FUJ00235006
FUJITSU Post Office HNG-X Account ISMS
Manual
FUJITSU RESTRICTED
COMMERCIAL IN CONFIDENCE
Document Title: Post Office HNG-X Account ISMS Manual
Document Reference: SVM/SEC/MAN/0003
Document Type: Manual
Release: N/A
Abstract: An approach and framework to implementing,
monitoring and improving Information Secu
HNG-X Account.
Document Status: WITHDRAWN
Author & Dept: Chris Cole - Post Office Account
Approval Authorities:
Name Role
Tom Lillywhite
©Copyright Fujitsu Ltd 2014 FUJITSU RESTRICTED Ref: SVM/SEC/MAN/0003
COMMERCIAL IN CONFIDENCE Version: 5.0
Manual Date: 30-Apr-2014
UNCONTROLLED IF PRINTED Page No: 1 of 111
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations
0.6 Glossary
0.7 Changes Expected
1 INTRODUCTION AND SCOPE
1.1 ISMS Manual Overview
1.2 Scope
1.2.1 Statement of Scope
1.2.2 Exclusions
1.2.3 Statement of Applicability
2.1 Information Security Definition
ISMS Operating Procedures
Introduction
INFORMATION SECURITY RISK MANAGEMENT
4.1 Information Security Risk Management Objectives
4.2 Information Security Risk Management Approach
4.3 Objective Measures
4.4 Measures of Effectiveness
4.5 Risk Treatment Options
4.6 Monitoring POA Information Security Risks
5 INFORMATION SECURITY POLICY
5.1 Fujitsu Corporate Information Security Requirements
5.1.1 POA Information Security Policy
5.1.2 POA Information Security Policy Review
ORGANISING INFORMATION SECURITY
POA Information Security Organisation
6.1.1 Management Commitment to Information Security
Information Security Co-ordination
Allocation of Information Security Responsibilities
Authorisation Process for Information Processing Facilities
Confidentiality Agreements
Contact with Authorities
Contact with Special Interest Groups
6.1.3 Independent Review of Information Security
6.2 External Parties
6.2.1 Identification of Risks Relating to External Parties
6.2.2 Addressing Security when Dealing with Customers
6.2.3 Addressing Security in Third Party Agreements
ASSET MANAGEMENT
Responsibility for Assets
Inventory of Assets
Ownership of Assets
Acceptable Use Policy
7.2 Information Classification
7.2.1 Fujitsu / POL Classification Guidelines
7.2.2 Information Labelling and Handling
Physical Entry Controls
9.1.3 Securing Offices, Rooms and Facilities
9.1.4 Protecting Against External and Environmental Threats
9.1.5 Working in Secure Areas
9.1.6 Public Access, Delivery and Loading Areas
9.2 Equipment Security
Equipment Location and Protection
Supporting Utilities
Cabling Security
Equipment Maintenance
Security of Equipment Off-Premises
9.2.6 Secure Disposal or Re-use
9.2.7 Removal of Property
10 COMMUNICATIONS AND OPERATIONS MANAGEMENT
10.1 Operational Procedures and Responsibilities
10.1.1 Documented Operating Procedures
10.1.2 Change Management
Segregation of Duties
10.1.4 Separation of Development, Test and Operational Facilities
10.2 Third Party Service Delivery Management
10.2.1 Service Delivery
10.2.2 Monitoring and Review of Third Party Services
10.2.3 Managing Changes to Third Party Services
10.3 System Planning and Acceptance
Capacity Planning
10.3.2 System Acceptance
10.4 Protection against Malicious and Mobile Code
10.4.1 Controls against Malicious Software
10.4.2 Controls against Mobile Code
10.5 Backup
10.5.1 Information Backup
10.6 Network Security Management
10.6.1 Network Controls
10.6.2 Security of Network Services
10.7 Media Handling
Management of Removable Media
Disposal of Media
Information Handling Procedures
Security of System Documentation
10.8 Exchange of Information
10.8.5 Business Information
Electronic Commerce Services
Clock Synchronisation
11 ACCESS CONTROL
11.1 Business Requirement for Access Control
11.1.1 Access Control Policy
11.2 User Access Management
11.2.1 User Registration
11.2.2 Privilege Management
User Password Management
11.2.4 Review of User Access Rights
11.3 User Responsibilities
11.3.1 Password Use
11.3.2 Unattended User Equipment
11.3.3 Clear Desk and Clear Screen Policy
11.4 Network Access Control
11.4.1 Policy on Use of Network Services
11.4.2 User Authentication for External Connections
11.4.3 Equipment Identification in Networks
11.4.4 Remote Diagnostic and Configuration Port Protection
Segregation in Networks
Network Connection Control
Network Routing Control
Operating System Access Control
Secure Log-on Procedures
User Identification and Authentication
Password Management System
Use of System Utilities
Session Time-out
Limitation of Connection Time
11.6 Application and Information Access Control
11.6.1 Information Access Restriction
11.6.2 Sensitive System Isolation
11.7 Mobile Computing and Teleworking
11.7.1 Mobile Computing and Communications
11.7.2 Teleworking
12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
Correct Processing in A
Input Data Validation
Development and Support Processes
Control Procedures
Information Leakage
12.5.5 Outsourced Software Development
12.6 Technical Vulnerability Management
12.6.1 Control of Technical Vulnerabilities
13 INFORMATION SECURITY INCIDENT MANAGEMENT
13.1 Reporting Information Security Events and Weaknesses
13.1.1 Reporting Information Security Incidents
13.1.2 Reporting Security Weaknesses
13.2 Management of Information Security Incidents and Improvements
13.2.1 Responsibilities and Procedures
13.2.2 Learning from Information Security Incidents
13.2.3 Collection of Evidence
14 BUSINESS CONTINUITY MANAGEMENT
14.1 Information Security aspects of Business Continuity
14.1.1 Including Information Security in the Business Continuity Management Process
14.1.2 Business Continuity and Information Security Risk Assessment
14.1.3 Developing and Implementing Continuity Plans including Information Security
14.1.4 Business Continuity Planning Framework
14.1.5 Testing, Maintaining and Re-assessing Business Continuity Plans
15 COMPLIANCE
15.1 Compliance with Legal Requirements
15.1.1 Identification of Applicable Legislation
15.1.2 Intellectual Property Rights (IPR)
15.1.3 Data Retention and Protection of Organisational Records
15.1.4 Data Protection and Privacy of Personal Data
15.1.5 Prevention of Misuse of Information Processing Facilities
15.1.6 Regulation of Cryptographic Controls
15.2 Compliance with Security Policies and Standards
15.2.1 Compliance with Security Policies and Standards
15.2.2 Technical Compliance Checking
15.3 Information Systems Audit Considerations
15.3.1 Information System Audit Controls
15.3.2 Protection of Information System Audit
0.2 Document History
Version Date Summary of Changes and Reason for Issue
0.1 Initial Draft
0.2 19/02/08 Updated with information from service description
0.2 19/02/08 Issued for Review
1.0 30/04/08 Issued for Approval after updating with review comments
1.1 30/04/09 Review Amendments
1.2 14/12/09 Updates to reflect HNG-X
1.3 16/12/09 Risk Approach updates
1.4 Review and update
1.5 8/04/10
1.6 01/06/10
1.7 16/06/2010
1.8 24/06/2010
2.0 21/07/2010
2.1 30/08/2011
2.2 26/05/2012
2.3 02/11/201
2.4
2.5 Revised as per Bill Membery comments.
3.0 Approval version
Major Revision. This ISMS Manual is a change of approach and addresses the requirements of ISO/IEC 27001:2005 and is intended to capture how the POA is compliant.
Revised following review.
Approval version
Section 4.1, new Information Security Risk Management Objectives, new section 4.3 Objective Measures and 4.4 Measures of Effectiveness
5.0 30-Apr-2014 Approval version
WD 31-May-2017 ISMS now EMEIA centralised
0.3 Review Details
Review Comments by
Review Comments to CISO, Information Security Risk and Assurance Manager
Mandatory Review
Role Name Paragraphs
CISO Brad Warren All
Acting CISO Tom Lillywhite All
Delivery Executive James Davidson 6.1.1, 6.1.3,
Security Operations Manager Kumudu Amaratunga
11.2.4, 11.3.1, 11.3.2, 4
12.6.1, 13.1.1, 13.1.2, 1
15.3.2,
Quality and Compliance Manager Bill Membery
Security Architect Dave Haywood 10.10.6, 11.4.2, 11.4.3,
11.4.7, 11.5.1, 11.5.2,
-5.6, 11.6.1, 11.6.2, 12.4.1,
2, 12.5.3, 12.5.4,
Commercial Manager Sarah Guest 15.1.1, 15.1.2, 15.1.3, 15.1.4
Service Implementation Manager Ian Sinclair
7.4,
Document Manager Matthew Lent
Commercial Change Manager .2, 10.2.3, 12.5.1
HNG-X Test LST Test 10.1.4, 12.4.2
Manager
Lead SDM - End User Services 10.2.1, 10.2.2
Network yy, Hemingway 10.2.1, 10.2.2
Catherine Obeng 10.2.1, 10.2.2
Gaby Reynolds 10.2.1, 10.2.2
Steve Parker 10.3.1,
Service Governance Manager Adam Bowe 10.3.2,
Software Development Manager Nick Lawman 10.4.2, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.5.5
Principal Technical Services Specialist Edward Ashford 10.5.1
Tech Support Specialist Niall Vincent 10.10.2
Business Continuity Manager Sathish Ramalingam 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.1.5
Name Paragraphs
Security Operations Manager Kumudu Amaratunga All (other than those stated above)
Quality and Compliance Manager Bill Membery 4, 7.1.1, 7.1.2, 7.1.3
Issued for Information - Please restrict this distribution list to a minimum
Position/Role Name
POL Via the ISMF
0.4 Associated Documents (Internal & External)
Reference Version Date Title
ISO/IEC 27001:2005 1.0 October 2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements BSI ISO/IEC
SVM/SEC/POL/0003 HNG-X Account Information Security Policy
NSN 20 8 May 2013 Fujitsu UK&I BMS Security Manual. Café Vik
CPM20 8.1 11 Apr 2011 Fujitsu Security
CPM3 6.1 19 Jul 2011 Café Vik
CPM6 74 21 Nov 2011 Café Vik
CPM21 3.4 21 Nov 2011 Café Vik
CPM27 2.41 17 Aug 2011 Café Vik
CPM31 6.1 11 Apr 201 Café VIK
CPM36 22 Café Vik
C-MP1.2 Café Vik
N/A Fujitsu Way Code of Conduct Global Business Standards Café Vik
Group/Q&BE/08 Control of Documents Policy Café Vik
N/A (Fujitsu) Security Governance Café Vik
SVM/SEC/PRO/00 HNG-X Information Security Risk
4 Management Procedure
QMSR Terms of Reference Dimensions
18 Feb 2009 Information Security Management Forum Terms of Reference Dimensions
19 Jun 2013 Professionals Communities Policy Café Vik
13 Jun 2013 POA Security Roles and Responsibilities Dimensions
SVM/SEC/STD/0026 POA CISO Terms of Reference Dimensions
C-IDBM1.3 3.4 22 Oct 2012 Infrastructure Design and Build Methodology Café Vik
NSN 1.0 4 Jun 2011 Fujitsu Conduct Policy Café Vik
NSN 1.0 41 Mar 2011 Fujitsu Conduct Guidelines. Café Vik
NSN 2.1 1 Aug 2012 Bullying, Harassment and Victimisation Policy Café Vik
COM/MGT/REP/0001 6.3 20 Mar 2013 Transfer Asset Register Dimensions
ITG-PO1 3.4 42 Jul 2013 Fujitsu UK & Ireland Business Operations, Information and Technology Group Internal IT Policy Café Vik
SVM/SEC/STG/0739 1.0 31 May 2010 Security Communications Strategy Dimensions
NSN 1.2 11 Feb 2013 Quick Reference Guide - Fujitsu UK & I - Information Classification Matrix. Café Vik
FPVS v 3-1 3.4 12 Sep 2012 Explanatory Notes and Application Form: Fujitsu Personnel Vetting Café Vik
Fujitsu Welcome :
NSN 2.2 1 Oct 2012 Process Café Vik
GB/BSA/0002 2.0 16 May 2013 Café Vik
1SNO01021 3.2 9 Jul 2009 Café Vik
ISN/001377 Café Vik
ITGSM-POL-0017 Café Vik
PGM/CM/PLA/0001 Configuration Plan for HNG-X Dimensions
PA/PER/033 HNG-X Capacity Management and Business Volumes Dimensions
SVM/SDM/PRO/0039 Removal and or Destruction of Electronic Media Dimensions
. HNG-X Backup and Recovery
DES/SYM/HLD/00; ). Nov 2010 HLD Dimension
sco02 17 Nov 2010 Manage Recycle Service Café Vik
DEV/INF/LLD/041 10 Mar 2011 HNG-X Test Services LST Rig Low Level Design Dimensions
28 May 2013 SV&I HNG-X Test Services Low Level Design Dimensions
HNG-X Platform Hardware Instance List Dimensions
ARC/NET/ARG/0001 HNG-X Network Architecture Dimensions
ARC/SEC/ARC/0003 3.0 12 May 2012 HNG-X Architecture - Security Architecture Dimensions
ARC/SVS/ARC/0001 3.4 5 Apr 2012 Horizon (On-Line) Architecture - Support Service Dimensions
ISNO06654 1.0 19 Dec 2012 User Registration Management Procedure Café Vik
NSN 0.2 6 Dec 2012 Account User Access Procedure Café Vik
ITGSM-05 - 22 Feb 2013 Information and Technology Group Fujitsu Managed Mobile Service Security Policy Café Vik
N/A A Managers Guide to Home Based Working Café Vik
CADBM1.2 4.0 26 Sep 2008 Fujitsu UK&I BMS ADBM Build and Unit Test Café Vik
PGM/PAS/PRO/0002 6.0 1 May 2013 HNG-X Design & Build Methodology Requirements and Design Process Dimensions
PGM/PAS/PRO/0003 5.0 1 May 2013 HNG-X Design & Build Methodology Code, Build and Component Test Process Dimensions
DEV/GEN/TEM/0003 2.0 25 Jan 2013 HNG-X Generic Code Review Template
HNG-X Tool for Obfusc i
DEV/GEN/SPG/0023 46 17 May 2013 Counter/BAL-OS! Dimensions
PO SMC 4LS GDC Sow 6.0 7 Sep 2012 Dimensions
Hs1.1 2.1 25 Jan 2011 Café Vik
DES/APP/HLD/0029 Dimensions
cPMs1 8.0 Master Policy Café Vik
LAB 1.9 age Continuity of Fujitsu UK Café Vik
2land Business Process
SVM/SDM/PLA/0003 HNG-X Business Continuity Test Dimensions
NSN Business Continuity Test Schedule Planner
PGM/PAS/MAN/0004 Quality and Compliance Framework Dimensions
Group/Q&BE/03 Documentation and Record Standards Café Vik
referred to above, reference should be made to the current approved versions of the documents.
0.5 Abbreviations
Abbreviation Definition
AD Active Directory
ALM Application Lifecycle Management
ARQ Audit Record Queries
API Application Programming Interface
BAL Branch Access Layer
BAU Business as Usual
BMS Business Management System
DPA Data Protection Act
CBT Computer Based Training
CCB Change Control Board
CCD Contract Controlled Document
CISO Chief Information Security
COTS Commercial Off the Shelf
CP Change Proposal
CR Change Request
CSLC
CT
DAB
GDC
GRN
HLD
HNGxDBM
Hardware Security Module
Hyper Text Transfer Protocol
Hyper Text Transfer Protocol Secure
Infrastructure Design and Build Methodology
Intrusion Detection Systems
Intellectual Property Rights
ISAE International Standard of Assurance Engagements
ISBR Information Security Review Board
ISMS Information Security Management System
ISMF Information Security Management Forum
Key Services
Key Service Client
Local Area Network
Live System Test (LST)
Low Level Design
Managed Service Change
Network Persistence Store
Network Time Protocol
Operational Level Agreement
Operations Security Manager
Online Service Router
Pluggable Authentication Module
Primary Account Number
PCCB Programme Change Control
PCDA
PCI-DSS
PDC
PIN
PKI
POA
POL
POLMI
POMS
QMSR
RDP Remote Desktop Protocol
Request for Work Package
Recovery Point Objective
Return to Operation
Statement of Applicability
Service Level Agreement
SLS Supply and Lifecycle Services
SMC Systems Management & Global Cloud
SOP Standard Operating Procedure
SoW Statement of Work
SPG Support Guide
SSIP Security Services Improvement Programme
SSL Secure Sockets Layer
SV&I Systems Validation and Integrity
TEM Tivoli Event Management
TNT Thomas Nationwide Transport
TK Traffic Keys
UPS Uninterruptible Power Supplies
WAN Wide Area Network
VLAN Virtual Local Area Network
VPN Virtual Private Network
4" Line Support
0.6 Glossary
Term Definition
Cardholder Data: PCI-DSS Term defined as the PAN or the PAN plus any of the following:
• Cardholder Name
• Expiration Date
• Service Code
• Start Date
• Issue Number
PCI-DSS: A set of security controls defined by the Payment Card Industry organisation.
0.7 Changes Expected
This is a major revision and changes are expected following peer review.
1. Introduction and Scope
1.1 ISMS Manual Overview
This Information Security Management System (ISMS) Manual supports the Fujitsu Post Office
Account Information Security Policy in describing the overall strategy for providing Information
Security and is based upon security practice as defined by ISO/IEC 27001:2005.
It should be noted that achieving ISO/IEC 27001:2005 certification or indeed Compliance is not a
contractual deliverable but as both Post Office Limited (POL) and Fujitsu recognise t
that adherence to the Standard brings the overarching principles will unde
Office Account Information Security approach.
Post Office Account which, together with the Framework of Contre
Contractual requirements.
1.2 Scope
1.2.1 Statement of Scope
This ISMS covers activities undertaken by t
POL including design, development, dep
support of services, as well as
governance and administrative
This ISMS Manual document de
is based upon best practice
Data, Personal Identifiable Information, POL Financial Information, POA
Information, Audit Data and Operational Data.
provided by Fujitsu's Global Delivery Centre (GDC) are mentioned within this ISMS
but it should be recognised that GDC hold independent ISO/IEC 27001:2005
Certification. This is accepted by the POA and their local implementation is not further expanded
upon.
1.2.3. Statement of Applicability
The POA shall implement and maintain a Statement of Applicability which will capture the
Controls in place to support the ISMS. It shall also specifically state what ISO/IEC 27001:2005
Controls are out of scope and include a justification for their exclusion.
2 Information Security Management
2.1 Information Security Definition
Information is an asset, which, like other important business assets, has value to an organisation
and consequently needs to be suitably protected. Information Security protects information from a
wide range of threats in order to safeguard customers and staff, ensure business continuity,
minimise business damage and maximise operational efficiency.
Information can exist in many forms. It can be printed or written on paper, stored electronically,
transmitted by post or using electronic means, shown on films, or spoken
Whatever forms the information takes, or means by which it is shared or
be appropriately protected and is subject to the provisions of this policy
Information Security is characterised here as the preservation of
• Confidentiality: ensuring that information is accessible only
access;
• Integrity: safeguarding the accuracy and com
methods;
• Availability: ensuring that authorised us
assets when required.
Information Security is achieved by impl
h to managing sensitive company
isses people, processes and IT systems.
2.2
2.2.1
C written descriptions of the management processes and activities
ate and control the ISMS.
HNG-X Account adopts the Plan, Do, Check, Act (PDCA) process approach for
Security management as presented in ISO/IEC 27001:2005 which promotes:
• Understanding an organization's Information Security requirements and the need to
establish policy and objectives for Information Security.
• Implementing and operating controls to manage an organization's Information Security
risks in the context of the organization's overall business risks.
• Monitoring and reviewing the performance and effectiveness of the ISMS.
• Continual improvement based on objective measurement.
2.2.2.1 Plan
The cyclic Information Security lifecycle offers reoccurring opportunities for continuous
improvements to the ISMS. New opportunities for improvement to reduce a new or previously
identified risk can come from a variety of sources including, but not limited to,
• Audit findings
• Information Security reviews
• Information Security incidents
• Change in industry best practice advice
• Technology change
• Environment change
When the requirement for a new or a significant change to existing, policy ure
etc is identified an Information Security Risk may be added to the Information
• To the Information Security Management System that
Confidentiality, Integrity or Availability of the Services ot
• To the documentation within the ISMS Framework
2.2.2.2 Do
On appropriate approval the CISO is to i tation of the Controls as identified
in the Risk Treatment Plan.
The CISO is to determine the mechanism to communicate the Control change
to all members of staff. Options include, but are not limited to,
• Email bulletin
• Sharepoint
• Notice Boards.
2.2.2.3 Check
specific Account internal Information Security audit programme is considered to be superfluous
as it is anticipated that all requirements will be met in customer / internal Fujitsu driven activities.
2.2.2.4 Act
The Statement of Applicability is to be adjusted accordingly and the document management
control updated.
The ISMS change is to be formally communicated to all staff and all interested parties with an
appropriate level of detail according to each circumstance.
All lessons learnt shall be captured and any improvement principles that can be applied to any
other preventative or corrective actions should be extended across the ISMS.
2.2.3 Management Review of ISMS
The CISO shall ensure that the ISMS is reviewed at planned intervals (at least annually) to ensure
its continuing suitability, adequacy and effectiveness.
This review shall include assessing opportunities for improvement and the need for changes to
the ISMS, including the Information Security policy and Information Security objectives.
2.2.3.1 Review Inputs
The review shall consider
• Results of ISMS Audits (External and Internal)
• Major Information Security Incidents
• Status of Information Security Risk Register
• Feedback (both Internal and External)
• Changes that could impact the ISMS.
2.2.3.2 Review Outputs
The review shall produce
• ISMS Improvement Recommendations
2.3
s to the ISMS are discovered will determine whether the Corrective or
Plan is followed.
Corrective and Preventative Plans thereafter
2.3.1 Corrective Action Plan
The Corrective Action Plan should be initiated when non-conformity is identified as the result of
an activity that has occurred.
Nonconformities can be identified through a number of avenues including
• Information Security Incidents
• Monitoring and Alerting
• Internal and Independent Audit Reports
2.3.2 Preventative Action Plan
The Preventative Action Plan should be initiated when non-conformity is identified as the result of
an activity that has either not occurred or has not been previously reported as an Information
Security Incident.
Potential nonconformities can be identified through a number of avenues including
• Management Reviews of the ISMS
• Internal and Independent Audit Reports
• Monitoring and Alerting
• Reporting of Information Security Weaknesses
2.4 Corrective and Preventative Action Plan
2.4.1 Determining the Causes of Non-Conform
2.4.1.1 Technical Non-Conformities
The CISO shall liaise with appropriate technical specialists to identify the root cause of any
technical non-conformity.
2.4.1.2 Non-Technical Non-Conformities
The CISO shall engage with appropriate
representatives to identify the root cause of any non-technical non-conformity.
2.4.2
-conformance(s).
nt shall be presented to the Quarterly Quality Management and
formity constitutes a breach of Contract.
Any non-conformity that constitutes a breach of Contract is to be addressed with the highest
priority and captured in the Information Security Risk Register.
Should any additional resource be required the CISO is to consider presenting mitigating
proposals at an appropriate POA Change Board.
2.4.2.2 Longer Term Remediation
An entry shall be made in the Information Security Risk Register and managed according to the
combined likelihood and impact scores as defined by the Information Security Risk Management
Methodology. Additionally, ISMS non-conformities may be considered as a candidate for
remediation through the SSIP.
Where remediation of the non-conformity falls outside the Contractual boundaries then the CISO
shall present any recommendations for POL to consider as a Project.
2.4.3. Implementing Mitigating Measures
Any adjustment to mitigating security controls must be approved at an appropriate managerial
level proportional to the level of change required.
3 Document and Records Management
3.1 Introduction
All documents required by the ISMS are controlled through the Fujitsu Services Control of
Documents Policy.
Records are established and maintained to provide evidence of conformity to requirements and
the effective operation of the ISMS.
3.1 ISMS Document Structure
[Figure: ISMS document structure. Elements shown: Information Security Policy (CCD); Risk Assessment Methodology; Risk Identification "STREAM"; Risk Analysis; Risk Treatment Evaluation; Risk Register; Risk Treatment Plan; Statement of Applicability; Related Records (Audit Reports, Incident Reports, Education Records, Minutes etc.); ISMS Management & Monitoring Records (Information Security Management Forum (ISMF), Quality and Security Management Review Meetings).]
3.2 Key Documents and Records
The following key documents support the ISMS:
Document Description Location Retention
POA Information Security Policy Dimensions Life of the ISMS.
ISMS Manual (this document) Dimensions Life of the ISMS
Statement of Applicability Dimensions
Information Security Management Forum/Board TOR's Dimensions
QMSR/ISMF Minutes
Information Security Risk Registers
Risk Treatment Plans Life of the ISMS
Integrated Audit Plan Current year +1
Audit Reports 7 years
Reports of Security Incidents 7 years
Life of the ISMS
Information Security Monthly Report
4 Information Security Risk Management
4.1 Information Security Risk Management Objectives
The objectives of the ISMS are to:
• Provide an information security framework within which the programme is developed,
delivered and implemented to all relevant areas of the business;
• Provide an organisational and responsibility framework for security activi
security roles and responsibilities;
• Identify risks associated with the provision of the POL S
assessment techniques, and prioritise and implement appro
measures;
• Ensure appropriate security and business continuity proc
to support Services provided;
• Ensure that information security controls
information processed and stored;
• Ensure contractual, legal & regulator
• Identify the security awarene
subcontractors.
4.2 Information Security Risk Management Approach
ally agreed version, and the Fujitsu Services
ited in the HNG-X Information Security Risk
Risk Management approach is not a blanket risk assessment
lanned or reactive technique for making business decisions
risks to identify whether there are potential threats which could be
that, if exploited, could have an adverse impact on the POA or POL.
services Post Office Account will implement and maintain Information Security Risk
rs which shall be the repository for Information Security Risks.
4.3 Objective Measures
Objective | Measure Target
1 A management system, based on an | Ongoing maintenance of the ISMS per
information security risk approach, | registration to ISO27001:2005, under the
exists to establish, implement, operate, | auspices of the Plan, Do, Check, Act
monitor, review, maintain and improve | cycle.
information security.
Demonstrated through the review of
audit coverage & results; corrective
actions; security incidents; risk
assessment and reviews.
2 An organisational framework has been | Appropriately competent appointees
established, and approved by RMGA, to | identified and in post (with relevant and
identify and allocate security roles and | approved TORs).
responsibilities. | Subject to regular review & update by the
| ISMF.
3 A formal risk management process has | A fully documented risk
been established whereby relevant risks | process including a con
will have been identified, measured and | risk registers
appropriate controls and
countermeasures implemented.
management
framework,
Demonstrated through the risks being
reviewed on a regular basis as part of
the Business Review Process.
4 Controls relevant to the identified asset
risks are in place together with
documented business continuity plans,
test schedules and scripts.
isset register, business
. test schedules and
subject to regular
(as applicable)
Demonstrated through
completeness of BC plans
5 The ISMF meets on a formal and regular
Forum (ISMF) ha: basis and minutes (with concomitant
established to requirements) are distributed to relevant
stakeholders.
6 The SoA, which can be affected by
changing business circumstances, is
reviewed at a minimum on an annual
basis, and updated where applicable.
of controls will be
reviewed and documented through the
local audit programme.
The handling of information will be in | Training, Awareness and Communication
strict compliance with all relevant | programs are established to ensure all
contractual, legislative and regulatory | stakeholders are apprised of the
requirements. | requirements. The requirements
| themselves are visited on a regular basis
Demonstrated through audit results and | to ensure currency.
incident review.
8 All personnel who are assigned | Regular review of staff records to ensure
responsibilities defined in the ISMS | compliance with ISMS. Ongoing CBT
have documented records of training, | training is monitored and reported, with
skills, experience and qualifications. | relevant records maintained.
4.4 Measures of Effectiveness
Measures of effectiveness for controls and groups of controls are as follows:
• The audits and their results
• Technical testing e.g. penetration testing
• STREAM dashboard
• Incident reporting and lessons learnt
• Manage change process
4.5 Risk Treatment Options
There are several options available when considering identified Information Security Risks. The
chosen option (or mix of management techniques) will dep
level of the risk.
The key options are:
st of control is greater
Risk Tolerance lo accept such risks.
‘mation Security Risk, and there is
Risk Termination ity or to conduct the process in a
Risk Treatment
representative at the ISMF.
n Security Risk Manager shall maintain the Information Security Risk Register and
Owners on the progress of Risk entries and provide summary updates to the
required.
5 Information Security Policy
5.1 Fujitsu Corporate Information Security Requirement
The Post Office Account is to be compliant to the Fujitsu UK&I BMS Security Master Policy (Ref:-
CPM20) as the policy is applicable to all Employees, Contractors and businesses carried on by
Fujitsu Services Limited and its subsidiaries and any other company or organisation (including
working partners operating or carrying out work on Fujitsu UK & Ireland sites or elsewhere on
behalf of Fujitsu UK & Ireland) that is managed by the Chief Executive Officer, Fi United
Kingdom and Ireland.
Failure to comply with this Policy, the Fujitsu UK&I BMS Security Polic
subsidiary policies and procedures or to neglect personal security res;
the Global Business Group Global Business Standards may lead to disci
Further guidance to managing Information Security is provided in!
Security Policy (Ref:- C-MSv1.10).
5.1.1. POA Information Security Policy
The Post Office HNG-X Account Information Security
captures the Executive Information Security
ind relevant POL Information
urity policies and overarching
It is consistent with Contractual and Regula
Security Requirements as expressed in the
applicable principles of ISO/IEC27! i
5.1.1.1. Communication
The Information Security Poli
Account Information.Security
communicated
replaces the
sure that all changes to the Post Office HNG-X
Account Information Security Policy is owned by the Fujitsu Post Office
mation Security Officer (CISO) who is responsible for its maintenance and
The policy will also be updated whenever necessary to reflect the needs and obligations of the
Fujitsu Post Office Account and developments in relevant best practice.
The annual review will include a review of effectiveness, impact of the policy on the business and
the effect of technology changes on the policy.
5.1.2.1. Review Timings - Scheduled Annual Review
At a period no later than eleven calendar months from the previous approval date the CISO is to
initiate a review of the Post Office HNG-X Account Information Security.
It should be noted that some Policy and Procedural documents referenced from the Post Office
HNG-X Account Information Security Policy are owned and maintained at a corporate level and
their maintenance is outside the influence of the Account Security Management Team.
The Account Security Management Team will request that these be updated but no guarantees
can be given.
5.1.2.2 Review Timings - Unscheduled Annual Review
On notification of a major Information Security incident or significant change affecting the ISMS,
the CISO is to initiate a targeted review of the relevant Information Security Documentation as
soon as reasonably practical, typically within 20 working days.
Note:- An unscheduled review of individual Information Security Docu
the annual review cycle requirement as not all areas of the Informatio
will be reviewed.
5.1.2.3. Review Scope - Scheduled Annual Review
The annual Information Security Policy review shall encompass the.
Information Security Policy and POA ISMS Manual.
eview initiated by a major Information Security
se segments of the Information Security
Any ad-hoc Information Security
Incident or significant change s!
Policy, ISMS Manual or suppor
all relevant business areas in reviewing the continuing
of the Information Security Policy, the ISMS Manual and
rk instructions and capture any changes within 15 working days.
f the Information Security Policy, ISMS Manual or supporting procedures and
anges within 20 working days.
5.1.2.7 Documentation
All alterations to the Information Security Policy, ISMS Manual or supporting procedures and / or
work instructions shall be captured by version control within the document history.
The CISO is responsible for presenting the reviewed Information Security Policy, ISMS Manual or
supporting procedures and / or work instructions to the Delivery Executive, or a nominated
representative, for management approval.
5.1.2.8 Senior Management Approval
The Delivery Executive or a nominated representative shall approve the Post Office HNG-X
Account Information Security Policy prior to the annual renewal date.
5.1.2.9 Senior Management Non-Approval
The Delivery Executive or a nominated representative shall identify and communicate to
document owners any non-approval issues prior to the annual renewal date.
5.1.2.10 Senior Management Non-Approval — CISO’s Action
Document owners should agree a corrective course of action, with agreeable tim
Delivery Executive or a nominated representative.
6 Organising Information Security
6.1 POA Information Security Organisation
6.1.1. Management Commitment to Information Security
Senior Management commitment to Information Security is demonstrated on Fujitsu's Post Office
Account by the Delivery Executive having approved the Information Security Policy and by giving
delegated authority of Information Security implementation to the CISO.
6.1.1.1 Fujitsu’s Corporate Security Governance Framework
Ensuring effective management of business risk is the responsibil
Governance Board, made up of directors and external audit.
The Security Management Board is responsible for overseeing
risk and reporting that this is being carried out to the Corporate
Security Policy and mandates this to all areas of the i
incidents from the Security Management Forum as well.
ice Board. It approves
details of risks and
The Security Management Forum is respon:
and process, based on changes to busin
submitted by businesses. Process chan
nding changes to security policy
ind a review of incidents and risks
d to the Engineering Board to
[Figure: Security Governance Structure. Levels shown: Fujitsu Services Corporate Governance Board (includes Directors and External Audit; reviews corporate risk); Engineering Board (Senior Process Owners; approves investment recommendations; responsible for agreeing process strategy and roadmap); Security Management Board (risk, metrics, policy changes, incidents); Account / Functional Unit (risks, incident data). The format of the governance structure at this level is not mandated.]
6.1.1.2 Fujitsu Post Office Account Security Governance
Information Security is an inherent part of, and is seen as a core responsibility of, the Fujitsu Post
Office Account. Executive sponsorship ensures that the Account:
• Allocates sufficient expert resource to address its Information Security obligations;
• Participates fully in customer meetings and workshops responsible for information
exchange, the advancement of best practice definition and communication;
• Takes steps to ensure that all of its services are delivered from a standpoint of compliance
with this Policy, through endorsement by executive management and a culture of intolerance
of non-adherence.
6.1.1.3
Post Office Account Organisation Chart
6.1.1.4 Post Office Account Security Team Or:
The POA Security Team Organisation Chart ca!
nt%20Organisation.pdf
6.1.2 Information Securi
There is a POA Quali 3
and is chaired by ‘Membership and governance of the QMSR is detailed
» SVM/SEC/STD/0027).
igement Forum (ISMF) which operates in accordance with terms of reference (Ref:
STD/0031) agreed between both parties
6.1.3 Allocation of Information Security Responsibilities
The POA Security Roles and Responsibilities (Ref:-SVM/SEC/MAN/2220) fully defines security
roles and responsibilities and is summarised below.
6.1.3.1 Fujitsu Service Post Office Account Delivery Executive
The POA Delivery Executive has ultimate responsibility for security, with the responsibility for
policy and the general direction of Information Security delegated to the CISO.
The Information Security related responsibilities of the POA Delivery Executive incl
• Overall control and management of Information Security throughot
• Provision of adequate resources for Information Security and aI
security professional responsible for managing and coordi
across the complete POA domain.
• Approval authority for the POA Information Security:
• Ownership and overall control and management of Oper
• Overall control of Information Security Risk Mi
• Chairing the POA Quarterly Quality M;
Senior management is supported by the P\
specialists with specific expertise in the at
Management.
which consists of experienced
\d Information Security Risk
and the responsibilities of the
SVM/SEC/STD/0026).and sui
wing the Post Office HNG-X Account Information Security Policy and approving
supporting Information Security procedures owned and implemented at business level.
Monitoring for compliance with the POA HNG-X Account Information Security Policy.
Ensuring that Information Security incidents and events are recorded and investigated.
• Ensuring that system audit trails are analysed on a regular basis.
• Defining the Information Security Risk Management methodology of POA.
• Analysis and evaluation of Information Security risks and evaluating options for the
treatment of risks.
• Ensuring all POA Staff are screened in line with Contractual requirements and Fujitsu
Services Group Policy.
6.1.3.3. POA Operations Security Manager (OSM)
The Responsibilities of the Operations Security Manager include:
• The management of Information Security incidents
• The provision and oversight of event auditing services
• Management of the Patching and Associated Anti-Virus Service (including chairing the
Patch Approval Board)
• Impact assessment, authorisation and approval for all operational and system design
changes to ensure the implementation of security controls in technology processes.
• Co-ordinating the evaluation of all new security products proposed,
• Providing regular Information Security operational reporting on
6.1.3.4 POA Information Security Risk and Compliance
The Information Security Risk and Compliance Manager is
Information Security Risk Management and documentation
the POA Information Security Risk and Compliance ing
• Maintaining the Information Security Risk Regi:
• Production and maintenance of the
• Production and maintenance of
6.1.3.5 POA Quality and
The Information Security relat
itact for external audit personnel.
ing out audits of POA’s business functions.
Security
Property and Group Security have responsibility for physical security at all sites used by
Office Account.
6.1.4 Authorisation Process for Information Processing Facilities
The Infrastructure Design and Build Methodology (Ref: C-IDBM1.3) is the standard lifecycle
model used within Fujitsu Services for all Infrastructure Design and Build projects.
It is made up of the following core processes, summarised and portrayed in the diagram below.
[Figure: IDBM core processes. Processes shown: Definition; High Level Design; Build & Unit Test; Integration; Test Planning and Preparation; Test Execution; Implementation Planning & Preparation; Operation Service Planning & Preparation.]
6.1.4.1 Definition
This process deals th: quirements from all stakeholders, identification of the
existing environmé infrastructure must integrate, and identification of the
i II normally be part of a general requirements gathering activity, and
may only be a subset of the overall requirements.
lesigner will normally need to provide technical information to the project
\duce overview project plans and allocate resources.
al information on the risks, issues, assumptions and dependencies is also
roject managers at this stage, including technical information on the logical order
ight make suitable work packages etc.
6.1.4.2 Design and Build Work Packages
This process takes the requirements, and turns them into a high level design, then a low level
design, and eventually into build instructions and the initial component builds. The list of items
needed is also generated during this process.
This is often considered the main part of the design process, but it cannot be successful in
isolation. Key outputs from this process are the High Level Design, Low Level Design, Bill of
Materials, build instructions, and associated automation for the builds.
6.1.4.3 Implementation Planning and Preparation
This process runs in parallel with the Design & Build process. During this phase, the designer
helps the project manager identify the work required to implement the infrastructure, and
realisable proportions for work package planning.
These steps, from planning the strategy down to more detailed planning, inform project
management planning.
6.1.4.4 Test Planning and Preparation
This process defines the activities required to plan and prepare for the verification and validation
of a deliverable.
6.1.4.5 Integration
This process takes individual components and assembles them togethe!
larger components.
This process works closely with the Test Execution process, as eact
components is built, they should be tested, until the solution can be
6.1.4.6 Test Execution
This process defines the testing activities used
customer requirements are satisfied.
leliverable to ensure that
The main testing activities occur within the ise; however, an important test
odules are developed and built
This will include planning fo ree ind training, and ensuring that support staff have
the tools, information and acc:
is concerned with ensuring that the other IDBM processes work. This includes the
's, which check that the IDBM processes are being run correctly.
2s how designs should be peer reviewed and approved, and how change should
6.1.5 Confidentiality Agreements
All employment contracts (permanent and temporary) as well as consultant, contractor and
supplier contracts (Generic Supplier Contract Template) include clauses governing the treatment
of Customer (in this case POL) information gained as a result of their employment.
Fujitsu staff on the Post Office Account must be aware of their obligations set out in Paragraph
2.6.3 of Schedule A4, Legislation, Policies and Standards. For clarity Paragraph 2.6.3 is
reproduced below:-
“Fujitsu Services shall not disclose any Personal Data to any person except to sut
employees, agents, sub-contractors, third parties performing software maintenance
and consultants in each case who require that information in order for Fujit
its obligations under this Agreement.
Prior to disclosing Personal Data or any portion thereof to such employet
contractors, third parties or consultants, Fujitsu Services shall ensi
agent, sub-contractor, third party or consultant is subject to a written.cor
Services requiring them to comply with Fujitsu Services’ obligations
and confidentiality of the Personal Data and to comply with Fuji
processing it.
vant employee,
ith Fujitsu
ding the security
Fujitsu Services shall not knowingly cause or allow an
party performing software maintenance or supp
ent, sub-contractor, third
a¥ocess Personal Data in a
6.1.6 Contact with Authorities
established Fujitsu Corporate channels.
Contact with law enforcer S$, government vetting agencies and Centre for
the Protection of National ill be maintained by Fujitsu Group Security.
« Contact with regulatot
Fujitsu Group begal
Information Commissioner will be maintained by
rest security groups and best practice security organisations will
Office Account Security Team but only via voluntary, individual
s and any value added provided by Fujitsu individual membership
of Information Security are subject to regular independent reviews. As documented in
» Audit High Level Plan these include:
• ISAE3402 — Annual external audit conducted by Ernst & Young to support POL Financial
Reporting.
• PCI-DSS - Annual requirement from POL who own and manage the audit.
• ISO/IEC 27001:2005 - Annual POA Accreditation which is part of Fujitsu Certification and
owned by the CISO.
• LINK Audit — Annual audit conducted by POL external auditor.
6.2 External Parties
6.2.1 Identification of Risks Relating to External Parties
The risks associated with access to POA information and information processing facilities by third
parties will be assessed and appropriate security controls implemented in line with HNG-X
Information Security Risk Management Procedure (Ref:- SVM/SEC/PRO/0033).
These controls must be agreed, documented and defined in agreements with any
parties.
Physical access to any POA processing facilities provided by Fujitsu shall: to third
parties until all security requirements have been satisfied and evidenc
POA will create and maintain a register of external parties with
to POL.
6.2.1.1 3rd Party Connectivity
As described in the HNG-X Network Architecture (Re
boundary between the HNG-X
onnects to.
The transit LAN exists both for security ai
HNG-X and that organisation
6.2.1.2 Off-Shoring
Prior to any off shoring work un
to Off Shoring Managing Ss
Note:- POL have a requireme!
service/support serviee which
POL Account information will be subject to the requirements of the HNG-
urity Policy (Ref:- SVM/SEC/POL/0003) and applicable components of
ig Security in Third Party Agreements
ods and services to Fujitsu that support the Services provided to POL must be
document as a baseline standard.
The Ariba system is Fujitsu's standard toolset for the Managed Procurement Cycle and
Contracting with Suppliers processes and captures all evidence of compliance with and approval
of the project steps belonging to these processes. It also captures Third Party Governance.
(http://www.cafevik.fs.fujitsu.com/001 10/manageprocurement/Pages/home.aspx )
Individual agreements with suppliers of standard COTS components are not required provided
that there is clear evidence the components meet all security, regulatory and contractual
requirements.
7 Asset Management
7.1 Responsibility for Assets
7.1.1 Inventory of Assets
Asset identification and recording is a key aspect of Information Security management and the
maintenance of correct and up-to-date asset information is key to a number of bi
objectives as described in the Information and Technology Group Hardware Asset
Policy (Ref:- TGSM-POL-003).
The POA maintains a Transfer Asset Management Database which is
Manager. This database contains the data maintained on all major,asset h
Transfer Asset Register (Ref:- COM/MGT/REP/0001).
The Asset Register covers:
• All assets employed by Fujitsu specifically for.
• This asset register is a snapshot in time and
and the impact of any changes due to the devel
progress at this time are not includ:
The register is structured according to thé
Software
Hardware
Documentation
Data
asset, namely:
The assets identified within th
Production, Test
own where appropriate by their functionality ie:-
ner Estate, Supplier/Third Party.
of the POA HNG-X Service will be assigned an owner, who will be
s per the Fujitsu UK & Ireland Business Management System Security
team, rather than an individual. Details of ownership must be documented in
ts which will be reviewed regularly (at least yearly) to ensure its accuracy.
nel using Fujitsu Post Office Account and Corporate systems will be subject to Fujitsu
corporate acceptable use policies as captured in the Fujitsu UK & Ireland Business Management
System Security Policy Manual, the Acceptable Use of IT Within Fujitsu Services and the Fujitsu
UK & Ireland Business Operations, Information and Technology Group Internal IT Policy
(Ref:ITG-PO1).
7.2 Information Classification
7.2.1 Fujitsu / POL Classification Guidelines
All information concerning POL and its contracted services, that are not in the public domain,
shall be considered potentially sensitive and by default treated as private to POL and its
contractors.
Fujitsu has a formal approach to information classification documented in the Fujitsu UK &
Ireland Business Management System Security Policy Manual.
The POL Limited Community Information Security Policy for Horizon & Hot
External Document - POL/HNG/CIS/001) documents the Information S
used within POL.
All Users who have access to multiple sources of sensitive, perso
and whereby this information is then acquired or stored by them rt
level (through aggregation) may increase /decrease and this must b
it the Classification
The current Fujitsu and POL approved markings consist of a cla
has an optional qualifier.
level and Fujitsu also
7.2.1.1 Fujitsu Unclassified
Information marked as Unclassified can
marking is optional where its use is unnece
some uncertainty about the classi
would never be associated with
le and outside of the company. This
\ just be used where there may be
ve any ambiguity. By definition, Unclassified
7.2.1.2 Fujitsu Restricted
re is no reason for disclosure outside of Fujitsu (or
re disclosure to unauthorized persons might cause minor
the ‘qualifier’ grot
damage.
Examples
sensitive customer information, negotiating positions, market assessments, or
formation, and technical information that could impact the security of IT systems.
7.2.1.4 Fujitsu Secret
This is used for information and material of an extremely confidential and sensitive nature, or of
strategic importance, the disclosure of which could cause grave damage to the interests of the
Company.
Examples are high-level business and competition strategy and plans, very sensitive competitor,
partner or contractor assessments, patent secrecy information, and information, including
passwords, vital to the security of IT systems.
7.2.1.5 Fujitsu Optional Qualifiers - Eyes Only
This indicates the scope of data disclosure (e.g. Fujitsu UK&I Eyes Only or Applications Services
Eyes Only).
7.2.1.6 Fujitsu Optional Qualifiers - Commercially Sensitive
This applies to information and material which is intended to be shared with a limited number of
third parties for business purposes and where disclosure would not result in any significant
impact to either Fujitsu or the recipient. It would be used in conjunction with Fujitsu Restricted.
7.2.1.7 Fujitsu Optional Qualifiers - Commercial in Confidence
This applies to information and material, the unauthorized disclosure of wh
embarrassment or might be detrimental to the interests of the Compa
can be shared with third parties if necessary for business purposes. It
7.2.1.8 Fujitsu Optional Qualifiers — Personal Addr
the owner, their delegated representatives, and the int
example would be a letter re pay increases. Where th
it would have a handling marking of Fujitsu Con’
ere the subject matter under
e disclosure or unauthorized access could
Examples are bonus scheme details and
information as described in the UK Data Protection Act along with
Fujitsu believes should be subject to similar protection.
7.2.1.4
at has been assessed to be of a sensitive nature and likely to cause damage
ithorised disclosure. Personal data (as defined by the Data Protection Act) is
be treated as CONFIDENTIAL. Transaction records that do not identify a person are
confidential on bulk data/reports only. Transaction receipts for individual transactions do not need
to be labelled as CONFIDENTIAL, since they are intended as a receipt for a transaction by an
individual”.
7.2.1.12 POL Strictly Confidential
“Information meeting the classification standards of government departments, the security
services, clients, or assessed to be so sensitive that unauthorised disclosure would cause acute
organisational damage.
Information identifying cash handling staff, routes and/or timings is STRICTLY CONFIDENTIAL.
PIN data and all encryption keys are also interpreted as STRICTLY CONFIDENTIAL”.
7.2.1.13 POL Internal
All other information must be classified as INTERNAL unless specifically authorised for release.
7.2.2 Information Labelling and Handling
Data handling guidance is a corporate responsibility and is captured in Fujitsu UI é
Business Management System Security Policy Manual and the Quick Reference
UK & I — Information Classification Matrix.
Ireland
All documentation and displayed output from POL systems containing i
Confidential or Strictly Confidential must carry an appropriate classificati
Restricted documents containing sensitive information shall be st
Dimensions according to the labelling and handling requirements.
POA information, which supports delivery of the Service, that:
unauthorised access (whilst not exhaustive) includes
« The business data exchanged with POL. and
EPOSS and transaction data resulting from P%
HL... the POA Data Centres and
between the Data Centres and the Post es. It is stored at the main
operation systems and also in Iso available for management
services via the SMDB
POA Classification: Fuj
POL Classification: C:
« POA business mani
Confidentiality and i
Information System cc
forwarded as approprié
m the operational systems. This is then
s, POL. and their Clients.
I - the inclusion of any personal data (as defined by the
escalates the POL classification to Confidential
supporting the business processes such as training data (special, non-sensitive,
business style data used in training sessions) and on-line documentation
POA Classification: Fujitsu Restricted
ii Internal
• Operational systems data such as the software, configuration information, Tivoli scripts,
system management event logs etc. This information must be held in Dimensions
Document Management and associated configuration management servers and is
subject to change management access controls.
POA Classification: Fujitsu Restricted.
POL Classification: Confidential
• Security information about users, Sensitive personal data, details of security
investigations, keys, security audit logs etc.
POA Classification: Fujitsu Secret.
POL Classification: Strictly Confidential
In addition, POL has specific requirements for the handling of Cardholder Data and
Sensitive Authentication Data (see Glossary for definition):
• Sensitive Authentication Data shall not be stored in any file or database including log,
audit or diagnostic files after a transaction has been authorised even if the data is
encrypted. Such data shall also be deleted after use.
• Cardholder Data shall be rendered unreadable anywhere it is stored (including data on
portable media, backup media, and in logs) by using any of the following
One-way hashes (hashed indexes) such as SHA-1, Truncation, Index tok
AES 256-bit with associated key management processes and pI
• All Sensitive Authentication Data and Cardholder Data sh
approved algorithms and encryption protocols whilst in tr:
is prohibited to send unencrypted PANs by e-mail. /
3DES (as per ANSI X9.52) and 256-bit AES (FIPS 1
data and cardholder data must be treated as
Any exceptions to these policy requirements will be agreed in writing in the document
entitled "Security Constraints" (ARC/SEC/AI
8 Human Resources
8.1 Prior to Employment
8.1.1. Roles and Responsibilities
8.1.1.1 Professional Communities
Fujitsu has a Professionals Communities Policy which stipulates that the
employees is best served by defining and maintaining a set of Professional
Professional Communities define and support capability development
The Professional Community structure provides a framework for
groups of people with similar skills and objectives.
These groups are aligned to an organisational structure that’
of our customers.
All employees within Fujitsu are members of a Profes:
their role.
8.1.1.2 Job Descriptions
All personnel engaged on the Fujitsu POA
Reference for their position.
riptions and / or Terms of
curity, ‘esponsibilities these will be defined in
documented job descriptions ar mented in POA Security Roles and
Responsibilities (Ref~:- SVM/SI
Generic security responsibil
for the appropriate pr i
be included in all role descriptions or objectives
out Personnel Vetting in order to confirm identity, honesty, integrity and right
the UK. To achieve this Fujitsu uses the Fujitsu Personnel Vetting Standard as
Fujitsu’s Commercial clients, however, from both Commercial and Government sectors,
additional checks to the FPVS to be made before individuals are permitted to work on
Completion of the Pre-Employment Screening process is a mandatory condition of employment
and must be completed within two months of an employee's start date or referral will be made to
HR which may affect the continuation of employment.
8.1.2.2 Additional Checks / Security Clearances
Requirements for further pre-employment checks for POA Staff are outlined below. It is the
responsibility of the hiring manager to ensure that employees have the appropriate level of
security for their role.
• Additional security checks, in accordance with POL vetting procedures, must be
performed for all POA engineer staff that require access to Post Office branches in
order to undertake development, support or maintenance activities.
• Satisfactory Credit Reference Bureau checks will be required for all POA Staff who have
access to financial information contained within Post Office systems.
• Criminal Record Checks will be carried out on POA Staff. This will be done as part of a
UK Government specified Baseline Standard check.
• Higher level UK Security Clearance may be required for individu:
POL information classified as Strictly Confidential. Advice shout
Chief Information Security Officer who will confirm the requiem
by case basis.
When an existing Fujitsu employee transfers to work on the POA
ensure the employee has either satisfied the checks above ‘
the employee has not already been fully checked.
I Manager must
performed if
8.1.3. Terms and Conditions of Employment
8.1.3.1 Employee Contracts
All personnel engaged on the Fujitsu Servic count will have a signed contract of
employment.
The employment contract stipu'
Security Policies.
ry to follow all Fujitsu HR and Information
ements with suppliers of standard COTS components are not required provided
ar evidence the components meet all security, regulatory and contractual
8.2 During Employment
8.2.1. Management Responsibilities
All Line Managers are to ensure that POA staff and contractors apply security in accordance with
agreed Fujitsu and the POL Information Security Policy (Ref:- SVM/SEC/POL/0003) and
supporting procedures.
8.2.1.1 Intimidation
There is always a risk that employees with access to sensitive material
of intimidation. Employees who have been, or are subject to intimidation
contact their Line Manager or whoever they report to on the POA either
soon as it is safe to do so.
Intimidation is considered a form of Bullying or Harassment and al
Employees should not knowingly endanger themselve
client assets from theft or damage by criminal entities.
8.2.2 Information Security Edu
urity Awareness
lement Team will promote Information
se of Information Security controls.
M/SEC/STG/0739) will promote Information
Security awareness and explaii
The Security Communications.
Security awareness and explait
includes Information.
rnal Information Security Awareness
ees are mandated to complete Information Security Awareness CBT
Data Handling
ite Protection Act
8.2.3. Disciplinary Process
Any member of POA Staff failing to adhere to the HNG-X Information Security Policy, associated
Information Security procedures and instructions may render themselves liable to disciplinary
action in accordance with the Corporate Fujitsu Conduct Policy and Fujitsu Conduct Guidelines.
8.3. Termination Responsibilities
8.3.1. Termination Responsibilities
When a member of the POA staff exits or transfers from the Account it is the Line Manager's
responsibility to ensure that all assets, including information, software and hardware assets, are
reviewed and returned and that access rights are reviewed and where applicable revoked or
adjusted upon change.
Any specific security responsibilities of the departing individual must also be reviewed and
reallocated, as necessary.
8.3.2 Return of Assets
All POA Staff must return all of POA Assets in their possession ur
employment, contract or agreement.
procedures to ensure the return of all POA property wi
all POA equipment and software licences. The line m:
and Internal IT Policy (Ref: ITG-
agement service. Equipment
should not be redeployed locally.
8.3.3 Removal of Acce: 3
ind information processing facilities must be
ntract or agreement or adjusted upon change
removed upon termination of
of company assignment or ro!
from POA premises @
SVM/SEC/PRO:
isswords, safe combination numbers, etc, must be changed on the departure of a
team; this too is a Line Management responsibility.
9 Physical and Environmental Security
9.1 Secure Areas
9.1.1. Physical Security Perimeter
Group Property and Group Security have ultimate responsibility for physical security at all sites
used by the Post Office Account.
The POA CISO is responsible for working with Group Property and Group Security to ensure that
the appropriate physical and environmental controls are in place, bast
protect assets from unauthorised access, damage and interference in lit
requirements.
All physical perimeters of Fujitsu POL Account sites are clearly de
personnel at Fujitsu POL Account sites maintain an appropriat
security perimeter of each site deploying security barriers, en
special lighting etc. as necessary.
Within all POA sites consideration is also given to any
premises.
Intrusion detection alarm systems must be us'
Alarm Systems must be tested regularl
There are regular visits by Fujitsu Corpora
levels of physical security ensurin,
I Security and the POA will work closely with the Data
servations are acted upon. (It should be noted that this is
ISNO001021).
POA visitors to POL sites will be subject to any POL screening/vetting procedures and must
abide by processes and procedures for such visits provided to them by POL.
9.1.3 Securing Offices, Rooms and Facilities
Fujitsu's POA employs a best practice approach to securing offices, rooms and facilities
across all sites, including a Clear Desk Policy.
In practice this means:
• Access to all secure areas is strictly controlled.
• All papers, discs and portable media that contain Fujitsu's POA Information are to be
stored in an appropriately secured place when not in use.
• PCs and workstations are to be protected by passwords and either locked or a
password-protected screen-saver invoked when not in use.
• Support functions and equipment e.g. photocopiers, fax machines must be sited
appropriately within the secure area to avoid demands for access which could
compromise information.
• Doors and windows must be locked when unattended and extern
considered for windows particularly at ground level.
• Directories and internal telephone books identifying locations of
facilities must not be readily accessible by the public.
• The use of portable wireless devices, including item:
areas where sensitive data is stored, processed or tran
phones with built in cameras are similarly prohibited.
9.1.4 Protecting Against External and E
of the possibility of damage from
f natural or manmade disasters.
Account should also be taken
given also to any security th
ata Centre. In the event that there is a disaster at the live site, a
There is a Live
i anual fail-over to the Test/DR Data Centre with RTOs of 2, 5 and
decision is
the Live and Test/DR Data Centre in real time, over the inter-site link
costs and security risks inherent in moving data physically and to
ient resilience built into the Live Data-centre to minimise the risk of equipment or
invoking the HNG-X Data Centre disaster recovery plan.
9.1.5 Working in Secure Areas
Information processing facilities for POL data must be housed in secure areas in accordance with
the Fujitsu UK&I BMS Security Policy Manual.
Managers responsible for secure areas must ensure that access rights to secure areas are
regularly reviewed and updated at least monthly.
Information processing facilities managed by POA must be physically separated from those
managed by third parties.
Physical and logical segregation of POA Assets from other Fujitsu contracts must be maintained,
however shared use of data centres, server rooms and environmental facilities is permitted.
Security measures associated with installed equipment must take these factors into consideration
to reduce POA's risks to an acceptable level.
Similar considerations apply to POA Assets at other non-POA sites (e.g. AP Client sites).
Unoccupied secure areas must be physically locked and subject to at least daily periodic checks.
Access to sensitive information and information processing facilities mu:
restricted to authorised persons only. Authentication controls (e.g. swi
used to authorise and validate all access. An audit trail of all access
securely.
9.1.6
POA sites will be through main entrances.
Additionally there is clear direction that where POA sil
then these will be monitored when in use by
CCTV.
Direct access to the site will not normally I
The loading bay and delivery area doors ar:
the loading bay or delivery area.
when not in use.
9.2 Equipment Security
9.2.1 Equipment Location and Protection
9.2.1.1 Location
In accordance with the Fujitsu UK&I BMS Security Policy Manual all equipment should be located
so that it avoids unnecessary access into work areas. Sensitive network devices
servers, routers, firewall etc will be located in secure areas which with some excepti
business requirements shall be in Fujitsu Data Centres.
All printers located in secure areas should be used only by those p
secure areas. General printing shall be conducted outside secure areas.
equipment ie photocopiers, fax machines must be sited appropriat
access which could compromise information.
9.2.1.2 Positioning
All equipment in secure areas should be positioned si
personnel outside secure areas.
All desktop monitors should be positioned
the building or from general public area:
9.2.1.3. Environmental Conditio:
Excessive heat and humidity
equipment placed in rackin,
spection and maintenance of supporting utilities of Fujitsu locations providing Services to
the POA is the responsibility of Group Property and is in line with the Fujitsu UK&I BMS Security
Policy Manual.
Fujitsu Data Centres are audited frequently in accordance with the Group Security Site Audits
Process (Ref:- GB/BSA/0002) and they hold current ISO/IEC 27001:2005 Certification.
9.2.2.2 Uninterruptible Power Supplies (UPS)
All critical system components should have a UPS attached so that an orderly shutdown of
equipment can be carried out in the event of a power outage.
Plug sockets or multiple adapters shall not be overloaded and surge protection devices should be
applied to critical system components.
9.2.2.3 Emergency Contingencies
All key staff members maintaining critical system components should know the location of
emergency power off switches in case a rapid power down is needed in an
emergency. The building emergency lighting should activate in case of main power failure.
9.2.3 Cabling Security
As described in HNS Data Centres Blueprint for Availability Management
Centre Managers are ultimately responsible for all IT and infrastructurean
thereof of all equipment within the Data Centre(s).
9.2.4 Equipment Maintenance
Owners of equipment must ensure that it is correctly maintai
availability and integrity.
HNS Data Centres Blueprint for Availability Managem
Managers are responsible for planning all maintenance an
continuous availability is achieved ‘
9.2.4.1 Faults
All faults with Fujitsu assets are to:
the requirements set out in the Ft
Hardware or Software error
9.2.5 Security of Equipment Off-Premises
Off site equipment must be stored securely and adequately protected. Additionally equipment
movement must be controlled and subject to appropriate authorization.
Regardless of ownership, any use of POA IT equipment by Fujitsu POA personnel outside of all
POA premises must be authorised by Line Management who is responsible for ensuring that the
user is aware of the security requirements and the access controls requirements.
The Information and Technology Group Care of IT Equipment Policy (Ref:- TGSM-POL-0017)
requires all permanent and temporary employees, agency staff and contractors to
take all reasonable precautions to ensure the safety and security of IT equipment in their care.
9.2.5.1 Security Advice — Top 10 Tips to Protecting Laptops and Portable Media
There is guidance on the Fujitsu UK&I Security Portal for Fujitsu staff in protecting laptops and
portable media:-
• Only devices registered with and provided and built by Fujitsu may be connected to the
Fujitsu network. Items such as Modems, PDAs, Mobile Telephones and ot
peripherals must not be connected to a PC or laptop which is or can be
to any network that is supporting the Fujitsu business. Such actioy i
enable unauthorised users to access Fujitsu systems.
in use.
• Avoid displaying any sensitive information on your [é
never know who may be looking over your shoulder.
Make sure that your password is a mix of at I
punctuation symbols.
• Before you take your laptop out 6
stored out of sight in the boot of the car and
ays put your laptop and valuables out of sight
• When travelling by car:
must not be left in unal
prior to starting your jot
for cars to stop and.th
resale and safe disposal of redundant IT equipment within the POA is provided by
Supply and Lifecycle Services based in Warrington under the Manage Recycle Service
(Ref:- SC002).
The Service covers all aspects associated with the recycling and refurbishment of IT equipment,
from cleaning, auditing, data purging and testing to disposal. In addition, Supply and Lifecycle
Services provides a guarantee of compliance with all environmental legislation.
Removal and or Destruction of Electronic Media (Ref:- SVM/SDM/PRO/0039) defines the
procedures for handling the removal and or destruction of electronic media that is faulty, or
requires replacement that holds (or may have held) Sensitive information.
9.2.7. Removal of Property
The removal from site of any equipment (not personally issued laptops etc) which may have been
used for storage of sensitive POA or POA data and information must be authorised in advance
by appropriate Line Management avoiding any conflict of interests.
9.2.7.1 General
The Fujitsu UK&I BMS Security Policy Manual requires that all equipment moves (with the
exception of the personal allocation of Laptop PCs, PDAs, mobile phones or oth
specifically allocated for personal use) are to be registered on the relevant equipme
register in accordance with the relevant Asset Management process.
9.2.7.2 Data Centre Procedures
The Data Centres Data Handling Policy (Ref:- ISNO06632) is com
policies on handling and transporting data and media (as captures
Security Policy Manual) and explicitly states that with the e: i
(Break-Fix Data Handling SOP (Ref:- ISNO7358))an MSC must be: by the account for all
transportation of Data and Equipment irrespective of r J is MSC must detail
the name of the courier or Trusted Person as well as tl
data.
9.2.7.3 Security Staff - Random Ch
The Fujitsu UK&I BMS Security Policy Mani
undertake random checks to ensurt f
(with the exceptions stated above
it Security employees may
being removed from Fujitsu UK&I premises
ithorised documentation.
9.2.7.4 Decommissioning
All decommissionin:
including backups and must ensure that any
ly stored and documented or disposed of in a secure
manner (ini pment). This includes all equipment used to provide the POA
service.
10 Communications and Operations Management
10.1 Operational Procedures and Responsibilities
10.1.1 Documented Operating Procedures
The Configuration Plan for HNG-X (Ref:- PGM/CM/PLA/0001) provides an overview used to
provide version control and Configuration Management of all Software, Document Management
and Change Management configuration items used within the POA solution.
as such, with unique identification and strict version control. Document:
from each of the programme lifecycle stages which describe and suppo!
This is also the case for documents originating from sources '
Operating procedures must be treated as formal docum
and a Security Classification applied and any Change:
authorised management.
10.1.1.1 Support Guides
The HNG-X Design & Build Methodology I
(Ref:- PGM/PAS/PRO/0007) states:th
provide technical support staff wit
gone live. “
upport Documentation Process
nt for a Support Guide (SPG), which will
able them to support that system once it has
Support guides are also req
SVM/SDM/PRO/0875) and g
product and the developers of
to End Application Support Strategy (Ref:-
y a combination of the architect / designer for the
id are based on the DEV/GEN/TEM/0009 document
idenced by the Account Security Management participation in the Change Boards (PCCB &
\d the Managed Service Change (MSC) process.
The Change Boards have the total authority and responsibility to accept, reject or defer a Change
Proposal (CP) irrespective of its origination (Customer or Internal) and as such act on behalf of
the POA Management Team.
10.1.2.1 Change Owner
This is the individual who owns the change and will progress it through from inception through
impacting to Board Presentation, agreement to implementation, support and finally to closure.
The Change Owner has the following responsibilities:-
• Understand and own the business need identified within the CP on behalf of the POA.
• Ensure the requirement is clearly identified on the CP and ensure that it is understood
and supported.
• Be familiar with and agree all documentation prepared for the Change Boards.
• Where the change is a Change Request (CR) or Request for Work Package (RWP)
related construct and complete Commercial Terms (CT) and/or Change Control Note
(CCN) for presentation to CCB prior to submission.
• Review impacts, comments, assumptions entered against the Change before attending
the CCB, resolving and mitigating all issues.
• Ensure that all aspects of the change have been considered and any as:
are included in the impacts to be presented.
• Attend the CCB to represent the Business Case for the CP.
• Ensure that any impact on the HNG-X Release Plan is included
submission to the CCB (having been discussed with the ri
Manager).
• Ensure that all changes presented to CCB are targete
Maintenance Release Slot or Major Release where soft
• Ensure that all changes presented to CCB in
support costs, not just one-off project costs, wh
and agreed with Finance before pre ation.
been communicated to
10.1.2.2 Change Originator
This is the individual who owns co)
‘and other forms) and supplies them to
Change Management — norm i
ection of the Change Owner.
The Change Originator has.
are targeted at a specific Maintenance Release Slot or
@.delivery is required.
Collectively their responsibilities are:-
• Confirming that the requirement is clearly documented.
• The technical solution meets the requirement and is in line with the solution architecture
and does not compromise the integrity of the solution.
• Ensure that a migration path to the proposed change is documented.
• Ensuring the solution is clearly documented within the CP.
• Participating in a Design Approval Board (DAB) as required.
10.1.3 Segregation of Duties
Accountability of individuals is essential and segregation of duties will be enforced where
deemed necessary.
It is the responsibility of Line Management to facilitate such separation and to brief staff on any
special responsibilities in order to reduce opportunities for unauthorised modification or misuse of
information or services.
Specific requirements for banking keys are described within CS/OLA/051/052 and
CS/OLA/051/053 for POA Network Banking Key Management.
10.1.4 Separation of Development, Test and Operatio
Security testing is a critical part of the HNG-X programme. It is vitally i
security principles have been followed and that the subsequent security
deployed correctly.
The test environments are:
• Solution Validation & Integration (SV&I) (Ref:- DEV/I
• Live System Test (LST) (Ref:- DEV/INF/LLD/
IRE19 will host the Live System Test (LST) and Syste:
environments during normal (IRE11 Live) o}
network connection with operational systen
ms shall only share logical
rolled circumstances.
During each subsequent phasé. xpécted that the security testing load will change
as the initial tests will not ni d and the testing focus will move to cover integration
features and the validation
Development, test, and oper
10.2.1 Service Delivery
pliers processes and is the central repository for all 3 Parties engaged by the POA and
m allows the POA to capture all evidence of compliance with and approval of the project
steps belonging to these processes. It also captures Third Party Governance and Supplier
Performance Management.
10.2.2 Monitoring and Review of Third Party Services
Within the POA, the management of 3rd Party Suppliers is governed by the Supplier Management
for Non-Procurement Supplier Managers (Ref:- Il-Mco1.3) to ensure the continuous ongoing
management, assessment and evaluation of the performance of POA Suppliers.
Service Delivery Managers hold monthly meetings with Suppliers and produce a monthly report.
These are in turn sent to the MI Systems Lead who collates the findings and produces a monthly
Service Review Book and Dashboard which is presented monthly to POL at the Service Review
Meeting.
10.2.3 Managing Changes to Third Party Services
All changes to third party contracts will be managed in accordance with POA Change
Management procedures as documented in Paragraph 10.1.2.
10.3 System Planning and Acceptance
10.3.1 Capacity Planning
The HNG-X Capacity Management and Business Volumes (Ref:- PA/PER/033) documents the
process of managing the business workload volumes that the HNG-X system will support and the
capacity required to support this workload under contract extension.
The following agreed principles under which business volumes and capacity will be managed
include:-
• Post Office estimates the business volumes that the system nee
this assessment they need to decide how much headroom or
unexpected growth in volumes is required.
• Fujitsu Services will support the Contracted Volumes and
needed to support that level of business volumes. This infr
implemented in several phases if all of the addition: i
Appropriate lets are given against Service Le
10.3.2
established and suitable test
prior to acceptance.
The purpose of this formal Project Initiation Review is to confirm and ensure that all project
requirements, including definitions and control mechanisms are in place for full implementation of
the plan/timetable and that the project has a sound basis to proceed.
In addition, the Service Readiness Checklist should be used to guide preparation for acceptance
and introduction of the final solution into the live service environment.
Although this is the first formal documented project initiation review within the business delivery
procedure, it is expected that the definition will have evolved with the appropriate level of
verification from project delivery managers during the bidding cycle.
This is the formal confirmation, which authorises the definitive Project Initiation Document.
10.3.2.2 Design Approval Board
The CISO is a member of the Design Approval Board (DAB) which provides technological and
financial approval based on strategic solutions, products, and technologies. The DAB assesses
the submitted design and offers adjudication to the Designer.
10.3.2.3 Operational Readiness Review
The purpose of an Operational Readiness Review is to verify the readiness status of all activities
and work streams within a programme, to ensure the successful transition into delivery.
These reviews will cover the following areas:-
• Confirm the appropriate organisational structure
• Confirm that effective governance is in place, both with the custom
• Demonstrate that requirements are fully understood, the technic
and governance of any third parties and the associated .
10.3.2.4 Service Readiness Review
The purpose of a Service Readiness Review is to ensure that project deliverables are ready for
release into the live environment.
10.4 Protection against Malicious and Mobile Code
10.4.1 Controls against Malicious Software
HNG-X Architecture — Security Architecture (Ref:- ARC/SEC/ARC/0003) describes that HNG-X
uses the Sophos anti-virus product, which is implemented on all Microsoft Windows 2003 Data
Centre platforms and Microsoft Windows XP Support Workstations connected to a Data Centre
network (i.e. from a remote site).
Anti-virus signatures and updates will be subject to LST testing to ensure their integ}
be applied using the Tivoli software distribution system rather than the So;
tools to ensure consistency of delivery to system-managed platforms.
onto any HNG-X Counter.
Remote support workstations that are not under the control of the HN
updated as required by the Fujitsu Corporate Security Policy decum:
10.4.2 Controls against Mobile Code
Mobile code is software code which transfers from one computer to another computer and then
executes automatically and performs a specific function with little or no user interaction.
The HNG-X Secure Coding Gui
coding guidelines for develop:
configurations for HNG-X.
HNG-X Java Coding Stand:
se guidelines are:
mon layout of source code. A common layout makes it easier for
with these guidelines to maintain code that they are unfamiliar with.
10.5 Backup
10.5.1 Information Backup
Data backups are an essential component of HNG-X and are potentially critical in ensuring data
availability in the event of data corruption or system failure.
Data corruption may occur as a result of user error, application error, middleware error,
hardware failure or firmware bugs. Data corruption means that the data is no longer readable, or
is no longer the data that was written.
In the context of POA HNG-X very little data cannot be recovered from "pt
data in an upstream system or from a previous processing step.
The Backup and Recovery sub-system delivers the functionality re
corruption and forms part of the overall solution architecture, as fe
• Section 6, “Availability” - HNG-x Solution Architectur
ARC/SOL/ARC/0001)
rf fecovery requirements, and
e appropriate, as these are tried
¢d in HNG-X Backup and
also to maximise the reuse of existing Hori:
and tested solutions and the overall back
site. IRE11 and IRE19 are used to hold
twork or the SAN. There is no requirement
duplicate copies, and all replicati
II such transfer is performed via the SAN.
to transfer media between IRE’
database backups are written to both the IRE11 and IRE19 SANs.
10.6 Network Security Management
10.6.1 Network Controls
The network architecture provides facilities to securely transmit data, to provide remote access
and to segment networks. In addition analysis and reporting facilities are provided to report
against SLAs and to enable base-lining and trending to be performed.
The following facilities are supplied by the service:
• Provides secure network capabilities.
• Provides secure remote access facilities.
• Provides network segmentation.
• Enables network analysis and reporting.
• Controls and manages network access control.
Detailed information on the HNG-X network infrastructure is contained in the HNG-X Network
Architecture (Ref:- ARC/NET/ARC/0001).
10.6.2 Security of Network Services
Network-based intrusion detection is dep}
This will provide notification of an attempt
through malicious activity or mali
This capability is provided usi
(Ref:- DEV/INF/LLD/0051).
Although these devices are
as IDS sensors on selected t
assessment durin:
process for new services, additional paths may be included in the
IDS Appliance LLD as required.
w the monitoring of multiple physical network segments from a single
s are designed to prevent traffic flowing between sensor ports, i.e. it is
ce to act as a Router and connect networks, thereby bypassing other
ing-alerts of malicious activity, the IDS sensors will send feed event logs into the
anagement service, to provide an audit trail and to enable additional event
Firewall, Router and other network device logs.
10.6.2.1 Tivoli Event Management System
Intrusion attempts will be detected through the use of the Tivoli event management system and
specifically, alerts raised as a result of failed attempts to logon or to access data with invalid
permissions.
10.7 Media Handling
10.7.1 Management of Removable Media
The Removal and or Destruction of Electronic Media (Ref:- SVM/SDM/PRO/0039) defines the
procedures for handling the removal and/or destruction of electronic media that is faulty or
requires replacement and that holds (or may have held) Sensitive information.
This procedure is consistent with the Fujitsu UK & Ireland Business Management System
Security Policy Manual requirements which also place the following policy requirements upon the
POA:-
• Transferring data within Fujitsu UK&I or between Fujitsu UK&I and other parties such as
customers, vendors or partners is an important part of business and must be achieved
without loss, unauthorised disclosure or damage.
• Loss or unauthorised disclosure of data/media can result in significant rep\
damage, fines for Fujitsu, customers or suppliers from the Informati
Office, breach of contract, loss of existing business and exclu:
• Where the system writing the media is capable of encrypting the
mandatory.
• Data owned by customers or other third parties must be hi
contractual requirements or other formal agreement
• Customer data must not be stored on removal
o Agreed system backups;
o during agreed data migration; or
o as part of a documented operati ed with the customer
, such as memory sticks or
10.7.2 Disposal of Media
Fujitsu's Supply and Lifecycl Warrington under the Manage Recycle Service
(Ref:- SC002).
The Service co\
from cleanin:
lated with the recycling and refurbishment of IT equipment;
purging, testing and disposal and in addition Supply and Lifecycle
of compliance with all environmental legislation.
lion of Electronic Media (Ref:- SVM/SDM/PRO/0039) defines the
removal and or destruction of electronic media that is faulty, or
10.7.3 Information Handling Procedures
guidance is a corporate responsibility and is captured in Fujitsu UK & Ireland
Business Management System Security Policy Manual.
10.7.4 Security of System Documentation
System documentation can contain information where unauthorised disclosure could have
significant impact, such as application procedures, data structures, access controls etc. and as
such must be suitably classified and protected accordingly.
The Configuration Plan for HNG-X (Ref:- PGM/CM/PLA/0001) provides an overview of the
processes to be used to provide version control and Configuration Management of all Software,
Document Management and Change Management configuration items (CIs) used within the
POA solution.
System documentation is held within Dimensions and has access controls applied to it.
Only members of staff working specifically on the Account are given access which is controlled
by the Business Management Function.
10.8 Exchange of Information
10.8.1 Information Exchange Policies and Procedures
All forms of information exchange including email, telephone conversations, meeting notes and
minutes, relevant to the scope of this policy, are subject to the high level statements made in the
Fujitsu UK&I BMS Security Master Policy (Ref:- CPM20), Fujitsu UK&I BMS Security Policy
Manual, the POA Information Security Policy (Ref:- SVM/SEC/POL/0003) and this ISMS Manual.
10.8.2 Exchange Agreements
The exchange of information and software with external organisations
agreed controls appropriate to the classification of the information.
which is governed by the ISMF Terms of References (Ref:
in the ISMF Minutes (Ref:- SVM/SEDC/MAM/0003).
The exchange agreements for software used for HNG:
agreements and software ownership is governed by tl
The Fujitsu UK & Ireland Business Management System Security Policy Manual requires that
media is to be transported by cou! red according to classification rules and/or any
relevant contract.
been via project based work and disposal
Sentencing Rules.
To date all Post Office interacti
procedures is set via a defi
IMS equipment capture that the SLS Recycle Administration Team
any collections.
just be well packaged and boxes/totes all sealed. Goods will not be accepted at
lepot from the engineer if this is not the case.
ist have an “Engineer Manifest Sheet” attached to the outside of the box,
marked with Project/customer name and Goods Return Note (GRN) number. Do
not attempt to return anything without obtaining a GRN number from the project team.
sure all hardware is listed on the “Engineer Manifest Sheet” this enables Warrington to
easily identify any missing items whilst in transit.
10.8.3.2 PIN Pads
The Post Office Chip and Pin Project Sentencing Rules (Ref:- RCYSRPOfCP-WOW) identify
that collections are arranged through the courier TNT.
10.8.4 Electronic Messaging
As required by the Fujitsu UK & Ireland Business Management System Security Policy Manual all
employees using Fujitsu UK&I e-mail system are subject to Fujitsu UK&I regional employee
acceptable use and e-mail usage policies.
10.8.5 Business Information Systems
As required by the Fujitsu UK & Ireland Business Management System Security
employees using Fujitsu UK&I business information systems are subject to Fujitsu: J
employee acceptable use policies.
10.9 Electronic Commerce Services
10.9.1 Electronic Commerce Security
The HNG-X solution meets the requirements of Post Office CR-957, (CCN 1202), introduced as a
result of the Payment Card Industry Data Security Standard as described in HNG-X Architecture
— Security Architecture (ARC/SEC/ARC/0003).
10.9.1.1 PCI-DSS Definition
The PCI-DSS definition of Sensitive Authentication Data and Cardhold:
Primary Account Number (PAN)
Cardholder Name                 Yes*   No
Service Code                    Yes*   No
                                Yes*   No
                                No     N/A    N/A
                                No     N/A    N/A
PIN/PIN Block                   No     N/A    N/A
* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the
cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require
specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS,
however, does not apply if PANs are not stored, processed, or transmitted.
** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).
will be hashed, encrypted or otherwise obfuscated by overwriting.
10.9.1.3 Audit Tracks
As described in Horizon (On-Line) Architecture — Support Services (Ref:- ARC/SVS/ARC/0001)
Audit Tracks generated after the implementation of CP4305 do not contain the PAN in clear text.
Instead there is an encrypted version of the PAN and, in a separate field, a securely hashed
version of the PAN. Audit Tracks that were generated pre CP4305 continue to contain a clear
text version of the PAN.
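A check a reviewer could run over exported Audit Track records to confirm that no clear-text PAN remains, as an added example rather than code from the HNG-X solution. The key=value record layout and the field names pan, pan_enc and pan_hash are assumptions, and every sample record is constructed.

```python
"""Scan exported audit records for clear-text PANs (added example).

Assumed, not taken from the manual: records are key=value text lines and the
field names pan, pan_enc and pan_hash. All sample data below is constructed.
"""
from __future__ import annotations

import re

# A PAN candidate is 13-19 digits, optionally grouped by single spaces or
# hyphens. The lookarounds reject digit runs embedded in longer alphanumeric
# tokens (hex digests, base64 ciphertext), which cuts false positives.
_CANDIDATE = re.compile(r"(?<![0-9A-Za-z])\d(?:[ -]?\d){12,18}(?![0-9A-Za-z])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_clear_pans(text: str) -> list[str]:
    """Return masked forms of every Luhn-valid PAN candidate found in text."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def classify(record: str) -> str:
    """Label a record: 'clear-pan', 'protected' (encrypted + hashed), or 'no-pan'."""
    if find_clear_pans(record):
        return "clear-pan"
    fields = dict(tok.split("=", 1) for tok in record.split() if "=" in tok)
    if "pan_enc" in fields and "pan_hash" in fields:
        return "protected"
    return "no-pan"


def audit_tracks(records: list[str]) -> list[tuple[int, list[str]]]:
    """Return (record index, masked PANs) for each record exposing a clear PAN."""
    findings = []
    for idx, rec in enumerate(records):
        hits = find_clear_pans(rec)
        if hits:
            findings.append((idx, hits))
    return findings


# Constructed sample records; the PANs are widely published test numbers.
SAMPLE_TRACKS = [
    # Older style: PAN held in clear text.
    "ts=2013-11-02T09:14:07 branch=004512 txn=DEBIT pan=4111111111111111 amt=25.00",
    # Newer style: encrypted PAN plus hashed PAN in a separate field.
    "ts=2014-03-18T16:40:51 branch=004512 txn=DEBIT "
    "pan_enc=QkFTRTY0LUNPTlNUUlVDVEVE pan_hash=9f2c1e7ab044d3e8 amt=12.50",
    # Newer style, but a grouped PAN has leaked into a free-text field.
    "ts=2014-03-19T11:02:33 branch=118830 txn=REVERSAL "
    "pan_enc=Q09OU1RSVUNURUQtMg== pan_hash=51d0aa93c7be6f02 "
    "note=card 5500-0055-5555-5559 declined",
    # 16-digit reference number that fails the Luhn check: not a PAN.
    "ts=2014-03-19T11:05:10 branch=118830 txn=BILLPAY ref=1234567890123456 amt=80.00",
]

if __name__ == "__main__":
    for idx, masked in audit_tracks(SAMPLE_TRACKS):
        print(f"record {idx}: clear-text PAN present {masked}")
```

The free-text leak in the third record is the case a field-by-field schema check would miss, which is why the scan runs over the whole record rather than only the pan field.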
10.9.2 On-Line Transactions
As captured in the HNG-X Architecture — Security Architecture (ARC/SEC/ARC/0003) the
solution has been designed to ensure that for online transactions:
• No card full track information is stored anywhere in the system
o The Network Banking Service requires that the full track image is available for up to
5 days, post-authorisation, in the event that reversal is required.
• No Sensitive Authentication Data is stored post-authorisation for card transactions.
• Any PAN stored in the system will either be in hashed format, encrypted al
expiry data and issue number, or will otherwise be obfuscated by «
10.9.3 Publicly Available Information
This paragraph refers to the equivalent ISO/IEC 27001:2005 Contro
scope for the Services being provided by Fujitsu on the PO,
10.10 Monitoring
10.10.1 Audit Logging
Within the HNG-X system, Fujitsu Services are required to provide facilities to produce, store and
present to (customer) auditors for analysis Audit Track data in support of the security policy and
audit requirements laid down for the system.
The Horizon (On-Line) Architecture — Support Service (Ref:- ARC/SVS/ARC/0004
within HNG-X, audit data is collected from a number of subsystems. The basic typ
data that is collected are:
• Counter application messages as received by the Branch Acces
Branch Database message journal table. This will include counter
events
• Data transferred across HNG-X system boundaries. E.g
Post Office and their clients
• Host database systems audit and archive data. In this context database audit data refers
to the saving of logs of updates applied to the databases, and database archive data
refers to the saving of old data that has been the primary databases.
• HNG-X system events — including se
• Logging of activities undertaken
system
• System scheduler logs
• Post Office Auditors
be presentedsas evid
ount Security Operations Team monitoring compliance
g enquiries regarding banking transactions
yystem Support Centre for diagnostic information
IC Centera storage array located at each campus
A number of audit workstations situated at Bracknell & Lewes.
Dedicated HP Atalla Network Security Processors situated at Bracknell & Lewes.
Each Audit Server is responsible for gathering Audit Tracks from subsystems and securing them
on the local Centera array (secure long term storage). This data is subsequently replicated to the
Audit Server at the other campus to ensure that two copies of all Audit Tracks are maintained.
As well as gathering and storing audit data on EMC Centera, the Audit Server provides services
to retrieve data from the Audit Archive. These services are utilized by the Audit Workstations.
The Audit server hosts two Microsoft SQL Server 2000 databases, which are resident on its local
storage:
• The Sealer database which is used to manage the gathering & storage of Audit tracks
• The ARQ database which is used to manage the Audit track retrieval process
10.10.2 Monitoring System Use
The Enterprise Management software suite, known as SYSMAN3, is an integration of Software
Distribution, Asset Management, Event Monitoring, Remote Support and Remote Diagnostics,
based around IBM Tivoli software.
The HNG-X System and Estate Management: Monitoring (Ref:- ARC/SYM/ARC/0003) defines
the Monitoring functions of SYSMAN3.
Service Monitoring will be performed by event flow; events may be collected in bi
and passive manner, and alerts may be created by sampling, aggregating,
other rules on the raw incoming events.
active
relevant Event Logs. The IBM Tivoli Monitoring and TEM suite of
monitoring within the solution.
Passive monitoring is the process of collecting events that
environment (e.g. in the Unix Syslog or Windows Evet
The events selected, after the rules are applied at the
network infrastructure to an event collection layer whic!
will remain in the underlying source but are not, ard
10.10.2.1 Tivoli Event Management System
Intrusion attempts will be detected e of the Tivoli Event Management (TEM)
i iled attempts to logon or to access data with
‘Tripwire and is integrated within the HNG-X systems
ent management and for software distribution and is in
its of Post Office in support of PCI Compliance.
10.10.3 Protection of Log Information
HNG-X Architecture — Security Architecture (Ref:- ARC/SEC/ARC/0003) describes that all events
from each Data Centre Platform Instance system event log are read in real-time and captured by
the Tivoli software.
Each entry to the file is read, converted into Tivoli Common Format and forwarded to the Tivoli
collection layer as soon as it has been written.
The log files are then securely managed by the Tivoli event management system through a
ensure that the users of the system, (administrative or otherwise), can
functions that they need.
The administrative users of the Tivoli system will use the Identity z
service for access control and will require a token to be able.
be executed on specific systems and will have very resi
access for obtaining
specific diagnostic or log data.
ef:- ARC/SEC/ARC/0003) event
analysis and alerting take place in real-time it correlation reduces the number of
events seen by the operator.
Furthermore the Horizon (On:
states that within Horizon i
following categories of audit
port Service (Ref:- ARC/SVS/ARC/0001)
* Counter applicati
counter transacti
e systems audit and archive data. In this context database audit data
logs of updates applied to the databases, and database archive data
inline) system events — including security events
activities undertaken by Fujitsu Services Post Office Account staff during
nance of the system
• System scheduler logs
10.10.5 Fault Logging
10.10.5.1 Fujitsu Corporate Assets
All faults with Fujitsu assets are to be reported to the Fujitsu Services 7799 Helpdesk in line with
the requirements set out in the Fujitsu UK&I BMS Manage Incidents Policy (Ref:- SM-5).
10.10.5.2 Service Delivery Units / 3rd Party HNG-X Assets
Hardware or Software errors within the HNG-X environment are reported
managed to closure in accordance with the POA Operations Incident Mané
(Ref:- SVM/SDM/PRO/0018).
Where hardware device support is provided by other Service Deli
Systems Management & Global Cloud (SMC) contact them direct
(document to be provided by SMC)
10.10.6 Clock Synchronisation
As documented in HNG-X Network Architecture (Ret
the service will be synchronised with a reliabl
It is further documented in HNG-X Syste
ARC/SYM/ARC/0001) that there is a hieré
e = The first stratum is the prim sds to be a highly reliable and the
choice is the GPS satellite: rk. centre resident GPS time server uses rooftop
ment — Overall Architecture (Ref:-
isting of several layers (or strata):
network appliances.
These platforms poll:the prim: f using version 3 of the NTP protocol as defined in
UTC format. The NTP product on the platform is
ond accuracy but will also protect against large clock shifts in a
nchronisation on reboot.
ich Router uses an NTP Server on the Boot platform.
11 Access Control
11.1 Business Requirement for Access Control
11.1.1 Access Control Policy
The Fujitsu UK & Ireland Business Management System Security Policy Manual has a clear
statement that, “Access must be controlled to Fujitsu UK&I sites, logical and physi
business processes and functionality”.
Access may be the result of direct user action, or automatically initiated acti
Control is the fundamental requirement in managing these access activiti
services on information processing systems to preserve the Confidential
Availability of POA and POL business information, services and pi
business and security requirements.
11.1.1.1 Key Principles
e Physical and logical access to all areas, syste'
consistent, with access granted selecti
ist be controlled and
ly where there is a specific
rol roles, e.g. access request,
st work on the principle that “access
itted” and the principle of “least privilege” must
ication level of information and the requirement
* Access shall be gov
Ss. The higher the classification the more selective
for separation and s
rovided with access to the facilities and services that they have
horized to use and permitted only where there is a specific need
• Users and applications must be authenticated to IT systems and this authentication
must identify them as individuals. (Note:- All access to POA Systems will be monitored).
• Initial default accounts must be renamed where possible and initial default passwords
must always be replaced by secure passwords.
• The safety and security, including confidentiality, of access credentials is the
responsibility of each individual issued with the credentials and of those issuing the
credentials.
11.1.1.2 Help Desk Environment
• Help Desks must maintain the information required to authenticate the callers and their
Branches/offices as required for the type of call. If the call needs to be passed onto
another internal POA help desk, the call must be forwarded only after the initial
authentication has been carried out.
• Wherever authorisation is given orally, normally over a telephone link, additional
verification methods must be used. This is achieved by asking callers to confirm their branch
code, post code and telephone number.
11.1.1.3. Third Party Considerations
• There must be a demonstrable need for Third Party access and all access to POA
information processing facilities by third parties must be controlled.
• A risk assessment must be carried out to determine the security implication:
requirements for any forms of physical and electronic access by tt
• On-site third parties must be identified and documented.
• All security requirements resulting from third party access
reflected in the third party contract. Where there is a speci
the information, non-disclosure agreements must bi
• Access to information and information proces:
provided until the appropriate controls have be
signed defining the terms for the conne:
11.1.1.4 Exceptions
11.2 User Access Management
11.2.1 User Registration
The User Access Process on the Account is based on the creation and control of a registry of all
personnel who work on the account and shall be consistent with User Registration Management
Procedure (Ref:- ISNO06654).
on the account, the system access they have been given and any
they have been granted.
the systems that they have been granted access to. I
authoriser, approver and dates that this access was gr:
11.2.2 Privilege Management
The Post Office Account User Access Pri
ers shall confirm each employee's current access rights requirements and
these details to the POA Security Operations Team within 10 working days of
d th Operations Security Manager (OSM) shall provide a monthly update of Privilege
ment at the Information Security Management Forum (ISMF).
11.2.3 User Password Management
Passwords within the HNG-X environment are managed as per Microsoft standards within Active
Directory as outlined in the HNG-X Architecture — Security Architecture (Ref:-
ARC/SEC/ARC/0003).
Active Directory group policy is configured to enforce the requirements of the Fujitsu UK & Ireland
Business Management System Security Policy Manual, including but not exclusively the
following:
• Force users to change temporary passwords at the first log-on
• Enforce password changes
• Maintain a record of previous user passwords and prevent re-use
By design Microsoft Active Directory will ensure passwords are stored securel a
transmitted in an unencrypted form.
11.2.4 Review of User Access Rights
The Security Operations Team conducts a regular revi
regular intervals for users who have access to POA S\
As captured in the Post Office Account User Access Pri
POA Security Team achieve this by:
ights and privileges at
ed appropriateness.
VM/SEC/PRO/0012) the
• Account Security Operations Teai
• Line Managers shall re
with their job role.
yee's current access rights requirements and
ecurity Operations Team within 10 working days of
ym Account Security Operations Team.
is Team will review all human accounts that have live access for
unused for a period of 90 days or over these will be disabled
. This will be carried out on a biannual basis as minimum and will report findings in
I Security monthly dashboard report.
11.3 User Responsibilities
11.3.1 Password Use
All Fujitsu staff are required to follow good security practices in the selection and use of
passwords in accordance with the Fujitsu UK & Ireland Business Management System Security
Policy Manual.
This is further enforced as passwords within the HNG-X environment are managé E
Microsoft standards within Active Directory (as previously mentioned in the HNG-X Architecture —
Security Architecture (Ref:- ARC/SEC/ARC/0003)).
Active Directory group policy is configured to enforce the requirements
Business Management System Security Policy Manual, including but not
following: <
e Enforce a choice of quality passwords
e Enforce password changes
e Force users to change temporary passwords
11.3.2 Unattended User Equipment
Equipment that is accessible by unauthorised:
tampering and theft.
ble to disclosure, misuse,
protect unattended user
Ireland Business Management
All Fujitsu staff are required to follow gooc
equipment that they use in accord:
System Security Policy Manual
All Fujitsu staff are
for papers and ret
UK & Ireland Bu;
lia ‘and a clear screen policy in accordance with the Fujitsu
system Security Policy Manual
11.4 Network Access Control
11.4.1 Policy on Use of Network Services
The Post Office Account User Access Procedure (Ref:- SVM/SEC/PRO/0012) is controlled by the
POA Security Operations Team and is maintained and updated on a regular basis in line with
requests being submitted. It tracks all personnel working on the account, the system access
they have been given and any security clearance level that they have been granted.
The user registry holds the information about each individual who has been grant
the systems that they have been granted access to.
11.4.2 User Authentication for External Connections
11.4.2.1 Remote User Access Authentication
Remote users must use Microsoft Remote Desktop Client
through the SSN terminal servers.
ilternative to the standard
is then prompted for their user PIN,
ard. Since the PKI credentials
recognizes insertion of the smart card into tl
CTRL+ALT+DEL key sequence, to initiate ;
which controls access to his private data:
and/or passwords are stored on the card o}
providing scope for a very flexible
s a ticket to the user which grants access to
no longer be challenged to provide their
. SN server to another Microsoft Terminal Server,
as currently Microsoft does not support pass-through
tage of pass-through authentication, commercial third party
it rejected by the business.
challenges the u:
authentication.
A number of third parties connect to the Data Centres using diverse connectivity mechanisms
and not all are owned or managed by Fujitsu.
Third parties will connect to a Transit LAN. The Transit LAN is considered to be the boundary
between the HNG-X network and any externally administered organisation that HNG-X connects
to. The transit LAN exists both for security and to provide an unambiguous demarcation between
HNG-X and that organisation.
This clearly defined demarcation is necessary to assist fault and service resolution, to facilitate
technical interface specification and to prevent administrative conflicts or inter-penetration
between HNG-X and an external organisation's network.
This demarcation exists at the physical for routers or switches, at the logical for
routing and at the service level for the traffic between application endpoint:
Transit LAN should not be confused with the DMZ; the Transit LAN is
unpopulated perimeter of the HNG-X network, beyond which no further
devices exist.
As documented in the HNG-X Technical Network Architecture (Re
Transit LAN models are identified as available for use:
• Remote High Availability Transit with Layer 2
• Remote High Availability Transit without Laye!
• Remote Solitary Transit with Layer 2 Pr
• Local High Availability Transit wit!
• Wide Area Transit
• Internal Transit
11.4.3
itecture (Ref:- ARC/NET/ARC/0001) the Network
mantics of an IP address may be both locality and
pplication interprets the source IP of an incoming TCP.
ie identity of the endpoint and assumes persistence of this identity.
used in the case where the need to attribute identity does not
ing IP address space will either be under administrative control of the 3’
IG-X control and shall be specified in the relevant Technical Interface
be defined / referenced in any OLA/SLA or contractual agreements for
and incident management.
case they specify the address space. In the HNG-X case the IP address space is
r non-peering HNG-X IP addresses stated above.
11.4.4 Remote Diagnostic and Configuration Port Protection
In order to ensure that only authorised devices may be connected to any component of the
HNG-X system (with the exception of passive devices within the Branch), all network devices will be
configured with either a static MAC address allowing only the authorised host to connect, or a
single-entry dynamic-learned MAC permission, as documented in HNG-X Technical Network
Architecture (Ref:- ARC/NET/ARC/0001).
Prior to Live operation, all MAC addresses will be recorded and validated, and all ports not
connected will be administratively shut down. This position will be monitored with network
management event reporting.
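The pre-live check described in 11.4.4 can be expressed as an audit of switch port state against the recorded MAC register. The following is an added example, not part of the manual or of any Fujitsu tooling; the port record format, port names, finding codes and MAC values are constructed assumptions.

```python
"""Audit switch ports against a recorded MAC register (all data constructed)."""
import re
from dataclasses import dataclass, field


def normalise_mac(raw):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Port:
    name: str
    admin_up: bool        # False = administratively shut down
    link_up: bool         # True = a device is connected
    mode: str = "none"    # "static", "dynamic" (single learned entry) or "none"
    max_macs: int = 0     # number of MAC addresses the port will accept
    secure_macs: list = field(default_factory=list)


def audit_ports(ports, register):
    """Return (port, finding) tuples for every deviation from the stated policy."""
    recorded = {port: normalise_mac(mac) for port, mac in register.items()}
    findings = []
    for p in ports:
        if not p.link_up:
            # Ports with nothing connected must be administratively shut down.
            if p.admin_up:
                findings.append((p.name, "UNUSED_PORT_ENABLED"))
            continue
        if p.mode not in ("static", "dynamic"):
            findings.append((p.name, "NO_MAC_RESTRICTION"))
            continue
        if p.max_macs != 1:
            # Policy allows one static MAC or a single-entry learned MAC only.
            findings.append((p.name, "MORE_THAN_ONE_MAC_PERMITTED"))
        expected = recorded.get(p.name)
        if expected is None:
            findings.append((p.name, "PORT_NOT_IN_REGISTER"))
            continue
        for mac in p.secure_macs:
            if normalise_mac(mac) != expected:
                findings.append((p.name, "UNRECORDED_MAC"))
    return findings


# Constructed register of validated MAC addresses, in mixed notations.
REGISTER = {
    "Gi0/1": "02-00-00-00-00-01",
    "Gi0/2": "0200.0000.0002",
    "Gi0/5": "02:00:00:00:00:05",
}

# Constructed port state as it might be exported from a switch.
PORTS = [
    Port("Gi0/1", True, True, "static", 1, ["02:00:00:00:00:01"]),   # compliant
    Port("Gi0/2", True, True, "dynamic", 1, ["02:00:00:00:00:99"]),  # learned an unrecorded MAC
    Port("Gi0/3", True, False),                                      # unconnected but enabled
    Port("Gi0/4", False, False),                                     # unconnected and shut down
    Port("Gi0/5", True, True, "dynamic", 4, ["02:00:00:00:00:05"]),  # accepts four MACs
    Port("Gi0/6", True, True, "none"),                               # connected, unrestricted
]

if __name__ == "__main__":
    for port, finding in audit_ports(PORTS, REGISTER):
        print(f"{port}: {finding}")
```

Run against a periodic export, the same findings are what the network management event reporting would be expected to surface after go-live.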
11.4.5 Segregation in Networks
There are a number of defined security domains within the HNG-X security model and
therefore data traffic will always be either intra-domain traffic or inter-domain traffic.
The only permitted connections to the POA network must be:
• Intra-domain traffic - Data traffic moving between systems in the same domain.
• Inter-domain traffic - Data traffic moving between systems in different domains.
There is a third class of traffic consisting of data moving into and out of the HNG-X infrastructure.
Intra-domain traffic may be unrestricted because the systems share a LAN segm:
restricted through the implementation of logical separation, (using Virtual L«
segments, firewalls or other network security controls
The security domain model can therefore be viewed a:
subnets to assist in the development of Firewall.
Domains can also span physical location
Data Centre systems as well as workstati
‘ey Management Domain contains
ns such as Bracknell and Lewes.
ation can be implemented to tightly
control communication to, from X platform instances.
using a combination of preventive and detective
ideFrame configuration, switch configuration
Separation between environmé
controls such as access cot
flow of data around the network is controlled following the principle of least
pose of network segmentation is to reduce the scope of any potential attack. By
ting the ‘attack surface’ to a limited number of systems, any damage caused as a
consequence of an attack, can be kept to a minimum.
The network segmentation is achieved using a combination of physical and virtual controls.
Dependent on the Security Domain and any specific contractual agreements with third parties,
the network segmentation is enforced using VLANs, Stateful Inspection Firewalls, Access Control
Lists and physical separation.
Each different network media type is authenticated using a dedicated RADIUS server instance
for network device access, with different Challenge-Handshake Authentication Protocol
credentials per Branch Router.
Each human support user accessing a network device is authenticated using the Identity and
Access Management Service.
11.4.7 Network Routing Control
All access in and out of the HNG-X environment must be restricted to the required traffic from/to
the authorised sources/destinations for business and system traffic using routers and firewalls.
The HNG-X network is divided into 11 Security Domains. The term Security Domain is defined to
mean a collection of platforms and network components grouped together based on type,
perceived vulnerability and risk rating. Even so, it may be necessary to restrict traffic between
platforms in a common Security Domain (intra-domain traffic) through the imple!
logical separation, (using VLANs), or physical separation, (using separate network
the same domain).
Any traffic which crosses network domain (inter-domain traffic) bound:
enforcement point that restricts data flow based on its source, destinatiot
content/format. This can be a firewall, router or other in-line contre i
(i.e. The control is physically part of the data path).
The Domain structure places a logical ring around the logic:
More specifically, this perimeter can be best describes
monitored) by Fujitsu Services, At the boundary of thes¢
or software-based) will be located, and the peri ired’according to firewall
‘ef:- ARC/NET/ARC/0001).
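The domain model in 11.4.5 and 11.4.7 amounts to classifying every flow by the domains of its endpoints and denying anything an enforcement point has no explicit rule for. The following is an added example, not the HNG-X rule base: the domain names, subnets and rules are constructed, and matching on protocol and port is an assumption about what the enforcement point inspects.

```python
"""Classify flows by security domain and apply default deny (all data constructed)."""
import ipaddress
from itertools import combinations
from typing import NamedTuple

# Constructed domain map. A domain may span sites, so it may own several subnets.
DOMAINS = {
    "key-management": ["10.10.1.0/24", "10.20.1.0/24"],
    "branch-access": ["10.10.2.0/24"],
}


class Rule(NamedTuple):
    src_domain: str
    dst_domain: str
    proto: str
    port: int


# Explicit allow list. Rules are directional; anything absent is denied.
ALLOW = {Rule("branch-access", "key-management", "tcp", 8443)}

# Domains where traffic inside the domain also needs an explicit rule
# (logical separation within a common domain).
INTRA_RESTRICTED = {"key-management"}


def overlapping_subnets(domains=DOMAINS):
    """Return pairs of subnets that overlap; any hit makes domain membership ambiguous."""
    nets = [(name, ipaddress.ip_network(n)) for name, subnets in domains.items() for n in subnets]
    return [(a, str(x), b, str(y)) for (a, x), (b, y) in combinations(nets, 2) if x.overlaps(y)]


def domain_of(ip):
    """Map an address to its security domain, or None if it belongs to none."""
    addr = ipaddress.ip_address(ip)
    for name, subnets in DOMAINS.items():
        if any(addr in ipaddress.ip_network(n) for n in subnets):
            return name
    return None


def decide(src, dst, proto, port):
    """Return (traffic class, verdict) for one flow."""
    s, d = domain_of(src), domain_of(dst)
    if s is None or d is None:
        # Third class: traffic entering or leaving the infrastructure.
        # This sketch has no rules for it, so default deny applies.
        return ("external", "deny")
    rule = Rule(s, d, proto, port)
    if s == d:
        if s in INTRA_RESTRICTED and rule not in ALLOW:
            return ("intra-domain", "deny")
        return ("intra-domain", "allow")
    return ("inter-domain", "allow" if rule in ALLOW else "deny")


if __name__ == "__main__":
    flows = [
        ("10.10.2.15", "10.20.1.7", "tcp", 8443),  # explicitly granted
        ("10.10.2.15", "10.20.1.7", "tcp", 22),    # no rule
        ("10.20.1.7", "10.10.2.15", "tcp", 8443),  # reverse direction, no rule
        ("10.10.1.5", "10.20.1.7", "tcp", 22),     # inside a restricted domain
        ("192.0.2.10", "10.10.1.5", "tcp", 8443),  # source outside every domain
    ]
    for flow in flows:
        print(flow, decide(*flow))
```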
11.5 Operating System Access Control
11.5.1 Secure Log-on Procedures
Access to operating systems will be controlled by in-built operating system procedures that
request the user to log on using approved, valid credentials.
HNG-X Architecture — Security Architecture (Ref:- ARC/SEC/ARC/0003) describes that all human
access to any component of a platform will be controlled using strong authentication. The strong
authentication solution uses the Vintella Pluggable Authentication Module (PAM
Quest Software to enable UNIX and Linux systems to become objects in Act i
e RC/SEC/ARC/0003) the
ctory tree which controls access to
it Directory Access Protocol
resources through the Windows 2003 Ki
implementations.
UNIX and Linux systems are manage
installed on each UNIX system
controlled by the directory service in the following way.
»Microsoft platform instance will use native authentication
Interactive acces:
Access to a SQL.
ation of the user to the underlying operating system. This also means that
juthentication token to logon to the Active Directory domain, prior to
getup externally to Active Directory and will be managed using a script-driven manual
itabase over the network, (such as from an application or from a management
be controlled through a combination of database access rights and network
permissions. In all cases, over-the-network access to any database will still require that the user
be set up within the database and access permissions provided accordingly. Users of any
management tool will also have needed to authenticate themselves to Active Directory prior to
using the tool.
11.5.3 Password Management System
Passwords within the HNG-X environment are managed as per Microsoft standards within Active
Directory (as previously mentioned in the HNG-X Architecture — Security Architecture, Ref:-
ARC/SEC/ARC/0003).
Active Directory group policy is configured to enforce the requirements of the Fujitsu UK & Ireland
Business Management System Security Policy Manual, including but not exclusively the
following:
• Enforce a choice of quality passwords
• Enforce password changes
• Force users to change temporary passwords at the first log-on
• Maintain a record of previous user passwords and prevent re-use
• Passwords not displayed on the screen when being entered
By design Microsoft Active Directory will ensure passwords are stored securely and
transmitted in an unencrypted form.
11.5.4 Use of System Utilities
Management domains using system management applications wi
control appropriate to the operational functions they offer.
access and role
Where appropriate, this will utilise the capabilities of Acti
This is defined in the HNG-X System and Estate Manage:
{ARC/SYM/ARC/0001}.
11.5.5 Session Time-out
e e Remote Desktop Protocol (RDP) to logon to AD
rs has a session time-out set of 15 minutes of inactivity.
11.6 Application and Information Access Control
11.6.1 Information Access Restriction
A key principle with the HNG-X Architecture — Security Architecture (Ref:- ARC/SEC/ARC/0003)
is that of Least Privilege.
Access must be provided using the principle of “that which is not explicitly granted is denied” or a
“default deny”, by only granting the permissions necessary to carry out the action’
performed. These permissions include application, platform, network and manag
policy and process), or any combination necessary to perform the action
This approach assumes that, subject to risk assessment and given the
system or other software, any entity such as a user, an application, a de’
application code has no permissions to perform any action before: is
assumes that the default configuration of all systems is to deny acc
ensure that the permissions matrix is developed correctly to,
access they need to perform their function.
11.6.2 Sensitive System Isolation
The HNG-X Architecture — Security Archite:
principles of Security Tiers and Domains
that a compromise of one Platform Instant
entire estate and campus. This model gro!
vulnerability and risk rating.
There are three tiers in this m lard architecture for web applications, with
posed in Tier 3. Exposed, in this context,
A security domain model has
such that systems wit
similar level of
11.7 Mobile Computing and Teleworking
11.7.1 Mobile Computing and Communications
Fujitsu UK & Ireland Business Operations, Information and Technology Group Internal IT Policy
(Ref:- ITG-PO1) captures that there is a single approved method for full remote access into the
Fujitsu UK&I network, consisting of the Cisco Remote Access client and the iPass Connect
software. This solution is for the use of individuals using Fujitsu PCs, not for connecting sites or
remote offices.
Only standard-build Fujitsu UK&I devices may be connected to CVPN and
on the remote device is checked for conformant settings during logon.
As defined in HNG-X Technical Network Architecture (Ref:- ARC/NET/AR(
authenticated onto the Fujitsu UK&I network all remote users mus! Mi
Desktop Client (RDP) in order to logon to AD domain throug}
11.7.1.1
Avoid leaving equipment in your c:
• Most hotels provide safe:
equipment and informati:
• Avoid displaying any
never know who mi
11.7.1.2 Overseas Ti
Fujitsu subscrib
provides two
welling overseas are also recommended to seek advice from the UK Foreign and
Office or, if based outside the UK, from their relevant Government department.
11.7.1.3 Mobile Phones
Fujitsu advocates flexible working and as such issues a large number of mobile phones to its
employees.
The use of these mobile phones is governed by the Information and Technology Group Fujitsu
Managed Mobile Service Security Policy (Ref:- ITGSM-05).
11.7.2 Teleworking
Fujitsu does employ some members of staff whose default working location is from home and the
principles for home based working are captured in A Managers Guide to Home Based Working.
There is further guidance on the Fujitsu UK&I Security Portal for Fujitsu staff working from Home
or Away from the office. The Working away from the Office requirements are captured in
Paragraph 11.7.1.
11.7.2.1 Home
• Carry out work in a dedicated and lockable work area (where possible) designating a
particular room or area of the room solely for that use.
• The work area should minimise and control unexpected interruptions from
visitors
• Exercise a clear desk policy when out of the room, unless you are
and secure access to the work area
• Keep all your backups safe and secure, preferably away fr
• When papers are no longer required bring the documents
secure disposal
• Ensure that valuable equipment is locked away when
time
12 Information Systems Acquisition, Development
and Maintenance
12.1 Security Requirements of Information Systems
12.1.1 Security Requirements Analysis and Specification
Fujitsu uses an architectural approach to methodologies. Recogni
address a common set of concerns, Fujitsu has a methodology fre
project-specific methodology to be dynamically created from,
methodologies can be composed from predefined pract
appropriate tools can be combined to support th:
development that enables linear
derstood phases.
The HNG-X Design & Build Met
BMS ADBM Build and Ui
that a correct and valid solution can be built.
nts are analysed a Design Proposal is created using the Design
igh level description of the proposed technical and operational solution
rt dialogue with the Business and Service Requirements stakeholders in order to
demonstrate compliance to their requirements.
• Identify the primary technologies that will be used to deliver the solution
• Elaborate on the areas of business change and their impact on the HNG-X Solution and
Services
• Identify any impact on the existing HNG-X Architecture and core Solution Designs
• Identify how the Functional and Non-Functional requirements will be met
• Identify the nature of any Security solution changes
• Identify the nature of any impact on existing contractual obligations or measures
• Identify how the solution will be delivered into live service and the manner by which
on-going service operation will be achieved
If products are bought in, a formal evaluation and procurement process must be followed.
Contracts with suppliers must address the security requirements.
12.2 Correct Processing in Applications
12.2.1 Input Data Validation
The HNG-X Design & Build Methodology (HNGxDBM) Code, Build and Component Test process
(Ref:- PGM/PAS/PRO/0003) defines the activities required for the Post Office Account to build
solution components, based on an understanding of agreed requirements, test them as individual
components, integrate those components with others developed internally or by third parties and
then conduct component integration testing.
The process details the activities that are necessary to:
• Plan the testing to be carried out on the individual component and any required
combinations of components
• Develop the code on the basis of the LLD and applicable coding standards
• Undertake code reviews to determine standards compliance and identify code defects
• Conduct component level testing to identify defects
A Component Test Plan is generated and code review undertaken using the HNG-X Generic
Code Review Template (Ref:- DEV/GEN/TEM/0003) to generate comments / defects.
upport Documentation Process
nt for a Support Guide (SPG), which will
3)) describes the activities required for the POA to build solution
ased on an understanding of agreed requirements, test them as individual
itegrate those components with others developed internally or by third parties and
conduct component integration testing.
The process details the activities that are necessary to:
• Undertake code reviews to determine standards compliance and identify code defects
• Conduct component level testing to identify defects
12.2.4 Output Data Validation
The HNG-X Design & Build Methodology Code, Build and Component Test process (Ref:-
PGM/PAS/PRO/0003) defines the activities required for the Post Office Account to build solution
components, based on an understanding of agreed requirements, test them as individual
components, integrate those components with others developed internally or by third parties and
then conduct component integration testing.
The process details the activities that are necessary to:
• Plan the testing to be carried out on the individual component and any required
combinations of components
• Develop the code on the basis of the LLD and applicable coding standards
• Undertake code reviews to determine standards compliance and identify code defects
• Conduct component level testing to identify defects
A Component Test Plan is generated and code review undertaken using the HNG-X Generic
Code Review Template (Ref:- DEV/GEN/TEM/0003) to generate comments / defects.
12.3 Cryptographic Controls
12.3.1 Policy on the Use of Cryptographic Controls
Services will comply with Post Office Cryptographic standards, contractual and relevant
regulatory requirements, including PCI-DSS, for the handling of cryptographic key material, and
staff are to follow all UK and European standards, regulations and directives detailing where and
how encryption algorithms may be used, as captured in the HNG-X Crypto Services HLD (Ref:-
DES/SEC/HLD/0002).
Government specified algorithms and key lengths must be used where POL:
are specifically required by HM Government.
• All cryptographic key lengths shall be at least 128 bits for symm:
1024 bits for asymmetric keys where the associated crypt
integrity or confidentiality of Horizon Online Business Dat:
Application Software.
• PCI requirements state that for PCI Card holder data all
128 bit TDES in length.
Approved keys must be protected in line with Gi
directed by POL Ltd.
documents. All keys used for signing data
greater than the highest levels of d: i
Encryption key management
confidentiality of POL traffic is
or the encryption system.
ist unauthorised use, modification, loss, and
ys need protection against unauthorized disclosure.
All cryptographic keys must be
destruction. In addition, secre
ecover the system to a secure operating state from the compromise of any
indirectly expose plain text PIN values.
cribed in more detail in the HNG-X Key Management High Level Design (Ref:-
3 0003) and the HNG-X Key Management Support Guide (Ref:-
P/SPG/0004).
The HNG-X Key Management solution has simplified Key Management for the Post Office. The
HNG-X Key Management system replaces the Horizon Key Management.
12.3.2.1 Keys
Keys are managed using the HNG-X Key Management Workstation (on the KSN platform),
stored on the NPS database and fetched from the NPS database via the Key Service (KSS
application on the KMN platform) to the Key Service Client (KSC) located on the various HNG-X
business application platforms (e.g. Network Banking Services). The KSC passes the keys to
the Crypto Application Programming Interface (API) for use by the business applications.
12.3.2.2 Master File Key
The Master File Key is protected by being stored on the networked HSM (Hardware Security
Module) devices introduced for HNG-X. New functionality is introduced at HNG-X to enable the
networked HSMs to be shared and used by the business applications that require PAN
encryption and decryption services. The business application's Crypto APIs use the HSM Access
Service API to access the HSMs. The HSMs are used with the Secure Configuration Assistance
and the Key Management Workstation to generate the AKB keys.
12.3.2.3 Traffic Keys
destination. The TKs themselves are unprotected and must be dé
a separate secure mechanism (ie:- delivered manually via a key dis}
delivered by the KSC/KSS mechanism). In both cases the TK is requ
Service at server start-up and held by that service for use within!
cryptographic layer.
12.4 Security of System Files
12.4.1 Control of Operational Software
The HNG-X Design & Build Methodology Integration Process (Ref:- PGM/PAS/PRO/0009)
describes the activities undertaken to collect and prepare system components that are to be
released into the test or live environment.
This process is applicable to integration and release activities during the HNG-X«
project and will be reviewed and updated to reflect the different constraints appli
integration and release in a live environment at that time.
Furthermore, Fujitsu personnel engaged in the provision of the Services
use proprietary software within the terms of the licence conditions. Unauth
distribution of software and documentation is prohibited.
The Account configuration management system will maintain an ii
software used by all services.
to ensure that no
ssion facility.
The Account Change Management Processes must be utilised
changes are made to operational software without au
12.4.2 Protection of System Test Da
All test data and test cases for POA servi
protected and controlled as captured in HI
Test Process (Ref:- PGM/PAS/PI
Operational databases or live d
needs to be used, for testing re:
in the test environment.
Operational information will bs
the testing is complet
Source Repository — location of code with the repository which is required by the
Software Support
12.5 Security in Development and Support Processes
12.5.1 Change Control Procedures
Changes to the provision of services must be formally managed, taking account of the criticality
of business, systems and processes involved and the re-assessment of risks.
The Fujitsu POA has a dedicated Change Management function governed by the Fujitsu Manage
Change Policy (Ref: SM-3) and Manage Change Process (Ref: C-MSv1.5).
(CP) irrespective of its origination (Customer or Internal) and as
Management Team.
12.5.2 Technical Review of Applications after O
Changes :
Prior to any operating system upgrade or change, a re'
procedures must be carried out to ensure thi
changes.
When operating systems are cl
to ensure there is no adverse it
0002), and a key management solution has been developed in the absence of
natives.
12.5.4 Information Leakage
12.5.4.1 Obfuscation of Logs
The End to End Application Support Strategy (Ref:- SVM/SDM/PRO/0875) stipulates that certain
log files must be processed to obscure personal details that exist within them before they can be
passed to support teams outside the European Union.
As new log files are generated by system enhancements, development units need to be aware of
the Data Protection Act (DPA) and ensure that information in any new log files is ei
DPA terms or that appropriate changes are made to the obfuscation tool.
Areas currently identified as potentially containing personal data are capt
Counter/BAL-OSR Data For 4LS (Ref:- DES/APP/DPR/0008) and inclu
• Counter OSR / BAL message log file
• Counter application log file
*Not handled by obfuscation tool
In order to allow the use of such informal scation tool has been developed for
formation before passing to any external
into Peak.
The HNG-X Tool for Obfuscati
DEV/GEN/SPG/0023).documer
mp file brdb_rx_rep_session_data.cvs
lessage log
BS Application log
Audit logs are not supported by this tool.
Although sensitive data is already obfuscated to comply with PCI when generated, this tool will
be used to remove personal identification data that may be logged according to PCI but which
must not be sent offshore to India. An individual piece of data may not be sufficient alone to
identify a person but combined with other data might be.
The tool obfuscates any individual piece of data that might, in combination with other data,
identify a person although it does not check whether any other such data exists.
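The per-field behaviour described above (each data item is obfuscated on its own, with no check for what else is on the line) is shown in the following added example. It is not the HNG-X obfuscation tool: the log format, field patterns and key are constructed, and the use of keyed HMAC pseudonyms so that support staff can still correlate lines is an assumption, not something the manual states.

```python
"""Field-level log obfuscation before logs leave the support boundary (constructed data)."""
import hashlib
import hmac
import re

# Constructed key. Whoever holds it can test guesses against pseudonyms,
# so it must not travel with the obfuscated logs.
SECRET = b"constructed-demo-key"

# Constructed patterns for items that could, combined with others, identify a person.
PATTERNS = [
    ("NAME", r"(?<=name=)[^;]+"),
    ("POSTCODE", r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    ("PHONE", r"\b0\d{9,10}\b"),
]

# One combined expression so the line is scanned once and replacement
# text is never re-examined by a later pattern.
COMBINED = re.compile("|".join(f"(?P<{kind}>{pat})" for kind, pat in PATTERNS))


def pseudonym(kind, value):
    """Replace a value with a stable keyed token; equal values give equal tokens."""
    msg = f"{kind}:{value.strip().lower()}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:10]}>"


def obfuscate_line(line):
    """Return (obfuscated line, number of items replaced).

    Each match is replaced independently; there is no check of whether the
    line holds other data that would make the item identifying.
    """
    return COMBINED.subn(lambda m: pseudonym(m.lastgroup, m.group(0)), line)


# Constructed sample log lines.
LINES = [
    "2014-04-30 10:02:11 counter=07 name=Jane Example; postcode=ZZ99 9ZZ; tel=01632960123",
    "2014-04-30 10:05:40 counter=07 name=JANE EXAMPLE; basket=3 items",
    "2014-04-30 10:06:02 counter=07 balance check ok",
    "2014-04-30 10:07:19 counter=07 delivery to ZZ99 9ZZ",
]

if __name__ == "__main__":
    for raw in LINES:
        clean, replaced = obfuscate_line(raw)
        print(f"{replaced} item(s): {clean}")
```

Any new log file whose fields are not covered by a pattern passes through unchanged, which is why the text asks development units to update the tool when they add logging.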
12.5.5 Outsourced Software Development
The POA outsources some Software Development to GDC India. Where this occurs it is
provisioned under a documented "Statement of Works" ie:- Statement of Work Post Office
Account Fourth Line Support & System Management Centre From the India GDC (Ref:- PO SMC.
4LS GDC SoW).
The Statement of Work (SoW), for the provision of services (resources) by the Fujitsu India
Global Delivery Centre (GDC) for the Post Office Account (Account), is performed in accordance
with the terms and conditions set forth in the Master Services Agreement effective 30th January
2009 between the Fujitsu India Global Delivery Centre (GDC), Fujitsu Consulting India Private
Ltd. (FCI), and Fujitsu UK & Ireland, Fujitsu Services Ltd (UK&I).
The GDC are required to adhere to the specific Security Policies in place betwee!
UK&I Post Office Account and the GDC.
12.6 Technical Vulnerability Management
12.6.1 Control of Technical Vulnerabilities
The vulnerability management service ensures security patches and updates are maintained at
the appropriate level. The service provides secure platform builds that have been hardened to
reduce the vulnerability of the standard platform. The service provides protection against
malware in the form of Viruses, Trojans, and Worms etc. and detects and prevents malicious
code and malicious activity on the network. This service supplies the assurance
platform and application vulnerabilities have been reduced to a minimum.
The following facilities are supplied by the service:
• Provides System Hardening.
• Provides Vulnerability Management.
• Provides Patch Management.
• Provides Malware Management.
Controls Vulnerabilities within HNG-X.
errors as well as software bugs.
12.6.1.1 Vulnerability Scanning
The McAfee Foundstone vuinet
This appliance will be confi
basis.
itch Management
luce vulnerability to exploitation and ensure that all systems within the HNG-X environment
he relevant and appropriate patches applied within a reasonable timeframe, there will be a
patch management system described in full in the HNG-X Patch Management Process (Ref:-
SVM/SEC/PRO/0009); the design for the patch management system is described in the
HNG-X Patch Management HLD (Ref:- DES/SEC/HLD/0006).
This system will provide mechanisms for:
• Gathering patches and updates to major operating systems and applications
• Evaluating and filtering the patches and updates
• Testing the patches and updates
• Deploying the patches and updates.
The Patch Approval Board is a virtual team that meets monthly and reviews the HNG-X Patch
Deployment Spreadsheet and seeks agreement on the patch set to be deployed and in what
timescale, for example as an emergency fix or for inclusion at the next release.
The team is able to use the criteria established by the manufacturer of the product to assist in
making its decision; these take account of the following:
• How likely it is that the vulnerability will affect the operating systems, applications,
databases, or network equipment.
• How easy or difficult it is for someone to make use of the vulnerability and use it to create
a threat to the POA operating systems, applications, databases, or network equipment,
its simplicity.
• The severity of the damage that can occur if this patch is not appl
The filtered patches will then go through LST testing and be distribute:
using the Tivoli software distribution mechanism.
Data integrity of each patch or update, (and of software distribu'
a file hashing mechanism. This does not give the same level.of pro’
the software installed is the software delivered by the
system.
Due to the technical and management security control
infrastructure, there is considered to be a gi
than that from malicious code.
The software distribution mechanism is des
s HNG-X System and Estate
Management Software Distribution and Asset
(Ref:- ARC/SYM/ARC/0002)
13 Information Security Incident Management
13.1 Reporting Information Security Events and Weaknesses
13.1.1 Reporting Information Security Incidents
An Information Security Incident is defined as "an adverse event or series of events that
compromises the confidentiality, integrity or availability of POA information or infc
technology assets, having an adverse impact on Fujitsu reputation, brand, } Perform
to meet its regulatory or legal obligations."
Information security events must be reported through the POA Servic
Procedure (Ref:- SVM/SDM/PRO/0018), or via 7799 for supportit
Fujitsu UK&l BMS Security Incident Process (Ref:- I-IS1.1) as qui ible. This Process
iffect the support
upon as outlined in the POA Operations Incident Mana:
All security incidents reported to the Service
handled in accordance with the incident
It is recognised by the POA!
nt Team that no system can be 100% secure
and the POA may be vulneral
curity Weaknesses.
As required by th
a security weakn where in the systems being supported by the Account (including
ity Management Service), then they must report these matters to
nt Team via Line Management at the earliest opportunity in
13.2 Management of Information Security Incidents and Improvements
13.2.1 Responsibilities and Procedures
The management of Incidents is captured in the POA Operations Incident Management
Procedure (Ref:- SVM/SDM/PRO/0018). This procedure identifies some key roles within the POA
for Information Security Incident Management:
13.2.1.1 Service Desk Agent
The Service Desk Agents provide a single point of contact for users, de:
management of routine and non-routine Incidents, Problems and
13.2.1.2 Incident Manager
The Incident Manager's principal responsibility is to dri
monitor its effectiveness and make recommendations
ensure that service is improved through the efficient re
agement process,
ment. The key objective is to
dncidents.
13.2.1.3 Incident Resolver
The Incident Resolver is to accurately diag!
and to assess, plan, build/test an
Management Process. This role \
delivery units
ducting any lessons learnt from Information Security Incidents.
ito the Information Security Policy review and potentially
controllers of potentially compromised sensitive information.
Should it be considered necessary the incident might be passed to an external investigator or
forensics team, who will ensure that any data required for evidential purposes is captured and
investigated using a systematic approach which ensures that an auditable record of evidence is
maintained and can be retrieved.
In some cases, where a compromise to card data is involved, two Forensic Investigation teams
may be involved. One team operates on behalf of POL, gathering the required audit logs to
analyse and investigate the problem. A second Forensic Investigation team may be imposed
to investigate on behalf of the card acquirer and card schemes. In all instances where a
Forensic Investigation is involved, the Forensic Investigators will be shadowed by POL's Legal
and Security Teams.
Incident investigation procedures must ensure that evidence is collected such that it is admissible
and of sufficient weight by keeping original documents, copies of information held on hard discs,
removable media and log files.
13.2.3.1 Audit Track Retrieval and Analysis
The Horizon (On-Line) Architecture — Support Service (Ref:- ARC/SVS/ARC/0001) describes in
detail that the outputs of Audit Track retrieval is initiated by a request (either fro! ithin Fujitsu
Services or Post Office) for access to audit data. This data may be provided either ini
form, i.e. a simple copy of the Audit Track files or may be subject to som
application on the Audit workstation. The audit client application i
to perform certain actions.
• Online extraction of data from the Audit Archive
• Seal Checking to ensure extracted
• Server based tools to filter Audit 1
• Workstation based tools to analyze.
• Decryption of encrypte
The vast majority of Audit Tract
event data. Thus the servi
types of request.
dit track Retrieval and Analysis is available in Audit Data Retrieval
HLD/0029).
14 BUSINESS CONTINUITY MANAGEMENT
14.1 Information Security aspects of Business Continuity
14.1.1 Including Information Security in the Business Continuity Management Process
Fujitsu are committed to Business Continuity as demonstrated by the Fujitsu UK&
Business Continuity Master Policy (Ref:- CPM31).
This Corporate policy advocates that actual or potential Major/Serious ir
the Activities that support Fujitsu UK and Ireland key products and servi
Ireland Business Process (Ref:- I-AB 1.9)), executing those plans,
occur and proactively reducing the impact that incidents wil
products and services, where it is appropriate to do so.
The POA Business Continuity Manager is responsib!I
to minimize the impact on the Account and delivery
information assets. This process will identify the critical
Information Security management requirement:
continuity requirements.
The HNG-X Business Continuity Frame’
principle requirement specified with
Continuity Plans which conform
Information Security.
The POA CISO and / or thi
development and mainten:
reviewer on any changes to
requirements are adeq:
Risk and Assurance Lead will be involved in the
, and any continuity plans, by contributing as a
juity Plans, to ensure that Information Security
ind impact of such interruptions and any consequences for Information Security
ecorded in accordance with the HNG-X Information Security Risk Management
e (Ref:- SVM/SEC/PRO/0033).
A coordinated approach between Business Continuity and the Account Security Team is required
to measure the Information Security Risk exposure.
14.1.3 Developing and Implementing Continuity Plans including Information Security
The POA Business Continuity Manager must ensure that effective business continuity plans are
agreed and maintained. The POA Security Management Team under the direction of the CISO
should ensure that Information Security is an integral part of the overall business continuity
process to reduce the risks from deliberate or accidental threats to deny access to vital services
or information including deliberate loss of confidentiality and integrity of POA assets.
The HNG-X Business Continuity Framework (Ref:- SVM/SDM/SIP/0001) captures that there shall
be four Continuity Plans for HNG-X and by definition Information Security will have a footprint in
all of the following:
• HNG-X Services Business Continuity Plan (Ref:- SVM/SDM/PLA/0002)
• HNG-X Support Services Business Continuity Plan (Ref:- SVM/SDM/PLA/0001)
• HNG-X Security Business Continuity Plan (Ref:- SVM/SDM/PLA/0031)
• HNG-X Engineering Service Business Continuity Plan (Ref:- SVM/SDM/PI
These plans must be maintained, to enable internal operations and busi
maintained following failure or damage to vital services, facilities or infot
The POA maintains a framework of Business Continuity Plan:
Framework (Ref:- SVM/SDM/SIP/0001).
The Business Continuity Framework defines the meth
(Post Office Account) and POL for handling all aspect:
Continuity Plans to satisfy both Contractual
Continuity as required by Fujitsu UK&l BN
The HNG-X Business Continuity Fi
ervices (POA) deliverables associated with
review and assurance.
testing ‘Applicable Services’ by verifying the operational continuity of the HNG-X operational
services and related infrastructure.
This testing will provide the necessary assurance that all possible business continuity risks have
been identified and that appropriate plans are in place to mitigate against such risks.
The HNG-X Business Continuity Test Plan (Ref:- SVM/SDM/PLA/0003) brings together the
testing requirements of all Post Office Account Business Continuity plans and documents the
schedule and methodology to be adopted for both initial and on-going tests.
The POA Business Continuity Management Team produces an annual Business Continuity Test
Schedule Planner (Ref:- NSN). Tests will be conducted either through procedural walk-through or
through full activation of the contingency plans. Where appropriate, and when agreed, POL will
participate in tests which require their input.
The POA Business Continuity Manager is responsible for ensuring that the Business Continuity
Plan is regularly reviewed.
15 COMPLIANCE
15.1 Compliance with Legal Requirements
15.1.1 Identification of Applicable Legislation
As documented in Fujitsu Way Code of Conduct Global Business Standards (Pa:
placed upon it by its stakeholders.
Stakeholders cascade policies, standards, contractual and legisla
and POA is then required to capture these and manage how it wil
series of controls or rules. POA is also required to monitor
The Quality and Compliance Framework (Ref:=:
needed to ensure it meets the obligations of:
managed, monitored and reviewed.
To supply services to POL POA uses shar
POA is mandated to follow the frame
within the whole of Fujitsu; therefore
ss and procedures documented by Fujitsu
are the sources of these requirements and are individuals and organizations
»port or provision of POA services to POL and its other customers.
15.1.2 Intellectual Property Rights (IPR)
Fujitsu Way Code of Conduct Global Business Standards (Paragraph 4) captures Fujitsu's
commitment to protect IPR.
The Copyright, Designs and Patents Act 1988 states “The owner of the copyright has the
exclusive right to copy the work." It is illegal to copy software without the copyright owner's
permission.
Proprietary software must be used within the terms of the licence conditions and unauthorised
copying of software and documentation is prohibited.
Where practicable the POA will use vendor-supplied software packages without any
modifications. However, if changes are deemed necessary, these sho!
Whilst it would be preferable that the changed software should be.
supplier it is recognised that any bespoke modifications may be o!
lifecycle.
The POA will not permit any unauthorised modified or non-stani
incorporated.
An inventory of all proprietary software used by the Se!
As captured in Fujitsu's Documentation an
is defined by ISO 9000 as being “
activities performed” that can be 4
y fained for the contractual period will be accessible
throughout the required retentio will be safeguarded against loss due to future
technology change as.refere
Data will be retri
required can b:
15.1.4 Data Protection and Privacy of Personal Data
ly stated policy to comply with all laws and regulations relating to the protection
lications handling personal data on individuals must comply with data protection legislation
iples. POA shall process personal data only in accordance with the instructions of each
troller as set out in the Agreement and applicable provisions of CCDs dealing with such
processing.
15.1.5 Prevention of Misuse of Information Processing Facilities
It is a clearly stated Fujitsu Policy that users shall be deterred from using information processing
facilities for unauthorized purposes as captured in Fujitsu UK & Ireland Business Management
System Security Policy Manual and the policy on the Acceptable Use of IT Within Fujitsu
Services.
Under the Computer Misuse Act, it is an offence to access or modify material without proper
authority, or to access material with intent to commit further offences. Warning notices to this
effect must be displayed to potential users prior to system log-on.
15.1.6 Regulation of Cryptographic Controls
Services will comply with Post Office Cryptographic standards, contractual and relevant
regulatory requirements, including PCI-DSS, for the handling of cryptographic key material, and
staff are to follow all UK and European standards, regulations and directives detailing where and
how encryption algorithms may be used, as captured in the HNG-X Crypto Servi HLD (Ref:-
DES/SEC/HLD/0002).
Government specified algorithms and key lengths must be used where P'
are specifically required by HM Government.
• All cryptographic key lengths shall be at least 128 bits for symm
1024 bits for asymmetric keys where the associated crypt i
integrity or confidentiality of Horizon Online Business Dat
Application Software.
• PCI requirements state that for PCI Card hol
128 bit TDES in length.
15.2 Compliance with Security Policies and Standards and Technical Compliance
15.2.1 Compliance with Security Policies and Standards
Compliance with the requirements defined in the POA Information Security Policy is mandatory.
The policy is to be applied throughout POA for the secure management and operation of all
systems and Services designed, built, implemented, operated, used, supplied ot
Fujitsu POL Account.
Regular audits are carried out under the direction of POA CISO and/or P\
Assurance Manager, to verify that POA is operating in accordance wit!
procedures.
Security Audits can also be initiated by POL, its clients or regulato
specific incident or on a regular basis.
ordinated, reported and corrective action plans acted
(Ref:- PGM/PAS/PLA/0014) which is maintained by th
Where relevant, POA will comply with customer.
standards and regulatory requir
Technical compliance chec!
erts specifically contracted for this purpose. Caution should be exercised in case
ration test could lead to a compromise of the security of the system and
d and co-ordinated as part of the Integrated Audit Schedule (Ref:- PGM/PAS/PLA/0014)
which is maintained by the POA Quality Manager.
15.3 Information Systems Audit Considerations
15.3.1 Information System Audit Controls
Fujitsu Services are required to provide facilities to store audit data and subsequently present it
for analysis as described in the Horizon (On-Line) Architecture — Support Services (Ref:-
ARC/SVS/ARC/0001).
This is in support of the audit requirements laid down for HNG-X Technical Security Architecture
(Ref:- ARC/SEC/ARC/0003).
Audit data may be requested by a number of different end users, for a nui
reasons. These include:
• Post Office Auditors in connection with Fraud investigati
may be presented as evidence in court.
• Fujitsu Services Post Office Account Security Ope!
with security requirements
• Post Office users handling enquiries regardin
• Fujitsu Services System Support Centre for di
Within Horizon (Online), audit data is collect. f subsystems. The following
categories of audit data are collected:
• Post Office Auditors in connection Jations — in which case the data may
be presented as evidenc:
• Branch Access Layer. This will include
• Data transferred ac system boundaries. E.g. Bulk file transfers to
and from Post Office
audit and archive data. In this context database audit
ving of logs of updates applied to the databases, and database
othe saving of old data that has been purged from the primary
Online) system events — including security events
tivities undertaken by Fujitsu Services Post Office Account staff during
System scheduler logs
15.3.2 Protection of Information System Audit Tools
As described in the Horizon (On-Line) Architecture — Support Services (Ref:-
ARC/SVS/ARC/0001), the Audit Data Gathering and Storage facilities must be generic and
extensible; in particular any new applications introduced into the Horizon (Online) system should
interface to the Audit Server.
Tools to extract and prepare data for analysis are provided together with facilities to manage
internal Post Office Account data retrieval activities. Access, by Post Office Account staff, to the
retrieval and extraction facilities is via the user interface provided on the Audit Workstation.
Access to the Audit servers and workstations is limited to authorised personnel and is policed
using two factor authentication and the Horizon (Online) Identity and Access Management
System.
The Audit Workstation provides facilities for authorised Fujitsu Services staff to access the Audit
Server in order to retrieve Audit Track data from the Audit Archive and to either select or prepare
Audit Track data for presentation to Post Office or in support of internal audit activities. The Audit
workstation is dedicated to this task & provides no other facilities.
Browse and filter tools are configured on the Audit Workstation enabling subsequent
searches/filters on files to be performed.
There is no automated synchronisation between the Audit Data Extraction and th
filtering facilities