc. for agent free). It should be
noted that the TCA is only installed in HNG-X compliant Campus Platforms and that the agent free methods
are only supported within the Branch Router. This means that workflow based distribution is only available
to Campus Platforms (excluding those running Windows NT or Solaris 8) and Branch Routers.

The following will be required for PUSH or PULL distributions:
A method for targeting a specific software package at any portion of the managed estate, to include:

* pilot distributions
* subset of targets based on branch specific criteria e.g. number of counters, location, etc.
* subset of targets based on network considerations e.g. Satellite only
* control of targets based on the software inventory
* control of targets based on general database queries, where the node name is a property or linked property of the database tables queried
* whole estate

Other controls include:

* Maximum retries

* Priority control

* Specified timed windows, to include distribution only, installation only, both, no use.

* Knowledge of how long an action takes to ensure window closures are not overrun

* Cancellation of PUSH distributions, which should stop at the earliest possible moment. It
will not be possible to stop an installation that has already started.

* Control Maximum network usage from any Relay.


Figure 10
Software Distribution Infrastructure

4.2.2.10 Remote Access and Diagnostics

All support staff connect to Secure Access Servers (SAS) resident in the data centre using workstations at a
defined software level as the only point of access. The connectivity may be from Corporate LAN or from an
extension of the Campus LAN. In the Corporate LAN case a Corporate build workstation with a fixed IP and
secure certificate will be used. In the extension Campus LAN case a formal POA workstation build is
required.

The connect route may be from Fujitsu sites or Out of Hours from home locations. There will be specific
challenges en route depending on the locale of the workstation.

At the SAS the user will be authenticated according to the Identity Management System that incorporates 2
factor authentication and results in the user being legitimised to operate in a defined role.

The SAS provides onward access to data centre platforms and the branch estate using 3rd party COTS
product management interfaces and audited client access via proxies (for example SSH client or System
management Tivoli).

When accessing the platforms, the role of the calling user is used to determine access to the Operating
system, file systems, databases and applications.

There are three SSN Servers in each data centre to provide resilience (six in total).


Figure 11
Overall infrastructure showing onward access via SSH

Onward access into the System Management framework provides its own role paradigm that mediates
access to Tivoli objects and functionality. The Tivoli functionality covers all facets of software distribution,
monitoring and tasks.

As well as traditional Framework based tasks there are also workflow tasks available through TPM; these
allow agent-less access to the Branch Router as well as agent based access to other platforms.


Figure 12 — System Management framework solution below illustrates the TPM workflow access entered off
the SSN Server, via the EPM, which passes through the management platform to reach the server, counter
or branch router that is the target of the management operation.

The system management framework is discussed in detail in ARC/SYM/ARC/0004.

Figure 12
System Management framework solution


Figure 13 - TPM workflow access solution

4.2.2.11 Time Synchronisation

The first stratum is the primary time source, being a highly reliable GPS (Global Positioning System)
satellite network. A data centre resident GPS time server uses a rooftop antenna to receive signals from the
satellite.

The secondary stratum is the data centre which contains all the server platforms and network appliances.

These platforms poll the primary time server and request the time in UTC (Coordinated Universal Time)
format. The NTP (Network Time Protocol) product on the platform is configured to achieve millisecond
accuracy but will also protect against large clock shifts in a single request after the first synchronisation on
reboot.

If the GPS primary time server is not available then the server automatically switches to an alternative
primary time server.

If the alternative GPS primary time server is also not available then the server uses another server in the
stratum as the primary time source.

The third stratum includes all Active Directory Clients including subdirectory controllers. The subdirectory
controllers act as time sources for all of their Windows based clients and will technically be stratum 2+. All
Windows based workstations, irrespective of physical location, will be served by the Active Directory
Domain to which they belong.

The fourth stratum is the branch estate and any servers on client sites that are owned and managed as
part of the HNG-X solution. For example the latter class includes file transfer platforms.

The branch estate uses NTP to synchronise with one of a set of nominated servers within the data centre.
The period of polling and the selection of server for a branch will be based on an algorithm such that each
counter can keep their clock accuracy within seconds, with a defined level of network quality of service.

The servers on clients’ sites use the same architectural solution as the branch estate. The polling interval
though may well be constrained by the nature of the network connection to the data centre. For example, it
may be a dial-up connection which is charged per connection.


Any time-synchronisation request in the estate that results in a clock change will generate an event
message that is forwarded to the data centre and into the long term audit. Clock changes in the data centre
are also audited. The audit provides ancillary evidence to fraud enquiries where the transactions have
been logged with the local clock value.

Figure 14

Time synchronisation infrastructure

Details of the time synchronisation solution will be found in the following document: DES/NET/HLD/0013

4.2.2.12 High Level Scheduling

The TWS scheduling product provides an enterprise level functionality derived from the Horizon Maestro
solution:

All access to the scheduling system is role based and that role definition shall include capat
functions by role (e.g. a monitoring role that has no change capability)

Details of the scheduling solution can be found in DES/SYM/HLD/0016 and DES/SYM/HLD/0025

4.2.2.13 Enterprise Boot Server (EBS)

The EBS (Enterprise Boot Server) currently provides a ‘bootstrapping’ facility to enable the automated
installation of operating systems onto the target hardware. It does this by providing Jumpstart
capabilities for Solaris deployment, NFS shares for Linux kickstart deployment and Samba shares for
Windows unattended deployment. It also runs scripts to generate the platform configurations. The EBS
function will now be provided by the BSS and BSL servers since the current EBS is being
shared across rigs, which is a security risk. The EBS also does not have sufficient capacity to enable the
provision of newer versions of Operating Systems. The removal of the EBS server will also reduce the
hosting and support costs.

To overcome the issues the existing BSS (Solaris Backup Service) will be used to provide the required
jumpstart service and the Solaris media files used during the jumpstart process. The BSL (Linux Backup
Service) will be used to provide the NFS shares required for the Red Hat builds and SAMBA shares for
the Windows builds.

Resilience for the LIVE boot servers is provided already since there are already two BSS and two BSL
servers in LIVE, one in IRE11 and one in IRE19 which provides redundancy in case of any failures at
either site. There will also be a share, BFDR, created from BSL1 and BSL2 (Production only) and the
Bladeframes will dump to BSL1 and BSL2 /export/pan_failover.

This area will be committed to tape as part of the standard BSL backup which is currently not possible
in the existing environment.

There will be no redundancy for the SV&I and LST environments.

Bladeframe PAN Manager functionality is also used to aid platform foundation provisioning within the
Bladeframe.

The platform foundations are deployed by running scripts on the BSS and BSL servers and PAN Manager
(for servers located on the Bladeframe). These scripts are called by the Tivoli Provisioning Manager


System state after yet to be defined CPO808 still using Tactical DXT


Figure 15 Bootstrap Process

4.2.2.14 Server Provisioning

joning Manager (TPM) product is use« jing platforms from the base hardware when
provide facilities to equip a native hardware platform with an operating system image, personalise the
image, and then layer middleware and application packages using the same software distribution
technology and packaging as incremental updates to a live platform.


It should be noted that within the Bladeframe the native build from image may utilise Bladeframe PAN
Manager scripts rather than build from image.

The delivery results are stored in a persistent inventory and reports or displays are available through the
standard product, and customised reports can be generated.

4.2.2.15 Service Monitoring

This is performed by event flow; events may be collected in both an active and passive manner, and alerts
may be created by sampling, aggregating, correlating or applying other rules on the raw incoming events. The
Tivoli Netcool RAD (Real Time Active Dashboard) product, which uses a GUI interface, is configured with
the business rules required to map such events into business services, and samples the event and alert
flow to display the required information.

The services monitored in this way include services offered by SYSMAN3 itself (e.g. software distribution,
event flow etc.) as well as mapping business applications (e.g. NBX, DVLA etc.).

4.2.2.15.1 Active Monitoring

Active monitoring is achieved by agents looking for known stimuli and raising events via the relevant Event
Logs. This may take the form of in-built functions (e.g. processor utilisation > 80%, service X not running) or
bespoke applications (e.g. script to confirm connection to URL).

In some cases the event flow may be through ITM to the managing system, where it will then be directed
into the main event flow.

Active monitoring is available in the branch estate via the ITM Universal Agent. Active monitoring is
available in the campus estate via the ITM Universal Agent and the ITM Operating System Agent. These
are supported by a full ITM structure (TEMS and TEPS). Other agents are also employed for specialised
monitoring (e.g., Oracle database).

The IBM Tivoli Monitoring (ITM) suite of programs will be used for active monitoring.

4.2.2.15.2 Passive Monitoring

Passive monitoring is the process of collecting events that are already created wit
in the UNIX Syslog or Windows Event Log etc.). Such events may then be analysed and forwarded to a
central repository as required.

The events may be categorised, aggregated and potentially correlated at the event source; by this means it
is possible for events to contain a varying criticality status. It is also possible to detect duplication and
excessive flow from a particular source and perform flow control and/or event replacement.

4.2.2.15.3 Event Processing

The events selected, after the rules are applied at the source, are forwarded through the network
infrastructure to an event collection layer which is defined as an event sink. The others will remain in the
underlying source but are not forwarded.

When circumstances are such that the Tivoli event probe cannot forward the event (e.g. Network failure
etc.) the events will be cached and forwarded later.
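
The source-side behaviour described in 4.2.2.15.2 and 4.2.2.15.3 (rules applied at the source, duplicate detection, flow control with event replacement, and caching when the probe cannot forward) can be sketched as follows. This is an added illustration, not Fujitsu's or Tivoli's code or configuration; the Probe class, its thresholds and the sample events are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float       # seconds since an arbitrary epoch
    source: str     # platform that raised the event
    ident: str      # event identifier in the source log
    severity: int   # 1 (informational) to 5 (critical)
    text: str


class Probe:
    """Hypothetical source-side probe: rules, de-duplication, flow control, cache."""

    def __init__(self, send, min_severity=3, window=60.0, max_per_window=3,
                 cache_limit=1000):
        self.send = send                    # callable(Event) -> bool; False means link down
        self.min_severity = min_severity
        self.window = window
        self.max_per_window = max_per_window
        self.cache = deque(maxlen=cache_limit)  # bounded: oldest entry is lost when full
        self.last_seen = {}                 # (source, ident) -> ts of last non-duplicate
        self.recent = {}                    # source -> timestamps selected within window
        self.flooding = set()               # sources already replaced by a summary event

    def handle(self, ev):
        # Rule 1: low-severity events remain in the source log and are not forwarded.
        if ev.severity < self.min_severity:
            return "not-forwarded"
        # Rule 2: the same event from the same source inside the window is a duplicate.
        key = (ev.source, ev.ident)
        prev = self.last_seen.get(key)
        if prev is not None and ev.ts - prev < self.window:
            return "duplicate"
        self.last_seen[key] = ev.ts
        # Rule 3: flow control per source over a sliding window.
        times = self.recent.setdefault(ev.source, deque())
        while times and ev.ts - times[0] >= self.window:
            times.popleft()
        times.append(ev.ts)
        if len(times) <= self.max_per_window:
            self.flooding.discard(ev.source)
            return self._deliver(ev)
        if ev.source in self.flooding:
            return "suppressed"
        # Event replacement: one summary event stands in for the excess flow.
        self.flooding.add(ev.source)
        self._deliver(Event(ev.ts, ev.source, "FLOW-CONTROL", 4,
                            f"excessive event flow from {ev.source}"))
        return "replaced"

    def _deliver(self, ev):
        self.flush()                        # keep ordering: older cached events go first
        if self.cache or not self.send(ev):
            self.cache.append(ev)
            return "cached"
        return "forwarded"

    def flush(self):
        sent = 0
        while self.cache and self.send(self.cache[0]):
            self.cache.popleft()
            sent += 1
        return sent


def demo():
    """Replay constructed sample events through a probe whose link drops and recovers."""
    received, link = [], {"up": True}

    def send(ev):
        if link["up"]:
            received.append(ev)
        return link["up"]

    probe = Probe(send)
    script = [  # (link state, constructed event)
        (True, Event(0, "counter01", "1001", 2, "service started")),
        (True, Event(1, "counter01", "2001", 4, "service X not running")),
        (True, Event(5, "counter01", "2001", 4, "service X not running")),
        (False, Event(10, "counter01", "2002", 5, "disk failure")),
        (False, Event(11, "counter01", "2003", 3, "URL check failed")),
        (False, Event(12, "counter01", "2004", 3, "processor utilisation > 80%")),
        (False, Event(13, "counter01", "2005", 3, "retry limit reached")),
        (True, Event(80, "counter01", "2001", 4, "service X not running")),
    ]
    statuses = []
    for up, ev in script:
        link["up"] = up
        statuses.append(probe.handle(ev))
    return statuses, [e.ident for e in received]


if __name__ == "__main__":
    print(demo())
```

Events that fail the severity rule never leave the source, and the cached events are delivered in their original order ahead of the first event seen after the link recovers.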

Within the event sink it is possible to carry out further aggregation, de-duplication and correlation of events
received from different sources. By providing a single sink it is possible for all current events to be in context
at the same time. This allows alerts to be created from events.

The events received at the sink are passed into an Oracle database to allow for an event audit trail,
statistical analysis and historical event searching over a controlled period.

The events received in the sink are optionally forwarded to two separate display layers:


* An event viewer, where any event of sufficient criticality may be viewed.

* A business service monitor, where combinations of events and alarms are configured to display the health of
each business service.

Using the above it is possible for support staff to see the underlying cause of problems and also to be
alerted to problems that are affecting the service.

For example it may be possible that the loss of a single server will not stop any business service, but will
either affect its performance or resilience; in such a case the combination of service monitoring and an
event viewer allows support staff to be alerted and to take the necessary corrective actions.

It should be noted that such monitoring action does not rely on the events held in the Oracle Database.

4.2.2.16 Branch Agent
The ITM agent that is used within the branch estate is the Universal Agent.

The HNG-X Branch solution is configured to send data to the data centre; this will be achieved by writing to
the NT Event Log to allow data to be forwarded via passive event monitoring.

This solution allows monitoring and optional restarting of services in the branch estate with events returning
via the event management infrastructure.

4.2.2.17 Campus Agents
In the Campus both the Universal Agent (UA) and the Operating System (OS) agent are deployed.

A full Tivoli Enterprise Management and Tivoli Enterprise Portal infrastructure is deployed as illustrated in
the following diagram, where the TEMS layer receives events from the agents and the TEPS layer is
responsible for correlation and display.

[Figure 16: ITM Solution]

It should be noted that the Data Warehouse mentioned above is an internal function of the ITM software.

4.2.2.18 Related Actions

ITM allows a series of events or stimuli to be defined as ‘situations’. It is possible for the structure to take
actions based on events received and the defined ‘situations’.

4.2.2.19 Event Management Infrastructure

This is based on the Tivoli Omnibus suite of products. The event collecting agent is referred to as a Probe
and all Probes are configured in ‘store and forward’ mode to ensure reliable event delivery.

4.2.2.20 Branch Counter

Within the branch estate events are collected via the Windows Event Log. All applications write exceptions
and potentially positive information to the log; a Tivoli NT Event Probe receives all events from the
Windows Event Logs and passes them through a rule set to decide on forwarding. The Probe is compatible
with both Windows NT and XP.

[Figure 17: Event Management Infrastructure - Branch]

With reference to the illustration above:

There are enough Proxy Probes to ensure that no Proxy Probe has more than the maximum supported
number of Tivoli NT Probes sending events to it.


The collection layer accepts all events from all Proxy Probes and writes them to the Oracle database as an
historical archive.

The collection layer and its Oracle database write all received events to serial files as an audit trail and
allow searches on raw events received.

A subset of events, those requiring the attention of support groups, are passed to the aggregation layer.

Both web and console access are offered to view these events, access to the relevant option being user
and role based.

Event updates from the consoles are written back to the aggregation layer, to ensure that event data is
coherent for the user but not re-written to the audit and archive databases.

4.2.2.21 Branch Router Events
HNG-X branches have a Branch router to control communications.
The router can forward data, which can be seen as events, in two ways:

Local Events — Syslog messages from the router are directed on the local branch LAN and are picked up
by a CNIM process in one of the counters in the branch; this process writes events to a local log file and
any events it considers for forwarding to the NT Event Log.

Remote Events — Syslog messages from the router will be directed over the WAN to be picked up by the
relevant Network Management system.

As well as simply forwarding events received from the router, the CNIM activity also processes the events it
receives to determine Quality of Service metrics and generates its own events, to inform of changes in base
communications etc.

Other events pertaining to the Branch router are received from the Estate Management Boot Platform,
whi joning of the Branch router and
forwards information about initial provisioning, registration and inventory, as events.

It should be noted that certain events from the Branch router, via NT Event Log, or the Boot Platform have
significance that must be interpreted by rules in the event receiver, and relevant actions taken.

An example of this is during Branch Router provisioning when events are sent from the Boot Platform via
the Microsoft Event Log. These events contain details of the Branch Router including its name, Branch
Code, Serial Number, interface serial numbers, GSM PID, QOS etc.; event rules are applied to add the
Branch Router managed object to the TPM Data Model and to update its inventory with the specific data.

4.2.2.22 Campus Events


As well as an event flow like the branch estate the campus also receives events from sources such as ITM,
SNMP, text files etc.

[Figure 18: Event Management Infrastructure - Campus]

With reference to the illustration above:

Probes may talk direct to the Object Server collection layer or via a Proxy Probe; this will be configured to
ensure that the Object Server does not exceed its maximum connection limit.

Although Campus Platforms are shown as directly connected to the Object Server, a Proxy Probe may be
introduced if the number of Platforms threatens to exceed the Object Server connection limit.

A number of Probes are used to accept events from sources such as SNMP, Oracle, Sysco, text files,
Windows Event Logs etc.

The collection layer accepts all events from Proxy Probes and Probes and writes them to the Oracle
database as an historical archive.

The collection layer and its Oracle database write all received events to serial files as an audit trail and
allow raw event searches by SQL query if required.

A subset of events, being those requiring the attention of support groups, are passed to the aggregation
layer.

The aggregation layer and its Oracle database offer a reporting interface on significant events.

Event updates from the consoles are written back to the aggregation layer, to ensure that event data is
coherent for the user but not re-written to the audit and archive databases.

Business system views are provided by the RAD layer. Its rules are configured to access the events by
query into the aggregation layer, providing service and component views.

The structure above allows the receipt of Campus events from any event raising source.


4.2.2.23 Links to Known Error Logs (KELs)

Certain events may already have been considered and known error log entries may have been raised to
describe the cause and possible remedy for such an event. Mechanisms are provided to display, on
request, any known error log entries for a particular event or alert; these, by their nature, are requested
processes.

4.2.2.24 Related Actions

Rules are applied to events for correlation and/or aggregation in collection and aggregation layers. As well
as altering the state of events or raising alerts from events the rules can call external programs or scripts to
allow reaction to events.

4.2.3 Operational Business Branch Change (includes OBC) Management / Estate Management Service

4.2.3.1 Branch Change Management (includes OBC) Overview

Branch Change Management changes are delivered to the OBC Team (Outlet Business Change - based in
Crewe CRE02) from the Post Office, and by Customer Services in response to changing Network Service
costs. OBC operations are implemented in the Branch Change Management System (CMS).

Changes are to the physical branch estate and include such requests as:
(a) Branch closures;

(b) Branch openings;

(c) Branch re-locations;

(d) Branch refurbishment;

(e) Counter Position increases;

(f) Counter Position reductions;

(g) Branch conversions;

(h) CPU relocations;

(i) Exchange of fixed Counter Positions with Portables and vice versa;

(j) ADSL porting service;

(k) Emergency re-openings; and

(l) POMS installation and removal.

The overall workflow of an OBC change can be summarised as follows:

To acknowledge and enter the OBC change into a scheduling system. To provide requests to any
necessary external parties to provision the OBC change. To schedule the timely update of any Data Centre
application's configurations that are impacted by the OBC change (this may for example require adding or
removing Branch Authentication data). The timely and automatic provision of any new or changed
personalisation data for the Branch router and/or counter affected by this OBC. The automatic installation of
the personalisation data at the time of any physical installation of the counter and/or Branch router
associated with this OBC. The provision of invoicing to Post Office. The ability to report on the progress
and/or change an existing OBC schedule in accordance with agreed policy.

* The update of central configuration repository such that the support staff always have an accurate view of
the status of a Branch.

* To respond to and action (where feasible) amendments to the OBC request by Post Office.

For more information see OBC Branch Change Service (SVM/SDM/SD/0014).

4.2.3.2 Estate Management Overview

HNG-X Estate Management comprises:

The management, registration, storage, and the supply and installation, of permitted configuration
information for Post Office branches and their equipment.

Some items of equipment e.g. the PinPad and items of Branch Configuration data e.g. the office trading
hours, are delivered by business application functionality or Reference Data. Current relevant equipment
includes the counter and branch router.

4.2.3.3 Main Components
The following diagram Figure 20 summarises the main components:

[Figure 20: Estate Management Target Architecture]


The red lines identify the scope of Estate Management.

The key points:

* BCMS, the Branch Configuration Management System, is hosted in a resilient workflow server
configuration positioned within the Fujitsu Services Corporate Network providing change management
facilities into the Production Environment for the OBC team and managing internal and external
suppliers, scheduling, customer requests, billing and invoicing. It contains processes, rules and links to
external suppliers that fit within the Corporate Business environment rather than a strictly change
controlled production environment.

* EST, the Estate Management Database and web Services platform, the repository for permitted branch
configuration items comprises 3 elements:

* The EMDB Database, a flexible repository for configuration data stored in a metadata based schema.

* MTAS, the MID/TID Allocation Service, provides branch and terminal identity information used in Debit
Card transactions.

* Web Services Layer, services EMDB Endpoint Clients with configuration information from the EMDB
database.

* EMDB endpoint Clients, these comprise systems that require EMDB data to maintain current information
on branch estate configuration and include counters in live operation.

* Boot Platform - this provides the means to deliver personalisation data to Gold Build Branch Routers or
Counters; these contain configurations and applications on the Counter that initiate the installation
process.

* Counter Auto-configuration - is the set of components resident in a counter that is invoked when the
counter is first installed. It calls into the data centre to a peer Auto-configuration component (on the
Boot Platform) and after authentication it is provided with its personalisation data which it applies to the
counter subsystems that require dynamic configuration.

* Branch Router Auto-configuration - is the set of components that is invoked when the router is first
installed. It calls into the data centre to a peer Auto-configuration component (on the Boot Platform) and
after authentication it is provided with its personalisation data which it then applies.

4.2.3.4 Estate Management Systems
In the Data Centre (IRE11)

* EMDB Server - Estate Management Database Server — the Registration Authority for the management
and storage of the Permitted Branch Estate Configuration data at the Infrastructure level.

* Boot Platform - Part of the Auto-configuration solution for the installation and spares replacement of
Branch Routers and Counter PCs.

In the Corporate Domain
* BCMS Server - Branch Change Management Server hosting a Fujitsu BPM instance (BRAQ1 & LEW02)


* EMDB Users, BCMS Client Workstations (using a Web front-end) in CRE02 are used to deliver changes
to EMDB.

Within Branches the target systems that are subject to AutoConfig processes are:

* Branch Router - Uses Branch personality data supplied by Estate Management via the AutoConfig
process.

* Counter - Uses Branch personality data supplied by Estate Management via the AutoConfig process.

The diagram below, Figure 21, shows a simplified network diagram overlaid with external data flows for
ESTATEMAN2:

[Figure 21: Network Diagram — overlaid with external data flows for ESTATEMAN2]

4.2.3.5 Estate Management Operations
The functions are:

* Add (open) Branch.

* Add an item of equipment (e.g. counter).

* Remove equipment.

* Close Branch.

* Change an equipment attribute.


4.2.3.6 System Operations

* Day -10 operations are limited to the supply of MTAS Service data to Streamline, via Post Office
supplying Merchant and Terminal Identifiers.

* Day -1 operations for the majority of Branch operations; these are supplied into EMDB every evening by
BCMS and represent the operational state for the Branch Estate for the following day. This operation is
scheduled by BCMS for 19:00 hours every evening.

* Real time operations are instigated by BCMS for contingent purposes such as remedying incorrectly
managed change or accommodating late change or system malfunction.

4.2.3.7 Estate Management interfaces

The data flows and their associated interfaces are as follows and are documented in DES/SYM/IFS/0003
EST Interface Specification.

EMDB has a view of Reference Data from the Branch Database; it also has legacy views from RDMC
(MTAS).

* EMDB supplies interfaces for clients to invoke services:

* Boot Platform (Counters)

* Boot Platform (Routers)

* Boot Platform (Radius)

* SYSMAN3 (Routers)

* SYSMAN2+ (Counters)

* Radius Servers

* BCMS Use Cases

* Estate Management delivers material or triggers actions

* MTAS data deliveries MID/TID mappings to the Debit Card Agents via shares scheduled by TWS.
* MTAS data deliveries to Streamline via POL.

* SYSMAN3 TPM - Router Registration — Inventory reported via Windows Events from Boot Platform

* Branch Database — EMDB delivers current operational view & Reconciles reference data derived
information.

4.2.3.8 Estate Management Server (EST)

The Estate Management Database (EMDB) is based on a single SQL Server in IRE11, and is a combined
database and set of tools (stored procedures, triggers). The EMDB is the registration authority for the
permitted Branch Estate values; other values used in production of configuration data for endpoint
components are taken from other sources, primarily Reference Data.

Change data is injected into the EST by BCMS; this triggers the EST to generate all updates to relevant
data.

4.2.3.9 EST Endpoints


The EST Endpoints are predominantly provided by Java clients that retrieve endpoint information from the
EST via SOAP calls.

The following table indicates in summary the Endpoints:

| Endpoint | Topic Architecture | Data |
|---|---|---|
| Branch Database | Branch Database | Branch codes and IP addresses. Advance notification of opening/installation dates. |
| NNM | Network | IP Address data |
| DNS | Network | IP Address & name data |
| RADIUS | Network | Branch codes, IPs, BR Serial number and CHAP data. |
| Boot Platform | Estate Management | RCFs, BSFs |
| Live Counters | Counter | Numbers of counters, NST data, provisioned via BAL |
| RDDS | Reference Data | Numbers of Counters. |
| SYSMAN3 | Systems Management | RCFs |

Estate management Endpoints

4.2.3.10 EST Endpoint Clients

These are the target systems for the configuration material; there are three types of Estate Management
endpoint client Equipment.

* Branch Equipment - Routers, counters and future branch equipment are provisioned by the Router
BootServer Service on the Boot Platform. Note that once the Router BootServer Service registers the
details of the Branch Router with SYSMAN3, the router is subsequently managed by SYSMAN3 (TPM).

* Network Equipment - Network infrastructure such as DNS, NNM and the LNS routers need to know about
counter and branch router IP addresses for monitoring, diagnostic and directory purposes.

* Data Centre Equipment - RDDS has a requirement to be aware of the status of opening and migrating
branches and must therefore know in advance (day -1) of their intended opening.

4.2.3.11 Boot Platform

The Boot platform exists to support the provisioning of new Branch Router equipment into Branches. It
hosts the following functions:

* The Radiator RADIUS Service which consists of a suite of customised PERL Scripts that support the
Branch Router AutoConfig processes. Router Boot processes are triggered following successful
authentication of a connection request to the boot radius by a Gold Build Router.

* Branch Router Boot Server Service.
* This is triggered by the Radiator RADIUS Service and configures the Branch Router.
Boot Platform functionality is described in DES/SYM/HLD/0037 “Autoconfig HLD”.


4.2.3.12 Boot DMZ

The Boot Platforms reside in a single Boot Domain DMZ (De-Militarised Zone) with dedicated access points
to support the installation of the Branch Router. Gold Build Branch Routers are configured to connect into
the boot DMZ over PSTN as the primary connection method for configuration purposes; this network
service supports the identification of the Service Termination Point using CLI.

ADSL is the predominant primary communications method, used for normal business; utilising this method,
CLI is also available for most ISDN equipped sites. Using known service termination points permits the
identification of the Branch at which the unit is to be deployed.

For installation of counters, the Branch Router is connected into the main Data Centre access LANs
already.

4.2.3.13 MTAS Access

EST hosts the MID/TID Allocation Service (MTAS) with data. This is made available in advance of the target
change date by BCMS and RDDS. With the introduction of HNG-X, the generation of MTAS material for
Counter Training Offices (CTOs) is suppressed; RDDS also excludes CTOs from its MTAS view and this
ensures that no MID/TID details are ever assigned.

4.2.3.14 Scheduler Functions for Estate Management

TWS is used to:

* Schedule backups of the EMDB database.

* Schedule Backups of the MTAS database.

* Schedule MTAS and other applications that need to be invoked on a periodic basis.

* Schedule the activities of any clients that have a dependency upon the TWS Schedules.

4.2.4 Reconciliation Services

4.2.4.1 Management Information Services (MIS) Overview
The Management Information Service consists of three primary databases, i.e. the Data Reconciliation
Service, the Transaction Enquiry Service and the Data Warehouse, all of which reside on the Database
Server (Main Host).

The POA Management Information Service does not have access to the APOP Voucher database which
resides on the Database server. (An APOP Administration Service is available within Post Office Limited at
their Northern Data Centre.)

4.2.4.1.1 MIS Clients


available at STE04, for reconciliation purposes. The MIS Client Application facilitates access to the Data
Reconciliation Database and is accessed via Remote Desktop connection to the Secure Access Server.

The TESQA is used by POA Service Delivery to access a read-only view of Network Banking Transaction
details.

TESQA is not available via a MIS client (due to a design omission relating to intranet access via red LAN
that doesn't exist).

4.2.4.2 The Data Reconciliation Service (DRS)

The DRS provides the end to end reconciliation for NWB and DCS (Electronic Fund Terminal PoS)
transactions performed at the Post Office counter. The transactions are held in the Branch Database and
transferred as C12 XML messages to the DRS system. The transaction data is also transferred to TPS from
the Branch Database and from there it is sent to the DRS as C112 validated data. The DRS generates DCS
C2 messages from the C12 for transfer to Streamline Globalpay which in turn cause confirmation messages
to be sent back to the DRS. Reports are produced for Post Office Limited and this is illustrated in the
diagram in the next section. The data for NWB transactions is also made available to the Transaction
Enquiry Service.

The DRS Workstation application is used to query the data held in the DRS tables and remains unchanged.

The shaded area in the diagram Figure 22 below shows the scope of DRS.
[Figure 22: Scope of Data Reconciliation Service]
4.2.4.2.1 Reconciliation Reporting - HNG-X Outlets to DRS.
There are two types of message flow between HNG-X Outlets and the DRS.
* Individual Confirmation [C12] transactions. These are transferred
oR et Sse al ronieat rant thinthe
Erase warceconcis he Date Reconcliaton Senfoo the ond. asch ‘Trading Da
* EoD transaction processing of [C11] transactions. These are transferred to the TPS Service at the end of
each Trading Day.
As part of the normal EoD Campus processing, TPS transaction harvesting occurs following receipt of the
* NBX and DCS transactions included within the TPS harvesting are forwarded to the DRS to provide an
aggregated Outlet position to support reconciliation. Such transactions are consistent with the Outlet
reported transactions sent to TIP (other reconciliation measures detect inconsistencies within the TIP)
and include the intended Cash Account Period (CAP) in which they are accounted for
by RO-Lid ‘ofthe FIR. DES/ARP/HLD/0033 4 Seder
POLSAP.
[Commented [AP2]: SOS to comment as to whether or not Reconciliation files travel through TIP remote or in fact EO! SAP?]

4.2.4.2.2 Reconciliation Reporting - POA DRS to PO Ltd
A number of reports are generated, some daily and some weekly, as defined in HNG-X version
SVM/SDM/SD/0020 — Network Banking End to End Reconciliation Reporting.


4.2.4.3 Data Warehouse

Figure 23 below depicts the Data Warehouse inputs. The individual Host Database systems produce SLT
or PM data extracts as flat CSV files. The Data Warehouse loads and consolidates this data as part of
its overnight process. A generic reporting mechanism detailed in (ref. DES/APP/HLD/0049) will be
installed in the host database systems and configured to make suitable data extracts to be imported into
the warehouse. In many cases there is already a mechanism which extracts similar data for SLT and PM
measurement. SSC is responsible for ensuring that the files reach the REC team by supporting the file
transfer route via the DXC. REC team produce the reports.

See DES/APP/HLD/0082 for more details.
The Databases that reside on the Solaris Main Host (Database server) are:
TES, APS, TPS, LFS, Web Service, BRDB & RDMS (RDMC and RDDS databases) services

Note: Performance and Service Level Measure reports are migrating to HORIce as part of CP1305.


[Figure 23: Data Warehouse inputs]

The overall structure and functionality for contingency purposes may be represented as follows.

The “data warehouse process" is the set of operations/processes required to source, load, manage and
publish data in the data warehouse. Figure 24 gives a conceptual overview of the processing required to
operate the POA data warehouse.


Figure 24
Data Warehouse Conceptual Process Architecture

Data is provided by the source systems in the form of flat files uploaded to a dedicated area on the data
warehouse. The source files are then loaded (in parallel, where appropriate) into a staging area within the
data warehouse. This staging area holds a complete day's worth of data. Any transformations which may be
required (e.g. derivation of values etc.) are performed on loaded data, and not as part of the load processes.
The staging area is normally the data source for processes which pre-compute daily aggregated totals.
These pre-computed totals are required by invoicing (invoice data) and to satisfy end-user queries. The
data in “today” is transformed into a dimensional structure and moved into Current Period (CP). CP stores
the data pertinent to the current period while it is being built up over the course of the week. Once the CP
has been completed, the data is moved over to PP (this move requires no transformation). After the data
has been moved, it is archived. Archived data is used by the “near-line” mechanism to allow data which is
no longer on-line to be queried. CP and PP are the data sources for processes which pre-compute
aggregates of grains greater than a single day (i.e. weekly and monthly).

The DFD feed is provided from an interactive harvested agent.

4.2.5 End to End Reconciliation Service

The following outputs from the Data Reconciliation Service (DRS) constitute the End to End reconciliation
service:

1. Banking and Related Services transactions, which includes DCS and ETS
2. Automated Payment System (APS)
3. Transaction Processing System (TPS)

The end to end transaction flows are supported by validation processes which verify that the transactions
processed by the APS Host are consistent with the transactions included in each Client Transmission File
and with the CTS sub-file sent to Post Office Ltd.

This validation is carried out for the volume of normal transactions and the value of all transactions only in
each of these files. Any differences in this reconciliation will cause an operational alert to be raised and the
appropriate file delivery to be suspended.

A Validation Status report will be produced as part of this validation process and the results of this notified
to Post Office Ltd.

Reconciliation reporting operates on a seven day a week basis regardless of the Client file transmission
schedule (which may, for example, exclude weekends and bank holidays). These Rec files are delivered via
the DXC to SSC server poasmpdev which is then accessed by the Reconciliation team. In principle,
reconciliation reporting totals volume and value for transactions. It includes reversals by adding volume and
subtracting value.
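
The following added example, which is not part of the plan or of any Fujitsu system, applies the two counting rules described above to constructed data: validation compares the volume of normal transactions and the value of all transactions and suspends delivery on any difference, while reporting counts reversals by adding volume and subtracting value. The record layout, amounts held in pence, the netting of reversal values in the validation total, and the per-ID comparison (which goes beyond what the plan describes) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Txn:
    """Hypothetical transaction record (layout is an assumption)."""
    txn_id: str
    amount_pence: int          # always positive; direction comes from `reversal`
    reversal: bool = False


@dataclass
class ValidationStatus:
    """Result of validating one file against the host's view."""
    file_name: str
    matched: bool
    differences: dict = field(default_factory=dict)
    delivery: str = "RELEASED"  # "SUSPENDED" when a difference is found
    alert: str = ""


def reporting_totals(txns):
    """Reporting view: a reversal adds to volume and subtracts from value."""
    volume = value = 0
    for t in txns:
        volume += 1
        value += -t.amount_pence if t.reversal else t.amount_pence
    return volume, value


def validation_totals(txns):
    """Validation view: volume of normal transactions, value of all transactions.

    Assumption: reversal values are netted, as in the reporting view.
    """
    txns = list(txns)
    volume = sum(1 for t in txns if not t.reversal)
    value = reporting_totals(txns)[1]
    return volume, value


def validate_file(file_name, host_txns, file_txns):
    """Compare host totals with file totals; suspend delivery on any difference."""
    host_vol, host_val = validation_totals(host_txns)
    file_vol, file_val = validation_totals(file_txns)
    differences = {}
    if host_vol != file_vol:
        differences["volume"] = {"host": host_vol, "file": file_vol}
    if host_val != file_val:
        differences["value_pence"] = {"host": host_val, "file": file_val}
    if differences:
        alert = f"Reconciliation difference in {file_name}: {sorted(differences)}"
        return ValidationStatus(file_name, False, differences, "SUSPENDED", alert)
    return ValidationStatus(file_name, True)


def id_differences(host_txns, file_txns):
    """Extra diagnostic (not in the plan): IDs present on one side only."""
    host_ids = {t.txn_id for t in host_txns}
    file_ids = {t.txn_id for t in file_txns}
    return sorted(host_ids - file_ids), sorted(file_ids - host_ids)


# Constructed sample data: what the host processed, and three candidate files.
HOST = [
    Txn("T1", 2500),
    Txn("T2", 1000),
    Txn("T3", 1000, reversal=True),   # reversal of a 10.00 payment
    Txn("T4", 4000),
]
FILE_OK = list(HOST)                        # identical content
FILE_SHORT = HOST[:3]                       # T4 missing from the file
FILE_SWAPPED = HOST[:3] + [Txn("T9", 4000)]  # same totals, different transaction

if __name__ == "__main__":
    for name, contents in [("ok.csv", FILE_OK), ("short.csv", FILE_SHORT),
                           ("swapped.csv", FILE_SWAPPED)]:
        status = validate_file(name, HOST, contents)
        print(name, status.delivery, status.differences,
              id_differences(HOST, contents))
```

The third constructed file passes the totals check although one transaction ID differs, which is why a per-ID comparison is useful when a totals-only validation is investigated.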

4.2.6 POLSAP Development and Test/QA Services

The output reconciliation files (.ble) are delivered to SAP XI and transformed into IDocs which in turn
update POL SAP.

The Post Office Limited Financial Services SAP service consists of three elements: a Production service,
a Development service and a QATest service.

The POLSAP Production service is documented within the HNG-X Services Business Continuity Plan
(SVM/SDM/PLA/0002).

The POLSAP Development and QATest service have been classified as supporting services and are
therefore included in this plan.

The POLSAP Development Service and the QATest Service are hosted on a platform in the Fujitsu IRE19
Data-centre.

In the event of a disaster at IRE11 or a major incident occurring with the Production server, the
Development/QATest server at IRE19 may be brought into use to provide a disaster recovery environment.
Refer to HNG-X Services Business Continuity Plan (SVM/SDM/PLA/0002).

The POLSAP Development and QATest services are normally available Monday to Friday from 08: to
18:00. However either could be available at other times by agreement.


There are no business continuity or disaster recovery requirements for either the POLSAP Development or
Test/QA services.

Post Office Limited users can run and print POLSAP financial reports from the POLSAP Production system
located in IRE11, by access through the POL Northern Data Centre. Additionally, Post Office Limited users
are able to develop and test changes on the POLSAP systems in IRE19, again accessing these systems
via the POL Northern Data Centre.

In the event that the POL Northern Data Centre is unavailable, Post Office Limited may decide to invoke
POL NDC disaster recovery for the TIP remote Gateway at SunGard Hounslow and for EDG gateway at
Prism’s DR data-centre at Maidstone. POL and Prism users can then access the services in IRE11 and
IRE19 via Hounslow.

Duty Manager Notes:

1. In the event of a POA OOH Duty Manager being informed of a 'P1' priority incident on either the
POLSAP Development or Test/QA services they are to inform the POA Client Interface Service
Delivery Manager.

2. Post Office Limited has accepted a POLSAP ‘disaster recovery’ fail-over time of 48 hours and the
unavailability of the POLSAP QA-Test service.

3. It is Post Office Limited's decision whether or not to invoke the fail-over to their SunGard DR site at
Hounslow and the time for full invocation is 48 hours.

4. In the event Post Office Limited invoke SunGard, the SAP-Basis support team need to reconfigure IP
addresses for the POL print server at Hounslow.

4.2.6.1 POLSAP Hosting Development Service
The Development server at IRE19 is a Fujitsu-Siemens PrimePower 450, running Solaris with ESF. Veritas
Volume Manager is used to mirror the boot device and to provide redundant multi-pathing over dual fibre
channel connections to the SAN and thence to the EMC disk array.

The development server supports one SAP instance: a PRISM development instance called PLD. This
forms part of the release process for fixes from PRISM (Xansa).

All application backups are performed by presenting EMC BCVs to the backup server. Each instance
presents the database and file systems (e.g. archive redo logs) separately.

4.2.6.2 POLSAP Hosting XI QAtest Load Service


The SAP Hosting XI Load service in IRE19 comprises a SAP NetWeaver Central Instance and 1 SAP
NetWeaver Application Server.

The NetWeaver servers are Fujitsu-Siemens PrimePower 450, running Solaris 9 with ESF. Each server
has 4 CPUs (1.1 GHz SparcV64) and 8 GB RAM. Veritas Volume Manager is used to mirror the boot disk
and to provide redundant multi-pathing over dual fibre channel connections to the SAN and thence to the
EMC disk array.

The Central Instance has Disk storage allocated on the EMC, and is backed up by presenting EMC BCVs to
the backup server. The backup server presents the database and file systems separately.

The QATest XI server also provides DR capability; it has a spare set of boot disks which are restored
nightly from a backup of the production XI server which enables this server to be invoked as the production
XI Central Instance in the event of a Business Continuity incident.

The QAtest NetWeaver application server is connected to the NetWeaver Central Instance. In the event that
a Business Continuity event is declared, the server has the capability to connect to either Production or
QATest Central Instance, but under normal conditions the QATest connection is active.

4.2.6.3 POLSAP Hosting QATest Archive Service

The QATest Archive service runs on a Fujitsu-Siemens PrimePower 450, running Solaris with ESF. Veritas
Volume Manager is used to mirror the boot device and to provide redundant multi-pathing over dual fibre
channel connections to the SAN and thence to the EMC disk array. The archive service uses a software
package from Opentext (IXOS for SAP).

The QAtest Archive service is located in IRE19 and the archive data is held on an EMC Centera system. The
IXOS application maintains an Oracle database on the archive server which maps SAP archive object ids to
the Centera. The QATest archive server maintains a different data partition on the Centera from that used
for production archive data.

All application backups are performed by presenting EMC BCVs to the backup server. Each instance
presents the database and file systems (e.g. archive redo logs) separately.

4.2.7 Network Services
4.2.7.1 Branch Network Service

4.2.7.2 Branch Network Service
* The Branch Network Service is responsible, using appropriately trained operational staff, for
performing the day to day operational control and management of the following components of the
Branch Telecom Infrastructure:
  o The Wide Area Network (WAN) for connected Branches, i.e. the connection between the
  Branch Infrastructure and the HNG-X Central Infrastructure. This excludes BFPO where the
  connection is provided by the local British Forces; and
  o The connection between the router and the telecommunications socket in the Branch.
  o The connection between the POMS and the router in the branch.

* The Branch Network Service is based on remote unattended principles, i.e. monitoring that seeks to
minimise interruptions to the normal business operation of the Branch Infrastructure.

* Communications Incidents can be identified by either the Branch or Fujitsu Services following
monitoring of the Branch Telecom Infrastructure.

* All Branches will be equipped with a backup network based upon mobile communications via the
2G/3G router. The use of this backup resilient network will be dependent upon a 2G/3G signal
being available.


* The Branch Network Service is responsible for the measurement and reporting of Branch and
Counter Availability Service Level Targets (SLTs), which will include the effect of Branch Telecom
Infrastructure Incidents and Branch Hardware failures across all items within the Branch
Infrastructure and failures within the HNG-X Central Infrastructure.

* The Branch Network Service is also responsible for the measurement and reporting of the
Reliability SLT and the call to fix SLT in respect of Branch Telecom Infrastructure faults.

* The Branch Network Service is a service internal to Fujitsu Services and is available 24 hours per
day, every day of the year.

* Post Office may contact the Branch Network Service team during the hours of 09:00 to 17:30
Monday to Friday, excluding Bank Holidays.

4.2.7.2.1 Time to Repair

Incidents relating to the Branch Telecom Infrastructure which prevent an individual Branch from using
the HNG-X Application shall be resolved in accordance with the following SLT.

The location of each Branch is classified as either local or remote. All Branch changes may be subject
to Operational Business Change. A new Branch location will assume the same SLT and LDT as the
one it replaces unless its Local or Remote status is changed, in which case the SLT and LDT to be
applied shall be agreed by Fujitsu Services and the Post Office.


* The call to fix SLT for the Branch Network Service following receipt of a call to the Service Desk relating
to the Branch Telecom Infrastructure is identified in the table below:

| Branch Location | Priority A |
|---|---|
| Local / Remote | 95% resolved in less than 4 hours; 100% resolved in less than 6 hours |

4.2.7.2.2 Maintaining Contact with the HNG-X Central Infrastructure

Branches use a resilient network where there is a 2G/3G signal available, should the primary
communications network be unavailable. There are no further Business Continuity arrangements to ensure
Branch Telecom Infrastructure connectivity.

4.2.7.3 Branch Service Structure

Approximately 11,212 Post Offices (as at July 2014) are linked to two Fujitsu Services (Post Office Account)
Data-centres by one of the network service types defined in the Table below, which also defines the
contingency routing and/or fail-over network services types which are available for each service type.


22 22 VSAT
25 BFPO with ConnectVPN
24 24 Bronze ISDN (DoD)
23 ConnectVPN
26 23 POMS with ConnectVPN
29 29 Silver ISDN (nailed up)
23 ConnectVPN
26 23 POMS with ConnectVPN
33 33 ADSL
35 Mobile PO (VANN)
28 3 POMS with ConnectVPN but branch is defined as
NST-33 as no longer on ISDN
36 33 POMS with ADSL
34 34 ADSL with ISDN backup
28 23 POMS with ConnectVPN but branch is defined as
NST-33 as no longer on ISDN
36 34 POMS with ADSL

Branch Network Service Types

4.2.7.4 Client Links


The Client links are defined as those circuits conveying data between the Fujitsu Services POA
Data-centres and:

* the Post Office Limited data-centre in POL NDC, e.g. for LFS, APS, POLSAP and Reference Data;
* all AP Client data centres, including EDS for the Card Account Receipt Service.

4.2.7.5 The Branch Resilient Network (BRN)

The Branch Resilience Network provides the following coverage:

* An automatic ISDN backup network for the largest ADSL branches.

* A backup on demand GSM service that covers all the ADSL and ISDN sites. This would involve an
Engineer turning up within 48 hours after a network outage had started and installing the backup
network. Once the fault had been fixed, the backup network GSM Modem would be removed.

* The ability to use the backup network, via GSM, for branch relocations if the main network had not yet
been installed in the new location.

* The backup network would use the same IP address as the main network. This means that all Post
Master functions will work, albeit with less bandwidth than normal.

For full details please refer to SVM/SDM/SD/0011 - Branch Network Service Description.

4.2.7.6 Branch Router Overview

The Branch Router selected is the Sarian DR6410 model and has an external (to the router) glass mount
antenna which is connected via a cable from the router to a suitable position within the Post Office counter
secure environment. It has LAN switch functions, a selection of WAN interfaces, and LAN & WAN routing
functions including ADSL, ISDN and Wireless WAN (2G/3G) interfaces, built in. PSTN connectivity is used
via an external modem connected to the serial port or USB port where required.

The Branch Router has four Ethernet ports performing the LAN switch function, two of which are used for
branch LAN connectivity. The other two are reserved for future use.


Figure 25

Physical Overview of Gateway with Multiple Counters & Branch Router

4.2.7.7 Branch Network Overview

The ADSL network is the primary connection type. A new Wireless WAN data technology has been
introduced using 2G & 3G services from Orange and Vodafone. WWAN provides a backup connection
type for the entire branch estate (where coverage permits). ISDN is retained in required sites as the backup
connection type. ISDN connectivity is being phased out in favour of ADSL or WWAN connection types.
Exceptions to this standard approach to connection types are where the primary connection type is
unavailable, such as Hull and very remote areas where ISDN or VSAT are preferred (ISDN is preferred over
VSAT if available).

It is envisaged that the majority of branches have two connection types (ADSL for primary and WWAN for
backup).

The VPN servers in the data centre (running NT under MSVS) are configured to accept VPN traffic from the
Gateway PC's WAN IP address. With the Branch Router in place the Gateway PC is required to handle the
VPN connection, but will connect via its LAN interface to the router.

This diagram shows the logical connectivity from the Branch LAN to Data Centre


Figure 26
Logical connectivity overview Branch LAN to Data centre

AEI Interim Branch Connectivity

Design: DES/APP/DPR/0671
TIS: DES/NET/TIS/0731

Detailed Network Design AEI Interim Connectivity Solution: DEV/INF/LLD/0982
AEI Integration TIS: REQ/INF/TIS/0001

POMS HLD : DES/SYM/HLD/1886

Post Office is providing the Application Enrolment and Identity (AEI) service to some of its branches. One or
two AEI terminals per branch capture the data and send it to Cogent data centres at Farnborough and
Bristol.

Fujitsu provide, manage and monitor the transit network between the Post Office branch and Cogent data
centres. After the implementation of the POMS solution Fujitsu would support the POMS device along with the
existing ones.

The Farnborough data centre is the primary data centre with the Bristol data centre operating as a failover
(DR) site. Resilience is provided between data centres via a common layer 2 LAN for the benefit of branch
connectivity only. In the event of Cogent invoked DR, branch AEI connectivity will automatically failover to
the Bristol site.

The following diagram outlines the basic architecture of the POMS solution which is the subject of the
Design Proposal (DES/SYM/HLD/1886). It depicts the AEI Counters connected to the Post Office Managed
Switch and using the Branch Router to reach the AEI Data Centres.


[Diagram: basic architecture of the POMS solution]

Diagram Source: DES/SYM/HLD/1886

4.2.7.8 Wireless WAN Service

The Wireless WAN service is used as the primary connectivity for mobile branches, where no fixed line
communication service is possible, and as a backup network type in the event of the primary network at a
fixed branch, namely ADSL, ISDN or VSAT connection failing.

The Orange managed service utilises two private Ethernet based leased circuits into two data centres,
namely SDC01 (30Mbps MegaStream Ethernet) and TCY02 (100Mbps LES). Orange provide managed
MPLS CE routers (Cisco 2811) which terminate the Ethernet services between the Orange MPLS PE and
CE routers. The Ethernet circuit from Orange into the TCY02 data centre is preferred for LIVE traffic as
this has the greater bandwidth. This also coincides with the primary route to the POA data centres, via the
VODAFONE MPLS WAN, being in TCY02.

In addition to the Orange service there is another service from Vodafone which utilises an IPSEC tunnel
from the Vodafone MPLS network, over the internet to a Cisco 2811 router in TCY02. This test IPSEC
solution will be used to provide the concepts and connectivity for a Vodafone final service that is analogous
to the Orange managed service. All Vodafone test traffic will be presented over this test IPSEC solution until
the service is validated and a final Vodafone managed service utilising dedicated leased lines for the live
environment and a single dedicated leased line for test.

4.2.7.9 Data Centre LANs


Figure 27
Overall view of the HNG-X Target Network solution

The solution comprises the following network components:

* Data centre LANs (Production and Test)
* Core LANs
* DMZs
* Branch
* Client (Santander, CAPO, Vocalink, DVLA, HMS (HSBC Merchant Service), EPay)
* Post Office (Huthwaite, Sungard)
* Support (CRE02, WAR13, BRA01, LEW02, STE04, IRE11, IRE19)
* Inter-data centre WAN connectivity

4.2.7.10 WAN Connectivity - Fujitsu sites to IRE11 & IRE19 Data Centre

WAN connectivity between the POA data centres and Fujitsu core sites is provided using VODAFONE IP
Connect VPNs. These comprise multiple L3VPNs (RFC2547bis). The live traffic for both HNG-X and
Horizon traffic shares a common VODAFONE VPN. Test traffic however, will have a dedicated VODAFONE
VPN.

VODAFONE provide and manage the CE router at each site and present individual VPNs as VRFs on each
CE. Routing between the PE and CE routers using eBGP is managed by VODAFONE. BGP will also be
used for routing between the VODAFONE CE routers and the Cisco 7304 VPN Crypt routers. As the
Utimaco VPN servers are considered network devices and therefore operate in an active/active manner,
there is no requirement to steer traffic towards a particular data centre (IRE11/19). Triangulation of access
to IRE11 and IRE19 is provided using intercampus VLANs and provides for failover between sites.

Live branch traffic will be steered to ingress/egress SDC01/TCY02 via the TCY02 CE router, with test
counter traffic steered via the SDC01 CE router. The access circuits for both sites are dimensioned to carry
both live and test traffic during failover.

4.2.8 Fujitsu Shared Services

Fujitsu Services now provides many business solutions using a shared service model. This enables Fujitsu
to provide a more cost efficient service to all customers by sharing common facilities and functionality.

4.2.8.1 Shared Data-centres

The two Irish data centres, IRE11 and IRE19, which are used to provide the POA HNG-X solution, are
shared facilities. Non-POA equipment is kept at both locations in order to provide services for other Fujitsu
customers. In addition the POA solution also makes use of other Fujitsu Shared data centres in other parts
of the UK as part of the total solution, including TRIOLE for SERVICE (TfS) and ConnectDSL.

4.2.8.2 TRIOLE for SERVICE (TfS) - Shared Incident Management System
TfS is the Fujitsu Shared Services Incident Management system being used by POA and other Fujitsu
customers.

The TfS primary system is located at SDC01 (Fujitsu Southern Data Centre) and is accessed via the Fujitsu
Corporate network.

Engineering incidents, which are to be passed into FMS for resolution, are transferred from TfS over the
OTI link into the D1 system and then to the CRISP/Touch system.

There are two application servers operating as a single system. The loss of one server will cause a loss of
capacity and resilience. All users will be able to run from a single server but those users that had been
logged into the failed server will need to log in again to be connected to the remaining server. There is a
backup system in SDC02, for use following the loss of the primary system, which is kept up to date via data
log file shipping.

4.2.8.3. ConnectDSL — Shared Service - SDC /TCY

The ConnectDSL Shared Service provides the connections to Post Office Branches from the Fujitsu Data
centres in the south of England (Southern Data Centres). This service is also used by other Fujitsu
customers via common equipment and applications.

Each branch access method terminates on dedicated LNS platforms within the SDC01 and TCY02 core
sites (VSAT does not use L2TP and therefore the platform is not strictly a LNS, but the general principle
remains). Bootloader access is an exception to this where shared LNSs within the VODAFONE network are
used.

Branch sessions are Radius authenticated. The termination platforms all reside on a common LAN
infrastructure between SDC01 and TCY02 (referred to as the ‘shared LAN’). Live traffic is segregated from
test traffic using VLANs. The VODAFONE CE routers also currently reside on these VLANs. The CE routers
present VPNs as VRFs that in turn are associated with the VLANs.

Two layers of Radius are employed. A ‘platform Radius’ is used by Fujitsu Core Services within
SDC01/TCY02 to identify the traffic type (live branch or test counter) and thereby which VLAN to forward
on. Further Radius platforms, under POA control, within IRE11/19 are used for authentication and
accounting.


The impact of the loss of a datacenter is described in SVM/SDM/PLA/0002 - HNG-X Services Business
Continuity Plan, in section 11.2, item numbers 201 to 221.

4.2.8.4 Fujitsu Global Cloud Platform (Salesforce)

Post Office are at an early stage of utilising CRM and the future requirements and scope of integration with
the other business systems is unclear. However, significant business benefit had already been identified
during trial for Financial Specialists and Post Office were keen to replicate this benefit across all the FS
users. To allow Post Office to progress CRM whilst able to scale or even change future requirements was
key to Fujitsu's proposed solution. The Fujitsu Global Cloud Platform was selected as it provides no long
term commitment to the deployed infrastructure and can be quickly scaled up or down. Also given that
salesforce.com is an internet based cloud application, the use of the FGCP was appropriate for this
solution.

Production services are provided from the STE10 data centre in the UK. Customers access the reverse
proxy using a URL (https://salesforce.postoffice.co.uk) and certificate provided by Post Office.

DR services are provided from the FGCP platform in Germany. Customers access the DR reverse proxy
using a URL (https://sfdr.postoffice.co.uk) and certificate provided by Post Office.

The SQL databases used in this solution are replicated onto another SQL server in the DR infrastructure
using SQL log shipping facilities. A Remote Routing and Access Server (Windows 2008SE) is deployed to
provide routing into the two secure zones and to manage an IPSEC tunnel between the environments.

The impact of the loss of a datacenter is described in SVM/SDM/PLA/0002 - HNG-X Services Business
Continuity Plan, in section 11.2, item numbers 238 to 240.

4.2.8.5 Cloud Connect VPN service and Cloud connect network service.

The Cloud Connect VPN service and Cloud Connect network service have been designed to describe
infrastructure which exists outside of the FJ datacenters which host the existing HNGX services in Ireland.
For the avoidance of confusion, this infrastructure has no connectivity with HNGX in any way whatsoever.

The services provide a transit path for ATOS SISD traffic originating from the public internet secured within
an IPSEC VPN. Document Reference is DES/NET/HLD/2476.

Network Sub-System Description:

Atos will connect to TFS using IPSEC VPN over the public internet. The IPSEC tunnel will be delivered
using the Fujitsu Cloud Connect IPSEC VPN service and terminate on a RIPE address presented by the
shared VPN devices in the Fujitsu TCY01 and TCY02 data centers.

Data from within the IPSEC endpoints will then traverse a new customer MPLS VPN across the FCN to the
data centers out of which the TFS service is hosted, namely SDC01 and STE10.

TFS is a mixed component solution in that it consists of an Infrastructure as a Service managed firewall
which becomes the transit point for all ATOS and FJ related traffic as it leaves the FCN towards the TFS
systems. The TFS systems are themselves contained within a specific TFS customer virtual pod and will be
referred to as TFS-PROD and TFS-UAT.


The primary path will be from ATOS A to TCY01 to both SDC01 and STE10 in support of the annual switch
of Production and UAT between SDC01 and STE10. Grey links are backup links to be used in the event of
the loss of the primary path.

Networks:

The network solution is shown below with the access services described in red and the purple and blue
boxes showing the IAAS and TFS components of the solution.


[Network solution diagram. Legible labels: ATOS A, ATOS B; Cloud Connect VPN x 2; NAT pool to either
hide TFS from ATOS or to hide ATOS from TFS]

Availability:
In summary:

* There will be two instances of the TfS application - Production and UAT, which are
known throughout this document as TfS-Prod and TfS-UAT respectively. These instances
are actually images of the virtual servers which are used to host the particular TfS
application. The images are stored on (and replicated between) the SANs located at STE10
and SDC01. The details surrounding image replication between SANs and data centres are
beyond the scope of this network design document.


* Under normal operating conditions the production image of TfS (TfS-Prod) will be loaded
on the IaaS infrastructure at one data centre (SDC01 or STE10) and the UAT image of TfS
(TfS-UAT) will be loaded on the IaaS servers in the other data centre (STE10 or SDC01).

* There will be a scheduled ‘rolling fail over’ (approximately every twelve months) whereby
the Production and UAT images exchange locations, demonstrating the full DR capability.

* In an actual DR situation where the site running the production service suffers a
catastrophic failure requiring fail over, production will fail over to the alternative site; UAT
will run concurrently with production at that site, at reduced capacity. This supports a
scenario where a site is lost and there will be an extended period of time required to replace
it. During this period, UAT may still be required in a limited form.

Note that:

* Disaster recovery (and indeed the scheduled rolling failover) is not automatic - it will be a controlled
process with downtime. From a network perspective changes will be required to the ATOS VRFs (at
each data centre) which are used to advertise TfS-Prod and TfS-UAT to the customer using BGP.

* Disaster recovery (and the scheduled rolling failover) is not automatic - it will be a controlled
process with downtime.

From a network perspective every time it is necessary to fail over TfS-Prod and/or TfS-UAT between data
centres it will be necessary to make the routing changes.

4.2.9 External Suppliers

4.2.9.1 VODAFONE Network

The core VODAFONE network has been designed to provide resilience through the deployment of SDH
technology. The network is made up of a series of interlocking rings, should one half of the ring fail (e.g.
fibre break) the traffic will be routed to its destination via the other half of the ring.

VODAFONE (NMC) have a network management centre that monitors and controls their network 24 hours
per day, 365 days per year. In the event of a fault being detected the appropriate maintenance team is
despatched to rectify the problem in the shortest possible contracted timeframe.

The VODAFONE network has been configured such that all POA calls have two routes (primary and
secondary) between VODAFONE switches, hence if one route is temporarily congested the call will
automatically route via the second choice.

4.2.9.2 Transaction Network Services (TNS)
TNS provide two X.25 network links, one from IRE11, and one from IRE19, to HMS (HSBC Merchant
Service) for DCS online debit card transactions.

The online component uses Transaction Network Services (TNS) to provide the network connectivity
between Horizon Online and HMS. The batch component uses ISDN to transfer reconciliation files between
DCSM and HMS. The batch component will use Post Office Data Gateway (PODG) to transfer files via the
Internet in the future.

The network connectivity comprises:
* X.25 between Horizon Online and TNS


* TCP/IP between TNS and HMS

4.2.9.3 Talktalk Business

Talktalk Business provide connections to Post Office Branches as part of the ConnectDSL service operated
by Fujitsu.

The Talktalk Network Operations Centre in Irlam, Manchester monitors and controls their network 24 hours
per day, 365 days per year. In the event of a fault being detected the appropriate maintenance team is
despatched to rectify the problem in the shortest possible contracted timeframe, working with Fujitsu NOC
and Core ISP where required.

4.2.9.4 EMC — Disk Storage Supplier

EMC provide Fujitsu with very high capacity, highly resilient disk storage systems in IRE11 and IRE19.
There are very high speed connections between the two data centres that allow the data replication to
ensure data is not lost following a major incident at the primary site (IRE11). EMC provide their own
monitoring of their disk system in both data centres which enables fast identification and resolution of
failures.

Belfast Refresh is replacing EMC with ETERNUS storage. A large number of servers have already migrated
as part of Release 10, DAT services will migrate during Release 11, and BRDB & NPS during Release 12.
See section 0.7 changes expected.

4.2.10 Data Centre Operations Service


The Data Centre Operations Service is responsible for:
* 24 hours by 365 days a year operation.

* The provision of all Data Centre operations, which includes, for example, all the agents, servers, and
databases used to manage and support the Branch Infrastructure and HNG-X Central Infrastructure
used to deliver the Business Capabilities and Support Facilities irrespective of technology platform or
geographical location.

* The day to day management and operational control of the Data Centre environments located in the
live Data Centre and the Disaster Recovery (DR) Data Centre applying ITIL best practice within these
environments.

* The monitoring within each of the respective Data Centres to an agreed level.

* On-site operational support in order to identify / minimise interruptions to the HNG-X Services provided
by Fujitsu Services.

* Running the live Data Centre in an active DR mode, with the DR Data Centre being used for testing.
The live Data Centre (including the communications in and out of the building) is, in its own right, fully
resilient. Business Continuity testing is completed during the week (Monday to Friday) for a maximum
of two (2) weeks per year, during which operational testing will not take place at the DR Data Centre.

* The AP Client File Re-Send Service — this service component of the Data Centre Operations Service is
described in Annex A of this document.

* The Post Office SAP Hosting Service

* The Data Centre Operations Service will implement a maintenance plan, which shall be shared with
Post Office on request, for the calendar year covering testing of the following environmental elements:

* The Environmental Maintenance Services
* Configuration Management

* Capacity Management

* Failover to the DR Data Centre

NB: Impact of Loss of Datacenter has been written in the SVMSDMPLA0002-HNGx Service Business
Continuity Plan. See section 11.1 Impact & Risk Identification, Item numbers from 31 to 44.

4.2.11 Support Services

4.2.11.1 The System Management Centre (SMC)

The System Management Centre service is being provided by Fujitsu Consulting India from Bangalore,
India (IND49). The SMC DR site (IND46) is at Pune, India.

The SMC team’s primary function is to monitor and manage the POA HNG-X infrastructure via
eventing. The team provides 24 hours shifted service, every day of the year.

4.2.11.2 POA Customer Service


Fujitsu Services POA Customer Service support, operations and infrastructure services are provided
primarily from the Fujitsu Services Bracknell (BRA01) building.

Fujitsu Services LEW02 has been designated the Disaster Recovery site for the CS and essential
Development support services which are provided from Bracknell.

The overall structure and functionality for contingency purposes may be represented as follows:

[Organisation chart: POA Customer Service, comprising RDT, SSC, Service Introduction, BSU and MIS]

4.2.11.2.1 Reference Data Team (RDT)

The Reference Data Team validates and processes live Reference Data in association with Post Office
Limited at Chesterfield and the Post Office Limited Support Change Implementation Team who are also
located in the Fujitsu Services BRA01 building. RDT validate changes whilst POL verify them.

The prerequisites to provide the service are:
Access to RDMS validation and verification counters; workstation access to live RDMS service;

Ability to receive Reference Data from, and send Reference Data to Post Office Limited at Chesterfield and
BRA01 respectively (Also known as RDT team);

Access to Fujitsu Services (POA) infrastructure services i.e. E-mail, MIS, Peak, TRIOLE for Service, PVCS.

4.2.11.2.2 Third Line Support Services (SSC)

SSC provide 3rd line application support for the Horizon solution and is available 24 hours per day, but is
provided only on an on-call basis outside of 09:00hrs to 17:30hrs Monday to Friday, and Bank Holidays.

Horizon Online 3rd Line Application Support Service: Service Description in SVM/SDM/SD/0004

A support server for the SSC is located in IRE11 (SSC). This platform provides the SSC with diagnostic
information with the ability to access a three month archive.

The server is connected to the Data Centre host LANs and will be accessed from either:

1. SSC Workstation PCs connected on a private LAN in BRA01, over an encrypted link to the Data
centres using the firewall already installed and maintained in BRA01 by ISD.

2. From the SSN Servers in the Data centre.

Access to SSN servers is limited to support staff only by use of two factor authentication. SSC staff have
laptops dedicated to home use to ensure that they have an access route should corporate premises be
unavailable in a DR situation.

SSC manage the PEAK call management system. See 6.11.2.2.2.

In normal operations the SSC Support Server will be accessed in IRE11, however in a disaster recovery
situation, the server may be started up in IRE19. Resilience is provided by the fact that the server resides
in the BladeFrame environment.


4.2.11.2.3 Reconciliation Service
The Reconciliation Service investigates and resolves all ‘Reconciliation’ incidents received from Post Office
Limited.

The prerequisites to provide this service are access to the Business Incident Management (BIM) system,
fax and telephone facilities.

4.2.11.2.4 Management Information Systems (MIS)
The Management Information Systems (MIS) function processes Management Information collected and
processed on the DRS database and on the Data Warehouse.

The prerequisites to provide the service are:
Access from MIS Clients to the DRS and Data Warehouse databases, and to the MIS File server.

4.2.11.2.5 Service Introduction (SI)
Service Introduction primarily consists of a Customer Service programme planning function and a Release
Management function.

Release Management manage the release of software changes into the live environment across the
Horizon and HNG-X service.

The prerequisites to provide the Release Management service are:
Access to Fujitsu Services (POA) infrastructure services i.e. E-mail, Peak, TRIOLE For Service, PVCS.

4.2.11.2.6 Change Control
The POA Programme Team manage two version control systems, PVCS and Dimensions.

PVCS is used for the Horizon Programme. To access PVCS users require either ‘PVCS Terminal’ or PVCS
Dimensions PC Client.

Dimensions is used for the HNG-X programme. To access Dimensions users must first gain access
credentials. Interfaces to Dimensions are then through a web interface or via the Dimensions Serena Client.
Both require corporate LAN connectivity.

4.2.11.2.7 Configuration Management — Signing Server

POA Programmes manage the day-to-day operations of the Configuration Management Signing server,
which is used to authenticate software releases to the live estate. The primary CM Signing server resides
in BRA01 and a secondary server resides in LEW02. The databases on these servers are synchronised on
an hourly basis over the Fujitsu Services Corporate network. In addition daily back-ups are also taken of
the Signing servers.

In the event of a disaster at BRA01 the Programme team can access the LEW02 CM Signing server using
disaster recovery laptops, at least one of which is held off site.

4.2.11.2.8 Live System Team

The Live System Test (LST) team, who reside within the POA Development organisation, test software
changes about to be released into the live estate. This is achieved by proving the software changes on
discrete test configurations that replicate the live software environment.

The prerequisites to provide this service are:


* Availability of hardware test rigs upon which the live software set can be loaded and run;

* Access to Fujitsu Services (POA) infrastructure services i.e. Peak, TRIOLE For Service, PVCS,
Dimensions.

4.2.11.2.9 Fourth Line Support

POA Development and the development teams of external suppliers provide the final line of support,
generally referred to as fourth line support.

4.2.12 Operational Services sub-group

The Operational Services sub-group consists of the following teams:

* The System Operate Service

* Network Support

* POA Customer Support

* POA Programme and Development operational support teams.

4.2.12.1 The Systems Operate Service
In providing an ongoing managed service for the Systems Operate, FSCS will provide POA with a support
service covering the following areas:

* UNIX Support Service

* Database Support Service
* NT Support Service

* Systems Security Team

The overall structure and functionality for contingency purposes may be represented as follows for the
Systems Operate Service (SOS):

[Organisation chart: Operational System, comprising NT Op. Support, UNIX Op. Support, Security Team and Database Op. Support]

In providing the Operational Support Service FSCS provide POA with a round-the-clock service,
managing and supporting those parts of the POA Solution housed in the POA Data Centres at IRE11
and IRE19. Below is a summary, which includes:


* Management of the hardware maintenance.
* Management of the environmental controls.

* Management of the infrastructure maintenance to agreed schedules.

* Operate the service in ‘supervisor’ mode for special maintenance activities.
* Management and archiving of system and user filestore.

* Production and maintenance of archive reports.

* Production and maintenance of filestore repair tapes.

* Monitoring of the key service elements, to ensure that service issues are identified at the earliest
possible opportunity.

* Responsibility for investigating all faults and problems arising on the Supported Systems, resolving the
First Line support faults and problems, and where appropriate forwarding unresolved support issues to
the FSCS or POA support teams responsible.

* Monitoring of the workflow through the Supported Databases. The Supported Databases will be
automated via the Maestro scheduler but will be monitored by FSCS staff in IRE11. Any event which
cannot be resolved by first line staff will be progressed to FSCS technical support.

* Provision of a duty manager, based in IRE11. The duty manager will act as a point of contact for POA
and Post Office Limited operations staff for day-to-day operational dialogue and any escalation issues.
A duty manager rota will be provided on an agreed periodic basis.

* Monitoring the capacity usage of the Supported Systems and Operating System Software and advising
POA when limits are being approached. FSCS will also provide recommendations on remedial action
to POA.

* Management of off-site storage of system archives and recovery information.
* Collection of necessary diagnostics to allow faults to be progressed to resolution.

* Management of diagnostic links to subcontractors.

4.2.12.1.1 UNIX System Support Service
The System Support Service will provide POA with comprehensive support for the Operating System
Software from the FSCS Data Centre in IRE11 Belfast. This will include:

* Software support and system administration activities.

* Investigation and progression of all system alerts and dumps.

* General housekeeping of the system error logs and audit files.

* Maintaining UNIX teleservice interfaces.

* Introduction of new hardware components.

* Applying changes to user and group security as necessary.

* Maintenance of file and directory permissions.

* Changes to communication cataloguing information as required.
* Maintenance of the network configuration information.

* Integrity checks on file systems and recovering inconsistencies as necessary.

* Responsibility for managing to a successful resolution all problems and faults associated with the
Supported Systems.


* Resolving of faults and problems arising on the Operating System Software.

* Ownership of the operations manual covering all aspects of the services provided as part of the
Systems Operate Service.

* Management of the Supported Systems and Operating System Software.
* Management of ongoing operating system support activities.
* Performing back-ups and recovering as necessary.

4.2.12.1.2 Database Support Service
The Database Support Service will provide POA with comprehensive support of the Supported Databases
including user facing support activities from the FSCS Data Centre in IRE11 Belfast. Below is a summary,
which includes:

* Database administration activities which include:

* The set up of users after a new software installation or upgrade.

* Exporting of data.

* Creation/recreation of databases.

* Upgrade, migration or creation of databases.

* Changes to the Supported Databases using Change Management.

* The import of data from an export as required in support of the Supported Databases.

* Installation and testing of build software after any change, upgrade of the operating system, upgrade of
database software, or after modifications to the Supported Databases.

* Monitoring the Supported Databases using BMC Patrol and software supplier supplied views; run
regular checks to monitor table-spaces, availability and fragmentation, and when appropriate
reorganise the database (where reorganise includes: export, recreate and import).

* Management of problems and faults associated with the Supported Databases by forwarding calls
resulting from the above support activities to the appropriate support unit.

* Investigation of faults and problems arising on the Operating System.
* Monitoring database utilisation and occupancy.

* Management of the Supported Databases under Change Management, recording software revision
levels.

* Maintenance and administration of the Supported Database variables, under Change Management.

4.2.12.1.3 Windows NT / WINTEL Support Service
The Windows NT / WINTEL Support Service provides POA with comprehensive support for the Windows
NT / WINTEL Software from the FSCS Data Centre in IRE11 Belfast. Below is a summary, which includes:

* Operating Software support and system administration activities for the Supported NT / WINTEL
Systems as follows:

* Investigation and progression of all system alerts.
* Undertaking general housekeeping of the system error logs and audit files.

* Introducing new hardware components.


* Applying changes to user and group security as necessary.

* Maintaining file and directory permissions.

* Maintaining network configuration information.

* Performing integrity checks on file systems and recovering inconsistencies as necessary.
* Performing back-ups and recovering as necessary.

* Responsibility for managing to a successful resolution all problems and faults associated with the
Supported NT Systems.

* Management of the Supported NT Systems and Windows NT Software, recording software revision
levels and hardware modification status in accordance with the FS POA Change Control Process.

* Install new releases of the Windows NT Software such that the minimum release levels for the
software, as recommended by the software supplier, are correctly maintained.

* Provision of ongoing operating system support acti

4.2.12.1.4 Systems Security Team
The installation and configuration of POA firewall systems including: IRE11 & IRE19, LEW02 and
Bracknell. On each system, the Systems Security Team manage the UNIX hardware and operating system
which includes users, file-systems, system backups and installed applications e.g. Checkpoint Firewall-1.

The configuration of Checkpoint Firewall-1 rule bases is managed by the Network team.

4.2.12.2 Network Support Services

The Network Support Service based at WAR07 provides POA with comprehensive support for all aspects of
the Live POA Network and limited support of POA related test networks. The network service is provided
by the Network Support team. The service includes:

* Support 24 by 7 for operations and network services.

* Investigation of all network related issues to 3rd line and progression and monitoring of those calls that
go to 4th line support organisations.

* Progression and monitoring of WAN/ISDN and network hardware issues for non-Live POA related test
environments that require 4th line support assistance.

* Monitoring of all network and some host elements of the live service using HP Openview as required.
* Maintenance and support of all network hardware on the live estate.

* Management of Network hardware systems connected with the live service at remote sites.
* Management of IP address schemes and databases at all sites connected with the live service.
* Management of the Network cable infrastructure and databases in IRE11 and IRE19 Data-centres.
* Management of cable infrastructure at all Live remote sites.

* Introducing new network hardware or configuration elements.

4.2.13 The Major Account Controllers (MAC)

4.2.13.1 Overview

Major Account Controllers (MAC)


MAC team are responsible for managing/owning Incidents between 08.00 and 20.00
Monday to Friday, 08.00 to 17.00 Saturday and Bank Holidays 0800 - 1400 excluding Christmas
Day. The MAC team also manages the incident transfers to the Atos Service Desk for issues in
POL Clients domains. The SMC assume this responsibility out of hours, i.e. outside these hours.
The SMC are responsible for escalation of incidents to the POA OOH Duty Manager.

1. Communications Management Team (CMT)
This team manage network issues with third party e.g. BT.
2. Management Information Team (MIS)
This team provides internal and customer reporting and also measures all SLAs, both contractually
and internally.

TRIOLE for SERVICE (TfS) is used by the MAC and SMC teams as an incident management system, and
by POA as a Problem Management system. These services are provided from a shared location at either
SDC01 or SDC02.

4.2.13.2 Communications Management Team (CMT)
The CMT service complements the ATOS.

* The CMT Service is available from 08:00hrs to 17:30hrs Monday to Friday and 08:00hrs to 12:00hrs on
Saturdays and bank holidays (excluding Christmas Day).

* The CMT is a function responsible for providing an end-to-end management to resolution of all network
related incidents which render the service unavailable within the Branch.

* The CMT provides an enhanced level of value add activity to maximise the speed at which network
related incidents are resolved and the service restored to the Branch. As part of this approach, both
Post Office and the Branch are informed at regular intervals as to the status of the incident.

* The CMT will input into the Daily Report provided by Fujitsu Services to Post Office which identifies all
Branches with open incidents and the current status of those incidents. This daily report enables Fujitsu
Services and Post Office to track and monitor the progress of incidents and escalate any specific
problems to minimise the amount of time the Branch cannot trade.

* To ensure the Branch and Counter Position availability is kept to a maximum and within the Branch and
Counter Availability Service Level Targets (SLT), the CMT will work closely with the Systems
Management Service. Where an event or a system or network incident has been identified, the
Systems Management Service will raise an appropriate incident (this may be in advance of any
incident raised by the Branch) at the required severity / priority level to enable the issue to be resolved.

4.2.13.3 Major Account Controllers (MAC)

The MAC team will be a link between Fujitsu Services and the Atos Service Desk.
MAC team hours of cover is 0800 to 2000 Monday to Friday, 0800 to 1700 Saturdays and 0800 to
1400 on Bank Holidays excluding Christmas Day.

The team’s email address is [GRO]. Emails will be acknowledged within 1 hour of
receiving.
Telephone Number


Overview of their General Tasks -
* Global User Reset and unlocking of Passwords for Postmasters and POL employees — > 30 minutes response time
* Single point of contact for Atos Enquiries and Escalations
* Engineering Priority 1 Incidents which have failed SLA
* Engineering Priority 3 Incidents which have failed SLA
* High Priority Incidents, Horizon System Failure
* POL/PM escalations on incidents within the Fujitsu Domain which have failed SLA
* File Transfers
* Engineering or Network Customer complaints which require a Fujitsu response
* Engineering Cancellations

4.2.13.4 Electrical Power

To provide contingency against mains power failure, the TfS system is covered by UPS and generators in
SDC01, and the telephone communications equipment in STE04 is also covered by a UPS and standby
generator. In the event of power loss at either of these locations it is expected that continuous power is
provided, initially by the Un-interruptible Power Supplies and then by the generators.

4.2.14 The Message Broadcast Service (MBS)

* The Message Broadcast Service enables Post Office to communicate directly with Branches, for the
purposes of issuing instructions, advice or information urgently, where paper and postal
communications may be too slow or inappropriate. The Message Broadcast Service only enables
communications from Post Office out to Branches; Branches are unable to respond or communicate to
Post Office using this Service.

* Each Message is distributed to target Branches as identified by Post Office.

* Only Branches that are currently in communication with the HNG-X Central Infrastructure at the time of
the Message Broadcast will be able to access the Message.

* Messages approved for distribution to the Branch Infrastructure are distributed by the Reference Data
Management Service on behalf of the Message Broadcast Service.

4.2.14.1 Service Availability

The Message Broadcast Service is available during the hours of: 08:00hrs to 20:00hrs, Monday to
Saturday, excluding all Bank Holidays. In exceptional circumstances, Post Office and Fujitsu Services may
agree to distribute a Message outside of these hours.

* The loss of both the Data Centre Operations Service and the Reference Data Management Service
would affect the ability of the Message Broadcast Service to issue a Message Broadcast.

4.2.15 Service Integration Service


The Service Integration Service is provided by Fujitsu Services to allow for services to be provided on non
HNG-X Service Infrastructure and to be delivered alongside the HNG-X Service Infrastructure.

The Service Integration Service will be available from 9:00hrs to 17:30hrs Monday to Friday excluding Bank
Holidays or at other specific times agreed.

4.2.16 Receipt Template Service

The Receipt Template service is provided as an extension to Operational Business Change and does not,
in itself, provide any ‘Live’ service, and consists of a single component, namely the provision of new or
amended templates to be applied to Automated Payment receipts on the HNG-X system.

The primary element of this service is to cover the receipt, production and verification of new, or
amendments to existing, receipt templates.

Within the context of this service there are three types of change:

* New - where the template does not currently exist
* Major amendment - where the structure or flow of an existing template is being
changed
* Minor amendment - where the amendment to an existing template is not to
structure or flow, e.g. change of text

Within the context of these types of changes, the content of a Receipt Template is restricted to the
underlying functions which are available at the time that the new/amended template is requested. If Post
Office requests a template where the underlying function is not currently available Fujitsu Services will
inform them that this is the case and Post Office will then raise a Change Request in order to have the new
functionality added to the receipt template mechanisms.

See SVM/SDM/SD/0022 for more details.

4.2.17 Service Management Service

4.2.17.1 Service Elements

* the provision of monthly service reports;
* the management of the HNG-X Services other than the BCSF Services in their achievement of all
  SLTs, Operational Level Targets (OLTs), performance metrics and design targets;
* the management of service improvement plans in collaboration with the Post Office;
* the liaison with Post Office in respect of the overall performance of services;
* all aspects of Data Centre operations availability management, network management, systems
  management and technical interfaces with Post Office Clients and other domains; and
* the maintenance and management of Business Continuity Plans
* Problem Management
* Branch Issues Management
* Complaints Procedure
* Service Improvement
* Operational Change Proposals
* Configuration Management

All elements of the Service Management Service are provided from Bracknell (BRA01) and are available
Monday-Friday 09:00hrs -17:30hrs excluding Bank Holidays, with the following exceptions:

* release introduction activities such as Data Centre migration or Software distribution will be carried out
  in accordance with relevant project plans; and
* duty management is available 24 hours a day, every day of the year.

See SVM/SDM/SD/0007 for more details of the service, and the POA Organisation Chart for the structure of
the POA Service Delivery team.

4.2.17.2 Loss of primary operational office site in Bracknell

Provision has been made for staff to either work from home or to relocate to the DR site at LEW02.

4.2.18 Internet Data Exchange (DXI)

This service provides the Internet DMZ. The Internet Services Hub provides for outgoing connections only
(server initiated towards Internet). The services identified within the service hub are:

* MGRM to MoneyGram Intl. test service (http)
* BKAC Agent - validates Bank Sort Code and Account Number. A Web Service Agent implemented in
  the TWS that interacts with the BACS Checker Service (http)
* BACS Checker Service Postcode Anywhere - A Web Application provided by Postcode Anywhere for
  validating Bank Sort Codes and Bank Account Numbers. (https)
* BBND Agent - A Web Service Agent implemented in the TWS that interacts with the ADSL Checker
  Service. (https)
* PGDD to Neopost's Bank Guaranteed Delivery Calculator (SOAP over http), called Kahala. Neopost
  calculates a GDD for delivery from one postal location to another. A Web Service Agent implemented in
  the TWS that interacts with the GDD Calculator Service Application
* SSL VPN traffic from HNG-X to EMC addresses (https)
* EMC Remote Support Gateway (RSG).

This is a single non-resilient Internet access service through each data centre (IRE11 and IRE19). Although
non-resilient, redundancy of access between sites is provided and services can be manually restored
between sites.

4.2.19 Corporate Data Exchange (DXC)

DXC is a platform and applications that facilitates the transfer of material between the HPEV (HNG-X
production environment) and the FSEV (Fujitsu Services corporate environment); it will act as a barrier to
protect HPEV from corporate network based threats and vice versa and will provide mechanisms to:

* Control the transfer of data between the HPEV and the FSEV and vice-versa.
* Audit to ensure that any material moved between the two environments is identified and an
  appropriately granular record is made.
* Maintain access and control policies.
* Provide procedural control mechanisms on the transfer of such data.

The operating system is Secure Red Hat Linux.

The Database Server is PostgreSQL.

It will accept only data from agreed databases/schemas in an agreed format; there will be no facility to
perform undefined transfers. Transfers may be scheduled or unscheduled (ad-hoc in JSCAPE terminology).

The Web Server is the web transfer component of JSCAPE Secure FTP Server.

The file server is JSCAPE Secure File Server complemented by JSCAPE Secure FTP Factory,
complemented by bespoke clients written using JSCAPE Secure FTP Factory.

Since JSCAPE will be managing both types of data transfer, there will be a single, managed mechanism for
control, logging and reporting.

A virus and malware checker is supplied which vets all material transferred to HPEV.
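
The controls described above for DXC (agreed transfers only, an audit record for every movement, and vetting of material entering HPEV) can be sketched as a deny-by-default gate. This is an added illustration, not code from the plan or from JSCAPE; the schema names, formats, user names and the stand-in scanner are constructed assumptions.

```python
"""Deny-by-default transfer gate with an audit record per decision (illustrative)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed allow-list of agreed transfers: (source, destination, schema, format).
AGREED_TRANSFERS = {
    ("HPEV", "FSEV", "capacity_metrics", "csv"),
    ("FSEV", "HPEV", "reference_data", "xml"),
}


@dataclass(frozen=True)
class TransferRequest:
    source: str
    destination: str
    schema: str
    fmt: str
    payload: bytes
    requested_by: str
    scheduled: bool  # False means an unscheduled (ad-hoc) transfer


def malware_scan(payload: bytes) -> bool:
    """Hypothetical stand-in for the malware checker.

    Returns True when the payload is clean. It only recognises the
    harmless EICAR test marker; a real deployment calls a scanner.
    """
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" not in payload


def evaluate(req: TransferRequest, audit_log: list) -> bool:
    """Decide on one transfer and append an audit record whatever the outcome."""
    key = (req.source, req.destination, req.schema, req.fmt)
    if key not in AGREED_TRANSFERS:
        # No facility for undefined transfers: anything not listed is refused.
        decision, reason = "deny", "undefined transfer"
    elif req.destination == "HPEV" and not malware_scan(req.payload):
        # Material moving into the production environment is vetted first.
        decision, reason = "deny", "malware check failed"
    else:
        decision, reason = "allow", "agreed transfer"

    # Denied requests are recorded too, so refused attempts stay visible.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "requested_by": req.requested_by,
        "source": req.source,
        "destination": req.destination,
        "schema": req.schema,
        "format": req.fmt,
        "mode": "scheduled" if req.scheduled else "ad-hoc",
        "size": len(req.payload),
        "sha256": hashlib.sha256(req.payload).hexdigest(),
        "decision": decision,
        "reason": reason,
    })
    return decision == "allow"


if __name__ == "__main__":
    log = []
    # Constructed sample requests.
    samples = [
        TransferRequest("HPEV", "FSEV", "capacity_metrics", "csv",
                        b"host,cpu\nsrv1,42\n", "svc_batch", True),
        TransferRequest("HPEV", "FSEV", "branch_txn", "csv",
                        b"x", "analyst1", False),
        TransferRequest("FSEV", "HPEV", "reference_data", "xml",
                        b"<a>EICAR-STANDARD-ANTIVIRUS-TEST-FILE</a>", "analyst1", False),
    ]
    for s in samples:
        evaluate(s, log)
    for entry in log:
        print(entry["decision"], entry["reason"], entry["schema"], entry["mode"])
```
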

Availability

This device will be in a live/standby configuration with the equivalent platform at the DR site. It will be
provisioned on a blade or vBlade with a recovery time of 15 minutes or less.

Network Topology

The server will be placed in a network topology indicated by “DXC Corporate Data Exchange Proxy” as
shown in the diagram below.

[Figure 28: Network Topology]

4.2.20 Performance & Capacity Management (SPN)

The Capacity Database is an essential part of providing an effective capacity management function to the
Post Office Account. The role of the database is to provide a central repository for system and selected
business metrics which can be interrogated to provide a picture on the current performance of essential
services and can be extrapolated or modelled to provide a view of the near future.

The performance database is required to store data relating to service metrics. These will include metrics
related to Operating System, Middleware, Database, Applications (bespoke and COTS), APIs and Defined
Service Levels. These metrics are used to build a picture of the performance of a system and can assist in
the resolution of performance as well as availabilt


There are two main access methods to this server for management purposes:
* TCP/IP level access provided by the Secure Access Server
* HTTP / SQL access via the Corporate Data Exchange Proxy solution.

This provides the means by which the System Qualities and other support teams can access and manage
the SPN platform.

An SPN platform instance is present in both datacentres in an active / passive configuration. The
provided by Clariion storage and make use of replication to ensure synchronicity of data between both
frames.

The solution is based on SAN-Attached hardware and therefore is inherently resilient against disk failures
given the RAID architecture employed by the EMC Clariion system.

To ensure high availability, the disks are synchronised with the passive data centre. This ensures that in the
event of a disaster scenario, the system qualities team can continue to capture and collect system
performance data.


[Figure 29: Datacentre 1 and Datacentre 2, showing replicated Athene tables (subset), backup, and a weekly flat file copy to a backup drive]

4.2.21 Branch Support Database System (BRSS)

4.2.21.1 Overview

The Branch Support Database (BRSS) system provides a dedicated, available and resilient (as it resides
within BladeFrame) repository of Live transactional, reporting and control data for the various HNG-X
business and technical support streams to provide levels of support to the Post Office Branches and Post
Office Limited.

The BRSS system runs on a single p-blade within the Fujitsu-Siemens BladeFrame environment using a
SAN-based storage solution (BRS - Branch Support Server).

The Branch Support Database is implemented in the form of a single instance Oracle Enterprise Edition
database.

The BRSS transactional repository consists of the following type of transactional, reporting and control data:
* User and Session Management
  Counter users, roles (Clerk, Manager etc) and stock units.
  Log-on/log-off events and session establishment.

  (Migration specific) Outlet migration status
* Audit
  Auditable requests
* Settlement Basket Capture
  Settlement transactions.
* Reporting
  Transaction level and aggregated report data
  Report generation requests (events) used for audit and reporting purposes.
* External Authorisation Transaction Recovery
  Control information for recoverable transactions.
* Track & Trace
* Counter Reference Data
* Cash and Stock Pouch Despatches, Advice Notices
* Delivery & Collection Notifications and Cash Declarations
* Message Broadcast (Desktop Memo)

Data in the Counter audit store is retained for 14 business days.

The data in Transactional, Recovery, LFS and Track & Trace tables is kept for up to two months (sixty two
calendar days).

Data in the Reporting transactional and aggregation tables will be retained for six months (182 calendar
days). All control and metadata tables are based on the same retention period of 182 calendar days.

The BRSS system consists of a number of Linux-based host processes that are run by scheduling software.

These processes typically perform operations such as table & index partition management, consuming data
replicated from the Branch Database and file / table housekeeping.

BRSS runs in archived redo-log mode to provide the facility of point in time recovery. RMAN will be used as
the tool for performing backups and restore/recovery.

4.2.21.2 Data Population


The Branch Support Database (BRSS) contains transactional, event and other relevant data replicated from
the Branch Database. For the customers (technical / business support streams) to be able to use BRSS as
the sole point of access to live data, relevant data is replicated to BRSS on a near real-time basis.

4.2.21.3 Support Interface
The Branch Support Database is the first point of call for any support queries related to Branch information.

All applications run under the batch scheduler through defined Unix users with only the necessary access to
run the application.

Oracle database connectivity and access control is through defined Oracle Users and the Roles granted to
those Users would only be those that are necessary to run the application.

Data security is maintained by constraining the database object by type and range and by restricting access
through Role to only those applications requiring such access.

Note that the BRSS is used for all support queries that are run by the support teams. The only
circumstances under which the Branch Database can be used for querying data instead of the BRSS is:

* The Branch Support System (BRSS) is down / inaccessible or the replication between the Branch
Database and Branch Support System is down / or too far behind.

4.2.21.4 Resilience / Fail-over

The Branch Support Database runs on the BladeFrame Linux environment. Fail-over is implemented using
a remotely mirrored EMC file store while resilience to hardware faults can be handled by the BladeFrame
technology's inherent fault management and resolution.


5 Testing Strategy
5.1 Initial Testing

The initial testing of all business continuity contingency plans has been documented in the HNG-X Business
Continuity Operational Test Plan (SVM/SDM/PLA/0003).

Some tests are focused at sub-service level, however other tests are based upon a facility, e.g. the Loss of
a Data Centre (IRE11).

5.2 Ongoing Test Strategy

This refers to how the contingency measures, in place for the HNG-X Support Services, shall be periodically
tested to ensure they are current and reflect the service model for those services as they mature.

This is provided by an ongoing series of business continuity tests at a predetermined frequency for the
duration of the Fujitsu Services POA contract. The nature of these tests is documented in the HNG-X
Business Continuity Operational Test Plan (SVM/SDM/PLA/0003), which also contains a yearly test
schedule.

6 Preventative Measures

It is a fundamental philosophy of the POA solution that wherever technically possible, components of the
service are designed in such a way as to ensure maximum resilience to failure by way of eliminating
possible single points of failure, i.e. by providing multiple platforms performing similar functionality both for
performance and resilience.

In general HNG-X provides resilience based on the installation of an additional server (whether physical or
virtual) over and above that required for normal operation. These additional servers are located in the
primary data centre in IRE11.

For example, the Key Management Service (KMN) only requires one server to perform all normal tasks,
however there are two servers in IRE11 creating an N+1 implementation (where N is the number of servers
required for normal operation). In addition, since the KMN server is hosted on a bladeframe, there is extra
resilience via a spare blade in the same cabinet which can be used as a direct hardware replacement
should the designated hardware fail.

6.1 Major Account Controllers (MAC) DR facility

The Major Account Controllers (MAC) service can be delivered from the Disaster Recovery site in BRA01
following a relocation of staff from Stevenage. The relocation can be completed within around 3 hours of the
decision to enable the DR site. POA staff in Bracknell would assist with the initial setup activities.

6.2 Triole for Service (TfS) - Service Desk system

Should the primary Incident Management System (TfS) sustain a total failure there is a second system that
is kept updated in SDC02 which can be brought into use.

6.3 Data Centre Operations Services (IRE11 / IRE19)

The HNG-X service is based upon using the two Data Centres (IRE11 and IRE19) at the same time for live
services, the primary Data Centre being IRE11. In normal operational mode IRE19 is supporting the live
service while also accommodating the test environment for HNG-X.

* Both Data Centres operate 7D x 24H x 365/366 days with operational staff on site at all times. The sites
are located approximately 5 miles apart (11 miles by road).

In a situation where IRE19 is unavailable then a full live service can be provided through IRE11.

However, if IRE11 (the primary site) becomes unavailable then a full service can be provided from IRE19
only following a full site failover. It is expected that all test and development facilities services will be
unavailable while running a full live service from IRE19, however there may be provision for a limited test
service.

The overall HNG-X solution adopts and demonstrates industry best practice in areas such as systems
enterprise and operational management.

This provides the capability to monitor and report on virtually every hardware component and software
application comprising the HNG-X solution.

It also allows a significant amount of automation to be introduced into the overall HNG-X capability, which in
most situations allows timely resolution of any failures that are experienced.


The impact of the loss of a data centre is described in SVM/SDM/PLA/0002, the HNG-X Services Business
Continuity Plan, in section 11.2, item numbers 31 to 44.

6.3.1 Environment Monitoring Facilities
IRE11 & IRE19 Operations staff monitor the environmental facilities against potential threats.
Examples would be:

Loss of mains power - UPS and Generator take on load
Loss of Air Con - Standby unit brought into use
Flood / Fire warnings - Detection systems will give early warning

Early detection is the key to preparedness; the building disaster detection facilities are regularly tested
and appropriately maintained in accordance with contractual agreements. In the event a problem is
detected, which may affect the live service kit, the appropriate support group responsible for implementation
of fault resolution or instigation of disaster recovery will be immediately contacted.

FSCS has a comprehensive maintenance and call out contract, covering all environmental kit. All
contractors are on a 4 hours response to site basis agreement, and since resilience is built into the main
systems, only minor disruption should occur.

See Appendix 2 (IRE11) and Appendix 3 (IRE19) for further details.

6.3.2 Data Centre Air Conditioning — IRE11 & IRE19

* Both IRE11 Tech Halls are served by six air conditioning units. The environment can tolerate the loss of
  two of these units without impact.
  Portable units are also available in the case of emergencies.
* The IRE19 Tech halls are served by eleven air conditioning units.

The loss of a single unit within any of the halls would require addressing in the form of arranging for a
portable unit to be obtained.

6.3.3 Data Centre Power - IRE11 & IRE19

* The Primary Site is at IRE11.

This has two feeds from independent substations to onsite transformers. The site is capable of running
for three days at peak load when on generator power, or longer provided fuel deliveries to site are
possible. IRE11 has two computer rooms (or Tech Halls) which are physically separate buildings. TH2
is the site for the majority of the HNG-X equipment, and is fully N+1 resil
power. TH1 is connected via separate paths of single-mode and mul
of a row of cabinets for POA equipment. TH1 has N+1 resilience in UPS, but only a single generator.

In practice the double failure of NIE supply and generator is highly unlikely, and there is a programme
of generator and UPS testing each year to ensure that the generator is serviceable.

Further information for IRE11 is outlined in the Appendix.


* The Secondary Site is at IRE19.

This has a feed from a single substation with the transformer offsite. The site is capable of running for
eleven days at peak load when on generator power.

Further information for IRE19 is outlined in the Appendix.

Neither site shares a common substation and Northern Ireland is a resilient part of the National Grid with
inter-connectors to Scotland and England.

At both sites: power is supplied to each server rack / equipment from a single / triple breaker via armoured
cable fitted with commando socket and plug in the floor void to the equipment.

Power is routed to each piece of equipment via separate PDUs unless single source power. Power can be
isolated via either the breaker within the PDU or switch on the commando socket. New suppliers can be
upgraded or downgraded by replacing the breaker within the PDU.

6.3.4 Oracle Real Application Cluster (RAC)

The Branch Database and the NPS database both use Oracle Real Application Cluster to provide high
availability.

This configuration provides load balancing of client requests during normal operation. Additionally, if one
node in the RAC cluster fails the other nodes take over the load.

Therefore, the system capacity is managed in an N+1 configuration, such that the RAC cluster can handle
peak load even with one failed node.

Branch Database   N=3 (four nodes normally active)
NPS               (two nodes normally active)

For Branch Database each branch will normally access the same node; if a node is unavailable then the
failed node's branches are spread across the remaining nodes.

NPS supports several services e.g. ETS, DCS, NBS as if they were separate applications. A branch
connection goes to the same node for any one of these services, but the branch does not necessarily use
the same node for all services.

6.3.5 Oracle DataGuard

Oracle DataGuard is an Oracle feature which allows one or more standby databases to be maintained in a
transactionally consistent fashion to a primary database. This is achieved by applying changes from the
primary database to a secondary copy of the database.

The production Branch Database is the primary database, and a secondary copy of this database is
maintained at the same site. The purpose of this secondary database is to guard against physical corruption
of the primary production database, i.e. some form of unrecoverable I/O error resulting in a loss of database
integrity.

Because the changes are propagated and applied at application level, it is very
unlikely that a data corruption will be propagated, and in the event of the primary being unavailable due to a
corrupt block, failover to the standby is extremely fast. The primary can then be repaired.

6.3.6 Disk Storage Arrays


Both the Symmetrix and Clariion storage arrays have a high level of internal resilience.

Storage arrays are provided with power from separate Data Centre power supplies, and these are
themselves supplied through independent uninterruptible power supplies and separate breaker (fuse)
panels. Internally the storage arrays have many features that mean that failure of a single component is
unlikely to affect the ability of the array to continue offering a service.

Within individual disk arrays RAID is used to ensure data integrity in spite of the loss of a disk drive (either a
RAID-1 mirror or RAID-5 parity stripe).

The disk arrays also allow point-in-time copies of data to be maintained as snapshots or cloned copies.
These enable rapid recovery from corruption.

Belfast Refresh is replacing EMC with ETERNUS storage. A large number of servers have already migrated
as part of Release 10, DAT services will migrate during Release 11, and BRDB & NPS during Release 12.
See section 0.7 changes expected.

6.3.7 SAN Fabric

The SAN Fabric is built around two fibre-channel switches (directors) at each Data Centre. The two
switches are independent, that is, they form two separate SAN fabrics.

This provides at least two forms of redundancy - firstly, the two fabrics allow for failure of any element in
any one fabric (assuming both server and storage are connected to both fabrics). Secondly, a (human) error
during a configuration change on one fabric will not affect the other independent fabric, typically allowing the
change to be corrected before any adverse results are encountered.

6.3.8 Host Systems

All systems that connect to the storage arrays have two HBAs, each HBA connects to a different FC
director, and therefore to a separate fabric. Multi-pathing is managed either by the control blades in the
BladeFrame, or by host based multi-pathing for the relevant platform.

If one of the Storage ports, HBAs or FC directors fails or if there is a cabling problem, it will not cause the
server to lose its connection to the storage.

6.3.9 Blade Frame and Storage Overview

HNG-X storage is synchronously replicated between the Live and DR data-centres using SDRF via the
Intercampus link described earlier. Before a write is acknowledged to a server, it is written to the storage at
both data-centres to ensure consistency of data between the sites.

The Symmetrix DMX disk arrays are operated as two independent pairs. One will contain the Branch
Database, and the other the Branch Standby DataGuard copy. In the unlikely event that a fault develops
with the storage continuity of service is ensured, as at least one copy of the Branch Database will be
available.

The CX3-80 Clariion also supports an area of disk for Oracle RMAN backup. This is the primary recovery
point for Branch Database corruption, and online storage is provided to allow recovery to be made in as
timely a manner as possible. The Storage Area Network for HNG-X is illustrated in Figure 30 below.

The BladeFrame system introduces the concept of a stateless server. Within the BladeFrame the actual
processing unit only contains CPU and memory. All other components that usually make up a server are
abstracted and provided by the BladeFrame chassis, e.g. network interface cards and host bus adapters.

[Figure 30: Storage Area Network for HNG-X; panels: Production - IRE11, DR/Test - IRE19]

The storage subsystem is external to the BladeFrame system and no HNG-X server hosted inside the
BladeFrame has internal hard drives or other storage devices. A server is defined as a combination of a
blade with a CPU and memory with resources such as a network interface, a host bus adapter and a
storage subsystem. This configuration is held in an XML file. As a consequence the definition of a server (or
platform) can be moved from one physical blade to another, from one BladeFrame to another or even from
one data-centre to another.

BladeFrame from Fujitsu-Siemens consists of a chassis with up to 24 stateless processing blades
(pBlades), two control blades (cBlade) and two switch blades (sBlade) in a cabinet with a foot-print similar
to a normal server cabinet.


Please refer to the Platform Hardware Instance List, DEV/GEN/SPE/0007, for the latest configuration of the
HNG-x live environment in IRE11 and test environment in IRE19.

The application of the BladeFrame technology for the purpose of disaster recovery to the HNG-X solution
enables the meeting of the SLT for CAPO and all other HNG-X services. A farm of three BladeFrame
systems is installed in each of the HNG-X data-centres.

The BladeFrame farms are composed of identical hardware in both data-centres. The configuration of the
Live farm is captured in a configuration file. This configuration file is replicated to the DR data-centre at
regular intervals. All data and operating system information that is held in the Live data-centre storage
arrays is also replicated to the DR data-centre according to predefined criteria (either synchronously or
asynchronously).

In the event of a disaster the configuration of the Live BladeFrame farm is applied to the DR farm. This
process configures the DR farm identically to the unavailable Live farm and then presents the replicated
Live data to the farm. This process has been designed to complete in less than an hour allowing for time for
UNIX Support to check that all applications and services are ready to go Live again, enabling the branches
to trade.

6.3.10 BladeFrame Connections

All server instances on BladeFrame reside on the Core switches, and the BladeFrame is not physically
connected to the Access switches.

It is necessary to distinguish between the management interface, which is a single connection to each
cBlade, and the network ports available for pServer instances. Each BladeFrame will attach one cBlade to
the header and one to the footer. For out of band support an Aurora Console Tower system (CON) will be
provided that allows secure, managed serial connections to the serial port on the control blade.

Each BladeFrame has two management ports, one on each cBlade, and these are connected to different
Data Centre switches. The PAN Manager service has a virtual IP which fails over to the master cBlade. The
cBlades provide proxy ARP resolution for each other, and simple ping tests are an unreliable way of tracing
network problems.

Each cBlade has four on-board and four PCI based gigabit NIC for use by the pServers. These are grouped
into resilient Ethernet interfaces (rEth) which may also span BladeFrame chassis as mega-rEth (mrEth) if a
BladeFarm has been formed to allow a pServer to move between chassis.

Virtual switches are created within the PAN, and these are identified with the NIC that traffic is passing
through and the security domain of the VLAN ID, e.g. vSwitch1_DB or vSwitch15_SAS. The LPAN
Administrator will ensure that servers are only permitted access to those switches associated with VLANs in
which that server resides. The PAN Administrator ensures that Test VLANs are not visible to Production
systems and vice-versa.

6.3.11 BX900/PAN7

There is one radical change in architecture from PANS, which is that the storage path is now "native" to the
BX900 chassis, and does not pass through the PAN Ops management servers. This allows a pair of
relatively small RX200/S7 servers to run as a cluster providing PAN Manager services, managing up to 16
BX900 chassis, each containing up to 18 "pNodes", as the BX924/S3 blades are now known.

Each BX900 has a clustered pair of management blades and an active/active pair of connection blades. For
PAN7 these are Brocade VDX2730 switches capable of Ethernet or Fibrechannel connectivity. The pNodes
themselves have a common network adapter (CNA) very similar to the current pBlades, with the connection
blade taking the place of the sBlade and cBlade in a Bladeframe, and the internal connections of the BX300
taking the place of the Bladeframe backplane.

Currently extended control is provided through a ServerView VIOM server, but a later release is expected to
manage the BX300 directly.

R12 will only migrate the RAC clusters, which are currently deployed as "bare metal" pServers. An initial
installation of Oracle Virtual Machine (OVM) as a hypervisor will permit the RDT RLS servers to be
deployed virtually.

It is expected that a later release of PAN will provide vBlade type functionality, but details are not yet clear,
and the only virtualisation currently supported by Oracle is OVM.

An overview of the failover mechanics is shown in the figures below, but the principle follows that used in
Bladeframe/PAN7, that the Production LPAN is created and started on the DR hardware.

PAN7 provides a more extensive suite of tools for importing LPANs from a DR archive, simplifying a
process that had been written as part of DEV/INF/LLD/0066.

The essential precursor steps of storage and network failover are still required.

The storage is presented to the individual pNodes rather than to the cBlade. Although this makes more
work for the storage management team, storage discovery via SMIS makes the PAN Admin task very
straightforward, and it is easy to manage small sets of LUNs in ETERNUS LUN Groups for each server
rather than the huge presentations that had to be managed for Bladeframe.

Figure 31

6.3.12 Salesforce Support Service

The Salesforce Support Service provides Post Office with a hosted and managed service for the
PerspecSYS data residency solution (to host software as procured directly by Post Office). Support desk
services will be provided to log calls from Post Office's end user help desk for issues relating to the hosted
service and the Salesforce solution instances used by Financial Specialists and Stakeholder Management
teams.

The Fujitsu Salesforce Support Service (SVM/SDM/SD/1977) provides hosting, support, and service
management for the PerspecSYS data residency solution which forms a critical supporting technical service
for the Post Office Finance Specialists Salesforce Solution.

The Fujitsu Salesforce Support Service also provides call logging and incident routing for technical
problems encountered by Finance Specialists and Stakeholder Management.

RESPONSIBILITY SUMMARY

End User Viewpoint

| Area of responsibility | Finance Specialists Salesforce Solution | Stakeholder Management Salesforce Solution |
| --- | --- | --- |
| End User Help Desk | Post Office | Post Office |
| Call Logging and Incident Routing for technical faults | Fujitsu | Fujitsu |
| Resolving hosting and connectivity issues related to the PerspecSYS software | Fujitsu | Not applicable to Stakeholder Management Salesforce Solution |
| Service management for the hosting and support of the PerspecSYS software | Fujitsu | Not applicable to Stakeholder Management Salesforce Solution |
| Resolving application software issues related to | Post Office (PerspecSYS contracted to Post Office). Fujitsu will route the incident to the PerspecSYS support team and notify Post Office End User Help Desk | Not applicable to Stakeholder Management Salesforce Solution |
| Resolving Salesforce technical issues | Post Office has the direct relationship with Salesforce and Fujitsu is not providing an End to End Salesforce service. Fujitsu will take calls and resolve the issue when the problem originates in its own domain, however where the problem has not originated in the Fujitsu domain Fujitsu will pass the call to Post Office End User Help Desk who are responsible for raising calls with the Salesforce support team. Additionally Fujitsu will take and manage the resolution of calls raised with Salesforce that breach the SLA target that exists between Post Office and Salesforce. These Salesforce Support Service Escalated Calls will be chargeable under a separate monthly fixed charge that will be reviewed after the first three months of live service. | Post Office has the direct relationship with Salesforce and Fujitsu is not providing an End to End Salesforce service. Fujitsu will take calls and resolve the issue when the problem originates in its own domain, however where the problem has not originated in the Fujitsu domain Fujitsu will pass the call to Post Office End User Help Desk who are responsible for raising calls with the Salesforce support team. Additionally Fujitsu will take and manage the resolution of calls raised with Salesforce that breach the SLA target that exists between Post Office and Salesforce. These Salesforce Support Service Escalated Calls will be chargeable under a separate monthly fixed charge that will be reviewed after the first three months of live service. |
| Resolving Post Office communications network issues | Post Office (via communications network supplier). If the call is initially passed to Fujitsu by the Post Office End User Help Desk it will be passed back so that a call can be raised by Post Office on the communications network supplier | Post Office (via communications network supplier). If the call is initially passed to Fujitsu by the Post Office End User Help Desk it will be passed back so that a call can be raised by Post Office on the communications network supplier |

Service Availability:

The supported hours of operation for the Salesforce Support Service are 08:00hrs to 18:00hrs
Monday to Friday and 08:00hrs to 12:00hrs on Saturdays, excluding Bank Holidays.

Scheduled maintenance activities including applying security patches and carrying out data and system
backups will be scheduled to take place outside the supported hours of operation.

In some emergency situations it may be necessary to carry out maintenance activities within the supported
hours of operation, with the result that the Salesforce Support Service is unavailable. Any such emergency
changes will be agreed with Post Office.

The Salesforce Support Service will not normally be available outside of the hours stated in section 2.3.1
except when scheduled or emergency maintenance activities are taking place.

Monitoring of the platforms, database, and application for the PerspecSYS data residency soluti

a. Automated monitoring and raising of incidents related to hardware, operating systems, database
management systems, network components, scheduled activities, and alerts raised by the PerspecSYS
application.

b. 24x7 monitoring by SMC for automatically raised incidents.

The impact of the loss of a data centre is described in SVM/SDM/PLA/0002, the HNG-X Services Business
Continuity Plan, in section 11.2, item numbers 238 to 240.

6.4 Network Services
6.4.1 Network Capacity into Data Centres

The capacity of the access network to the data-centres in IRE11 and IRE19 has been designed to ensure
that each data-centre is capable of fully supporting the predicted maximum network traffic.

6.4.2 Data Centre Network Topology

The Data Centre network is based on four core Cisco 6513 switches (two per site) and four Access 6513
switches with resilient ASA5540 based firewalls between the Core and Access layers. Each core switch
has a firewall module and an ACE (Application Control Engine) module. Both the ACE and the FWSM have
redundant connections as well as the main MSFC interconnect. The FWSMs interconnect using a heartbeat
(not ISL) over a Dot1Q 20G link, and the FWSMs interconnect over a 4GB link carrying a heartbeat. It is
possible for any (or more than one) of the modules to fail and have traffic routed between switches to
different modules in different chassis.

All network components are deployed in pairs at each Data Centre. The only exception is the Vodafone link
which has a single CE router and single HO router.

Every discrete server that connects to the network has at least two NICs. Each NIC connects to a different
network switch. The NICs are configured in an Active/Passive configuration (not load balanced) with Switch
as the preferred switch.

More information is available in:

Architecture (ARC/NET/ARC/0001)
Data Centre LAN Design (DES/NET/HLD/0004)
Wide Area Network Design (DES/NET/HLD/0009)
Branch Access HLD (DES/NET/HLD/0014)
Transit LAN Design (DES/NET/HLD/0015)

Figure 31 below gives a very high level view of the switch connectivity that forms the basis of providing a
resilient Data Centre network service with DR capability. The inter-site links are leased dark fibre from
Virgin (NTL) with an FTEL service. The links do not share any single point of failure, and there is a minimum
410m component separation at all points along the route.

Figure 31 (diagram site labels: Ireland 11, Ireland 19)

Connections from outside the Data Centre are via dedicated Vodafone 155 Mbps circuits, one to each Data
Centre. Resilience of client connections is provided via the inter-site link.

The segregation is such that a DR Business Continuity Test should only need to consider failover of the
core switch layer. The Access layer is covered by normal component resilience testing.

6.4.3 Data Centre Disaster Recovery (DR) - Network

The two data centres normally operate in an active/DR manner, with IRE11 as the normally active site.
IRE19 will be used as a test facility under non-DR conditions. Although applications and services from the
data centres generally operate as active/DR, the network operates active/active at all times (including the
Utimaco VPN servers). However, since a data centre failover requires the BAL servers to retain the same
server IP addresses, along with the same VIPs advertised towards the clients, these elements of the
network operate in an active/DR configuration to prevent problems associated with the advertisement of
duplicate subnets.

Under normal circumstances Live traffic on the clear (unencrypted) side of the VPN servers will be steered
towards IRE11 using an intercampus VLAN. Traffic will not be load balanced across parallel paths. Test
traffic will be steered towards IRE19 in a similar manner. Support staff will have connectivity to either site.

Failure of data centre WAN equipment on the preferred path (local CE and/or local Handoff router) results in
traffic re-routing via the equivalent router in IRE19 and the intercampus LAN.

Invocation of DR, where the operational data centre is transferred from IRE11 to IRE19, is a manual
process that takes up to two hours. Network failover to DR uses scripting, where necessary, to manage the
changeover, which facilitates the reconfiguring of the server estate with the same IP addressing as used in
IRE

Figure 312: Branch access network end-to-end

6.4.4 Fujitsu Network Management Systems (NMS / NNM)

NMS platform resilience is achieved by the deployment of two management platforms, one in each data
centre. Should a single platform fail, the equivalent platform at the other data centre will continue
operations; however, the normal mode of operation is active / active. This mode of operation is important as
it is essential that when DR is invoked the network fail-over activities can be performed without having to
wait for network management system platform provisioning to take place.

Reference: Network Management System HLD (DES/NET/HLD/0012)

6.4.5 Vodafone Network Management Centre

The Vodafone Network Management Centre is a 24-hour manned facility based at Bracknell. In the event of
the unavailability of the Bracknell site the Vodafone NMC shall relocate to the Watford disaster recovery
site.

6.4.6 Vodafone ISDN Availability

The Vodafone ISDN LNS platforms (one in each data centre) are located in SDCO1 and TCY02.

BT's 21CN network architecture means that both ADSL and ISDN circuits may share the same aggregation
or metro-area network from the BT exchange.

For all outlets there are single points of failure within the BT network, namely at some local serving
exchanges where an ISDN2 line to a PO outlet terminates, however overall Branch availability is increased
through the use of Branch Router secondary connection type (e.g. WWAN) which activates in the event of
availability problems within the ISDN network.

6.4.7 Fujitsu Services SDC01 & TCY01/02 Data Centres & ADSL Service

The Fujitsu Services ADSL IPStream infrastructure utilises four Points Of Presence in the Fujitsu Services
Southern Data Centre 01 comms room 1 and comms room 2, and two more at TeleCity01 and TeleCity02
Data-centres. The DLS LNS routers are configured to provide contingency across the six Points Of
Presence.

BT's 21CN network architecture means that both ADSL and ISDN circuits may share the same aggregation
or metro-area network from the BT exchange.

Asymmetric Digital Subscriber Line (ADSL) technology has been implemented within the Vodafone MPLS
data network. ADSL served Post Office Outlets have a connection through a specific Vodafone Broadband
Access Server and therefore for ADSL outlets this is a single point of failure within the Vodafone MPLS
network.

This would result in the loss of communication with a number of PO outlets, but local exchange failures
would be limited to a small geographical area; however, overall Branch availability is increased through the
use of Branch Router secondary connection type (e.g. WWAN) which activates in the event of any
availability problems within the ADSL network.

6.4.8 Wireless WAN Availability

Although the Wireless WAN (WWAN) network will mainly be used as a secondary network connection type,
there will be some cases where it will be used as the primary network connection type, such as with mobile
vans.

The Orange and Vodafone networks have a high level availability within the core of the networks; however it
is a non-guaranteed & contended service at the wireless access point.

In the situation of the WWAN being the primary network connection type then branch network availability
will be directly subject to the network provider's availability.

6.4.8.1 Orange Wireless WAN - Availability & Resilience

The Orange MPLS service and hand-off is designed for high availability and resilience by providing N+1 at
various elements in the end to end service. There are two geographically diverse Orange GGSN nodes,
Orange resilient MPLS network, dual leased circuits for different Orange points of presence with
corresponding CE routers delivered to two Fujitsu data centres. On from this there are dual WWAN LNS
routers capable of terminating 8000 PPP sessions, one per data centre.

6.4.8.2 Branch Router Availability

The MTBF (uptime) of the Sarian DR6410 router along with a reduced MTTR (downtime), combine to
improve overall availability.

6.4.9 Transaction Network Services UK LTD (TNS)

The network links provided by Transaction Network Services are currently limited to one X25 link from
IRE11 and one from IRE19 to HSBC Merchant Services (HMS) for the DCS online debit card transactions.
Data can be transferred by either route.

6.4.10 Post Office Limited Northern Data Centres

Access to the POL NDC site is via Vodafone separately routed Vodafone IP Select network connections.
The resilience of these circuits is also high due to the fact that there is no common point of failure between
each site and the data-centres. Each data-centre has two separately routed Vodafone IP Select network
connections back to two separate Vodafone Synchronous Network Access Points (SNAPs). Conne
between SNAPs and the POA data-centres is provided by Vodafone fibre, via the Vodafone backbone.
6.5 The Security Service

6.5.1 Key Management Servers and Database - HNG-X

Resilience of the system is obtained by deployment of 2 Key Servers in IRE11 (the primary data centre).

Resilience of the Key Server service is managed through the Key Server Client that applications use to
interface to the Key Server.

6.5.2 KMNG Workstations

KMNG workstations are based in BRA01, exist in a secure room, on a dedicated business network, firewalled
and separate from the Fujitsu corporate network, and are operated by the HNG-X Security Team.

The KMNG workstations are replicated at the designated disaster recovery site (LEW02), and (after
initialisation) can be used in the same way as the normal live version to facilitate POA business operations.
Bug-fixes, design or configuration change to the application or platform is replicated at the disaster recovery
site as soon after issue as possible.

6.5.3 Tivoli Infrastructure

With the exception of the Certification Authority Workstation (which is not connected to the network), all
processes in the Key Management Centre are monitored by Tivoli, which will raise appropriate alarms if a
process stops running.

6.6 Branch and Estate Change Management Recovery and Resilience

The Estate Management Infrastructure will be available to service requests on a 24 hour basis. Where there
is a requirement to update any of the component platforms comprising the service there will be limited
periods of unavailability out of normal business hours (08:00 - 18:00) while this takes place. The Radius
servers will provide an uninterrupted service during this period.

6.6.1 Estate Management Database Server (EST)

In general terms the EST clients, with the exception of the Radius Servers and the Boot Platform, will not
require data in an interactive mode out of normal working hours, and will tolerate EST non-availability,
except at those times where scheduled activities to retrieve data from EST occur. The Boot Platform is used
during branch equipment replacement and installation activities which includes the Branch Router Rollout
programme. The resilience model for Release 1 of HNG-X is the provision of good Radius resilience and
conventional recovery profiles for all other systems that would limit downtime to a period commensurate
with the re-instancing of a blade in the case of a physical hardware failure and recovery from database
image where database corruption has occurred. The time lost in this instance should be limited to no more
than 2 hours.

The EMDB Server will be an SQL Server 2005 and Tomcat based platform with the following
characteristics:

* High availability for read operations.
* Low number of write operations.

Database backups will be scheduled every evening to facilitate point in time recovery in the event of
database corruption, operational failure, or hardware failure, and will facilitate point in time recovery using
the transaction logs which will also be SAN based. The operational filestore will be maintained on SAN to
facilitate recovery in the event of Site failure.

6.6.2 Boot Platform

The Boot platform is responsible for ensuring that the installation of counters and Branch Routers is
uninterrupted, especially during periods of high activity such as Branch Router rollout. There are two
operational Boot Platforms; these will be addressed in turn (no attempt to load balance) by Branch Router
and Counter platforms. If an attempt to contact the primary fails then the secondary will be selected.

6.6.3 Branch Change Management Server (BCMS)

BCMS Resilience is not critical for the operation of the HNG-X Service, therefore a period of up to 24 hours
is manageable in the event of failure.

The primary server is in BRA01, with a DR Instance located at the POA DR Site (LEW02) to be used in the
event of a primary site failure.

6.6.4 Radius Authentication

CHAP authentication requires that the EMDB maintains an operational profile that will service the Radius
servers for connection requests during normal working hours. Resilience will be provided by the client
application on the Radius platform maintaining a cache of all CHAP secrets on all Radius platforms that are
periodically refreshed to provide up to date information.
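
The cache-based resilience described in 6.6.4, sketched as an added example; it is not part of the original plan and is not Fujitsu's code. The class and function names, the refresh and retry intervals and the sample secrets are hypothetical; the CHAP response calculation follows RFC 1994.

```python
"""Added illustration: CHAP verification served from a periodically refreshed
local cache of secrets, so authentication continues while the secrets
database (the EMDB in section 6.6.4) is unreachable. All names are hypothetical."""
import hashlib
import hmac
import time


class EmdbUnavailable(Exception):
    """Raised by the fetch function when the secrets database cannot be reached."""


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapSecretCache:
    """Holds the last good snapshot of all CHAP secrets on one Radius platform."""

    def __init__(self, fetch_all, refresh_interval=300.0, retry_interval=30.0,
                 clock=time.monotonic):
        self._fetch_all = fetch_all          # callable returning {username: secret}
        self._refresh_interval = refresh_interval
        self._retry_interval = retry_interval
        self._clock = clock
        self._secrets = {}
        self._next_attempt = float("-inf")   # forces a fetch on first use
        self.stale = False                   # True while serving an old snapshot

    def refresh_if_due(self):
        now = self._clock()
        if now < self._next_attempt:
            return
        try:
            snapshot = dict(self._fetch_all())
        except EmdbUnavailable:
            # Keep the previous snapshot, flag it for monitoring, retry sooner.
            self.stale = True
            self._next_attempt = now + self._retry_interval
            return
        self._secrets = snapshot
        self.stale = False
        self._next_attempt = now + self._refresh_interval

    def verify(self, username, identifier, challenge, response):
        self.refresh_if_due()
        secret = self._secrets.get(username)
        if secret is None:
            return False                     # unknown client: reject
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo():
    """Constructed scenario: database outage, then recovery with a rotated secret."""
    user = "branch-router-0001"                    # constructed sample identity
    store = {user: b"constructed-secret-A"}        # constructed sample secret
    emdb_up = [True]
    now = [0.0]

    def fetch_all():
        if not emdb_up[0]:
            raise EmdbUnavailable("EMDB offline")
        return store

    cache = ChapSecretCache(fetch_all, clock=lambda: now[0])
    challenge = bytes(range(16))
    old = chap_response(7, b"constructed-secret-A", challenge)
    new = chap_response(7, b"constructed-secret-B", challenge)
    results = {"normal": cache.verify(user, 7, challenge, old)}

    emdb_up[0] = False                             # database outage
    now[0] = 301.0                                 # refresh is due and fails
    results["during_outage"] = cache.verify(user, 7, challenge, old)
    results["stale_flag"] = cache.stale
    results["wrong_secret"] = cache.verify(
        user, 7, challenge, chap_response(7, b"guess", challenge))

    emdb_up[0] = True                              # database back, secret rotated
    store[user] = b"constructed-secret-B"
    now[0] = 332.0                                 # past the 30 s retry interval
    results["old_after_refresh"] = cache.verify(user, 7, challenge, old)
    results["new_after_refresh"] = cache.verify(user, 7, challenge, new)
    results["stale_after_refresh"] = cache.stale
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

CHAP requires the verifier to hold each secret in recoverable form, so a cache like this needs the same protection as the database it mirrors, and the `stale` flag is the signal to alert on when a rotated or revoked secret may not yet have reached a Radius platform.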

6.6.5 Hardware Resilience for Estate Management Platforms

The EMDB and the Boot Platform are provisioned as individual vBlades within a Blade Frame Server. The
Blade Frame technology effectively gives each server platform a fully resilient virtual LAN connection to
their respective Network Security Domains in the Campus Network.

The Blade's storage is supplied via a common SAN that is configured with distinct areas for Operating
Systems and Paging, Binaries and Data.

In the event of a single platform Blade or vBlade failure, there are four likely failover scenarios.
* Re-provision the failing platform on a spare (v)Blade in the Blade Frame.
* Re-provision the failing platform on a spare (v)Blade in another Blade Frame.
* Restore Image on new (v)Blade in the Blade Frame
* Restore Image on new (v)Blade in another Blade Frame

In both of the re-provision cases above, the entire platform's storage is immediately accessible via the SAN.

SAN replication ensures that there is a current copy of the Database Storage media including transaction
and rollback logs present and available at the DR Site in the event of a Site Failover.

6.6.6 EMDB Database Backups

EMDB uses a hot backup every night with no loss of service.

6.7 Reconciliation Service

This runs on the Main Host Server.

6.7.1 Main Host / Data Warehouse

This provides the capability to monitor and report on virtually every hardware component and software
application comprising the Horizon solution in general and the Data Warehouse/MIS solution in particular.

It also allows a significant amount of automation to be introduced into the overall HNG-X capability, which in
most situations allows more timely resolution of any failures that are experienced.

The Data Warehouse runs on the HNG-X Main Host server, a Fujitsu-Siemens Primepower platform under
Solaris.

The server is provided with dual power supplies and uses the EMC Symmetrix DMX3 which is a fully
resilient enterprise class storage array spanning both Data Centres, and has no internal single points of
failure.

Resilient components include:
* Disks (EMC Raid)
* Power
* Memory
* Internal Processors

6.7.2 Main Host Server Resilience

(Commented [AP3]: Check if it is now on blade frame)

There is a second Main Host server in the same Data Centre in IRE11 which can be used in the event of a
total unrecoverable failure on the primary server. As a guide it takes approximately two hours to fail-over.

6.8 POLSAP Development and Test QA Services - IRE19

The POLSAP service is treated as two separate systems, being Production and Development / Test / QA,
however from the point of view of service delivery it is treated as active/active since both are used by
external customers.

It is possible for the POLSAP Production service to be failed over to IRE19 without any impact on the rest of
IRE11 which provides the HNG-X service to outlets (the POLSAP non-live services that were running in
IRE19 are not available during a Production fail over). Network load balancing uses ACE in HNG-X and
advertises a VIP to the external customer for the POLSAP service which allows them to easily access the
POLSAP live service from either data centre.

The Development, Test and QA systems which run in IRE19 have no failover facility.

6.9 System Management Service

6.9.1 System Management Platforms — Resilience

All of the platforms run using blade technology and use the spare blade capability in the event of a server
failure. The EMD and EES have additional resilience via a secondary server in IRE11. The EFS servers
operate in pairs giving dual access to services.

All data is replicated to IRE19 to facilitate a data centre failover.

| Platform | Description | | How many |
| --- | --- | --- | --- |
| EMM | System Enterprise Monitoring Server | TEMS | 1 |
| EU | System Enterprise User Interface Server | TEPS | 1 |
| EMD | System Enterprise Monitoring Display | Object Server | 2 |
| EES | System Enterprise Event Server | Object Server | 2 |
| EAS | System Availability Server | RAD | 1 |
| EFS | System Enterprise Fan-out Server | Proxy Probe | 40 |
| EDS | System Enterprise Database Server | Database Repository | 1 |

6.9.2 Loss of Network Communications to IND49/STE04

In the event of IND49 becoming isolated, due to the loss of network devices, SMC off-shore staff could
relocate to Pune (IND46) which has separate internet connections to TCY01 and TCY02 in the UK. Up to
twelve hours has been allowed for this from the time a decision is taken. During the relocation process SMC
staff could request assistance from MSS or SSC.

6.9.3 Buildings — Blackpool BLA01 — MSS North/ SMG

(Commented [AP4]: Needs updating)

With the loss of BLA01 it is planned that staff would relocate to WAR07 or work from home.

6.9.4 Buildings — IND49 - SMC

With the loss of IND49 it is planned that the off-shore SMC staff would relocate to Pune. Up to twelve hours
has been allowed for this from the time a decision is taken.

6.9.5 People - MSS

The MSS is operated on a ‘two shift’ basis. In the event of the loss of employees from one shift, staff from
the unaffected shift would be available.

6.9.6 People — SMC in IND49

The SMC is operated on a “24 by 7” basis. In the event of the loss of employees from one shift in IND49,
staff from the unaffected shift teams would be available to transfer to an alternative site, or operate from
Pune.

6.10 Operational Support Services

6.10.1 The Systems Operate Service
6.10.1.1 Activation

Once an event has occurred that will impact the provision of the UNIX and NT Service and/or the
Operational Service, then in all instances the ‘Activation’ procedure will be invoked and a TRIOLE for
Service incident will be raised with the SMC or MAC.

6.10.1.2 Loss of Documentation server

The document server is part of the office infrastructure and is located in the IRE11 operation-centre. A
secondary document server is based in IRE19. The contents of the secondary server are automatically
updated at 19.00 each evening from the primary server. The secondary documentation server is accessed
as part of the Systems Operate Services Business Continuity Test to confirm its functionality and accuracy.

6.10.1.3 Loss of Electrical Power

In the event of a power failure the UPS will activate and keep all FS systems up and running whilst the
standby generator activates. The backup generator will take effect approximately 30 seconds after the
failure. The lighting and air conditioning will have no power [due to being non-UPS supported] for the 30
seconds it will take for the generator to start providing power. Emergency lighting will immediately be
activated as the mains supply is lost.

6.10.1.4 Loss of Telephone exchange

In the event of the loss of ‘land-line’ telephone networks in either IRE11 or IRE19 operation-centres mobile
phones would be used as a backup contingency measure. All Belfast based SOS staff are provided with
company mobile phones. The Services Manager would liaise with the Major Accounts Controllers to ensure
a full awareness of the situation.

6.10.1.5 Loss of the IRE11 Office area

In the event of a disaster that left IRE11 inaccessible, Support Service fail-over would be instigated in
accordance with the FSCS Support Contingency site fail-over procedure. Actions to restore all the required
support functions will be managed through incident management procedures as detailed in this document.

‘Commented [APS]: Which Documentation server? Ask
Adrienne


6.10.2 Support Services

6.10.2.1 The System Management Centre (SMC)

In the event of a major incident or disaster at IND49 it is planned that the off-shore SMC staff could relocate
to Pune IND46. Up to twelve hours has been allowed for this from the time a decision is taken.

6.10.2.2 POA Customer Services - Overview

Fujitsu Services POA has developed plans to provide CS operational and support services from LEW02 in
the event of a disaster or unexpected incident at Fujitsu Services (POA) Bracknell. SVM/SDM/PLA/0034
(POA Crisis Management And BRA01 Disaster Recovery Plan) details the disaster recovery equipment for
CS operational use at LEW02. This equipment consists of a mixture of hot and warm ‘standby’ equipment.
The hot standby servers and workstations are connected to the live infrastructure and maintained by the
FSCS SOS at a fully operational state. The warm standby workstations are stored in a ‘ready-for-use-state’.

Internal business walkthroughs are conducted on an annual basis to assess the preparedness of any new
service element for implementation.

6.10.2.2.1 Incident Management

In the event of an incident occurring at Bracknell the Fujitsu Services (POA) Incident Controller for Bracknell
will be informed; see SVM/SDM/PLA/0034. The Incident Controller, referring to the Incident Management
Plan, will inform all CS Business Recovery Team Leaders of the event, instigate the raising of a TRIOLE For
Service call to escalate the incident and, if necessary, contact the Fujitsu Services (POA) Crisis
Management Team.

The Incident Controller will decide which CS teams and individuals are to be relocated to Fujitsu Services
LEW02, other Fujitsu Services sites, or are to work from home. The Incident Management Team members
will instruct the Business Recovery Team managers of the invocation of relocation and the Business
Recovery Team managers shall decide which team members will be relocated.

The call will meet the MAC (Major Account Controllers) escalation criteria, so it is escalated to the Fujitsu
Services (POA) Duty Manager. The Duty Manager uses the processes described in SVM/SDM/PRO/0028.

If the criteria for a Major Business Continuity Incident (MBCI) are satisfied (SVM/SDM/PRO/0028) the Duty
Manager escalates the incident to the Fujitsu Services (POA) Business Continuity Manager as a Business
Continuity event.

6.10.2.2.2 Peak Support Incident Management
The Peak Support Incident Management service is provided by the SSC.

The primary Peak server (peak2) is installed in BRA01 and the secondary Peak server (peak3) resides in
LEW02. The database on this server is synchronised every 15 minutes over the Fujitsu Services corporate
network. In addition, nightly back-ups are also taken of the Peak servers and placed on to the PEAK server
in LEW02.

The Peak Client is installed on the Office PCs in both BRA01 and LEW02.

Commented [AP6]: Confirm with John Simpkins if PEAK client is used/necessary. Surely a statement around access is
via corporate LAN would suffice?

6.10.2.3 Configuration Management - Signing Server
The POA Programmes secondary Configuration Management Signing server resides in LEW02. The
database on this server is synchronised on an hourly basis with the BRA01 Signing server via the Fujitsu
Services corporate network. In addition, daily back-ups are also taken of the Signing servers.

In the event of a disaster at BRA01 the Programme team can access the CM Signing server at LEW02
using disaster recovery laptops, at least one of which is held off site.


6.10.2.3.1 Change Control

The primary PVCS server resides in BRA01 and a secondary server resides in LEW02. The BRA01 PVCS
server is replicated overnight to the LEW02 PVCS server. In addition to this, daily tape backups are taken off
site.

To access PVCS, users require either ‘PVCS Terminal’ or the PVCS Dimensions PC Client. The PC client is
installed on the Office PCs in both BRA01 and LEW02.

HNG-X Dimensions is accessible to authorised users via the Fujitsu LAN. Access is either via the web
interface, or via the Dimensions Serena Client.

6.10.2.3.2 Development Operational Support Live System Team (LST)

The Live System Test (LST) team, which resides within the POA Development organisation, test software
changes about to be released into the live estate. This is achieved by proving the software changes on
discrete test configurations that replicate the live software environment.

The prerequisites to provide this service are:
* Availability of hardware test rigs upon which the live software set can be loaded and run;
* Access to Fujitsu Services (POA) infrastructure services i.e. Peak, TRIOLE For Service, PVCS.

Disaster Recovery facilities are available at LEW02 for the LST service. This is only true for those elements
of the service based in BRA01. In the event of a loss of IRE19 there would be no LST Service. There would
also be no SV&I service, no POLSAP DEV or QA service, and no Credence/MDM OAT service.


7 Preparedness Measures

Preparedness in the HNG-X context is defined as those measures taken to ensure the technical solution
and business processes supporting that solution deliver the service that they are designed to deliver,
in such a way as to meet and exceed the service level

7.1 Testing

From a technical standing, functionality is proven by testing the solution at a unit, system and business
integration level.

This functional testing has been complemented by performance and security testing to ensure that the
solution is both scalable and secure.

Internal business walkthroughs are conducted on a regular basis to assess the preparedness of any new
service element for implementation.

In preparation for any HNG-X Release, in conjunction with Post Office Limited, a full end to end processing
rehearsal and test is performed where the whole solution and supporting processes are run as if live for a
period of several days.

It is usual for this to include a rebuild of all operational platforms used in the delivery of the service, which
further validates the accuracy of operational procedures and configuration management processes.

7.2 Service Management & Delivery

From a business perspective, this process starts by establishing very exacting and specific service level
agreements with all suppliers to the HNG-X Service, which are constantly monitored and reviewed.

The provision of Operational documentation for all aspects of service delivery is mandated and allows POA
to ensure that the service is being delivered in a consistent way that satisfies service level requirements.

7.3 Risk Analysis
Impact & Risk Assessment contains a risk analysis of the end to end supporting services incorporated in
this plan.

This identifies potential risks to those supporting services, the assessed probability of that risk occurring,
the impact of that risk becoming a reality and the contingency activity or plans necessary to contain such an
occurrence with minimum impact to those supporting services.


8 Contingency Measures

Contingency measures are defined as the actions to be performed in the event of a service break to enable
business impact to be minimised during the service outage prior to recovery being completed.

Contingency measures will include the recognition, activation, incident management and initiation of
recovery procedures.

8.1 Recognition

The HNG-X solution includes a Systems management capability to monitor and report on events that occur
upon all the platforms involved in the service delivery and counters.

The process of monitoring and managing the Network components and Routers is performed by a
combination of the products HP OpenView and CISCO works.

ITM (Tivoli) is used to manage and monitor the Sun Solaris Servers and Windows platforms and to
consolidate and present the status information.

The SMC monitor all services and escalate incidents to the POA Duty Manager, and depending on the
severity of the abnormal circumstances that have been identified, also to the POA Business Continuity
Manager.

8.2 Activation

Once an event has occurred that will impact the provision of the NBS Service (Network Banking), then in all
instances an incident will be raised with the MAC (Major Account Controllers).

There are a number of scenarios where the capability of the Systems Management environment will trigger
an operational script to run upon the platform/application that has suffered the problem, to correct the
failure. Operations personnel may override

8.3 Incident Management

Personnel at the SMC will normally perform this function. If the incident cannot be resolved by the SMC at
the time of the call it will be routed to the appropriate support unit for resolution. At the same time, if the
incident meets the SMC escalation criteria, it will be escalated to the Fujitsu Services POA Duty Manager.

If the criteria for Cross-Domain Business Continuity Management are satisfied the Duty Manager will
escalate the problem to the POA Business Continuity Manager who will own the problem as a Business
Continuity event.

Note: Post Office Limited may also escalate Business Continuity events directly to the POA Duty Manager.

8.4 Initiation of Recovery Procedures


Where this is a POA only incident, this would usually be instigated by the support team charged with
supporting the equipment upon which the failure has occurred, as soon as possible, and certainly with intent
to resolve the incident within the relevant Service Level Agreement.

Depending on the severity of the incident, there may be some dialogue between the Duty Manager and the
support function to agree on the most appropriate course of action.

Wherever there is a Cross Domain incident, the resolution would be instigated at the time when all parties
affected had agreed the course of action.

In the case of a Business Continuity incident, this would be after the Business Continuity Team had agreed
a plan of action, see Section 12, Plan Activation.


9 Recovery Of Normal Service

All aspects of the Services infrastructure within POA are managed operationally by the Core Services
division of Fujitsu Services (FSCS).

As such, the process of recovering from an event causing an impact to the service will by definition involve
FSCS in performing an operational activity to resume the full service.

FSCS have developed Operations Procedures, with underlying web pages that make up the UNIX & NT
operational documentation, from which operational and recovery processes and procedures are identified
for all possible failures in the end to end HNG-X Services.

Thus in its simplest form, normal service could be resumed by the Duty or Problem manager liaising with
the support team, agreeing when the recovery action should be run, and then carrying that activity out.

Where the recovery action is dependent upon a third party, e.g. Prism or Post Office Limited, the support
dialogue would take place between the support teams, and the problem management dialogue would take
place between the appropriate management.

9.1 Recovery Time Objectives and Recovery Point Objectives

9.1.1 HNG-X Infrastructure RTO and RPO Objectives

The following table provides the maximum recovery time objective and the recovery point objective for the
infrastructure supporting the HNG-X services.

Component | Maximum Recovery Time Objective | Maximum Recovery Point Objective

Storage Systems
Audit Centera Array | Next day | Normal Service Provision
Audit Server | 2 hours | Normal Service Provision
Backup Servers | 2 hours | Normal Service Provision
ECC Server (or equivalent) | Next day | Normal Service Provision
Main Backup System (Disk or Tape) | 2 hours | Normal Service Provision

Support Systems
Secondary Authentication Service | 715 minutes | Normal Service Provision
Antivirus Server | Next day | Normal Service Provision
Application Monitoring Server | 75 minutes | Normal Service Provision
Certification Server | 75 minutes | Normal Service Provision
DNS Server | 75 minutes | Normal Service Provision
Domain Controllers | 75 minutes | Normal Service Provision
NBX Network Observer Server | Next day | Normal Service Provision
NBX Network Probe Server | Next day | Normal Service Provision
Network CISCO Works Server | 75 minutes | Normal Service Provision
Provisioning Server | Next day | Normal Service Provision
Radius Servers | 2 minutes | Normal Service Provision
Accounting Radius Servers | 2 hours | Normal Service Provision
SSN Server | 75 minutes | Normal Service Provision
Signing Server | 2 hours | Normal Service Provision
SQL Server (ACDB, OCMS, Athene, MTAS) | 2 hours | Normal Service Provision
SSC Branch Database | 2 hours | Normal Service Provision
SYSMAN Enterprise Managing Server | hours | Normal Service Provision
SYSMAN Enterprise Monitoring Server | 2 hours | Normal Service Provision
SYSMAN Enterprise Event Servers | 2 hours | Normal Service Provision
SYSMAN Availability Server | 2 hours | Normal Service Provision
SYSMAN Enterprise User Interface Server | 2 hours | Normal Service Provision
SYSMAN Enterprise Database Server | 2 hours | Normal Service Provision
SYSMAN Enterprise Provisioning Server | 2 hours | Normal Service Provision
SYSMAN Enterprise Fanout Server | 2 hours | Normal Service Provision
SYSMAN Enterprise Staging Servers | 2 hours | Normal Service Provision
SYSMAN Enterprise Legacy manager | 2 hours | Normal Service Provision
SYSMAN Enterprise Monitoring Display | 2 hours | Normal Service Provision
Network switches | 24 hours | Normal Service Provision
Network routers | 24 hours | Normal Service Provision
Cable failures / mis-cabling | 24 hours | Normal Service Provision

Data Exchange Server

No data to recover

Key Management Server

Normal Service Provision

Main Host (Batch Database Server)

Normal Service Provision

Normal Service Provision

Normal Service Provision
Normal Service Provision

Normal Service Provision

9.1.2 HNG-X Services Disaster Recovery RTO and RPO Objectives

The following table provides the maximum recovery time objective (RTO) and the recovery point objective
(RPO) for the HNG-X services following a major incident or disaster that causes POA to invoke a failover to
IRE19.

Service | Maximum Recovery Time Objective | Maximum Recovery Point Objective

Core Solution and Network Banking, including: Branch Database Servers; Client File Transfer (OCS, ETU, Banking); DCS Servers; FTMS TIP Local & Track and Trace; NBX Banking Agents; Branch Access Layer servers; NPS Servers (Database) | 2 hours | Normal Service Provision
All remaining Services excluding POL-FS: ETU & DVLA online Servers; PAF & APOP Agent Servers; TES Application Servers; APOP Servers (Database). (Priority would be given to any services crucial at time of DR e.g. DVLA if at end/beginning of month. PAF if at Christmas mailing peak period) | S hours | Normal Service Provision
Security Management Service | Not defined |
Branch Change Management Service | Next working day | Normal Service Provision
Estate Management Service | Not defined |
Network Services | Zhours | Normal Service Provision
Data Centre Operations Service | Zhours | Normal Service Provision
SAP Development and QA-Test Systems | Not defined |
System Management Service | hours | Normal Service Provision
Support Services | 2 hours | Normal Service Provision
System Operate Services | hours | Normal Service Provision
Reference Data Management Service | Next working day | Normal Service Provision
Reconciliation Service | Next working day | Normal Service Provision
Service Integration Service | Not defined |
Receipt Template Service | Not defined |
Service Management Service | Not defined |
Message Broadcast Service | Not defined |
MIS Service | Next working day | Normal Service Provision
Third Line Support | S hours | Normal Service Provision
Fourth Line Support | Not defined |
Branch Network Service | Not defined |
Third Party Management Service | Not defined |
Service Desk Service | S hours | Normal Service Provision
POLS | 48 hours | Normal Service Provision (Reduced Performance Provision)


10 Impact & Risk Assessment
10.1 Risks Identified Against the HNG-X Support Services

The matrix below details the identified risks to the data processing elements of the HNG-X Services.

The nature of the service changes between the day and night schedules, however to improve the usability
of this plan the worst case Critical Impact Timing for each service element incident has been used.

Day time processes are primarily concerned with Counter transactions and Help Desk processes. Night
time processes are primarily concerned with preparing for the next counter day, and processing the
transactions that have been processed during the Post Office Core day. This is reflected in the actions
against the identified risks.

As a matter of normal operational practice, a call would be placed against the MAC Team if any of the identified
risks materialised.

The intention is that the list of identified risks (Section 10.2) can act as a guide to personnel assessing and
managing any incident affecting the HNG-X service.

The matrix contains a column identified as probability with a range of 0 to 4. These estimate the probable
risk of failure. It must be emphasised that these are not percentages and should be considered simple
weighting factors.

As a guideline the following occurrence ratings have been allocated:

Rating
0 | Less than one incident predicted per year
1 | One incident is predicted per year
2 | Two incidents are predicted per year
3 | Approximately three incidents are predicted per year
4 | Ensure that appropriate contingency measures are taken e.g. duplicate routing or the holding of spares on site.

The probability of failure of major elements of the service is low because:
1. There has been a high level of resilience and duplication built into the infrastructure.
2. Extensive validation has been performed upon the infrastructure.

3. The Fujitsu Services POA project team has developed a vast knowledge of component failure and
service availability over the past three years.

Where a Potential MBCI or MBCI (Major Business Continuity Incident) has been designated as being
triggered and there is no reference to section 11.3 then there are no further contingency actions to be
performed over and above normal operational incident processes and the actions already identified within
the risk table.

If a failure occurs during or after any hardware or software change, then consider regressing the change.

Please Note: This business continuity plan is one of four. If the POA Duty Manager (or other authorised
person) is unable to find the failed infrastructure components in this plan they are mandated to refer to:

* HNG-X Services Business Continuity Plan (SVM/SDM/PLA/0002);


* HNG-X Support Services Business Continuity Plan (SVM/SDM/PLA/0001);

* HNG-X Engineering Business Continuity Plan (SVM/SDM/PLA/0030)

* HNG-X Security Business Continuity Plan (SVM/SDM/PLA/0031)

The risk assessment identifies the Critical Time Factors for activation of contingency measures as defined
in the Business Continuity Framework SVM/SDM/SIP/0001. For on-line services, e.g. NBX and DCS, the CTF
is identified against Post Office Core Day Processing, whilst for file transfers, e.g. APS and TPS, the CTF is
identified against Post Office Non-Core Day Processing.

The ‘Impact’ column contains a statement indicating the level of business disruption. This impact from a
Support Service Perspective refers to a potential impact to primary services, e.g. APS, TPS, as well as
software drops, Reference Data releases, counter management etc.


10.2 Trigger Tables for HNG-X Support Services

Notes:

1. The following trigger table details the non-availability of the Primary component, and the Primary and Standby components.

2. The non-availability of support services Standby servers and some network components should be treated as a loss of resilience and resolved via normal
incident management processes.

Branch Network Resilience - No entries have been included in this table for the loss of ADSL and the ISDN/GSM service for outlets where BNR has been
implemented. If there is a loss of online services for Branches that have lost their primary connection through ADSL and secondary through ISDN/GSM
please treat the failure as an MBCI Trigger and the POA BCM is to inform the POL BCT.

No entries have been included in this table for the POLSAP Development or QATest infrastructure as there are no contingency or DR requirements for
these services. Refer to SVM/SDM/OLA/0872 for details of the OLA for these services.

There are two possible failure scenarios for any virtual server using a Blade. There could be a failure of some kind with ONLY one specific virtual server,
leaving the other virtual servers on the same Blade unaffected, or there could be failure of the whole Blade causing up to 5 separate virtual servers to fail
at the same time.

In the trigger table below all services that are provided from a Bladeframe virtual server should initially restart on one of the spare physical Blades
(assuming that it has been configured for an auto restart), therefore the entries in this table assume this initial capability.

* normally a failed physical Blade will be identified by at least two alerts:
  * there should be an alert for each lost virtual server that was running on the failed physical Blade (up to 5 virtual servers)
  * there should be an alert for the hardware failure of the specific physical Blade
* the lost virtual servers should be restarted automatically (unless specifically set to NON-auto start)
* the SMC and support teams
  * will verify that functionality has restarted for all lost virtual servers
  * will resolve the problem with the failed physical Blade
  * bring the failed or replaced physical Blade back into service at an agreed time
  * confirm normal operation and return the spare physical Blade back to being the spare


Note the following parts of the HNG-X Solution are covered in SVM/SDM/PLA/0002 HNG-X Services Business Continuity Plan:

* POL NDC to Data-Centres
* Data Centre Local Area Network (Client and Server Access)
* POL SAP
* Data-centres Buildings
* Data-centres/Clients TIP and AP Gateways
* Data Centres Database (Host) Server/EMC Disc Array
* Network Banking Infrastructure and T&T Harvesting Agent and Transaction Journal
* Debit Card Infrastructure (Note: ETS also utilises some DCS infrastructure)
* ETS Specific Infrastructure
* DVLA, PAF, APOP, GWS, CWS and MoneyGram Web Services
* Data-Centre LANs and Supporting WANs
* Data-centre — Branch Access Layer and Branch Database
* Data-centre LAN Infrastructure (to Branches)
* Network Links to Branches
* Post Office Branches
* Reference Data Service - Specific Infrastructure


Index to trigger tables

Security Management Service 1

Main Host / Data Warehouse / Disk Arrays 16

Branch & Estate Management 21

BRA01 61

IRE11/ IRE19 81

IND49/ IND46 (SMC) 112

BLAO1 (MSS, SMG) 116

WARO7 (POA Networks) 118

CREO2 119

Miscellaneous 120

Vodafone 128


BladeFrame Resilience - See SVM/SDM/PLA/0002

Security Management Service

1. Key Management Workstation (KSN)
   Risk: Failure of BOTH Workstations in BRA01
   Probability / time: 0 / 4hrs
   Impact: Unable to operate Key management functions. Impact: Fujitsu Services /
   Action: Resolve via Incident Management. Use the DR / Backup Workstation at LEW02. Potential MBCI. Inform POL BCT.

2. Key Server (KMN)
   Risk: Failure of the Primary Key Server (IRE11)
   Probability / time: 1 / 24 hrs
   Impact: The alternative active instance shall provide service whilst the fail-over to the spare is completed. No impact
   Action: Resolve via Incident Management
3. Key Server (KMN)
   Risk: Failure of the Primary AND Secondary Key Servers (IRE11)
   Probability / time: 0 / 4hrs
   Impact: No Keys can be changed. This service will not be available until the fail-over to a spare Blade is completed. Impact on POL / Fujitsu Services
   Action: Resolve via Incident Management.

4. Key Management Firewalls
   Risk: Primary and secondary Firewall Failures
   Probability / time: 0 hrs
   Impact: No access to Key Management service. No Keys can be changed. Impact on Fujitsu Services / POL
   Action: Resolve via Incident Management. Potential MBCI. Inform POL BCT.
5. Intrusion Prevention Management Server (IPS)
   Risk: Failure of the Primary Server (IRE11)
   Probability / time: 1 / 4hrs
   Impact: No loss of service since the alternative server will process the data from branches. The service will operate via the alternate data centre until the fail-over to a spare Blade is completed. No Impact
   Action: Resolve via Incident Management.

6. Intrusion Prevention Management Server (IPS)
   Risk: Failure of the Primary Server (IRE11) AND Secondary Server in IRE19
   Probability / time: 0 / Immediate
   Impact: No data from branches can be processed until the fail-over to a spare Blade is completed. Impact on POL / Fujitsu Services
   Action: Resolve via Incident Management
7. Hardware Security Module (HSM)
   Risk: Failure of a single Module in either IRE11 or IRE19
   Probability / time: 1 / 2 days
   Impact: Service will be maintained by one of the other HSMs. No Impact
   Action: Resolve via Incident Management

8. Vulnerability Scanner Server (VNS)
   Risk: Failure of the Server (IRE11). Note: there is no secondary Server
   Probability / time: 7 / 4hrs
   Impact: No scanning can be performed until the FS1000 server is repaired. Impact on Fujitsu Services
   Action: Resolve via Incident Management.

Impac
9 | Audit Server (ARC) | Failure of the Server (IRE11). Note: there is no secondary server | 1 | 4hrs | Potential delay in capturing audit data. The service will not be available until the fail-over to a spare Blade is completed. Impact on Fujitsu Services | Resolve via Incident Management

10 | Firewall Security Management Server (NFM) | Failure of the primary server in IRE. Note: there is no secondary server | 1 | 4hrs | Potential delay in managing some aspects of the Firewall system. The service will not be available until the fail-over to a spare Blade is completed. Impact on Fujitsu Services | Resolve via Incident Management
11 | NT Domain Controllers (DOX) | Loss of a single controller - IRE11 or IRE19 | | | Potential loss of ability of a service to connect into the required Secure Domain. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact: | Resolve via Incident Management. Connection will complete via one of the other Domain controllers (there are 6 in each data centre)

12 | Secure Access Server (SSN) | Loss of a single server in either IRE11 & IRE19 | 7 hrs | Potential loss of ability to access systems via a specific route for Support teams. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact: Fujitsu Services | Resolve via Incident Management. There are 6 SSN servers running as Active / Active (3 in each data centre)
13 | Domain Name Server (DNP) | Loss of the primary server in IRE11 | 0 | 4hrs | Loss of ability for services to access Domain name related information. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact: | Resolve via Incident Management. Secondary server also available (DNS)

14 | Active Directory Domain Controllers (ACD) | Loss of a single controller - IRE11 | 7 hrs | Potential loss of ability of a service to connect into the required Secure Domain. The service will fail-over to a spare Blade; No Impact: | Resolve via Incident Management. Service should continue via the second Controller in IRE11
15 | Network Radius Server (NRS) | Failure of a single server in either IRE11 or IRE19. There are 2 servers in each data centre | 1 | 8 hrs | Limited potential for authentication failures. Service will be maintained by one of the other 3 servers. No Impact | Resolve via Incident Management. An alternative active instance shall provide service whilst the fail-over to the spare is completed

16 | Reverse Proxy Server (NRP) | Loss of a single server in either IRE11 & IRE19 | 1 | NA | Loss of single appliance in Ire11 results in IP SLA tracked routing failover to remaining appliance in Ire11. Loss of single appliance in Ire19, under normal operation conditions has no effect. No impact | Resolve via Incident Management

| Reverse Proxy Server (NRP) | Loss of a Dual server in either IRE11 & IRE19 | | | Loss of two appliances in Ire11 would result in the DR appliance being used, this would happen automatically and IP SLA route tracking would route to the DR appliance in Ire19. No impact | Resolve via Incident Management

Main Host / Data Warehouse / Disk Arrays

18 | IRE11 Database Server (DAT) | Primary Database (DAT) Server hardware, software or Maestro failures | See SVMSDMPLA0002 Section (E) Data Centres Database (Host) Server/EMC Disc Array

19 | IRE11 Database Server (DAT) | Primary and Secondary Solaris Database (DAT) Server hardware, software or Maestro failures | See SVMSDMPLA0002 Section (E) Data Centres Database (Host) Server/EMC Disc Array

20 | IRE11 / IRE19 - EMC Disc Array | For all part or total failures | See SVMSDMPLA0002 Section (E) Data Centres Database (Host) Server/EMC Disc Array

21 | MIS Client | All MIS Clients at BRA01 for any reason | 1 | Sdays | No impact. Just loss of resilience as the MI service is no longer dependent on the MIS clients | Resolve via Incident Management. If required another MIS client is available at STE04 in the machine room.

22 | Data feeds to Data Warehouse | Loss of one or more data feeds from other services for any reason | 3 | 1toSdays | The Data Warehouse will wait for the feed to become [illegible] and then continue [illegible]. Impact: , Fujitsu Services | Resolve via Incident Management. Either resolve the problem at source system or switch to Secondary system - time of day and day of week will contribute to decision. May be possible to use a dummy feed and run the real feed later.

Branch & Estate Management

23 | Boot Server (BPL) | Single server total failure | 1 | 24hrs | The alternative active instance shall provide service whilst the fail-over to the spare is completed. No impact | Resolve via Incident Management
24 | Boot Server (BPL) | Both servers total failure | 0 | 8 hrs | Delay in implementing outlet changes and the replacement of base & router units at branches. The service will not be available until the fail-over to a spare Blade is completed. Impact on POL / Fujitsu Services | Resolve via Incident Management

25 | Branch Change Management (BCMS) Workstation (BPM) | All Workstations unavailable at primary site - CRE02 | 0 | 24hrs | Delay in entering new Outlet changes whilst some staff relocate to the alternate site. Impact POL / Fujitsu Services | Resolve via Incident Management. Use workstations at the alternative Fujitsu Services site, BRA01

26 | Branch Change Management Server (BCMS) | Failure of primary server in BRA01 | 1 | 24hrs | Delay in entering new Outlet changes. Impact POL / Fujitsu Services | Resolve via Incident Management. Consider enabling the DR server in LEW02.
27 | Estate Management Database Server (EST) | Loss of server (note: there is no secondary server) | 1 | 4hrs | Delays in processing Branch change data. Possible loss of Radius authentication. The service will not be available until the fail-over to a spare Blade is completed. Impact: Fujitsu Services / POL | Resolve via Incident Management

28 | Enterprise Monitoring Manager Server (EMM) | Loss of server (Note: there is no secondary server) | 1 | 2hrs | Possible loss of monitoring of systems. Loss of access to historical event data. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management
29 | Enterprise User Interface Server (EUI) | Loss of server (Note: there is no secondary server) | | 2hrs | Possible loss of ability to diagnose system faults. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management

30 | Enterprise Management Server (EMS) | Loss of server (Note: there is no secondary server) | 1 | 2hrs | Possible loss of software distribution and inventory. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management

31 | Enterprise Database Server (EDS) | Loss of server (Note: there is no secondary server) | 1 | 2hrs | Possible loss of the ability to provision (build) other. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management
32 | Event Reporting Platform (ERP) | Loss of server (Note: there is no secondary server) | | 2hrs | Possible loss reporting capability. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management

33 | Enterprise Provisioning Manager (EPM) | Loss of server (Note: there is no secondary server) | | 2hrs | Possible loss of software distribution and the ability to provision (build) other servers. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management

34 | Enterprise Event Server (EES) | Loss of both primary and backup servers in IRE11. This is a two server configuration running as Active / Standby | 0 | 2hrs | Possible loss of event collection and processing. The service will not be available until the fail-over to a spare Blade is completed. Impact Fujitsu Services | Resolve via Incident Management
35 | Enterprise Monitoring Display Server (EMD) | Loss of both primary and backup servers in IRE11. This is a two server configuration running as Active / Standby | 0 | 2hrs | Possible loss of aggregation and display of events. The service will not be available until the fail-over to a spare Blade is completed. Impact Fujitsu Services | Resolve via Incident Management

36 | Enterprise Availability Server / Real time active Dashboard (EAS) / (RAD) | Loss of server in IRE11 (Note: there is no secondary server) | 1 | 8hrs | Possible loss of Business Systems View of Events to the RAD tool. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management

37 | Enterprise Management (Security) Server (EMS) | Loss of server in IRE11 (Note: there is no secondary server) | 1 hrs | Possible loss of Security related services for SYSMAN. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact | Resolve via Incident Management
| Enterprise Fan-Out Server (EFS) | Loss of a single server in IRE11 (Note: there are 40 EFS servers in IRE11 configured so that there is a primary and backup capability) | | | Possibility that distributed [illegible] system management [illegible]. Minimal Impact | Resolve via Incident Management. This is effectively a two server configuration for each client running as Active / Active

39 | Enterprise Boot Server (EBS) | Loss of a single server in IRE11 or IRE19 (There are two servers (active / active) one in IRE11, one in IRE19) | 7 hrs | Possible loss of ability to take-on new datacentre hardware. Impact: Fujitsu Services | Resolve via Incident Management. Service should continue via the server in the alternate data centre

40 | Corporate Data Exchange server (DXC) | Loss of both servers IRE11 & IRE19. This is a two server configuration running as Active / Active. | 0 | 8hrs | Loss of ability to transfer data between the secure POA systems and Fujitsu Corporate systems. The service will not be available until the fail-over to a spare Blade is completed. Minor Impact: Fujitsu Services | Resolve via Incident Management
41 | Internet Data Exchange Proxy (DXI) | Loss of server in IRE11 or IRE19 | 1 | 24 hrs | None | Resolve via Incident Management. Active-active resilience will continue running the required services.

42 | Internet Data Exchange Proxy (DXI) | Loss of all servers in IRE11 and IRE19 | 1 | Immediate | Loss of ability to transfer data over the Internet to Third Party Suppliers. Services affected: Kahala, Post Code Anywhere, ADSL Checker. Impact: Fujitsu Services / POL / Suppliers | Resolve via Incident Management

43 | SSC Support Server (SSC) | Loss of server in IRE11 (Note: there is no secondary server) | 7 | 2hrs | Loss of ability for SSC to perform some support activities. The service will not be available until the fail-over to a spare Blade is completed. Minor Impact: Fujitsu Services | Resolve via Incident Management
44 | SMC Web server | Loss of primary server in IND49 | 2 | >4Hrs | Various information including SMC KELs would not be available. Minimal Impact: SMC, Fujitsu Services | Resolve via Incident Management. Switch to secondary server

45 | Data-centres to SMC POA Network | Any loss of single connection | 1 | 24 Hrs | Possible slowing of access from SMC. Impact: SMC | Resolve via Incident Management. Networks to diagnose and resolve. Dual connection to systems through IRE11 or IRE19.

46 | Data-centres to SMC POA Network | Any loss of both connections | 0 | Immediate | No system management capability, no view of the live [illegible]. Impact: SMC, Fujitsu Services, POL | Resolve via Incident Management. If total loss and not resolved within 2 hours may need to initiate contingency plan / site relocation. Potential MBCI. Inform: POL BCT
47 | Data-centre to IRE11 (MSS) POA Network | Any loss of connection | 1 | 8 Hrs | Minimal impact dual connection to systems through IRE11 or IRE19. Impact: MSS, Fujitsu Services, POL | Resolve via Incident Management. Networks to diagnose and resolve. If total loss and not resolved within 8 hours may need to initiate contingency plan. Potential MBCI. Inform: POL BCT

48 | Sarian Remote Management (PHU 1.5) | Loss of all 4 firewalls IRE11 & IRE19 | 0 | 4hrs | SMC unable to manage up to 250 PHU 1.5 systems. Impact: Fujitsu Services POL | Resolve via Incident Management. Failure of IRE11 only would require a manual failover of the Remote Manager to IRE19. Horizon Services Potential. Inform: POL BCT

Commented [APT]: Needs reviewing
49 | Sarian Remote Management (PHU 1.5) | Loss of both VPN Concentrators IRE11 & IRE19 | 0 | 4hrs | SMC unable to manage up to 250 PHU 1.5 systems. Impact: Fujitsu Services POL | Resolve via Incident Management. Failure of IRE11 only would require a manual failover of the Remote Manager to IRE19. Horizon Services Potential. Inform: POL BCT

50 | Sarian Remote Management (PHU 1.5) | Loss of both Sarian Remote Management servers - IRE11 (Live) & IRE19 (DR Site) | 0 hrs | SMC unable to manage up to 250 PHU 1.5 systems. Impact: Fujitsu Services POL | Resolve via Incident Management. Failure of IRE11 only would require a manual failover of the Remote Manager to IRE19. Horizon Services Potential MBCI. Inform: POL BCT
51 | Primary & Secondary Campus - Network Management LAN | Primary Radius Server | 0 | 2hrs | No Impact. | Resolve via Incident Management. Switch to the secondary Radius Server.

52 | Primary & Secondary Campus - Network Management LAN | Primary and Secondary Radius Server | 0 | Immediate | General HNGX Services via the Vodafone Data Network. Impact: , Fujitsu Services, POL | Resolve via Incident Management. Reconfigure connections via secondary data-centre. HNGX Services MBCI Trigger. Inform: POL BCT

53 | Performance & Capacity Database Server (SPN) | Loss of server [illegible] - No secondary server | 0 | 8hrs | Loss of ability to record and analyse Performance & Capacity data. The service will not be available until the fail-over to a spare Blade is completed. Minimal Impact: Fujitsu Services | Resolve via Incident Management
54 | Branch Support Database Server (BRS) | Loss of the server in IRE11 - No secondary server | 0 | 8 hrs | Loss of ability to access the Branch Support database by support teams. The service will not be available until the fail-over to a spare Blade is completed. Impact: Fujitsu Services | Resolve via Incident Management

55 | Network Management System (NMS) | Loss of a single system in IRE11 or IRE19 | 1 | 8hrs | Loss of ability to monitor the network from one data centre. Minimal Impact: Fujitsu Services | Resolve via Incident Management. Access the NMS in the alternative Data centre
56 | Network Management System (NMS) | Loss of both systems - IRE11 or IRE19 | 0 | 2hrs | Loss of ability to monitor the network using the NMS tools. Impact: Fujitsu Services | Resolve via Incident Management. SMC and Network Support team would use other monitoring tools such as Tivoli to provide a reduced level of monitoring

57 | Primary & Secondary Campus - Network Infrastructure (ADSL IP Data) | Vodafone Data Network Service Failure of primary and secondary exchanges | 0 | Immediate | General HNGX Services via the Vodafone Data Network. Impact: , Fujitsu Services, POL, | Resolve via Incident Management. HNGX Services MBCI Trigger. Inform: POL BCT

58 | Primary & Secondary Campus - Network Infrastructure (ADSL IP Stream) | Fujitsu Services single POP failure. | 7 hrs | General HNGX Services via the IP Stream Network. Impact: , Fujitsu Services, POL | Resolve via Incident Management. Ensure Fujitsu Core Services switch to the secondary POP. HNGX Services Potential MBCI. Inform: POL BCT

59 | Primary & Secondary Campus - Network | Fujitsu Services Dual POP failure. (ADSL IP Stream) | 0 | Immediate | General HNGX Services via the IP Stream Network. Impact: , Fujitsu Services, POL | Resolve via Incident Management. HNGX Services MBCI Trigger. Inform: POL BCT

60 | Primary and Secondary Campus - Network Infrastructure | Dual FJS Core ISP Satellite LNR router failure | 0 | Immediate | All BT VSAT Branches (approximately 60) will lose communications with the Fujitsu Services Data-centres. Business Impact: POL | This equipment is supplied and managed by FJS Core ISP. Resolve via Incident Management. HNGX Services MBCI Trigger. Inform: POL BCT

61 | Network (To Outlets) | Satellite Service Failure. Loss of BT equipment at Turin. | 1 | Immediate | Loss of online services for 1 or more BT VSAT Branches. Impact: , Fujitsu Services, POL | Resolve via Incident Management. MBCI Trigger. Inform: POL BCT
62 | Network (To Outlets) | ISDN BT Tail. Loss of network connection to individual outlets | 2 | Immediate | General HNGX Services. Minimal Impact | Resolve via Incident Management (Refer to Appendix One for Outlet MBCI Triggers)

Site Specific Buildings & People
BRA01
| Fujitsu Services (POA) Bracknell site | Unavailable through fire/flood/bomb/ industrial action/ unspecified disaster | | Immediate | Unable to provide any Bracknell based services. Impact: Fujitsu Services, POL | After obtaining confirmation from the BRA01 incident controller that it is a genuine fire or disaster invoke Business Continuity and relocate provision of services to LEW02. EMS keep a reserved and separate stock for Fujitsu of 60 laptops (20 each at MAN35 / STE04 / BRA01) built and ready to deploy (apart from the personalisation) for DR contingency. MBCI Trigger. Inform POL BCT

64 | Fujitsu Services (POA) Bracknell site - building | Mains power unavailable / interrupted | 7 | 36 hrs | No Impact | Power supply maintained by UPS and backup generator

65 | Fujitsu Services (POA) Bracknell - building | UPS non functioning | 1 | 36 hrs | Unscheduled closedown of all systems and equipment. Minimal Impact. | Backup Generator powered up. All systems restarted to provide capability

66 | Fujitsu Services (POA) Bracknell - building. | Total power loss including backup generator Unavailable and/or non functioning | 0 | Immediate | Unable to provide any Bracknell based services. Business Impact: Fujitsu Services POL | Invoke Business Continuity and relocate provision of Ref. Data service to LEW02. Potential MBCI Trigger. Inform POL BCT

67 | Fujitsu Services (POA) Bracknell - building | Air conditioning failure | 7 | ZT hours | Equipment overheating leading to unscheduled closedown. No ability to change Reference Data, software fixes. No ability to progress diagnosis of software problems. Minimal impact | Resolve problem via maintenance contract. Switch off non-essential equipment and instigate the immediate hire of cooling units.

68 | Fujitsu Services (POA) Bracknell - building | Telephone system unavailable | 7 | 1hour | No ability to receive incoming calls or faxes. Minimal Impact | Use mobile phones.

69 | Fujitsu Services (POA) Bracknell site - network | IP Select (CE or PE) single Wide Area Network router failure | 7 | Shours | No Impact | Failure resolved using normal support routes. Alternative network access achieved via LEW02 and/or IRE11 route. Possible degradation in response times

70 | Fujitsu Services (POA) Bracknell site - network | IP Select (CE or PE) Dual Wide Area Network routers failure | 2 | 8 hours | No Impact. | Failure resolved using normal support routes. Alternative network access achieved via LEW02. Possible degradation in response times

71 | Fujitsu Services (POA) Bracknell site - network | Bracknell to LEW02 network router failure | 2 | 8 hours | No Impact. | Failure resolved using normal support routes. Alternative network access achieved automatically via IRE11/IRE19 route. Possible degradation in response times.

72 | Fujitsu Services (POA) Bracknell site - network | Bracknell to LEW02 network circuit failure Vodafone IP Select | 2 | 8 hours | No Impact. | Failure resolved using normal support routes. Alternative network access achieved automatically via the remaining Vodafone IP Select link. Possible degradation in response times.

73 | Fujitsu Services (POA) Bracknell site | LST rig components failure | 2 | 24hrs | Potential unscheduled interruption to testing. | Replacement sourced from spare equipment holding. Rebuild from scratch using build scripts
74 | Fujitsu Services (POA) Bracknell site | BIM System corruption | 1 | 24 hrs | Manual recording of incidents. (POL have copies of previous BIM reports which are published on a daily basis) Minimal Impact | REC team to restore from backup. Provide paper BIM notes as applicable (Rec team have previously taken to a corporate network drive and provide paper BIMS as applicable)

75 | Fujitsu Services (POA) Bracknell site | Total loss of MIS IT infrastructure (MIS client) | 0 | 24 hrs | No impact | Resolve via incident management. MIS can use either their laptops via SSN or relocate to STE04 where there is another MIS client

76 | Fujitsu Services (POA) IRE19 | Total loss of LST IT infrastructure | 0 | 24 hrs | Minimal impact | A hot Standby LST rig is available in LEW02

77 | Fujitsu Services (POA) Bracknell site | Total loss of SSC IT infrastructure | 0 | Immediate | Minimal impact | SSC may invoke DR using remote working lap tops. Warm standby workstations are also available at LEW02.

78 | Fujitsu Services (POA) Bracknell site | Failure of the Primary PEAK Incident Management Server | 1 | 8 hrs | Minimal Impact | Resolve via Incident Management. Invoke Secondary Peak Server at LEW02

79 | Fujitsu Services (POA) Bracknell site | Total loss of RDT IT infrastructure. | 0 | 24 hrs | There is no immediate impact due to the loss of Ref. Data IT Infrastructure. Impact: Fujitsu Services POL | Invoke Business Continuity and relocate provision of Ref. Data service from LEW02. Note RDMC Admin. Workstation is available in STE04. Potential MBCI Trigger. Inform POL BCT

80 | Fujitsu Services (POA) Bracknell site | Failure of one POL e-mail laptop | 2 | NA | Minimal Impact. | Use one of the other mailboxes.

81 | Fujitsu Services (POA) Bracknell site | Failure of all laptops or POL e-mail service | 1 | | Inability to receive/transmit requests/authorisations etc to/from POL. Minimal impact. | Revert to fallback facilities, e.g. telephones, floppy disc, fax, etc. EMS keep a reserved and separate stock for Fujitsu of 60 laptops (20 each at MAN35 / STE04 / BRA01) built and ready to deploy (apart from the personalisation) for DR contingency

82 | Fujitsu Services (POA) Bracknell site | Failure of one RDMC workstation | 7 | NA | No Impact. | Use one of the other workstations. A Hot standby RDMC workstation is available in LEW02

83 | FSCS SOS Operations IRE11 | Failure of primary KMS Admin Workstation (IRE11) | 1 | 8 hrs | No Impact | Resolve via Incident Management. Use the secondary Admin Workstation at IRE19

84 | FSCS SOS Operations IRE11 | Failure of primary Wide Area Network Router. (IRE11) | 1 | 4hrs | No Impact | Resolve via Incident Management. Use the secondary Wide Area Network Router.


85 | FSCS SOS Operations IRE | Failure of both Wide Area Network Routers. (IRE11) | 0 | 2 hrs | No Impact | Resolve via Incident Management. Use the secondary Admin Workstation at IRE19 (Belfast).

86 | FSCS SOS Operations IRE11 | Failure of both KMS Admin Workstations and/or WAN routers at both IRE11 and IRE19. | 0 | 1 hr | No Impact | Resolve via Incident Management. If required relocate appropriate SOS Staff to IRE11, BRA01 or LEW02.

87 | IRE11 to POA Network | Single Router Fail | 1 | 4 hrs | No impact | Resolve via Incident Management. Use alternative router.

88 | IRE11 to POA Network | Dual Router Fail | 0 | 1 hr | Loss of network communications from IRE11; no direct system management possible. Impact: | Resolve via Incident Management. Temporary support can be provided by staff based at sites other than IRE11. Relocate support staff to. Potential MBCI. Inform: POL BCT.

89 | Access to IRE11 | Total loss of access for any reason | 1 | 1 hr | No direct system management possible. Impact: | Resolve via Incident Management. Temporary support can be provided by staff based at sites other than IRE11. Relocate support staff to. Potential MBCI. Inform: POL BCT.

90 | IRE11 Data Centre - Full Production Site | Total or substantial loss of the services for any reason (fire/flood/storm etc) | 0 | Immediate | Loss of all services from IRE11 - All service affected. | Resolve via Incident Management/Fault procedure. If no possibility of restoring full service within 30 mins then full site failover to IRE19. May need to relocate support staff to IRE19. MBCI Trigger. Inform: POL BCT.

Service Element | Probability | Critical Time Factor | Impact | Action
91 | IRE11 Data Centre Air Conditioning | Air conditioning — loss of 50% or more of capacity | 0 | Immediate | Kit overheating, higher potential for equipment failures. Major Impact: Fujitsu Services / POL | Resolve via Incident Management/Fault procedure. Consider use of portable Air Con units. Consider failover to IRE19 data centre. Review switching off any non-essential equipment. Potential MBCI. Inform: POL BCT.


92 | IRE11 Data Centre Power | Total Mains Power failure from all sources. |  |  | Potential loss of all services. Minimal Impact. | Resolve via Incident Management/Fault procedure. Power to the site is drawn from two separate sources on the grid. If one fails the other will take the load. Additional resilience is provided by UPS and generators. Ensure UPS and generators switch in. Potential MBCI. Inform: POL BCT.

93 | IRE11 Data Centre Power | Backup generator test failure |  | 24 hrs | No resilience in total power loss scenario. No impact (Assuming mains power still available.) | Resolve via Incident Management/Fault procedure.


94 | IRE11 Data Centre Fire/Flood Detection Systems | Fire/Flood Detection System failure | 1 | 8 hrs | Loss of monitoring only. No loss of service — small increased risk. No Impact | Resolve via Incident Management/Fault procedure.

95 | IRE11 Data Centre Building Security Systems | Security systems CCTV malfunction | 7 | hrs | Loss of monitoring only. No loss of service — small increased risk. No Impact | Resolve via Incident Management/Fault procedure.

96 | IRE19 Data Centre — Part Production / DR Test site | Total or substantial loss of the services for any reason (fire/flood/storm etc) | 0 | Immediate | Loss of all Live services from IRE19. All live services can run from IRE11. Loss of all test & development services. No failover / DR site available. Impact: Fujitsu Services / POL | Resolve via Incident Management/Fault procedure. MBCI Trigger. Inform: POL BCT.
97 | IRE19 Data Centre Air Conditioning | Air conditioning — loss of 50% or more of capacity | 0 | Immediate | Kit overheating, higher potential for equipment failures. Major Impact: Fujitsu Services | Resolve via Incident Management/Fault procedure. Consider use of portable Air Con units. Review switching off any non-essential equipment.

98 | IRE19 Data Centre Power | Total Mains Power failure from all sources. | 0 | 4 hrs | Potential loss of all test services. Impact: Fujitsu Services | Resolve via Incident Management/Fault procedure. Power to the site is drawn from two separate sources on the grid. If one fails the other will take the load. Additional resilience is provided by UPS and generators. Ensure UPS and generators switch in. Potential MBCI. Inform: POL BCT.


99 | IRE19 Data Centre Power | Backup generator test failure | 1 | 24 hrs | No resilience in total power loss scenario. No impact (Assuming mains power still available.) | Resolve via Incident Management/Fault procedure.

100 | IRE19 Data Centre Fire/Flood Detection Systems | Fire/Flood Detection System failure | 7 | hrs | Loss of monitoring only. No loss of service — small increased risk. No Impact | Resolve via Incident Management/Fault procedure.

101 | IRE19 Data Centre Building Security Systems | Security systems CCTV malfunction | 1 | hrs | Loss of monitoring only. No loss of service — small increased risk. No Impact | Resolve via Incident Management/Fault procedure.

102 | SMC - IND49 building | Any total loss of use by off-shore SMC, e.g., loss of building, network connections, etc. |  | > 1 hr | The service(s) provided from the building are severely disrupted or terminated. Impact: SMC / Fujitsu Services | Invoke SMC off-shore site contingency plan. Some services can be provided by MSS/SSC. MBCI Trigger. Inform: POL BCT.

103 | GDC Development IND49 building | Any total loss of use by off-shore development, e.g., loss of building, network connections, etc. |  |  | Extremely unlikely as we run a blended service model so at any point there will be Indian guys in the UK (3-4) working alongside UK resources with the same skill-set. Development data is copied between sites. | No formal DR requirement. Resolve via incident management.

104 | People SMC (IND49) | Any total loss | 0 | > | Extremely unlikely since staff work on shifts — 2nd line support, system monitoring, software distribution capability lost. Impact: SMC, Fujitsu Services | Invoke SMC off-shore contingency Plan. Some services can be provided by [illegible]. MBCI Trigger. Inform: POL BCT.

105 | GDC Development Team People (IND49) | Any total loss | 0 |  | Extremely unlikely as we run a blended service model so at any point there will be Indian guys in the UK (3-4) working alongside UK resources with the same skill-set. | Resolve via incident management


106 | Buildings Blackpool BLA01 (MSS North, SMG) | Total loss for any reason | 0 | > 1 hr | The service(s) provided from the building are severely disrupted or terminated. Impact: MSS, SMG, Fujitsu Services | Staff can work from home or WAR07. MBCI Trigger. Inform: POL BCT.

107 | MSS / SMG people BLA01 | Any total loss | 0 | > 1 hr | Extremely unlikely since staff work on shifts and from home - 3rd line support and development capability lost. Impact: MSS, SMG, Fujitsu Services | Invoke SMG/MSS contingency plan. Some services can be provided by 4LS/SSC. MBCI Trigger. Inform: POL BCT.

108 | Buildings Warrington WAR07 (POA Networks) | Total loss for any reason | 0 | > 1 hr | The service(s) provided from the building are severely disrupted or terminated. Impact: POA Networks, Fujitsu Services | Staff can work from home or BLA01. MBCI Trigger. Inform: POL BCT.


109 | Buildings Crewe CRE02 (OBC) | Total loss for any reason. |  | > 12 hr | There may be a delay to processing OBC queries. Impact: OBC, Fujitsu Services | One team member's OBC laptop can be used to work from home. Resolve via incident management


110 | Buildings | Loss of one or more major building. | 0 | Immediate | The service(s) provided from the building are severely disrupted or terminated. Impact: , Fujitsu Services, POL | Invoke Major Site Contingency Plan. EMS keep a reserved and separate stock for Fujitsu of 60 laptops (20 each at MAN35 / STE04 / BRA01) built and ready to deploy (apart from the personalisation) for DR contingency. MBCI Trigger. Inform: POL BCT.

111 | People | Loss of staff at one or more locations. | 0 | Immediate | The service(s) provided by a team are severely disrupted or terminated. Impact: POL | MBCI Trigger. Inform: POL BCT.

112 | Phone System | Failure of corporate landline telephones, for any reason | 1 | Immediate | No impact | Resolve via Incident Management. Use mobile phones or OCS as required.

113 | Phone System | Failure of corporate mobile telephones, for any reason | 7 | Immediate | No impact | Resolve via Incident Management. Use landline telephones, personal telephones or OCS as required.

114 | Collaboration | Complete loss of SharePoint | 1 | 48 hours | Inability to access Major Incident Reports | Refer to mailboxes where reports were sent

115 | Collaboration | Complete loss of ProjectWeb | 1 | 48 hours | Some NT work instructions unavailable may mean certain incident resolutions may be slower. | Additional support provided by system owners where required

116 | Document Management | Complete loss of PVCS. | 7 | T hours | Inability to access Change Proposals and their associated documents | Resolve via incident management. Consider failing over to LEW02.

117 | Document Management | Complete loss of Dimensions | 1 | 4 hours | Inability to view/edit the official store of HNG-X documentation |

VODAFONE (Cable & Wireless)

118 | VODAFONE ISDN2 not available for new Post Office | New Post Office Provision | 1 | 45 days | Minimal, Post Office able to continue working. Impact: POL | Resolve via Incident Management. VODAFONE to provide alternative solution, e.g. satellite.

119 | VODAFONE National Number Change | Fujitsu Services Data-centre routers | 7 | 6 months | Parallel running of old and new numbers. Impact: Fujitsu Services, POL, VODAFONE | Resolve via Incident Management. Fujitsu Services to reprogram data-centre routers for new numbers.

120 | VODAFONE Data-centres to VODAFONE network | Switch/SNAP/fibre fail | 2 hrs | Resilience designed into solution. No impact. | Resolve via Incident Management. Use alternative routes

121 | VODAFONE Post Offices into VODAFONE network | ISDN2 fail / BT LSE fail | 3 | 2 days | Minimal, Post Offices able to continue working. Impact: POL | Resolve via Incident Management. VODAFONE CCC fault reporting process.

122 | VODAFONE Network congestion issues (ISDN network) | VODAFONE and or BT Network | 3 | 1 day | Slow data transfer. Impact: , Fujitsu Services | Resolve via Incident Management. VODAFONE and BT traffic monitoring — traffic re-routes instigated.

123 | VODAFONE Network congestion issues (VODAFONE data network) | VODAFONE IP Select Network | 3 | 4 hrs | Slow data transfer. Impact: , Fujitsu Services, POL | Resolve via Incident Management. VODAFONE monitoring — traffic re-routes instigated.

124 | VODAFONE Bracknell NMC unavailable e.g. [illegible] | VODAFONE, Bracknell Network Management Centre | 0 | 1 hr | A NMC disaster recovery site is available at Watford. Impact: , Fujitsu Services, POL | Resolve via Incident Management. VODAFONE Disaster Recovery processes. Potential MBCI. Inform: POL BCT.

125 | VODAFONE Evacuation of BT SMC | BT SMC | 0 | 1 hr | Impact: VODAFONE | Resolve via Incident Management. BT DR document

126 | VODAFONE [illegible] | New Post Office Provision | 2 | 45 days | VODAFONE require 45 working days notice to provide ISDN service to a new Post Office. Impact: POL | Resolve via Incident Management. [illegible] change control document.
127 | VODAFONE ISDN2 not available for new Post Office | New Post Office Provision | 1 | 45 days | Minimal, Post Office able to continue working. Impact: POL | Resolve via Incident Management. VODAFONE to provide alternative solution, e.g. satellite.

11 Risks Identified Against Major Account Controllers (MAC)

The table below summarises the identified risks to the provision of the MAC services.

As a matter of normal operational practice, a call would be placed against MAC (or other Fujitsu Services support unit) if any of the identified risks materialised.

The intention is that the list identified can act as a guide to personnel assessing and managing any significant incident affecting the MAC.

The table within section contains a column identified as probability with a range of 0 to 4. These estimate the probable risk of failure. It must be emphasised
that these are not percentages and should be considered simple weighting factors.

The probability of failure of major elements of the service is low because:

1. There has been a high level of resilience and duplication built into the infrastructure.
2. Extensive validation has been performed upon the infrastructure.

11.1 Trigger Tables for Major Account Controllers (MAC)

Service Element | Probability | Critical Time Factor | Impact

Major Account Controllers (MAC)


BT telephone call delivery system via SPoC IVR system | Any failure by BT lines into SPoC (at POL) | 1 | Immediate | Total loss of MAC service. Possible SLT Failure. Possible Business Impact: POL, Fujitsu Services, [illegible] | (100% service requirement placed on BT via resilient systems, links contracted to POL not Fujitsu Services, therefore no contingency possible within Fujitsu Services) Log test calls / investigate. Resolve via MAC incident process. Consider site relocation for some staff to the DR site, and invoke fourth floor desk clearing process if required. MBCI Go to 10.2.1. Inform: POL BCT.

2. | Commander ACD telephone call management system — STE04 | Partial loss. Loss of Commander with failover to ACD. | 2 | Immediate | 5 minute loss of telephony while system fails over. Ability to monitor and manage queues lost. Minimal impact | Issue ACD Pins to agents. Use ACD system until Commander restored. (See section 10.2.6) Resolve via MAC incident management process.


Commander ACD telephone call management system — STE | Total loss for any reason. | 1 | Immediate | Major Impact. NO calls being taken. Potential Business Impact on HSD and Fujitsu Services, POL | For HSD: See section 4.2 UPS would provide emergency, then a generator would provide power. Invoke BT Command Link to switch to voicemail & put message on IVR via NBSC. Resolve via HSD incident process. > 60 mins consider temp site relocation to DR site in BRA01, and invoke fourth floor desk clearing process if required. MBCI Go to 10.2.2. Inform: POL BCT.


Loss of access to TIVOLI at STE04 HSD | Any failure | 1 | <hr | Minimal Impact. Total Loss HSD - No ability to handle calls that require ability to access a PO Counter system. Probable SLT failure. [illegible] Major Impact. Business Impact: HSD, Fujitsu Services, POL | Resolve via incident management Process. Request MSS & SMC to assist. Potential MBCI Go to 10.2.5. Inform: POL BCT.

5. | Voicemail failure for OOH calls | Any failure | 0 | > 8 hrs | Call volumes very low Out Of Hours, unless a major problem is encountered, or is anticipated. Minimal Impact: HSD, POL | Unknown until next day for normal operation. Resolve via incident management process. Inform: POL BCT.

STE04 HSD site non-operational | For any reason. HSD loss of 100% capacity for all HSD activities | < 30mins: Minimal impact. > 20mins: Major Impact. Call queuing. No calls being taken by. Probable SLT failure if over an extended period. Business Impact: HSD, Fujitsu Services and POL | For HSD: Invoke command link to pass calls to voicemail. Consider assistance from associated SDUs, and Fujitsu Services Data Centres. Consider relocation to DR site in BRA01, and invoke fourth floor desk clearing process if required. Resolve via HSD incident process. MBCI Go to 10.2.2. Inform: POL BCT.


Loss of people in STE04 | Loss of access to most staff | <20mins: Minimal Impact. > 20mins: Major Impact. No calls being taken by. Call queuing. Probable SLT failures. Business Impact: HSD, Fujitsu Services and POL | HSD must invoke command link to pass calls to voicemail. Consider assistance from associated SDUs, and Fujitsu Services Data Centres. Resolve via HSD incident process. MBCI Go to 10.2.3. Inform: POL BCT.

TRIOLE Incident Management System | Partial failure | Minimal Impact. Possible slower response times. Loss of resilience whilst restoration to normal service is being performed. Minimal Business Impact: HSD | All users that were logged into the failed server will need to log in to the remaining server. Resolve via HSD incident management process.


TRIOLE Incident Management System | Total loss for any reason | 1 | Immediate | Major Impact: Unable to log calls quickly. Possible queuing if calls levels high. Possible SLT failure if over an extended period. Potential Business Impact: HSD, Fujitsu Services and POL | Implement Manual Call Logging. Resolve problem via HSD incident management process. Potential MBCI Go to 10.2.4. Inform: POL BCT.

10. | Loss of One Shot Password workstations in STE04 | Any circumstances. All OSP workstations unavailable. Lost 100% capacity | 0 | <1hr: Minimal Impact: Unable to resolve some outlet problems. >1hr: Major Impact. Potential [illegible] Business Impact: HSD / POL / FMS | Resolve via HSD incident management process. 6 One Shot Password workstation available for contingency. Consider using the 2 DR one Shot Password workstations in BRA01.
TRIOLE Incident Management System to D1 | Automated process lost | 2 | >4 hrs | Minimal Impact: [illegible] (Unless over an extended [illegible] volumes) | Resolve problem via HSD incident management process. E-mail or Fax details or hand carry call details that would be passed into D1 to FMS Service Desk

12. | Incident Management System to Peak link | Any failure. Automated process lost | 2 | >4 hrs | Minimal Impact: HSD Fujitsu Services Support services (unless over an extended period) | Resolve problem via HSD incident management process. Fax details of calls that would be passed into Peak to the SSC.

13. | POA Network link(s) to both Data-centre(s) | Any failure to both sites (IRE11 & IRE19) | 0 | > 30 mins | No access to Tivoli (see Risk 3). Business Impact: HSD, Fujitsu Services, POL | Resolve via incident management process. Alternate network routes make this unlikely. Request MSS & SMC to assist. Potential MBCI Go to 10.2.5. Inform: POL BCT.


Loss of Corporate Network | For any reason in STE04 | 1 | Immediate | HSD unable to access TRIOLE Incident Management System and other services. This will slow call resolution. Unable to fully verify caller details. Loss of e-mail. Possible SLT failures for HSD. Business Impact: HSD, Fujitsu Services, POL | Invoke Manual call logging process. Resolve via problem management process. Consider relocation to DR sites if BRA01 site is unaffected, and invoke fourth floor desk clearing process if required. Potential MBCI Go to 10.2.4. Inform: POL BCT.


Loss of Corporate Network At SDC01 | For any reason | 1 | Immediate | HSD unable to access TRIOLE Incident Management System and other services. This will slow call resolution. Unable to fully verify caller details. Loss of e-mail. Possible SLT failures for HSD. Business Impact: HSD, POL | May be possible to access TRIOLE via another data centre server, otherwise invoke manual call logging process. Resolve via problem management process. Potential MBCI Go to 10.2.4. Inform: POL BCT.


Loss KMA functionality | Total loss of all KMA workstations in STE04 for any reason | Minimal Impact: Unable to resolve some outlet problems. [illegible] Major Impact - potential impact HSD / POL / FMS | Resolve via HSD incident management process. There are 7 workstations in STE04 for contingency. Consider using the KMA workstations in BRA01.

12 Summary of Contingency Actions

12.1 Summary of Contingency Actions for HNG-X Support Services

The following are additional contingency actions to be taken for the risks identified in the table in section 11.2.

12.1.1 Reconciliation Service

There are many essential systems that enable the Reconciliation Service to continue operating. These
include BIMS database, TWS schedule (successful run), Delivery of reports, TES, DRS, APS. Contingency
actions to be defined.

12.1.2 Security Management Service
To be defined

12.1.3 Branch Change Management Service
To be defined

12.1.4 Estate Management Service
To be defined

12.1.5 Network Services
To be defined

12.1.6 Data Centre Operations Service
To be defined

12.1.7 SAP Development and QA-Test Systems

No further actions

12.1.8 System Management Service
To be defined

12.1.9 Support Services

To be defined

12.1.10 System Operate Services
To be defined

12.1.11 Reference Data Management Service
To be defined

12.1.12 Service Integration Service
No further actions

12.1.13 Receipt Template Service

No further actions

12.1.14 Service Management Service
To be defined

12.2 Summary of Contingency Actions for the MAC

The following are additional contingency actions to be taken for the risks identified in the table in section 12.1

12.2.1 BT Telephone Call Delivery System, via IVR (NBSC), to MAC.

There is no contingency action to be performed by MAC over and above normal operational incident
processes and the actions identified within the above risk tables. This is a BT supplied service.

12.2.2 Loss of Functionality in STE04 for MAC

If STE04 (the primary site in Stevenage) is unavailable for use by MAC, provision has been made for staff to
re-locate to facilities in BRA01, another Fujitsu Services site in Bracknell. If the BRA01 disaster recovery site is
invoked, the POA Duty Manager is to arrange that all staff occupying MAC DR desks on the fourth floor are
instructed that they are to be vacated.

In addition a provision has been made to allow phone contact to be re-established once staff have relocated,
via a BT command switch. During any period when MAC is unavailable to take calls, the calls will be directed
to the voicemail service. Once staff are operational at the alternate location the voicemail calls will be
processed and the callers will be called back. There is about one hundred desktop PCs in STE04 that can be
Used for TIS, and other related services , and forty laptops in BRAO1.

12.2.3 People

Human Resource Management processes are in place to manage the normal turnover of staff.

12.2.4 Manual Processes due to total loss of TfS Incident Management System

In the event that the TfS servers have failed at both SDC01 and SDC02, or are inaccessible, or are in the
process of being failed over, manual processes will be used to log calls until such time as TfS can be
returned to service.

12.2.5 Loss Of access to Tivoli / KMA / Global User Counter / One Shot Password System

In the event of the unavailability of Tivoli at STE04, including any PCs used by the SMC, for an extended
period of time (at least 3 hours) then temporary relocation to BRA01 shall be considered. There are
twenty-five Tivoli PCs in STE04 and four at the DR site in BRA01.

In the event of the unavailability of all of the KMA (Key Management) Workstations (there are seven in STE04
and one in BRA01), or all One Shot Password Systems in STE04 (there are six in STE04, two in BRA01),
for an extended period of time (at least 3 hours) then temporary relocation to BRA01 shall be considered in
order to provide this capability.

12.2.6 Loss Commander — Call Management

In the event that calls are not being passed by the normal call management system (Commander) it is
possible to switch to the use of the standard ACD (Auto Call Distribution) system; however, this may limit call
management capability and reduce the number of calls being handled.

If whatever has caused the Commander system to be unusable is also preventing use of the ACD system
then calls will be diverted to voice mail and consideration given to moving to the DR site.


13 Post Office Limited failures impacting POA Services

13.1 Post Office Limited failures impacting POA RDMS Service

The POA RDMS utilises Reference Data being supplied by POL Chesterfield but is not strictly dependent on
it. It is the POL business which is dependent on the data.

The availability of Post Office outlets to utilise the RDMS to the customer is a further prerequisite of the end to
end service provision.

13.2 POL and AP Client failures impacting POA APS Service
13.2.1 Post Office Limited

The availability of Post Office outlets to provide the Automated Payment Service to the customer is a further
prerequisite of the end to end service provision.

Non-availability of one or more Post Office outlets restricts the availability of the service and may trigger a
Business Continuity event, see Appendix One.

13.2.2 AP Clients

The availability of the Automated Payment Clients to receive the transaction files is a further prerequisite of
the end to end service provision.

Non-availability of one or more of the AP Clients restricts the availability of the service and may trigger a
Business Continuity event.

The Fujitsu Services POA plans and procedures for dealing with this situation can be found in the Client
Specific Operational Level agreements (CS/OLA/003 — Generic AP Client OLA from which all specific Client
OLAs are derived).

13.3 Post Office Ltd failures impacting POA TPS Service

Non-availability of TPS service at POL NDC, or the disaster recovery site at Isleworth, or one or more Post
Office outlets restricts the availability of the service and may trigger a Business Continuity event, see
Appendix One.

13.4 Post Office Ltd and Supplier failures impacting POA NBS Service

The non-availability of one or more of the Financial Institutions or one or more Post Office outlets can restrict
the availability of the Network Banking Service and may trigger a Business Continuity event.

13.5 Post Office Ltd and Supplier failures impacting POA DCS Service

The non-availability of the Streamline Debit Card System, or one or more of the Card Issue services, or one
or more Post Office outlets can restrict the availability of the Debit Card Service and may trigger a Business
Continuity event.


14 Plan Activation
14.1 Major Business Continuity Incident (MBCI)

Once the criteria for Business Continuity have been satisfied, i.e. an MBCI Trigger from the table of risks in
section 10 & 12 Impact & Risk Assessment, then after a call has been placed and appropriate details logged
at MAC, the problem ownership is passed to the Fujitsu Services POA member of the BCMT (Business
Continuity Management Team).

After compiling all relevant information, and if necessary communicating this to the other members of the
BCMT listed below in the Contact List, a full impact assessment will be conducted to determine if the joint
Business Continuity Management Processes detailed in:

CS/PRD/031 (Fujitsu Services (POA) Business Continuity Management) and

SVM/SDM/SIP/0001 (Post Office Limited and Fujitsu Services Business Continuity Interface Agreement) will be
invoked.

This will be done in conjunction with Senior Managers, relevant Business Units and Expert Domains as
appropriate.

If the Joint BCM processes are invoked, the next steps will be to agree who from the BCMT owns the MBCI.

The BCMT will then agree a plan of action and agree upon the recovery and contingency activities to be
carried out. Again, this will be done in conjunction with Senior Managers, relevant Business Units and Expert
Domains as appropriate.

The agreed plan will then be monitored and reviewed until such time as the MBCI (Major Business Continuity
Incident) impacting the service has been resolved, and the MBCI closed.

14.2 Site Failover

Site failover is covered by a Major Incident Process.

Some of these steps will be capable of being carried out in parallel. Major checkpoints will be included in the
business continuity plan to allow coordination of steps which depend on each other.

Testers will be given as much notice as possible to stop their testing and shut down their systems cleanly.

A message will be put on the MAC team phone to inform Post Masters and Mistresses of a major problem.

Authorisation will be sought for failover.

Availability and operation of support services will be confirmed.

If possible, production servers and LPANs at the primary site will be shut down cleanly, followed by Test
LPANs at the secondary site.

The test network will be disabled and the production network prepared for operation from the secondary site.

The storage will be failed over.

The Production LPANs will be started at the secondary site.

Business critical services will be started.

Other services will be started.

States of sites - IRE11 Primary / IRE19 Secondary:

Normal Running:

Primary — Production
Secondary — Test/Production*

Disaster:
Primary — non-functional / unavailable
Secondary — Test/Production*

After Failover:
Primary — Unavailable
Secondary — Production / Limited Test

After Failover and after primary site fault is fixed:
Primary — Standby
Secondary — Production / Limited Test

* The bulk of the Secondary data centre is used as a test environment

15 Contact List

15.1 Normal Processes

Organisation | Contact Name | Role | Telephone Number
As per rota Duty Manager Pager: I GRO
POA pclae by MAC I oF Office Hours applicable Service .
team

Peter Thompson

Delivery Manager

CS Head of Service Management —_I mobile:
(MBCI Contacts) | Changdev Pawashe | Business Continuity Manager | Mobile:
Peter Thompson | CS Head of Service Management | Mobile:
FS Core Services | Roger Steam | Network Manager | Mobile: / Internal: GRO
FS Core Services SOS NT and UNIX | Adrienne Thompson | SOS NT and UNIX Manager | Office: / Mobile:
FS Core Services SMC | Jacob Cherian | SMC Manager | Office: / Mobile:
Business Stream Manager | Office: / Mobile:
Post Office Limited (ATOS) | ATOS IT Service Continuity management team

15.2 Escalation Processes

Escalation Level | Level 1 | Level 2 | Level 3 | Level 4

Fujitsu Duty Manager Problem CS Security Operations Customer Service
Office Hours


applicable Day Time
POA Duty Manager
Via MAC team.

Business
Continuity
Manager.

Changdev
Pawashe

FS Core
Services Data Networking Support
Networks Network Manager Manager
POA Networks Duty
1

SOS NT

NT & UNIX Manager
and UNIX 8 Technical Support Manager

Andrew Gibson

eiber Fiona Lennox

Mobile: Mobile:
SMC

SMC Manager
MAC Mobile: GRO
Team

MAC Ops Manager

Sandie Bothick
Post Business Continuity Network Support Service
Office Manager Manager.
Limited

ATOS IT Service
Continuity management

team

ATOS IT Service Continuity
management team


16 APPENDICES

16.1 Appendix One: Post Office Outlet Trigger Table.

The following table provides guidance on identifying the severity and classification of incidents that have an
adverse effect on Post Office outlets. All problems which are an exception to the ‘normal’ incident profile and
fit within any of the categories defined below should be escalated to the POA Business Continuity Manager
for consideration.

Not Geographically Concentrated Outlets.

Less than 200 outlets affected for less than 0.5 of a trading day | A Problem
Less than 200 outlets affected for between 0.5 and 1 trading day | Potential MBCI
Less than 200 outlets affected for more than 1 trading day | Potential MBCI*
Between 200 and 800 outlets affected for less than 2 hours of a trading day | A Problem
Between 200 and 800 outlets affected for more than 2 hours but less than one trading day | Potential MBCI
Between 200 and 800 outlets affected for more than one trading day | Potential MBCI*
800 and more outlets affected | Potential MBCI*

Geographically Concentrated Outlets.

Between 10 and 20 outlets affected for less than 0.5 of a trading day | A Problem
Between 10 and 20 outlets affected for between 0.5 and one trading day | Potential MBCI
Between 10 and 20 outlets affected for more than one trading day | Potential MBCI*
Between 20 and 100 outlets affected for up to 1 hour of a trading day | A Problem
Between 20 and 100 outlets affected for between 1 hour and 0.5 of a trading day | Potential MBCI
Between 20 and 100 outlets affected for more than 0.5 of a trading day | Potential MBCI*
More than 100 outlets affected | Potential MBCI*

16.2 Appendix 2 IRE11 - IS Data Centre Information
Refer to: ISNO00666 - IS Data Centre Specification - IRE11
Describes the environmental specification for the IRE11 Data Centre

16.3 Appendix 2 IRE19 — IS Data Centre Information
Refer to: ISNO00667 - IS Data Centre Specification - IRE19

Describes the environmental specification for the IRE19 Data Centre
