FUJ00235012 - Fujitsu - Post Office Account User Access Work Instructions

Post Office Account User Access Work Instructions
FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Document Title: Post Office Account User Access Work Instructions
Document Reference: SVM/SEC/PRO/0012
Document Type: Work Instruction
Abstract: This document describes the controls that Post Office Account follow to manage user access to its assets, based on its contractual requirements to protect assets, systems and data.

Document Status: APPROVED
Author & Dept: ISM Jason Muir
External Distribution: None

Security Risk Assessment Confirmed: YES

Approval Authorities:

Jason Muir Information Security Manager See Dimensions for record
© Copyright Fujitsu 2008-2020. FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE). UNCONTROLLED WHEN PRINTED OR STORED OUTSIDE DIMENSIONS.
Ref: SVM/SEC/PRO/0012
Version: 14.0
Date: 19-Aug-2020
0 Document Control
0.1 Table of Contents

0 Document Control
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations/Definitions
0.6 Changes Expected
0.7 Accuracy
0.8 Security Risk Assessment
1 INTRODUCTION
1.1 Purpose
2 USER SYSTEM ACCESS
2.1 Pre-requisites for allocation and removal of Access
2.2 CSPOA User Registry
4 PROCESSES
4.1 Post Office Account New Joiner
4.2 Moving within POA or amendment to access
4.2.1 Fujitsu Staff not on the POA
4.2.2 POL Staff and 3rd parties
4.2.3 Requests for TESQA & APPSUP access elevated privileges
4.3 Leavers
4.3.1 POL Staff
4.3.2 Staff who are leaving Fujitsu
4.3.3 Staff who are terminated with immediate effect
4.3.4 Fujitsu staff whose assignment with POA has been completed
4.3.5 POA staff who are moving to another part of Fujitsu
5 MANAGEMENT
5.1 Review
5.2 Reporting
5.3 Audit
6 APPENDIX A
6.1 Fujitsu EMEIA Master Security Policy Manual
6.2 Security Requirements
7 APPENDIX B: POA ROLE-BASED TEAM ACCESS
8 APPENDIX C: LIST OF POA SYSTEMS
APPENDIX D: URL FOR USER ACCESS FORMS
8.1 New user access form
8.2 Revocation Form
8.3 Mover Form
9 APPENDIX E: LIVE SYSTEMS EMERGENCY ACCESS


0.2 Document History

| 0.1 | 12/12/08 | Initial Draft version | N/A |
| 0.2 | 27/07/09 | Amended following full review | N/A |
| 1.0 | 47/07/2009 | Approved version | N/A |
| 1.1 | 09/02/2010 | Amended CSPOA and CISO details | N/A |
| 2.0 | 15/02/2010 | Approval version | N/A |
| 2.1 | 27/07/2010 | Minor updates and improvements | N/A |
| 2.2 | 27/08/2010 | Insertion of new bullet in 2.5 | N/A |
| 2.3 | 13/10/2010 | Updated in response to review comments. | N/A |
| 3.0 | 25-Oct-2010 | Approval version | N/A |
| 3.1 | 30-Jul-2011 | Amendments made to add additional responsibilities | N/A |
| 3.2 | 21-09-2011 | Amendment to process and additional flow diagrams added | N/A |
| 3.3 | 23-Sep-2011 | Prep for formal review | N/A |
| 3.4 | 18-Oct-2011 | Revised following review | N/A |
| 4.0 | 18-Oct-2011 | Approval version | N/A |
| 4.1 | 27-Nov-2012 | Updated with comments from POL | N/A |
| 4.2 | 12-02-2013 | Updates made to process | N/A |
| 4.3 | 12-Mar-2013 | Amended manager role to Line/Assignment Manager. | N/A |
| 5.0 | 9-Jul-2013 | Approved version | N/A |
| 6.0 | 16 Dec 2013 | Review - Final | |
| 6.1 | 03 Jun 2014 | Updated after internal audit and annual review | Annual Review |
| 7.0 | 06-Jun-2014 | Approval version | |
| 7.1 | 01-Apr-2016 | Diagrams updated & aligned to Fujitsu Security Policy Manual | N/A |
| 7.2 | 21-Apr-2016 | Amendment to section 6.2 | N/A |
| 8.0 | 22-Apr-2016 | Approval version | |
| 8.1 | 23-Jun-2016 | Minor Amendments as a result of 2016 ISO27001 audit, remove reference to paper forms, add links to forms, rationalise review and reporting sections. | N/A |
| 9.0 | 28-Jun-2016 | Approval version | |
| 9.1 | 27-Jul-2017 | Minor Amendments to document Hyperlinks as a result of SharePoint migration | N/A |
| 10.0 | 28-Jul-2017 | Approval version | |
| 10.1 | 26-Oct-2017 | Addition of TESQA & APPSUP access management | |
| 11.0 | 07-Nov-2017 | Approval version | |
| 11.1 | 16-Jan-2019 | Update to Appendix B - POA Role based Access | N/A |
| 12.0 | 18-Jan-2019 | Approval version | |
| 12.1 | 21-Jan-2019 | Update to Appendix C - List of POA systems. | |
| 13.0 | 22-Jan-2019 | Approval version | |
| 13.1 | 04-Feb-2020 | Update to Section 8 Appendix C - List of POA systems | |


| 13.2 | 30-Mar-2020 | Various minor updates | |
| 13.3 | 09-Jun-2020 | Approval version, downgrade to LWI, update links, names | |
| 13.4 | 04-Aug-2020 | Changes to address remaining comments from review of 13.2 | |
| 14.0 | 19-Aug-2020 | Approval version | |

0.3 Review Details

See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ON/0001) for guidance on completing the lists below. You
may include additional reviewers if necessary, but you should generally not exclude any of the mandatory reviewers
shown in the matrix for the document type you are authoring.

Jason Muir and Post Office Account Document Management

| Role | Name |
| CISO | Steve Browell |
| Crypto Key Manager | Andy Dunks |
| Security Analyst | Niall Vincent |
| Security Analyst | Chris Stevens |
| Security Analyst | fran Khan |

| Position/Role | Name |
| Security Operations Manager | Farzin Denbali |
| Quality and Compliance Manager | Bill Membery |
| Document Manager | Matthew Lenton |
| PMO | Abi Loveday; James Guy |

(*) = Reviewers that returned comments.

0.4 Associated Documents (Internal & External)

| PGM/DCM/TEM/0001 (DO NOT REMOVE) | See Dimensions for latest version | POA HNG-X Generic Document Template | Dimensions |
| ARC/SEC/ARC/0003 | See Dimensions for latest version | HNG-X Technical Security Architecture | Dimensions |
| SVM/SDM/SD/0017 | See Dimensions for latest version | Security Management Service: Service Description | Dimensions |
| SVM/SEC/POL/0005 [POL Ref: RM/POL/002] | See Dimensions for latest version | Post Office Ltd Community Information Security Policy (CISP) | POL-owned and / Dimensions |
| SVM/SEC/POL/0003 | See Dimensions for latest version | POA HNG-X Information Security Policy | Dimensions |
| SVM/SEC/STD/0026 | See Dimensions for latest version | POA ISM Terms Of Reference | Dimensions |
| | See EMEIA Connect for latest version | Fujitsu EMEIA Security Master Policy Manual | EMEIA Connect |
| | See EMEIA Connect for latest version | Fujitsu EMEIA Security Policy | EMEIA Connect |
| | See EMEIA Connect for latest version | Minimum Security Controls - Access Management | EMEIA Connect |
| NWE PAM process | | http://emeia.fujitsu.local/emeia/c/P0004/Process_Maps/PAM_Process.htm | EMEIA Connect |
| NEW PAM Procedure | | http://emeia.fujitsu.local/emeia/sites/cde/d/EBMS/Security/PAM_procedure.htm | EMEIA Connect |

Unless a specific version is referred to above, reference should be made to the current approved versions of the documents.

0.5 Abbreviations/Definitions

| BM | Business Management |
| EBMS | EMEIA Business Management System |
| CCD | Contract Controlled Document |
| CISO | Chief Information Security Officer |
| CISP | Post Office Ltd Community Information Security Policy |
| CSPOA | Post Office Account Operational Security Team |
| HR | Human Resources |
| ISMF | Joint Fujitsu and POL Information Security Management Forum known as M6 |
| POL | Post Office Limited |
| POA | Post Office Account |
| Line/Assignment Manager | Manager responsible for resources working in their area of responsibility |
| System Owners | Team who maintain access to specific systems in the Post Office Account |
| TfSNow | Triole For Service: Help Desk Call Management System |
| ISM | Information Security Manager |

0.6 Changes Expected

None

0.7 Accuracy


Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained because of any error or omission in the same.

0.8 Security Risk Assessment

There are no specific risks associated with the content of this document.


1. Introduction

This Post Office Account User Access Work Instruction details how access is given to both physical and
technical assets within the POA and Fujitsu supporting functions, and is managed by a central point,
namely the CSPOA Security Operations Team.

This document sets out how access to these assets shall be created, managed and removed, and how these requirements are reported and monitored. The CSPOA Security Operations Team controls the access to systems
and any asset dedicated to POA and receives reports from other functions within Fujitsu who provide a
shared service to the account.

1.1 Purpose

This document establishes the controls that POA has to meet to manage user access to its assets, based
on its contractual requirements, in particular those shown below from Schedule A4 Legislation Policies
and Standards:

4.1.2 Fujitsu Services shall be compliant with ISO 27001.

4.1.3 Security for the Services, HNG-X Development, Associated Change Development and
Equipment shall be managed and organised by Fujitsu Services in accordance with the CCD
entitled "POA Information Security Policy" (SVM/SEC/POL/0003) as applicable and, ...the CCD
entitled "Security Management Service: Service Description" (SVM/SDM/SD/0017).

4.1.4 Security Standards Fujitsu Services shall adhere to all parts applicable to the Fujitsu
domain, as defined in Section 2 Definitions of the CRD entitled “Community Information Security
Policy for Horizon” (SVM/SEC/POL/0005) and co-operate with Post Office to assist Post Office in
complying with this standard and requirement.

4.1.5 Data Security The confidentiality, integrity, availability, and completeness of data shall be
maintained throughout all storage, processes, and transmissions, including during periods of
Service Failure and recovery from Service Failure.

Fujitsu shall adhere to all applicable parts of the NEW Security Legal Register.
Appendix A Section 6.1 refers to the control sections required for user management in the Fujitsu EMEIA
Security Master Policy Manual.

Section 9.2 explains user access management requirements and also refers to Fujitsu Corporate
Procedures that are required to follow Fujitsu's EMEIA Business Management System (EBMS).


2 User System Access

2.1 Pre-requisites for allocation and removal of Access

Prior to access being requested for Post Office Account specific assets, Fujitsu HR processes for joiners
and movers onto POA, including MINATO, where Shared Services are used, shall be followed.

For Shared Services, Assignment Managers will apply for resources via MINATO according to Fujitsu
corporate procedures.

Once employment is confirmed, the Line Manager will initiate the relevant security clearance process that
is carried out by Fujitsu Group Security if the resource is new to Fujitsu. If the resource is an existing employee,
clearance will already exist and will be checked by POA.

Once the individual is accepted into the role and the relevant FPVS clearance level is granted or under
way, the Assignment Manager can then apply for support system accesses to be set-up and for Fujitsu
Facilities management to provide physical access to relevant locations for the role.

If the individual fails clearance, HR and the Line Manager will be notified and the circumstances
discussed with the POA Information Security Manager and Operational Security Manager to determine
how to proceed.

In addition, if an individual moves away from POA or leaves Fujitsu then the Fujitsu HR processes are to
be invoked by the individual's Line/Assignment Manager, and the CSPOA Security Operations Team
notified of this to ensure revocation of their access from all POA specific assets.

For those individuals who are leaving Fujitsu Services completely, the Line/Assignment Manager must
follow HR policies and procedures for a termination. These can be found on EMEIA Connect.

All 3rd party access also follows the same guidance as detailed in this document.

2.2 CSPOA User Registry

The User Access Process on the POA is based on the creation and control of a registry of all personnel
who work on the account.

This register is controlled by the CSPOA Security Operations Team and is maintained and updated in
line with requests being submitted. It tracks all personnel working on the account, the system access
they have been given, and any security clearance level that they have been granted. It is also subject to
a monthly review as described in section 5.1.

It will also aid any audit that may be required, by providing the details of personnel and access levels
granted.

The Post Office Account User Access Database (Secure and Restricted access) holds the information
about each individual who has been granted access and the systems that they have been granted
access to. In addition, it contains details of the requestor and the dates that this access was granted and
revoked. Details of the systems held within this registry are shown in Appendix C.


| HR | Fujitsu Corporate | Process Starters, movers and Leavers to Fujitsu |
| Site Facilities | Fujitsu Corporate | Process passes to allow access to Fujitsu buildings and rooms |
| Group Security | Fujitsu Corporate | Process clearances for individuals joining Fujitsu including special clearances for those joining POA. |
| Line/Assignment Managers | POA | Manager responsible for resources working in their area of responsibility |
| System Owners | POA / Fujitsu Corporate | Teams that maintain access to specific systems for the Post Office Account |
| CSPOA Security Operations Team | POA | The team on POA that manage, control and report on both physical and system access. |
| CISO (if appointed) | POA | The individual responsible for all aspects of Security on POA. |
| Information Security Manager | POA | The individual responsible for all aspects of Security on POA in the absence of a CISO. |
| Fujitsu Test Managers | POA | POA Test Managers who work jointly with POL Test Teams |
| User Management Team (part of Programme Management Office) | POA | Responsible for organising and maintaining Account induction. Review and report on Joiners, Movers and Leavers |
| Contractor/Third Party Supplier | | An organisation or person that is not a member of Fujitsu or POL staff |
| POL Staff | POL | An individual that is employed by POL |
| POL Test and Release Managers | POL | POL staff who work jointly with POA Test Teams |


4 Processes

4.1 Post Office Account New Joiner

Detailed below are the steps that must be followed for an individual who is new to Fujitsu Services and/or
joining the POA from another area within Fujitsu and these are shown in the Figure 1.0 Diagram of User
System Access Process Flow for New Joiners/movers.

1. The Assignment Manager should complete the latest New User Access Form from the POA
Security Operations PORTAL and complete all information and return to CSPOA
Security Operations Team by emailing to CSPOA.Securit

2. The New User Access Form must be completed and returned in the following manner:

• The Line/Assignment Manager shall complete all information on the form for the required
individual and then email the completed form to POA Security Operations.

• Where a New User form is completed by or on behalf of a new user, the Line/Assignment
Manager must be copied in (cc'd) on the email request as a means of awareness &
authorisation.

3. CSPOA Security Operations Team shall check the form is completed correctly, and in line with
NEW Fujitsu Security Policy. If any information is missing or incorrect then the form will be
rejected and returned to the Line/Assignment Manager to amend.

• The new starter form has a "Start Date" stated on the form; however, POA Sec Ops may
receive a completed form some weeks in advance of the start date. In this case
POA Sec Ops hold onto the form and set an Outlook reminder to not process the access
request until a maximum of one week prior to the requested date.

4. CSPOA will check that FPVS Security Clearance is in place or has started.

5. When a correct form has been received and checked, and clearance is in place/started, then the
CSPOA Security Operations Team shall arrange for all relevant access to be set up for the user.

6. CSPOA Security Operations Team shall notify the relevant system owners via an e-mail (which is
generated from the user management database). A TfSNow call will be raised for back-end
system requirements and a copy of the completed request form will be attached to the TfSNow
call, where required.

7. The System Owners shall follow their own processes and work instructions to configure the user.

8. CSPOA Security Operations Team shall then close the TfSNow call and update the register.

9. All forms and records are securely stored electronically, and kept for audit purposes.


Figure 1.0 Diagram of User System Access Process Flow for New Joiners


4.2 Moving within POA or amendment to access

In addition to individuals who join POA as new staff to POA and/or Fujitsu, there are cases where people
are moved within the POA. The Assignment Manager should complete the latest new Mover form from
the POA Security Operations PORTAL and complete all
Security Operations Team by emailing to CSPOA.Securit

Details of the process flow are shown in the Figure 1.0 Diagram of User system access flow under the
POA Movers/Amendments heading on the right hand side.

4.2.1 Fujitsu Staff not on the POA

For any Fujitsu shared services that are provided to POA, the Line Manager shall notify the CSPOA
Security Operations Team of the relevant Assignment Manager on the account. The Assignment
Manager shall then follow the process in Section 4.1 for obtaining access to the relevant systems for the
user.

4.2.2 POL Staff and 3rd parties

Post Office Ltd staff (and 3rd parties) that are provided with access to Fujitsu systems are the
responsibility of POL to verify and authenticate, and to ensure that appropriate access has been granted.
Access should be granted as detailed in section 4.1 but replacing Line Manager with Post Office
assigned line manager.

4.2.3 Requests for TESQA & APPSUP access elevated privileges

The APPSUP role and TES_TESQA_USER accesses are temporarily applied to user accounts when
required for investigations into TESQA & BDB queries. The roles are then removed again once work is
complete. Temporary access is managed via change control (TfS) and should reference a
Peak/TfSNow Change reference as justification for the elevated access. Access is
only granted upon approval of Post Office; Fujitsu require three written approvals from POL (Service,
Security, Commercial). This approvals process is managed by the POA Service team. Details of the
approvals are added to the associated TfS ticket.

4.3 Leavers

Detailed below are the steps that must be followed prior to or upon an individual leaving the POA, and
these are detailed in the Figure 1.2 Diagram of User system access flow for Leavers.

4.3.1 POL Staff

Post Office Ltd staff that are provided with access to Fujitsu systems are the responsibility of POL.
Access should be revoked as detailed in section 4.3.3 but replacing Line Manager with Post Office
Assigned Line manager.

4.3.2 Staff who are leaving Fujitsu

Detailed below are the steps that must be followed for an individual who is leaving Fujitsu Services and/or
the POA and these are shown in the Figure 1.2 Diagram of User system access flow for Leavers.


1. The Line/Assignment Manager shall contact CSPOA Security Operations Team by e-mail
providing the leaver's details and complete the necessary form from the POA Web PORTAL
page.

2. The Revocation form must be completed and returned in the following manner:

• The Line/Assignment Manager shall complete all information on the form for the required
individual and email the completed form to POA Security Ops’ button

These forms shall be filed and stored securely, and kept for audit purposes.

3. CSPOA Security Operations Team shall check the form is completed correctly. If any information
is missing or incorrect then the form will be rejected and returned to the Line/Assignment
Manager to amend.

4. When a correct form has been received and checked then the CSPOA Security Operations Team
shall arrange for all relevant access to be removed for the user.

5. CSPOA Security Operations Team shall arrange for floor/door access to be revoked using Fujitsu
Corporate Processes using an automated function from the CSPOA Security Operations
database.

6. CSPOA Security Operations Team shall notify the relevant system owners via an e-mail, and
where backend system access is held, a TfS call shall be raised and progressed to the system
owners requesting revocation of access.

7. The System Owners shall follow their own processes and work instructions to remove the user,
confirm revocation to CSPOA and CSPOA will update the TfS call.

8. CSPOA Security Operations Team shall then close the TfSNow call and update the register and
confirm with relevant teams that access has been revoked.

4.3.3 Staff who are terminated with immediate effect

For those users whose employment is terminated either from the POA or Fujitsu Services with immediate
effect, the Line/Assignment Manager must immediately contact HR and the CSPOA Security Operations
Team via telephone and then follow the Fujitsu Corporate Leaver's Process making sure all the relevant
forms are completed. The process in Section 4.3.2 is applied retrospectively to individuals that are
terminated with immediate effect.

4.3.4 Fujitsu staff whose assignment with POA has been completed

For all Fujitsu shared services provided to POA the Assignment Manager shall notify the Line Manager of
the expiry of the individual's assignment to the account. The Assignment Manager shall then follow the
process in Section 4.3.2 for removing access to the relevant systems for the user.

4.3.5 POA staff who are moving to another part of Fujitsu

Line/Assignment Managers whose staff are directly employed as part of Post Office Account and move to
another part of Fujitsu shall follow the process in Section 4.3.2 for the termination of user's rights that are
associated directly with systems dedicated to POA.


Figure 1.2 Diagram of User system access flow for Leavers
Leavers with Immediate Effect is covered in RED


5 Management

Key steps within this User Access Procedure are reviewed, reported and audited to ensure that it is
functioning effectively and efficiently. Below are the details of how this is achieved.

5.1 Review

The POA User Management Team shall undertake a monthly review of the access granted to individuals
and its continued appropriateness.

To achieve this:

1. POA User Management Team shall produce details of all users contained in the registry and their
access levels and shall email these to the relevant Line/Assignment Managers.

2. Line/Assignment Managers shall review whether the current access of their employees is still in
line with their job role.

3. Line/Assignment Managers shall consider whether any users require their access be amended
and they shall follow the process defined in Section 4.2 to do so.

4. Line Managers shall confirm each employee's current access rights requirements and shall email
these details to POA User Management Team within 10 working days of receipt of the original
e-mail from POA User Management Team.

5. CSPOA Operational Security will audit access rights and roles with each functional area; audits
will be conducted on a minimum monthly basis.

6. CSPOA security will review all human accounts that have HNG-X live access for accounts that
have been unused for a period of 90 days or over.

7. CSPOA security will review individuals added to the Ikey Exemption List.

8. CSPOA security will review Joiners, Leavers and movers to the Account.

9. Card swipe/floor access attempts report.

5.2 Reporting

Post Office User Management Team provide a report on a monthly basis detailing all joiners, leavers and
movers on the Account.

5.3 Audit

All areas involved in the processes detailed in Section 4 must have records available to enable POA to
provide evidence of the following for audit purposes.

1. That any joiners, movers and leavers into POA follow the planned Processes in Section 4
2. Only authorised individuals have access to the assets that their role requires
3. The access provided is managed, monitored, reviewed and controlled.


6 Appendix A
6.1 Fujitsu EMEIA Master Security Policy Manual

All framework controls that we are required to meet are detailed in full in the Fujitsu EMEIA Security
Policy Manual, which aligns to ISO27001:2013, and also follows the Fujitsu Minimum Security Controls
Framework.

6.2 Security Requirements

Controlling access to IT resources requires a combination of directive, preventive, detective, corrective,
and recovery controls that are used to manage hardware, software, operations, data, media, network
equipment, support systems, physical areas, and personnel. They involve both manual procedures as
well as technical controls on the IT system.

Documents defining the Corporate Fujitsu (UK & Ireland) related policies, processes and procedures that
are used are held on EMEIA Connect at:-

• Minimum Security Controls

Post Office Account's own policies, processes and procedures are held on Dimensions and follow
guidance provided in the Fujitsu EMEIA Master Security Policy Manual, which is aligned to
ISO27001:2013.

7 Appendix B: POA Role-based Team access

POA system access is governed on a role-based structure, so an individual's access is pre-determined by
their Team membership. See Team Access below for the corporate systems applicable on an individual
team basis.

Team Access.xlsx

8 Appendix C: List of POA systems

See below a complete list of all systems managed by POA Security Operations under their Joiners,
Movers & Leavers Process with attached Excel file for Azure systems administration.

Annual Leave Calendar

Azure - Development

Azure - EPaaS

Azure AD Global Admin (Restricted)

Azure ADNP

Azure ADPR

Azure Confluence (AD)

Azure Github (AD)

Azure Jira (AD)

Azure Nexus (AD)

Azure POUKO1

BCMS

CACTI

CISCO Prime (NCP)

Confluence (APT)

Database Access

DEV Lan to Integration/SVI

Dimensions 12

DRS Workstation

Floor Access

FMNOS Platform

Fortinet Firewalls

Franjiban

GDC Jump Box POL Azure

HORice

Impacting Tool

ITG Network Access

Jenkins (APT)

Jira (APT)

Juniper SRX

MSAD

MSAD (Terminal Services Only)

PEAK

POUKO1 Root Management Group

Quality Centre

Qualys

Rig Owner Account (02 account)

SCM Workstation Users

Shared TfSNow

Sharepoint


Slack

Spectrum (NCS)
Spinnaker
Splunk

SVN/APT
TACACS

Tesqa

Test Rig Access
TfSNow - Change
TfSNow - Incidents
Tivoli

Tripwire
VMware vCentre

POA Systems v09.xlsx


Appendix D: URL for user access forms

The latest user access forms to be used can be found as detailed in the URLs below.

8.1 New user access form

8.2 Revocation Form

A copy of the Revocation form can be found here

9 Appendix E: Live Systems Emergency Access

If emergency access to the live system is required for a user, then the request needs to be approved by
the requestor's assignment manager. This in turn then needs to be approved by the Sec Ops Manager
(or alternative cover such as CISO or other Manager as agreed cover). The request cannot be actioned
until we have approval.

Once approved by all parties, a TfSNow call needs to be raised and sent to POA-NT Team for the MSAD
account to be created/re-instated, and the approval email MUST be attached to the call. It is imperative that
how long the access is required is stated on the call. CSPOA Security will then need to call NT Team to
inform them of the request.

The emergency access request then shall be updated on the User Management Database and will need
to be recorded as ‘Users with heightened Privileges’.
