Fs)
FUJITSU
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Document Title:
Document Type:
Release:
Abstract:
Document Status:
Author & Dept:
POA Operations Incident Management Procedure
Procedure Definition
Not applicable
This document details the POA incident processes which supplements
the incident processes defined in the Fujitsu EMEIA Business
Management Systems Incident Procedure with the Post Office Limited
specific requirements or requests.
APPROVED
Tony Wicks — POA Operations.
Matthew Hatch — POA Operations
Internal Distribution: Peter Thompson, Steve Bansal, Matt Hatch, Steve Parker, Steve
Security Risk
Evans, Andy Hemingway, Yannis Symvoulidis, Steve Godfrey, Jason
Muir, Sandie Bothick, Bill Membery, Chris Harrison, Jerry Acton
Assessment Confirmed:
Approval Authorities:
External Distribution: Ajayi Olugbenga, ATOS Business Continuity Manager
Dave King, POL Security Manager
Yes
Role See Dimensions for record
Nam
Steve Bansal
POA Senior Service Delivery Manager
Sandie Bothick
POA MAC & OBC Team Manager
Note: See Post Office Account HNG-X Reviewers/Approvers Role Matrix (PGM/DCM/ION/0001) for guidance.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 1 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0 Document Control
0.1 Table of Contents
o DOCUMENT CONTROL 2
0.1 Table of Contents
0.2 Document History
0.3 Review Details .
0.4 Acceptance by Document Review.
0.5 Associated Documents (Internal & External)
0.6 Abbreviations ..
0.7 Glossary.
0.8 Changes Expected .
09
0.10
1
44
42
1.3 Objective
1.4 Process Rational:
4.5 Mandatory Guidelins
2 INPUTS 10
3 RISKS AND DEPENDENCIES .........cesesesseeseeeee 10
3.1 Risks...
3.2 Dependencie:
4 RESOURCES 12
41 Roles
4.2 Incident Prioritisation within POA...
5 PROCESS FLOW....
5.1.1 Step 1.1: Incident identification, classification and prioritisation...
§.1.2 Step 1.2: Investigation and Diagnosis .............
5.1.3 Step 1.3: Resolution and Recovery
5.1.4 Step 1.4: Incident Closure......
5.1.5 Step 2: Trend Analysis and Reporting
5.1.6 Step 3: Ownership, Monitoring, Tracking and Communication
6 QUTPUTS.........0 21
Zz STANDARDG......... 21
8 CONTROL MECHANISMS... 21
Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVM/SDM/PROI0078
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR _ Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 2 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
+22
9 APPENDIX A: SECURITY INCIDENT REPORTING .........cccssesee
9.
9.4 POL Incident Handling Guidance ..
. IT Incidents
Incident Definitior
Incident Categorie:
Examples of IT Incidents
Investigation
Policy...
POL Security / Investigation Team
External Investigator
Evidence Rule:
Process
Qn Completion of report.
Completion of Investigation
9.9 Trends & Auditing
9.4 Frequency ...
1 APPENDIX B CONTACTS ....
0.1.4 Security Incidents
a
10.1.2 Major Incident Manager Contact Details
10.1.3 Qut of Hours Duty Manager Contact Details
10.1.4 POA Service Delivery Manager Contact Detail
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVMISDM/PROIO078
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR _ Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 3 of 28
Fs)
FUJITSU
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00234981
FUJ00234981
0.2 Document History
Version No, I Date ‘Summary of Changes and Reason for Issue Associated Change -
CP/PEAK/PPRR
Reference
0.4 16/10/06 First draft taken from CS/PRO/074. Updated to
include HNG-X document references.
Security Management appendix added
Incident Management Process modified to reflect
current working practises. Hardware and Network Call
priorities referenced
Problem Management escalation changed to SDM
rather than Problem Initiator.
1.0 06/11/06 Updated with comments following review of v0.1.
Issued for approval
14 02/03/07 ‘Security Annex has been updated
2.0 Updated with comments following review of v1.1
Issued for approval
21 14/04/09 Document updated names & job descriptions.
Acceptance section added.
2.2 16/04/2009 Version 2.1 is corrupt
2.3 10/06/2009 Updated to incorporate PC] DSS and comments
received from Connie G Penn.
3.0 28/07/09 Issued for approval
3.1 03/08/09 Updated to incorporate further comments received
from Paul Halliden
4.0 03/08/09 \ssued for approval
44 13/06/11 Updated to include clarified incident priority definitions
and changed personnel names.
42 30/06/14 Updated with comments following review of v4.1
5.0 06-Jul-2071 Approval version
5.1 23-Jan-2012 Update to include POLSAP and Security updates
5.2 24-Oct-2013 I Major update to align with Business Assurance
Management procedures and for organisational
changes.
6.0 13-Nov-13 Incorporated changes for Sarah Hill HSD and issued
for approval.
64 11-Jun-14 Amended to replace the HSD function with the Atos
Service Desk and replaced IMT references with the
MAC team.
Also updated to reflect the introduction of Atos as
POL's Service Integrator.
6.2 26-Jun-14 Section 9.1 enhanced to include , and any Payment
©Copyright Fujitsu Services Ltd 2006-
2019
FUJITSU RESTRICTED (COMMERCIAL IN Ref:
CONFIDENCE) Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SDM/PRO/0018
10.0
29-Jan 19
4 of 28
Pea)
FUJITSU
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00234981
FUJ00234981
Version No.
Summary of Changes and Reason for Issue
Associated Change -
CP/PEAK/PPRR
Reference
Brand incident (PC!)
7.0 47-Jul-14
Incorporates minor amendments
7 20 Oct-15
A major re-write to realign to the BMS Managed
Incident procedure.
7.2 23-Jun-16
Further major updates following a round-table review
within POA on 3" November 2015. Major
amendments to Appendix A handling of security
incidents.
8.0 12-Jul-16
Incorporated minor changes for comments from the
POA Senior Service Delivery Manager and issued for
approval.
8.1 20-Jul-2017
The procedure was checked for changes for CCNs
1602, 1609 and 16.14, no amendments were
required. The distribution list was amended for
organisational changes.
8.2 12-Sep-2017
Revised Appendix B, Contacts.
9.0 12-Sep-2017
Approval version
9.1 19-Oct-2018
Major re-write so that the Fujitsu EMEIA Incident
Procedure is used as the primary process and this
document maps those process requirements to
specific POA teams, see flow diagrams. Also updated
for TISNow which replaces TSD.
Amended section 9.5.2 to include breach of data
protection legislation
Amended section 0.5 Associated Documents
removing withdrawn documents.
Amended section 8.0 as SVM/SDM/SD/0001 has
been superseded by SVM/SDM/SD/0007.
Issued for formal POA Fujitsu review.
9.2 28- Nov-2018
Amended sections 1.3, 2, 3.1, 4 and 4.2 for
comments received.
10.0 29-Jan-2019
Incorporated comments made by Steve Bansal and
issued for approval
Amendments made as part of Author review
Removed the comment “Unavailability of sufficient
tools for Incident diagnosis” from section 3.1 Risks
0.3 Review Details
Review Comments by :
Review Comments to
Mandatory Review
Tony Wicks & Matthew Hatch
Role Name
POA Senior Service Delivery Manager Steve Bansal
POA MAC & OBC Team Manager Sandie Bothick
©Copyright Fujitsu Services Ltd 2006-
2019
FUJITSU RESTRICTED (COMMERCIAL IN Ref:
CONFIDENCE) Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SDM/PRO/0018
10.0
29-Jan 19
5 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Pea)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
POA Acceptance Manager Steve Evans
POA Chief Security Officer Steve Godfrey
Optional Revie
Role Name
POA Infrastructure Operations Manager Andy Hemingway
POA Business Continuity Manager Almizan Khan
POA SDM Networks Chris Harrison
POA SMC Manager Jerry Acton
POA Security Manager Jason Muir
POA Lead SDM Online Services Yannis Symvoulidis
POA Problem Manager Matthew Hatch
Post Office Ltd
Security Manager Dave King
ATOS
Business Continuity Manager Ajayi Olugbenga
(*) = Reviewers that retumed comments
0.4 Acceptance by Document Review
The sections in this document that have been identified to POL as comprising evidence to support
Acceptance by Document review (DR) are listed below for the relevant Requirements:
POL NFR DR Internal FS POL = Document Document Section Heading
Acceptance Ref NFR Reference Section Number
SEC-3166 I SEC-3285 9.5.2 Incident Categories
0.5 Associated Documents (Internal & External)
enc Version Date Title Source
PGM/DCM/TEM/0001 Fujitsu Services Post Office Account Dimensions
(D0 NOT REMOVE) HNG-X Document Template
CS/IFS/008 POAIPOL Interface Agreement for the I pyos
Problem Management Interface
SVMISDM/SD/0025 POA Problem Management Process I Dimensions
PAIPRO/001 Change Control Process PVCS
CS/QMS/001 Customer Service Policy Manual PVCS
SVMISDM/SD/0007 Service Desk — Service Description I Dimensions
SVMISDM/SD/0023 POA incident Enquiry Matrix Dimensions
SVMISDM/PRO/0001 POA Customer Service Major Incident I Dimensions
Process
SVMISDM/PLA/1048 ‘SMC Business Continuity Plan Dimensions
SVMISDMIPLA/0031 ‘Security Business Continuity Plan Dimensions
SVMISDM/PRO/0875 End to End Application Support Dimensions
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR _Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 6 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Reference Version Date Title Source
Strategy
EMEIA Incident Management Process I EMEIA BMS
EMEIA Major Incident Management EMEIA BMS.
Process
EMEIA Root Cause Analysis (RCA) I EMEIA BMS
Process
Information Security Incident ATOS
Iss¢-t1a Management Procedure
SVMISEC/POL/0003 POA Information Security Policy Dimensions
Unless a specific version is referred to above, reference should be made to the current approved
versions of the documents.
0.6 Abbreviations
Abbreviation Definition
AtG Advice & Guidance
BCP Business Continuity Plan
BMS Business Management System
cisO Chief Information Security Officer
CPP Common Point of Purchase
FI Forensic Investigator
HDI Help Desk Interface (between Atos SDM12 and TfSNow incident management
systems)
ICR Initial Case Report
Iso Intemational Standards Organisation
ITIL Information Technology Infrastructure Library
KA Knowledge Article also known as KEL
KEDB Known Error Database
KEL Known Error Log (in the context of this document, this is a workaround and
diagnostic database) (Theses are also known as Knowledge Articles.)
MAG Major Account Controllers (MAC team)
MSU. Management Support Unit
OLA Operational Level Agreement
OMDB Operational Management Database
ORF Operational Review Forum
OTl Open Teleservice Interface
PCI Payment Card Industry
PCI DSS Payment Card Industry Data Security Standard
PO Post Office
POL Post Office Limited
PSE Product Support Engineers
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR _ Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 7 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Pea)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Abbreviation Definiti
RFC Request For Change
POA Post Office Account
SAN Storage Area Network
SAP Systems, Applications and Products (in Data Processing)
SDM(s) Service Delivery Manager(s)
SDU Service Delivery Unit
siSD Service Integrator Service Desk (Atos Service Desk)
SLT Service Level Targets
SMC Systems Management Centre
SMT Service Management Team
SRF Service Review Forum
SRRC Service Resilience & Recovery Catalogue
ssc Software Support Centre
TISNow Triole for Services Now
UNIRAS Unified Incident Reporting & Alerting System
0.7 Glossary
Common Point of A location identified by card schemes as a single point where a number of stolen
Purchase cards were used before the card was involved in fraudulent activity.
KELs and KAs Note that different support teams refer to knowledge database information as either
Knowledge Articles or Known Error Log. Where within this document KELs are
referred to the reader can also consider them as Knowledge Articles.
Peak The Incident Management System used by POA 3” and 4" line support teams and
other capability units involved in HNGX releases. It is linked with the TfSNow call
management system.
0.8 Changes Expected
ne
0.9 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained as a result of any error or omission in the same.
0.10 Copyright
© Copyright Fujitsu Services Limited 2006-2019. All rights reserved. No part of this document may be reproduced,
stored or transmitted in any form without the prior written permission of Fujitsu Services
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 8 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
1. Introduction
1.1 Purpose
The purpose of this Post Office Account incident procedural document is solely to supplement the
incident processes defined in the Fujitsu EMEIA Business Management Systems Incident Procedure with
any Post Office Limited specific requirements or requests.
This document outlines the management guidelines to be used for Incidents impacting the live estate in
communicating with Atos and Post Office Limited.
1.2 Owner
The owner of the Incident Management process at the local POA level is the Fujitsu POA Senior Service
Delivery Manager EMEIA DTS UK&I CSM.
1.3 Objective
For the purpose of this document an Incident is defined as:
“Any event which is not part of the standard operation of a service and which causes, or may cause, an
interruption to, or a reduction in, the quality of that service.”
The quality of the service includes the protection of the confidentiality of business, personal and card data
as defined by the POA Information Security Policy (SVM/SEC/POL/0003).
The document applies to all Incidents raised by the POA MAC or by SMC (out of hours or from systems
monitoring tools), where they are related to the Fujitsu outsourcing contract. N.B calls presented to POA
MAC / SMC that should be placed with the Atos Service Desk are transferred/ referred from POA MAC /
SMC to Atos Service Desk.
For clarity; Post Office Limited (the customer) appointed Atos as their Service Integrator including the
primary service desk function (Atos Service Desk, which may also be referred to as SISD).
The scope of the process is from the receipt of an incident by the MAC / SMC, through to the successful
resolution of the incident (or providing a workaround).
For clarity, it should be noted that the MAC team are responsible for managing/owning Incidents between
08.00 and 20.00 Monday to Friday, 08.00 to 17.00 Saturday and Bank Holidays 0800 — 1400 excluding
Christmas Day. The SMC assume this responsibility out of hours, i.e., outside these hours. The SMC are
responsible for escalation of incidents to the POA OOH Duty Manager.
The key objectives of the process are:
Log, track and close all types of incident requests
Respond to all types of incident requests
Restore agreed service to the business as soon as possible
Resolve incidents within the target timescales set for each priority level within the Service Level
Agreement(s)
Resolve a high number of requests at first contact
Ensuring incident priorities are linked to business priorities
Keeping the user informed of progress
Reduced unplanned downtime
Improved Customer satisfaction
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 9 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
1.4 Process Rationale
The primary goal of the Incident Management process is to restore normal service operation as quickly
as possible, thereby minimising adverse impact to the business. In turn, this ensures the highest level of
service quality and availability. Normal service operation is defined here as service operation within
Service Level Targets (SLT).
Demonstrating a professional approach to Atos, the Service Integrator contracted to POL, and Post
Office Limited (the customer) and their clients.
1.5 Mandatory Guidelines
It is important to maintain a balance between:
a) Allowing the technical teams the right amount of time to diagnose and impact an incident
b) Avoiding unnecessary alerting of the customer
c) Assessing which incidents are major
The following guidelines should be adhered to.
* During the MAC Core Hours (Monday — Friday 08:00 — 20:00 and Saturday 08:00 — 17:00 and
Bank Holidays 0800 — 1400 excluding Christmas Day.) the MAC should be the first point of
operational contact between Fujitsu and the Atos Service Desk. Outside these hours the SMC
acts as the first point of contact.
e Any activity detailed in this document which is assigned to the MAC is handed over to the SMC.
outside the MAC Core Hours.
2 ‘Inputs
The inputs to this process are:
e All Incidents reported by Contact with the MAC / SMC. Contact is defined as voice, e-mail, incident
transfers over the HDI interface from the Atos Service Desk or Tivoli Alert as the methods of
communication with the MAC / SMC and fall into the following categories:
o Business process error
o Hardware or software error
o Request for information e.g. progress of a previously reported Incident
o User complaint
o Network Error
e Severity and SLT information.
« Evidence of an Error.
e System Alerts received automatically from transaction monitoring tools. Due to the urgent nature of
some of these alerts, they may be dealt with directly by SSC, with an update of workaround or
resolution supplied to MAC / SMC. It should be noted that these alerts enter the process at step
1.2.3, and are not subject to prior steps in 1.1 & 1.2 of this process.
3 Risks and Dependencies
3.1. Risks
The following define the risks to the successful delivery of the process:
e Break in the communications chain to third parties. Mitigation is to invoke escalation procedures.
e Non-availability of the MAC / SMC Incident Management System. Mitigation is given in the MAC /
SMC Business Continuity Plan.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 10 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e Non-availability of the HDI interface with the Atos Service Desk. Mitigation is via e-mail.
e Non-availability of the OTI links to internal & external service desk tools. Mitigation is via e-mail.
e Lack of information given to the MAC / SMC regarding changes, Atos or POL Business updates,
request for changes, status of Problems etc. Processes must be followed to lessen this risk, such as
the Change Management and Problem Management Processes.
e Unavailability of sufficient support unit staff.
e Unavailability of sufficient tools for Incident diagnosis
e Non-availability of KEL or call management systems. Mitigation is a secondary SSC server for KELs
and manual call processes.
e The provision of inadequate staff training within the MAC / SMC, SDU's or 3 party suppliers
e Unavailability of systems for evidence gathering.
3.2 Dependencies
This process is dependent on:
Effective Incident handling by the MAC / SMC
The known error information being available and kept up to date with all errors as the root cause
becomes known to Problem Management
Knowledge database kept up to date with POL business and services knowledge
Fujitsu infrastructure support of the MAC / SMC tools
Appropriate training plans / skills transfer of desk agents.
Appropriate training needs to include hardware, software and networks support staff, SDU's and 3%
party suppliers
Effective routing of calls to SDUs and third parties
Effective escalation procedures and the maintenance thereof within Fujitsu, POL and third parties
Governance of Incident / Problem Management procedures
Effective feedback to POL through Service Management SRFs, contributing to end user education
and reduced Incident rates.
Internal feedback to improve the Incident / Management Process.
e SLT and OLA knowledge and understanding across all Fujitsu and 3 party support
e POA, SDU and 3" party consistent co-operation in incident identification and resolution.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 11 of 28
Fs)
FUJITSU
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00234981
FUJ00234981
4
Resources
The resources required for this process are:
Process Owners
Major Account Controllers team
Service Management Team
System Management Centre team
Software Support Centre team
Service Delivery Units
Triole for Service Now incident management system
Peak (third and fourth line incident database)
SDM12 (within Atos) and the HDI interface into TfSNow.
OTI links
TIVOLI (system components and event monitoring software)
Additional remote Management, Operational and Diagnostic tools
Detailed Process and Procedure documentation
4.1 Roles
The main roles required by the process are:
e Incident Manager - To drive the Incident Management process, monitor its effectiveness and
make recommendations for improvement. The key objective is to ensure that service is improved
through the efficient resolution of Incidents.
e Major Account Controller - To provide a single point of contact for Atos Service Desk, dealing
with the management of routine and non- routine Incidents, Problems and requests
e Incident Resolver - To accurately diagnose and resolve Incidents and to assess, plan, build/test
and implement Changes in accordance with the Change Management Process. This role will
typically be fulfilled by the support teams and service delivery units.
4.2 Incident Prioritisation within POA
The priority assigned to a TfSNow incident is either based on the priority documented in an existing KEL
or based upon the Urgency and Impact of the incident, refer to POA Incident Enquiry Matrix.
With the exceptions of Major Business Continuity Incidents and Major incidents POA generally utilise
three priorities for incidents based upon the following guidelines.
Consideration must also be given to if the incident being reported is a Security Incident, if it is it must be
classified and managed under the POA Operational Security process (See Appendix A for guidance).
Priority 1 where there is an immediate impact to any live service or potential security incident requiring
timely attention. Priority 1 incidents are voiced to a Support Delivery Unit, the POA Duty Manager and
the ATOS Service Desk.
Priority 3 where there is an infrastructure failure which has caused a loss of resilience or a failure or event
which needs the timely attention of a Support Delivery Unit whose team will be voiced
Priority 5 for other less urgent incidents.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref:
2019 CONFIDENCE) Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SDM/PRO/0018
0
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Note1: Generally Priority 2 and Priority 4 incidents are not utilised within POA. However, if there is a
genuine business reason to do so incidents may be allotted at these priorities when it is consistent with
EMEIA processes.
Note2: When incidents are transferred to the Software Support Centre (EDSC) the TfSNow incident is
transferred into a Peak incident system. Within Peak the incident priorities are defined as A, B, C and D.
Therefore, when transferring TfSNow incidents into Peak ensure the following is adhered to:
TfSNow priority 1 equates to Peak priority A
TfSNow priority 2 equates to Peak priority B
TfSNow priority 3 equates to Peak priority C
TfSNow priorities 4 and 5 equates to Peak priority D
If it this cannot be achieved through automation the MAC or SMC Agent undertaking the transfer is to log
a comment on the TfSNow incident stating the TfSNow and Peak priorities.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 13 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5 Process Flow
As stated in section 1.1 Purpose, this Post Office Account Incident Procedural document is solely to
supplement the incident processes defined in the Fujitsu EMEIA Business Management Systems Incident
PLOCESS een IRRELEVANT”
The following flowcharts provide an overview of the interactions for incidents with Post Office Account.
1
<> Incident identification, classification and
5 prioritisation
i
2
c
g
PE :
2 oO
a2 1.2 a
v4 & Investigation and diagnosis 25
zs aE
a6 E >
gs Se
2a fs
<6 pS
ve Ee
5° 13 a?
fe <-> oe >» 29
Fe & Resolution and recovery és
Gia oO
5 5
a
é
2 y
14
Cc —_> i
Incident closure
Figure 1: Level 1 Incident Management Process
SCopyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref SVMISDM/PROMO018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 14 of 28
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
POA Operations Incident Management Procedure
CONFIDENCE)
FUJ00234981
FUJ00234981
5.1.1
Step 1.1: Incident identification, classification and
prioritisation
Responsible: MAC / SMC, users, SDU’s, Service Management
Service
Management
{ATOS Service ooo bien
Desk
{ATOS Service Desk send Y
automated incidents over a HDI
ok into Fujtsu, However, aia
incidents may also be phoned Cas
through, e.g, when the MACISMC
automated systems ae
inonerabe
Existing KEL? OP
Automated call ot query?
Unk
No
Record contact
advise calle of
inciortteronce
142 T
Create incident record I
Eat stisted wit
419
Claesty and prtse ~ avise
caler of inedert reference and
aaton No
J v
Incident
Advice & gudiance
3% party out of scope
a
Escalate to
v
Answer enquiry
and close or refer
‘Aaviee caller of
correct contact or
refer to Atos SD
to Atos SD a fee
¥
Yo step 1 Yo step 1 Yo step 14
Figure 2: Level 2 Incident Management Processes
Contact ended
Quality
J
Y
Escalation
procedure for
‘Atos SD
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 15 of 28
FUJ00234981
FUJ00234981
oe] POA Operations Incident Management Procedure “
J FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.1.2 Step 1.2: Investigation and Diagnosis
Responsible: MAC / SMC
x
124
Conduct initial
investigation
Yes “ ~ Yes
work around
<availatie? >
No Tne
swith work around ‘workaround
No
te
Incident? > POA. Duty Manager status of Incident Incident / Probiem
es or problem Record
. Yes
‘Attempt resolution of <Resowea? > Ql
y°
iirc rs shar ize
SoWver gq Refer incident to
oer Resolver Group
Yes
Transfer to new Review oct
resolver group pbleged ites
ee Incident Record to
Conduct extensive inform SDU of
analysis additional
‘ i
Figure 3: Investigation and Diagnosis
Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref. SVM/SDM/PROI0078
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR _ Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 16 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.1.3 Step 1.3: Resolution and Recovery
Responsible: SDU’s
From
Step 1.2
I
13.4
Ascertain Information
and appropriate
‘evidence
1.3.2 ~ Yes SDU to alert POA SDM
Multiple occurrence, ~~ to the existence ofa_I
.
proactive action orroot. SSS pattern likely to
cause required? ~~ produce a Problem
[=
13.3
Implement Solution and Evaluate
13.3.2
Software Solution
(Standard Release
Process)
4.3.3.1
Software Solution
(Hot Fix)
1.3.3.3
Hardware Solution /
Configuration Change
1.3.4
Solution Identified and
Change Request (TFS
Now) required
Revise or create KEL
I
1.3.5
SDU to detail resolution
details on the
incident(s) and retum.
the incident(s) for
closure
To step 1.4,
Figure 4: Resolution and Recovery
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 17 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure “
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.1.4 Step 1.4: Incident Closure
Responsible: MAC / SMC
Closure from
From ste
Escalation poy
Process
144) > Yes
~ ATOS SD Raised
Incident? ~
[No , 7 Yes
< ATOS SDM12. —
\ raised incident? ~
I Automated
y No Link
x y
142 > Yes . A > Yes
Originator ~~No * ATOS SD agrees ~ TOS SD agree
_ agrees Incident ~ Incident resolved? closure in SDM12?.
\tesolved? S y z
Yes No I No
I 1
T
Yes
“POA DM agrees
« —__1— ~< Incident resolved &
~<.can be closed?
No
I
( Close incident) ATOS close)
e Incident
Figure 5: Incident Closure
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref SVMISDM/PROIO078
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR —_ Date’ 29-Jan 19
STORED OUTSIDE DIMENSIONS
Page No: 18 of 28
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00234981
FUJ00234981
5.1.5 Step 2: Trend Analysis and Reporting
Responsible: Reporting Team, MAC / SMC, P&MI
Step 2 On-
going
2.1 Trend Analysis
Regular Trend Analysis is to be
undertaken by the MAC, SMC and P&MI
teams (or by duly appointed
representative teams e.g., POA
Reporting Team).
Where trend of repeat incidents is
identified, with no known circumvention,
this information is to be input into the
POA Problem Management procedure.
2.2 Reporting
The POA Reporting Team produce
weekly reports detailing incident data for
the TFS Now and Peak incident stacks.
The POA Reporting team also produce
monthly Service Management Review
reports and the SMC produce a monthly
SMC Service Review pack.
Figure 6: Trend Analysis and Reporting
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref:
2019 CONFIDENCE) Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SDM/PRO/0018
10.0
29-Jan 19
19 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5.1.6 Step 3: Ownership, Monitoring, Tracking and Communication
Responsible: MAC / SMC, SSC
I Step 3
On-going
3.1 Ownership
Ownership, Monitoring, Tracking and
Communication
Throughout the Incident, the MAC / SMC retains
ownership for monitoring and keeping the call
raiser informed of progress, unless the incident
is specifically software related, in which case
SSC hold the responsibility for confirming details
of closure
The MAC / SMC manages the complete end-to-
end Incident process. Activities include:
Regularly monitoring the status and progress
towards resolution of all open Incidents
Monitoring SLT and escalates accordingly.
MAC will alert the POA SDM to the existence of
a pattern likely to produce a Problem.
SMC produce TfSNow Knowledge Articles from
information supplied from SSC KEL
3.2 Alerting
Post Office Account have an account specific
process for alerting. The MAC team achieve
incident monitoring and alerting by constant
monitoring of the incident stacks and conduct
checks during core hours on a 15 minute basis.
ATOS have enable the alerting feature within
SDM 12 for incidents raised in their domain and
monitor alerts for those incidents.
Outputs: The MAC team advise the MAC and
OBC Team SDM when there is a risk of
incidents exceeding agreed SLTs.
Figure 7: Ownership, Monitoring, Tracking and Communication
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 20 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
6 Outputs
The outputs from this process are:
e Where one or more Incidents has been raised for a failure for which the underlying cause is unknown
and a trend is identified, consideration shall be given to raising it as a Problem.
An update to the Knowledge Database
Aworkaround or permanent resolution for a hardware, software or network error
An answer to a question from a user
The receipt and onward transfer of information received by the MAC / SMC
Aservice improvement recommendation.
Change of operations procedures.
Change of Business Continuity Plan (BCP) priorities and documentation.
Where appropriate:
e Monthly Report on all PCI minor incidents
e Record in the Incident Security Portal.
7 Standards
This Process conforms to:
¢ ITIL Best Practice
« BS15000
« Bsg9001
e BS/ISO IEC 27001
e IEC 17799:2005
« PCIDSS version 1.2
8 Control Mechanisms
The contractual measures that apply to this service are described in the Service Desk Service
Description (SVM/SDM/SD/0007).
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 21 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
9 Appendix A: Security Incident Reporting
9.1 Scope
This annex contains guidance regarding the reporting and investigation of security incidents concerning
the HORIZON Network, POA and any Payment Brand incident (PCI).
9.2 Aim
The aim of this guidance is to ensure that the reporting routes for Security Incidents are kept as simple as
possible and that investigations are managed in an efficient and auditable manner.
9.3 Changes
This guidance is primarily for use by the MAC team, the POA Security Team, the POL Security Team,
and SSC staff. The SecOps team also have their own work instructions for handling security incidents
and there is also an overarching Information Security Incident Management Procedure ISSC-11a.
All incident documentation is subject to review and update by the business continuity and information
security teams as part of the lessons learnt process following an incident and following the annual review
of the incident process as part of business continuity.
9.4 POL Incident Handling Guidance
All POL incidents will still be handled in accordance with existing POL/ATOS guidelines. This document
does not replace these or, indeed, replace any part of the content rather it details POA guidance on
handling security incidents.
9.5 IT Incidents
9.5.1 Incident Definition
An information security Incident is: "an adverse event or series of events that compromises the
confidentiality, integrity or availability of Fujitsu Services Post Office Account information or information
technology assets, having an adverse impact on Fujitsu Services and/or Post Office Ltd reputation,
brand, performance or ability to meet its regulatory or legal obligations." This will also extend to include
assets entrusted to Fujitsu including data belonging to Post Office Ltd, its clients and its customers.
9.5.2 Incident Categories
Incidents can be categorised in many ways, they can occur alone or in combination with other incident
categories and can vary significantly in severity and impact. It is important that all incidents are
recognised and acted upon.
For the purpose of illustrating the impact of incidents two levels of severity have been defined (Note: in
practice the assessment may be less straightforward):
A MINOR incident will normally have limited and localised impact and be confined to one domain,
resulting in one or more of the following:
e Loss or unauthorised disclosure of internal or sensitive material leading to minor
exposure, or minor damage of reputation
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 22 of 28
Fs)
FUJITSU
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e Loss of integrity within the system application or data, leading minimal damage of
reputation; minimal loss of customer / supplier / stakeholder confidence; negligible cost of
recovery
e Loss of service availability within the domain, leading to reduced ability to conduct
business as usual; negligible loss of revenue; minimal loss of customer / supplier /
stakeholder confidence; negligible cost of recovery
e — Individual attempts to breach network security controls shall be treated as a minor
security breach.
e Subject to discussions with the POA Duty manager due to high volume of calls relating to
the same type of incident it may well be a requirement to follow the POA Major Incident
Process (SVM/SDM/PRO/0001) following the advice from the POA Duty Manager.
A MAJOR incident will have a significant impact on the Network Banking Automation Community
resulting in one of more of the following:
e Loss or unauthorised disclosure of confidential or strictly confidential material, leading to
brand or reputation damage; legal action by employees, clients, customers, partners or
other external parties
« Loss of integrity of the applications or data, leading to brand or reputation damage; loss
of customer / supplier / client confidence; cost of recovery
e Loss of service availability for applications or communications networks, leading to an
inability to conduct business as usual; loss of revenue; loss of customer / supplier / client
confidence; cost of recovery
e Aconcerted attempt or a successful breach of network security controls shall be treated
as a major security breach.
e Breach of Data Protection Legislation — inclusive of the GDPR, the Privacy and
Electronic Communications (EC Directive) Regulations 2003 and all other Applicable Law
in respect of data protection and data privacy including any applicable guidance or codes
of practice that are issued by the Information Commissioner, Working Party 29 and/or the
European Data Protection Board (and each of their successors);
NB. For a Major Incident the POA Major Incident Process (SVM/SDM/PRO/0001) should be followed.
9.5.3 Examples of IT Incidents
e Theft of IT equipment / property, including software
«Malicious damage to IT equipment /property, including software
e Theft or loss of Protectively Marked, caveat or sensitive IT Data
e Actual or suspected attacks on the Fujitsu Services POA Network or Information System
e Potential compromise of systems or services at the Data Centre through evidence
retrieved and presented by Police or POL's card acquirer
e Attacks on Fujitsu Services Post Office Account personnel via Information Systems. (I.e.
Harassment, Duress
e¢ Malicious/offensive/threatening/obscene emails
e Obscene phone calls
« Breaches of software licensing
e Virus attack and other malicious code attacks
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR _ Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 23 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
«Hacker attacks
° Terrorist attacks
e Insider attacks
e Competitive Intelligence gathering (Unethically)
e Unauthorised acts by employees
e Employee error
* Hardware or software malfunction
e Suspected Fraudulent Activity
e Specific compromise of card data.
The above list is a non-exhaustive list of examples. Any other IT related incidents
reported, will be considered and passed to the appropriate authority for action.
9.5.4 Containment
Whenever an Incident is identified which presents a serious threat to conduct normal business it should
be contained and isolated as quickly as possible. This will mean platforms that appear to have suffered
virus attack or other malicious code attack need to be quarantined immediately to prevent further spread.
It may also be necessary to isolate network connections that appear to be the source for Denial of
Service threats or where they have been subjected to suspected hacking attack.
If the incident relates to card data, the environment may be subject to a Forensic Investigation imposed
by POL's merchant acquirer. In this instance log data will need to be reviewed and analysed.
9.6 Reporting
Whenever a security incident is identified which presents a serious threat to conducting normal business
itis contained and isolated as quickly as possible.
A security Incident is first notified to either the MAC or SMC Team, then transferred to the SecOPs call
stack, once itis initially assessed as a Security Incident by MAC/SMC.
Security Incidents may also be reported directly into the POA SecOps team via the reporting button on
the POA Portal. It is important to allow the 2 reporting methods, as some staff may want to report some
types of security incidents directly to the SecOps team. In accordance with the Fujitsu Security Policy
Manual Section 16, the reporting routes must be kept as simple as possible. The initial report will be
validated and clarified by SecOps, with calls made to the initiator if more information is required. SecOps
will follow team work instructions to progress their investigation.
All Security Incidents are to be reported to the SecOps team via a dedicated mailbox and escalated by
phone if necessary. Depending on the type of Incident and the severity of the incident, POA Security
makes the decision to escalate details to the POL/ATOS Security teams. In the case of Data Centre
incidents, POA Security also informs the Data Centre.
Regardless of the severity of the incident, when a compromise in card data occurs, the incident is
reported to POL Security so that POL can comply with its contractual obligations with its card acquirer.
The investigation of a reported incident is carried out by a nominated investigator from the POA SecOps
team. ATOS and POL Security Teams will be on hand to provide support as required and in accordance
with the POL/ATOS Information Security Incident Management Procedure. The investigator will obtain as
much original evidence as possible to ensure that is admissible in court, if required.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 24 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Following the initial investigation and where considered appropriate, the appropriate senior manager
within POL liaises with the local Police or other external agencies.
When an investigation is closed the POA Security Manager seeks to ensure that details of the
investigation have been recorded and can be made available for Route Cause Analysis, trending &
lessons learned.
9.7 Investigation
9.7.1 Policy
Although all security incidents will initially be reported to the POA Security Manager in order to have one
point of contact for all parties, some or all of the investigation requirements may be passed to one or
more of the following for further action. The decision of delegation will be determined by the POA Security
Manager in association with POL Information Security Incident Manager.
9.7.2 POL Security / Investigation Team
9.7.2.1
In the event that the reporting of an incident is passed to ATOS Security or the Investigation Team,
details of the investigation, and final outcome or reference details, should be added to the TfSNow call
which be communicated to ATOS. It is important that for any incident investigated the correct procedures
are adopted regarding evidence, as the information collected and recorded may be used for evidential
purposes at a later date.
9.7.2.2
In the event that the POA Security Team takes ownership of an investigation, they will report the results
to ATOS.
9.7.2.3
During any investigation the Investigator must comply with the appropriate legislation and compliance
requirements and regulatory or standard requirements.
9.7.2.4
All initial investigations should be carried out at the earliest opportunity and any queries should be
directed to POA Security Manager. Investigation must be reliable, stand up to scrutiny and potential
cross-examination and evidence must be properly obtained, recorded and time stamped.
9.7.3 External Investigator
Should it be considered necessary the incident might be passed to an external Investigator or forensics
team, who will ensure that any data required for evidential purposes is captured and investigated using a
systematic approach which ensures that an auditable record of evidence is maintained and can be
retrieved. In some cases, where a compromise to card data is involved, two Forensic Investigation teams
may be involved. One team operating on behalf of POL gathering the required audit logs to use to
analyse and investigate the problem. A second Forensic Investigations team may be imposed to
investigate on behalf of the card acquirer and card schemes. In all incidences where a Forensic
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 25 of 28
FUJ00234981
FUJ00234981
POA Operations Incident Management Procedure
Fs)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Investigation is involved, the Forensic Investigators will be shadowed by POL's Legal and Security
Teams.
9.7.4 Evidence Rules
9.7.4.1 Rules of Evidence
Before undertaking security incident investigation and computer forensics it is essential that investigators
have a thorough understanding of the Rules of Evidence. The submission of evidence in any type of legal
proceedings generally amounts to a significant challenge, but when computers are involved the problems
are intensified. Special knowledge is needed to locate and collect evidence, and special care is required
to preserve and transport evidence. Evidence in computer crime cases differs from traditional forms of
evidence in as much as most computer related evidence is intangible and is in the form of electronic
pulse or magnetic charge, hence the need to use specialist teams. That said the information collected
and recorded from the Operational areas is equally important and must be recorded with due care and
diligence.
9.7.4.2 Types of Evidence
Many types of evidence can be offered in court to prove the truth or falsity of a given fact.
The most common forms of evidence are Direct, Real, Documentary and Demonstrative.
Direct Evidence
Direct evidence is oral testimony whereby the knowledge is obtained from any of the witness's five
senses and is in itself proof or disproof of a fact in issue. Direct evidence is called to prove a specific act
such as an eye witness statement.
Real Evidence
Real evidence also known as associative or physical evidence is made up of tangible evidence that
proves or disproves guilt. Physical evidence includes such things as tools used in the crime, and
perishable evidence capable of reproduction etc. The purpose of physical evidence is to link the suspect
to the scene of the crime. It is that evidence that has material existence and can be presented to the view
of the court and jury for consideration.
Documentary Evidence
Documentary evidence is presented to the court in forms of business records, manuals, printouts etc.
Much of the evidence submitted in a computer crime case is documentary evidence.
Demonstrative Evidence
Demonstrative evidence is evidence used to aid the jury. It may be in the form of a model, experiment,
chart or an illustration offered as proof.
9.7.5 Process
In most cases response to a reported incident the initial investigation will be carried out by a nominated
investigator normally the POA Security Manager or a member of the SecOps team. ATOS and POL
Security Teams will be on hand to provide backup and assistance if required. When seizing evidence
from a computer related crime the investigator will collect any and all physical evidence such as the
personnel computer, peripherals, notepads and documentation etc., in addition to computer generated
evidence.
There are four types of computer generated evidence:
e Visual output on a monitor.
e Printed evidence on a plotter.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 26 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e Printed evidence on a printer.
« Film recordings on such digital media as disc, USB stick, log files, tape or cartridge, and optical
representation on either CD or DVD.
The investigator will endeavour to obtain as much original evidence as possible. In the event of a court
appearance the court prefers the original evidence rather that a copy but will accept a duplicate if the
original is lost or destroyed or is in the possession of a third party who cannot be subpoenaed.
9.7.5.1
Following the initial investigation and where considered appropriate, the investigator will report to/ liaise
with the local Police and/or other external Agencies; this will only be done following consultation with the
POL Head of security and POL Head of Information Security or substitute.
Copies of the initial and follow up reports will be submitted to relevant authorities and details of all
investigations will be held on file by the POA Security to aid any subsequent trend analysis.
9.8 Remedial Action
9.8.1 On Completion of report
When the final report of an investigation has been completed, it should be passed to the relevant
authority for follow up action, the results of which should be referred back to the POA Security Manager.
9.8.2 Completion of Investigation
When an investigation is closed the POA Security Manager will ensure all details of the investigation
have been recorded and can be made available for subsequent future analysis.
9.9 Trends & Auditing
9.9.1 Frequency
9.9.1.1
POA Security Team carries out a monthly check of investigations and creates a summary report
highlighting incidents to the POL Head of Information Security.
The report highlights trends or weaknesses which may need to be raised at future Information Security
Management Forums (ISMF). POA will also submit a quarterly report to the Fujitsu Security
Management Forum, to ensure that Fujitsu Security Incident trends can be reviewed in the round.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
2019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 27 of 28
FUJ00234981
FUJ00234981
ee) POA Operations Incident Management Procedure
! FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
10 Appendix B Contacts
10.1.1 Security Incidents
e = Jason Muir (POA Operational Security Manager)
10.1.2 Major Incident Manager Contact Details
¢ Matthew Hatch t
« Sandie Bothick
e =Tony Wicks —
¢ Steve Bansal —
10.1.3 Out of Hours Duty Manager Contact Details
Please refer to Account Call Out Rota for the applicable OOH Duty Manager
¢ Sandie Bothick —
e Andy Hemingway
e Ramana Ravula —
17.30 - 09.00 Monday PM to Thursday AM
17.00 - 09.00 Friday PM to Monday AM
Outside these times, please contact the Major Incident Manager
Note: Names and phone numbers are correct at the time of document issue and subject to change. In the
event of difficulties refer to the Fujitsu Services Global Address List for the latest details.
10.1.4 POA Service Delivery Manager Contact Details
The Post Office Account service delivery contact details can be found on the Post Office Account Share
Point under Operations > BCP in a folder named Post Office Account Service Delivery Contact Details.
©Copyright Fujitsu Services Ltd 2006- FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SDM/PRO/0018
1019 CONFIDENCE) Version: 10.0
UNCONTROLLED WHEN PRINTED OR Date: 29-Jan 19
STORED OUTSIDE DIMENSIONS Page No: 28 of 28