FUJ00233004
Horizon Issues Remediation Programme
Third Party Support — High level activities
10 November 2021
Latest updates in Final Column. Dated updates and bold Black (POL), bold Blue (Fujitsu)
Post Office Limited - Document Classification: INTERNAL
Objectives
1. Re-cap the scope of the Horizon Improvements Programme and answer any questions
2. Provide a high-level view of the POL requirements for Fujitsu me eget including timeline and current contractual status
3. Agree next steps to develop detailed requirements, agree mo) of work and move into implementation
Standing up a 24-month programme to deliver lasting change
9 workstreams have been established, each with a clear objective to deliver change for the Postmaster.
CORE WORKSTREAMS.
Model
Provide an effective Horizon IT function that can control and prioritise Horizon change and improve service operations.
Identify and implement improvements to the Horizon
system, including improving usal
data transfer elements to ensure transaction integrity.
This will include the creation of a data roadmap for
yy of the platform and
Horizon, implementing new data TOM, tools and
architecture.
Re-design investigations process that harnesses data to improve the accuracy and speed of investigations.
For Postmasters...
Standing up the capabilities to ensure that Horizon / GLO is
For Postmasters...
Improved usability and navigation for Postmasters, reducing the number of user errors. Appropriate training to ensure Postmasters understand and can use the new functionality. Assuring the quality and visibility of data provided to Postmasters.
For Postmasters...
Standard
providing a Postmaster cent
ae io ince for
ons fa to aper self-
servi
Noe of discrepancies.
Ask on Suppliers:
+ Participation in workshops from process definition through to implementation
+ Activity will depend on the supplier and process
Ask on Suppliers:
+ Embed some suppliers into scrums for Agile Delivery
+ Remediation support for data and user journeys
+ SME input into scrum teams or part of wider w/s
+ Implementation support etc.
Ask on Suppliers:
+ Keystroke logging
+ Unified data request process
+ ARQ digital signature
+ Historical HZ health data
S=I controls
CNS and protect its
For Postmasters...
Providing Postmasters with better assurance over the integrity of the Horizon platform and branch data
Ask on Suppliers:
N/A
ENABLING WORKSTREAMS.
Design and implement a Horizon security function to safeguard the Horizon system landscape from unauthorised interference.
For Postmasters...
Providing Postmasters with the assurance that their data is appropriately protected.
Ask on Suppliers:
+ FJ IDAM changes
+ FJ to provide security data & architecture information
+ FJ/CC security testing
+ Brief on testing strategy
Testing
Stand up an effective testing capability designed to reduce defects and errors while improving the quality of the Horizon software
For Postmasters...
Reduction in defects and incidents post go-live.
Ask on Suppliers:
+ Support UFT, NFT
+ Regression testing
+ Defect Mgmt.
+ Test policy implementation
+ Use Test Mgmt. tool
Identify opportunities and embed tooling and automation capabilities in the way we provide Horizon, creating a tooling strategy and roadmap.
Ask on Suppliers: New ways of working & CMDB changes
Organisational Change
Accelerate programme delivery through effective change management. Delivering integrated learning, change and communications activities to support the implementation and ensure stakeholders are brought along on the change journey.
Remediation Management Office
Track the delivery of all objectives across the programme, co-ordinate design and implementation governance
RTQs for HI] — as of 10 November 2021
| HI Program Stream | Supplier | RTQSR# | Submitted Date | Submitted By | Work Order Reference | Status | Description | Cost |
|---|---|---|---|---|---|---|---|---|
| | | | | Dean Bessell/Paul | | | ARQ and data logging improvements - Changes | |
| | | POREQ0005282/ | | | | | Counter UI SME to support the UX the scrum | |
| Investigations | Fujitsu | POREQ0005303/ RTQSR0003358 | 14/07/21 | Sally Rush | CWO0466 | On Hold | Discrepancy Investigations — Design Study Follow On | £98,206.00 |
| Investigations | Fujitsu | RTQSR0003359 | 14/07/21 | Sally Rush | CWO0467 | On Hold | Investigations Design Study | |
| Investigations | Fujitsu | POREQ0005313/ RTQSR0003375 | 16/07/21 | Dean Bessell | CWO0474 | In Flight | Key Logging Solution | £32,102.00 |
| Horizon System Improvements and Data | Fujitsu | POREQ0005336/ RTQSR0003389 | 05/08/21 | Kevin O'Connor | CW00479 | In Flight | Horizon Help Screen Fix #2 | £ $4,483.50 |
| Testing | Fujitsu | POREQ0005362 | 19/08/21 | Harshwardhan Soman/Sarah Birch | CWO0487 | In Flight | We require home test kits for the test team to allow them to execute from home. There are limitations on the number of people allowed in the test room at FD due to COVID restrictions. | £9,117.00 |
| Investigations | Fujitsu | POREQ0005383/ RTQSR0003437 | 27/08/21 | Sally Rush | CWO0491 | On Hold | Discrepancy Investigations - MS Dynamics. | |
| Horizon System Improvements and Data | Fujitsu | RTQSR0003447 | 07/09/21 | Kevin O'Connor | | Awaiting Supplier Response | Impact assessment for CW00424 (Design Study for Access to Branch Hub from Horizon) | |
| Horizon System Improvements and Data | Fujitsu | RTQSR0003266 | | Sally Rush | CWO0433 | In Flight | Documentation | £15,103.00 |
| Security | Fujitsu | POREQ0005375/ RTQSR0003429 | 31/08/2021 | Paul Kingham | PPT Slides | In Flight | PAM Enhanced Reporting | |
| Horizon System Improvements and Data | Fujitsu | POREQ0005411/ RTQSR0003488 | 16/09/2021 | Kevin O'Connor | cwooso7 | In Flight | Finish Branch HUB design for Pilot | £20,238.00 |
| Horizon System Improvements and Data | Fujitsu | N/A | | Marion Chave-Jones | CWO0518 | Awaiting Approval/PO | Implement App Dynamics in SV&I, LST and Production on DGEv2, BMXv2 | £43,376.00 |
Fujitsu (1a of 3)
Workstream(s)
Activities
Heavy involvement in: HZ availability mgmt., HZ Capacity mgmt., HZ Service continuity mgmt., HZ change mgmt., HZ event mgmt., HZ operational supplier mgmt., HZ investigations support
Medium involvement: HZ Design coordination, HZ service catalogue mgmt., HZ data governance, HZ transition planning & support, HZ service asset & config mgmt., HZ service validation & testing, HZ request fulfilment, HZ access mgmt., HZ security operations, transaction remediation
RTQ or Call off submitted
Not raised yet
Not raised yet
Comments / assumptions
Light involvement in other activities too, but minimal expected changes required
+ Medium involvement - input into reviews / discussions of updated processes. Requires change to process that impacts the supplier
+ Heavy involvement - involved from start of activity, involved in workshops and sessions from process definition through to implementation
High-level discussion with Martin Godbold 05.08.2021. No action for Fujitsu at this time.
08/09 Action: Dionne to propose amendments to the Governance Schedule.
15/09 Action: Dionne to propose amendments to the Governance Schedule.
21/09 Action: Dionne to propose amendments to the Governance Schedule. O/S
22/09 - No action for Fujitsu at this time.
05/10 - O/S action with Dionne.
05/11 - O/S action with Dionne (Q: Is the ISMF ToR finalised?)
Fujitsu (1b of 3)
Workstream(s) Activities RTQ or Call off submitted Indicative timelines Comments / assumptions
Tooling
+ Adopt new ways of working:
+ Change Mgmt. & process improvements
+ CMDB changes
+ Not raised yet
+ Before November 2021
+ N/A
+ 08/09: Process amendments to be proposed by POL. E.g. CMDB data. DH to arrange a call with FJ and POL
+ 15/09 DH to arrange meeting to understand the ask
+ 21/09 Meeting held 20th Sept - good discussion and understanding of what POL are trying to achieve but FJ C's are not the route to achieve it.
+ 22/09 - No action for Fujitsu at this time.
+ 06/10 - No action for Fujitsu
+ 11/10 - Potential ask to make changes to FJ CMDB in order to align with POL proposed changes.
+ Service Transition & Design + Phase 2 Options Paper + Deliverables in Phase 3 (22/23 FY)
+ 10/11 - No action for Fujitsu
Fujitsu (1c of 3)
Workstream(s)
Investigations
Activities
+ Complete ARQ digital signature
+ Provision of Keystroke Logging data
+ Development of unified data request process
+ Process for supplying historical Horizon “health
+ Unified Access Process
Call off submitted
+ RTQSR0003238/CW00426 under review.
+ On hold
+ In progress - Improvement Plan actions w. Steve Browell
+ In progress - Improvement plan actions w. Steve
+ Repurposing existing Horice licenses
Indicative timelines
+ June 2021 (Digital Signature)
+ July-August 2021 (Keystroke logging)
+ July 2021 (Unified process)
+ July-September 2021 (Health data)
Comments / assumptions
+ Access to keystroke logging data is the subject of ongoing discussions between POL and Fujitsu and may be removed from scope
+ Details of scope and format of Horizon health data is under discussion
+ No action for FJ
Updated 10.11.2021
+ Discrepancy Investigations - Design Study Follow On, CWO0466
+ Implementation of the Discrepancy Investigations Design Study cwo0467
+ ARQ Digitisation, RTQSR0003238, CW00426.
+ 08/09 Awaiting POL installing software
+ 06/10 Awaiting POL installing software
+ areareatprovals toinstall agreed ~ installation roces spelt oer ss
+ Key Logging Solution CW00474. Response sent to POL 23.08.2021
+ 08.09.2021 POL raising the PO but initial meeting will be charged to the Architecture call off PO.
+ 08/09 Awaiting kick off meeting dates from Dean Bessell
+ 15/09 Kick off meeting proposed but Fujitsu will need to change to next week
+ 22/09 Kick off meeting scheduled for 14:00 24/09
+ 06/10 ~2 discussion held. Specific use case being identified by DB to focus requirements
+ Investigations data sets, POREQ0005335/RTQSR0003388, CWO0478. Response sent 20.08.2021
+ 08.09.2021 - ongoing discussions.
+ 08/09 Awaiting information from Dean Bessell
+ 15/09 Some info shared and checked, awaiting further information from DB
+ 22/09 Further info shared with POL. Awaiting further information from DB
+ 06/10 — further info shared by POL. Simpler view needed by Fujitsu. DB collating
+ 10/11 - Files with DB for analysis (parallel conversations with CC arranged)
+ 08.09.2021 - New Discrepancy Investigations - MS Dynamics POREQ0005383.
+ 21/09: On Hold.
+ 21/09 NEW POREQ0005411 to complete Branch Hub design work.
+ 22/09 Not yet received by Fujitsu
+ 05/10 Pending RTQ review
+ 06/10 - Response being generated by Fujitsu
Fujitsu (1d of 3)
Workstream(s) Activities RTQ or Call off submitted? Indicative timelines Comments / assumptions Updated 22.09.2021
IT Controls
+ Dean Bessell has stated that an initial set of Controls will be shared with Fujitsu for impacting soon. Initial discussion was held 21.06.2021. No action for Fujitsu at this time
+ Target submission of Controls - Sept 21
+ 08/09 Awaiting next update from Dean Bessell/Hazel Freeman
+ 15/09 Awaiting next update from DB/HF
+ 22/09 Awaiting next update from DB/HF
+ 06/10 Awaiting next update from DB/HF
+ 10/11 Supplier Assurance will be required 6 monthly. Awaiting details from DB.
Fujitsu (2a of 3)
Workstream(s)
Horizon System Improvements and Data
Activities
+ Confirm CBA (Counter Business Application) dependencies
+ Development capability to make changes to CBA (part of scrum team)
+ Testing capability to test changes to CBA (part of scrum team)
+ Release capability to support releasing changes to CBA (part of workstream)
+ Counter architecture SME available to scrum teams (FT and part of workstream)
+ Data centre architect SME (available as required, not part of workstream)
+ Creation of an Horizon Improvement Backlog
+ Monitoring Solution
+ Reference Data Tool
RTQ or Call off submitted
+ Not raised yet
+ Not raised yet
+ Not raised yet
+ Not raised yet
+ We have a call off pot in place (CW00369) for architectural support but it was not crafted for the level of involvement we are now seeking.
+ Not raised yet
+ No input from FJ required
Indicative timelines
Now and end Sept
July 2021
July 2021
July / August 2021
June 2021
June / July 2021
Pre-peak
Comments / assumptions
+ Highly likely but we won’t know until we complete detailed work
+ App Dynamics design & implement
+ Due Diligence underway
Resource for pipe clean activity being provided under CWO0369
Unclear what POREQ0005282/RTQSR0003336, CW00459 will become (perhaps the work after the pipe clean)
08.09.21 CWO0479: Horizon Help Screen Fix #2
+ 08/09 Aware of CWO0479 which was sent to POL 31.08.2021
+ 15/09 Awaiting POL decision
+ 21/09 POL progression - Awaiting approval of PO
+ 22/09 — Fujitsu standing by...
+ 05/10 - Active Project
RTQSR0003447 Impact assessment for CW00424 (Design Study for Access to Branch Hub from Horizon)
+ 08/09 CWO0424 is a BH project
+ 15/09 In flight and Dan W updating SO
+ 22/09 - Active project
+ 10/11: RTQSR0003447 design now agreed....impact assessment begun & response awaited
21/09 NEW: CW00433 MoneyGram Cancellation - Design Documentation
+ 22/09 — Active project
Fujitsu (2b of 3)
Workstream(s)
Testing
Activities
+ Test Policy implementation
+ Defect Management
+ Regression Testing
+ UAT Support
+ NFT Support
+ Use Test Mgmt. tool
RTQ or Call off submitted?
+ Not yet raised
+ Not yet raised
+ Not yet raised
+ Not yet raised
+ Not yet raised
+ Not yet raised
+ Request for remote access RTQ is raised (RTQSR0003218/CWO0418)
Indicative timelines
+ July 2021 (for all items)
Comments / assumptions
Fujitsu will have to buy into, and be part of the uplift of testing across the Horizon landscape. This will require their support and involvement in test delivery.
+ Test Policy 1.12 shared and feedback provided to POL. No action for Fujitsu at this time.
CWO0418. RTQ placed on hold 19.08.2021 by Rohit Gogna ‘until further notice’.
+ NEW: POREQ0005362 for Home Testing kits
+ 22/09 Fujitsu response CW00487 sent last week
+ 05/10 Requisition raised - awaiting approval.
+ 10/11 - Discussion re Supplier Quality Gate - adoption of Industry Best Practice. No action for FJ.
Fujitsu (3 of 3)
Workstream(s)
Security
Activities
Heavy involvement:
+ All Idam deliverables
+ HZ security test report
Medium involvement:
+ HZ SecOps process
+ HZ ‘as-is’ assessment
+ Threat / risk based security assessment
+ HZ security testing strategy and governance framework
RTQ or Call off submitted
+ Not raised yet for IDAM - driven by Improvement Plan acceler Sessions w Steve
Initial discussion on pen testing has taken place and Network Topology expected by 18/06 from Steve Browell, POL with support from Fujitsu will conduct testing in areas it deems most critical. This may also require Fujitsu support for any mitigations that are implemented.
Indicative timelines
+ June — November 2021
Comments / assumptions
Heavy involvement:
+ Where Idam controls on the FJ side need changes (per the Idam strategy) or where tooling is recommended, and this interfaces with FJ.
+ We may need to seek permission to run security testing on, through their systems.
Medium involvement:
+ may need to provide alternate metrics or need to fulfil tasks to facilitate the running of the process.
+ We will need to understand what the security architecture is as it pertains to Hz, and what security controls are in place.
+ We will need to get a feel for security control effectiveness, if the controls is FJ owned, If FJ have been involved in previous security incidents, would be useful to gain information on these.
+ Need to brief suppliers on our proposed approach and ensure access to systems is available when needed, or the process for requesting access is agreed and documented. Need in principle agreement from suppliers that they subscribe to the approach
Very conceptual discussion on PAM tooling/activity visibility held 12.08.2021. Awaiting feedback from Dean Bessell. No action for Fujitsu at this time
+ 08/09 RTQSR0003429 (CWO0493) PAM Enhanced Reporting received 31.08.2021. Response due back to POL 21.09.2021
+ 15/09 Response nearing completion
+ 21/09 — Please confirm when this is expected please.
+ 22/09 — Response sent 21/09. Rejected with supporting comments
+ 05/10 - Agreed set of actions on 28/09
+ 06/10 - Fujitsu actions being progressed
+ POL Pentest/Red Team under discussion in POL following initial discussion with Fujitsu.
+ 08/09 Follow up meeting held 02.09.2021 and second meeting booked for 08.09.2021 for POL to update Fujitsu
+ 15/09 RTQ received and initial joint discussion planned for 17.09
+ 21/09: POREQOO0S40S
+ 22/09 Final discussions held 21/09. POL to reword and resubmit
+ 05/10 - Resubmitted requirements on 30/09
+ 06/10 - Response being generated by Fujitsu against RTQSR0003480
+ 10/11 - Awaiting submission (due this week)
+ 21/09 RTQs submitted to other suppliers to explore fall back options for pen tests.
+ 22/09 - No action for Fujitsu