FUJ00235014
Post Office Account User Access Guide
FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Document Title: Post Office Account User Access Guide
Document Reference: SVM/SEC/PRO/0012
Document Type: Guide
Abstract: This document describes the controls that Post Office Account
follow to manage user access to its assets, based on its contractual
requirements to protect assets, systems, and data.
Document Status: APPROVED
Author & Dept: Farzin Denbali, Security Operations Manager
External Distribution: None
Information Classification: See section 0.8
Approval Authorities:
Name | Role
Steven Browell | Chief Information Security Officer
© Copyright Fujitsu Services Limited 2008-2022
FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE)
Ref: SVM/SEC/PRO/0012
Version: 16.0
Date: 01-Sep-2022
UNCONTROLLED WHEN PRINTED OR STORED OUTSIDE DIMENSIONS
Page No: 1 of 24
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations/Definitions
0.6 Changes Expected
0.7 Accuracy
0.8 Information Classification
1 INTRODUCTION
1.1 Purpose
2 USER SYSTEM ACCESS
2.1 Pre-requisites for allocation and removal of Access
2.2 CSPOA User Database
2.3 Privileged Access Management (PAM)
3 ROLES
4 PROCESSES, PROCEDURES & CONTROLS
4.1 Joiners
4.1.1 Fujitsu Staff not on the POA
4.1.2 POL Staff and 3rd parties
4.2 Moving within POA or amendment to access
4.2.1 Requests for TESQA & APPSUP access elevated privileges
4.2.2 Emergency Access to Live Systems
4.3 Leavers
4.3.1 Staff who are terminated with immediate effect
4.3.2 Fujitsu shared services staff whose POA assignment has been completed
4.3.3 POA staff who are moving to another part of Fujitsu
4.3.4 POL Staff
5 MANAGEMENT
5.1
5.1.1 Team Verification (Standard User Access Verification)
5.1.2 Privileged User Access Verification
5.1.3 Floor Access (Dedicated POA areas)
5.1.4 Other Access
5.1.5 Other CSPOA Regular Checks
5.2 Audit
0.2 Document History
Version No. | Date | Summary of Changes and Reason for Issue | Associated Change (CP/PEAK/PPRR) Reference
0.1 | 12/12/08 | Initial Draft version | N/A
0.2 | 27/07/09 | Amended following full review | N/A
1.0 | 17/07/2009 | Approved version | N/A
1.1 | 09/02/2010 | Amended CSPOA and CISO details | N/A
2.0 | 16/02/2010 | Approval version | N/A
2.1 | 27/07/2010 | Minor updates and improvements | N/A
2.2 | 27/08/2010 | Insertion of new bullet in 2.5 | N/A
2.3 | 13/10/2010 | Updated in response to review comments | N/A
3.0 | 25-Oct-2010 | Approval version | N/A
3.1 | 30-Jul-2011 | Amendments made to add additional responsibilities | N/A
3.2 | 21-09-2011 | Amendment to process and additional flow diagrams added | N/A
3.3 | 23-Sep-2011 | Prep for formal review | N/A
3.4 | 18-Oct-2011 | Revised following review | N/A
4.0 | 18-Oct-2011 | Approval version | N/A
4.1 | 27-Nov-2012 | Updated with comments from POL | N/A
4.2 | 12-02-2013 | Updates made to process | N/A
4.3 | 12-Mar-2013 | Amended manager role to Line/Assignment Manager | N/A
5.0 | Jul-2013 | Approved version | N/A
6.0 | 16-Dec-2013 | Review - Final |
6.1 | 03-Jun-2014 | Updated after internal audit and annual review | Annual Review
7.0 | 06-Jun-2014 | Approval version |
7.1 | 01-Apr-2016 | Diagrams updated & aligned to Fujitsu Security Policy Manual | N/A
7.2 | 21-Apr-2016 | Amendment to section 6.2 | N/A
8.0 | 22-Apr-2016 | Approval version |
8.1 | 23-Jun-2016 | Minor amendments as a result of 2016 ISO27001 audit, remove reference to paper forms, add links to forms, rationalise review and reporting sections | N/A
9.0 | 28-Jun-2016 | Approval version |
9.1 | 27-Jul-2017 | Minor amendments to document hyperlinks as a result of SharePoint migration | N/A
10.0 | 28-Jul-2017 | Approval version |
10.1 | 26-Oct-2017 | Addition of TESQA & APPSUP access management |
11.0 | 07-Nov-2017 | Approval version |
11.1 | 16-Jan-2019 | Update to Appendix B - POA Role based Access | N/A
12.0 | 18-Jan-2019 | Approval version |
12.1 | 21-Jan-2019 | Update to Appendix C - List of POA systems |
13.0 | 22-Jan-2019 | Approval version |
13.1 | 04-Feb-2020 | Update to Section 8 Appendix C - List of POA systems |
13.2 | 30-Mar-2020 | Various minor updates |
13.3 | 09-Jun-2020 | Approval version, downgrade to LWI, update links, names |
13.4 | 04-Aug-2020 | Changes to address remaining comments from review of 13.2 |
14.0 | 19-Aug-2020 | Approval version |
14.1 | 25-Aug-2021 | Amended CSPOA details; diagrams updated; amendment to section 4.2.3; amendment to section 5.1; update to Appendix B - POA Role based Access |
14.2 | 08-Sep-2021 | Changes to address comments from review of 14.1 |
14.3 | 20-Sep-2021 | Changes to address comments from review of 14.2; removed Appendices and incorporated the text into the body of the document; added screenshots to various sections; added section 5.1.5 (CSPOA Spot Checks) |
14.4 | 27-Sep-2021 | Changes to address comments from review of 14.3 |
14.5 | 04-Oct-2021 | Changes to address comments from review of 14.4 |
15.0 | 18-Oct-2021 | Approval version |
15.1 | 09-May-2022 | Amended ISM details; amendments to section 4.3 |
15.2 | 31-Aug-2022 | Amended the approval Authority; amended sections 1.1, 2.2 and 4.3 following review |
16.0 | 01-Sep-2022 | Approval version |
0.3 Review Details
See HNG-X Reviewers/Approvers Matrix (PGM/DCM/ION/0001) for guidance on completing the lists below. You
may include additional reviewers if necessary, but you should generally not exclude any of the mandatory reviewers
shown in the matrix for the document type you are authoring.
Review Comments by:
Review Comments to: farzin.denbali and PostOfficeAccountDocumentManagement
Mandatory Review
Role | Name
CISO | Steven Browell
Security Governance Manager | Chris Stevens
Crypto Key Manager | Andy Dunks
Security Analyst | Ifran Khan
Security Analyst | Beverly Brown
Position/Role | Name
Document Manager | Matthew Lenton
PMO | James Guy
(*) = Reviewers that returned comments
0.4 Associated Documents (Internal & External)
Reference | Version/Date | Title | Source
PGM/DCM/TEM/0001 (DO NOT REMOVE) | See Dimensions for latest version | POA HNG-X Generic Document Template | Dimensions
ARC/SEC/ARC/0003 | See Dimensions for latest version | HNG-X Technical Security Architecture | Dimensions
SVM/SDM/SD/0017 | See Dimensions for latest version | Security Management Service: Service Description | Dimensions
SVM/SEC/POL/0005 [POL Ref: RM/POL/002] | See Dimensions for latest version | Post Office Ltd Community Information Security Policy (CISP) | POL-owned and Dimensions
SVM/SEC/POL/0003 | See Dimensions for latest version | POA HNG-X Information Security Policy | Dimensions
SVM/SEC/STD/0026 | See Dimensions for latest version | POA ISM Terms Of Reference | Dimensions
SVM/SDM/PRO/4293 | See Dimensions for latest version | Horizon Data Changes Process Work Instruction | Dimensions
 | See NWE Connect for latest version | Fujitsu Europe Security Master Policy Manual | NWE Connect
 | See NWE Connect for latest version | Fujitsu Europe Security Policy | NWE Connect
 | See NWE Connect for latest version | Minimum Security Controls - Access Management | NWE Connect
NWE PAM process | http://emeia.fujitsu.local/emeia/c/P0004/Process_Maps/PAM_Process.htm | | NWE Connect
NWE PAM Procedure | http://emeia.fujitsu.local/emeia/sites/cde/d/EBMS/Security/PAM_procedure.htm | | NWE Connect
Unless a specific version is referred to above, reference should be made to the current approved
versions of the documents.
0.5 Abbreviations/Definitions
Abbreviation | Definition
BM | Business Management
CCD | Contract Controlled Document
CISO | Chief Information Security Officer
CISP | Post Office Ltd Community Information Security Policy
CSPOA | Post Office Account Operational Security Team
EBMS | Europe Business Management System
HR | Human Resources
ISM | Information Security Manager
ISMF | Joint Fujitsu and POL Information Security Management Forum known as M6
Line/Assignment Manager | Manager responsible for resources working in their area of responsibility
Minato | The resource management platform for authorised Fujitsu NWE users
POL | Post Office Limited
POA | Post Office Account
SOM | Security Operations Manager
System Owners | Team who maintains access to specific systems in the Post Office Account
TfSNow | Triole For Service: Help Desk Call Management System
0.6 Changes Expected
Changes
None
0.7 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, whilst every effort
is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused) sustained
because of any error or omission in the same.
0.8 Information Classification
The author has assessed the information in this document for risk of disclosure and has assigned an information
classification of FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE).
1 Introduction
This Post Office Account User Access Guide details how access is given to both physical and IT system
assets within the Post Office Account (hereafter referred to as POA) and Fujitsu supporting functions, and
is managed by a central point, namely CSPOA.
This document sets out how access to these assets shall be created, managed, removed and how these
requirements are reported and monitored. CSPOA controls the access to systems and any asset dedicated
to POA and receives reports from other functions within Fujitsu who provide a shared service to POA.
1.1 Purpose
This document establishes the controls that POA must meet to manage user access to its assets, based
on its contractual requirements, in particular those from Schedule A4 Legislation Policies and Standards:
4.1.2 Fujitsu Services shall be compliant with ISO 27001.
4.1.3 Security for the Services, HNG-X Development, Associated Change Development and
Equipment shall be managed and organised by Fujitsu Services in accordance with the CCD
entitled "POA Information Security Policy" (SVM/SEC/POL/0003) as applicable and, ...the CCD
entitled "Security Management Service: Service Description" (SVM/SDM/SD/0017).
4.1.4 Security Standards Fujitsu Services shall adhere to all parts applicable to the Fujitsu domain,
as defined in Section 2 Definitions of the CRD entitled “Community Information Security Policy for
Horizon” (SVM/SEC/POL/0005) and co-operate with Post Office to assist Post Office in complying
with this standard and requirement.
4.1.5 Data Security The confidentiality, integrity, availability, and completeness of data shall be
maintained throughout all storage, processes, and transmissions, including during periods of
Service Failure and recovery from Service Failure.
Fujitsu shall adhere to all applicable parts of the NWE Fujitsu Security Legal Register.
Controlling access to IT resources requires a combination of directive, preventive, detective, corrective,
and recovery controls that are used to manage hardware, software, operations, data, media, network
equipment, support systems, physical areas, and personnel. They involve both manual procedures and
technical controls on the IT system. The Fujitsu Europe Business Management System (EBMS) outlines
the processes to be followed to create, amend, and revoke Privileged Access for a given account. The
Fujitsu Corporate Procedures below follow EBMS:
All framework controls that POA is required to meet are detailed in full in the Fujitsu Europe Security
Policy Manual, which aligns to ISO27001:2013, and follows the Fujitsu Minimum Security Controls
Framework.
2 User System Access
2.1 Pre-requisites for allocation and removal of Access
Prior to access being requested for POA specific assets, Fujitsu HR processes for joiners and movers onto
POA, shall be followed.
For Shared Services, Assignment Managers will apply for resources via Minato according to Fujitsu
corporate procedures.
Once employment has been confirmed, the appropriate security clearance is initiated and managed by
Fujitsu Group Security. If an existing employee, then clearance will already exist. Note that there is no POA
specific security clearance required.
Once the individual has been accepted into the role, the Assignment Manager can apply for access to the
support systems to be set-up and for Fujitsu Facilities management to provide physical access to relevant
locations for the role.
If the individual fails clearance, HR and the Line Manager will be notified, and the circumstances discussed
with the POA Information Security Manager and Security Operations Manager to determine how to
proceed.
In addition, if an individual moves away from POA or leaves Fujitsu, the Fujitsu HR processes are to be
invoked by the individual's Line/Assignment Manager, and CSPOA notified, to ensure revocation of their
access from all POA specific assets.
For those individuals who are leaving Fujitsu Services completely, the Line/Assignment Manager must
follow HR policies and procedures for a termination. These can be found on NWE Connect.
All 3rd party access also follows the guidance detailed in this document.
2.2 CSPOA User Database
The User Access Process on the POA is based on the creation and maintenance of a User Access
Database (Secure and Restricted access) of all personnel who work on POA.
This database is controlled by CSPOA and is maintained and updated in line with requests being submitted.
It tracks all personnel working on POA, details of the requestor, the system access they have been given,
dates access was granted and revoked and any security clearance level they have been granted. It is also
subject to a monthly review as described in section 5.1.
The database also aids any audit that may be required, by providing the details of personnel and access
levels granted.
Below is an example from the User Access Database (with redactions as necessary) showing the system
access granted to the user. Other tabs (Events, Security Info, Floor Access, MSAD and Network Drives)
will show any additional system access and security clearance.
[Screenshot: User Access Database entry showing the system access granted to a user, redacted]
CSPOA manage the following systems under their Joiners, Movers and Leavers Process:
Annual Leave Calendar
APT Access (includes Jira,Clf,SVN/APT)
Atlassian/Jira Cloud
AWS Access
BCMS
CACTI
CISCO Prime (NCP)
CONSOLE Server access
Database Access
Dimensions 14
DRS Workstation
FMNOS Platform
Franjiban
HORice (LIVE/LST/SV&I)
Impacting Tool
Ingenico e-Portal
Ingenico e-Portal Test
Ingenico My Service
ITG Network Access
MSAD Live
MSAD LST
MSAD SV&I
MVM Vulnerability Scanner
Network Security Manager (NSM)
PEAK
Peak - SSC website only
POL Jira Access
Quality Centre
Shared TfSNow
Sharepoint & POA Teams (UK-POA)
Spectrum (NCS)
TACACS (Live)
TACACS (LST)
TESQA (User)
TESQA (Admin)
Test Rig Access
TfSNow - Change
TfSNow - Incidents
Tivoli
Tripwire
2.3 Privileged Access Management (PAM)
Some specialist support staff require Privileged Access to be able to keep systems working, investigate
issues, and make necessary and required updates. Such access relies on PAM processes.
A privileged account has additional abilities to a "standard" user account and may include access rights
to operating systems or to application software and databases.
System privileges and levels of access required to perform management functions are higher than those
assigned to standard users. Therefore, the allocation and use of privileges is restricted and controlled,
and the principle of least privilege is used. The principle of least privilege refers to the concept and
practice of restricting access rights to only those resources required to perform the authorised activities.
Individuals are not granted unnecessary privileges.
The management of PAM accounts is completed using a variety of tools such as an Access database,
Excel spreadsheets, email, and SharePoint. A central database is held which records all access across
all environments.
Privileged Access is reviewed monthly as explained in Section 5.1.2 below.
3 Roles
The table below lists the Fujitsu, POA, POL and Third-Party teams and individuals, and the functions they
perform in relation to user access.
Role | POA or Corporate | Function
HR | Fujitsu Corporate | Process Joiners, Movers and Leavers to Fujitsu
Site Facilities | Fujitsu Corporate | Process passes to allow access to Fujitsu buildings, floors, and rooms
Group Security | Fujitsu Corporate | Process clearances for individuals joining Fujitsu
Line/Assignment Managers | POA | Manager responsible for resources working in their area of responsibility
System Owners | POA / Fujitsu Corporate | Teams that maintain access to specific systems for POA
CSPOA Security Operations Team | POA | The team on POA that manage, control and report on both physical and system access
CISO (if appointed) | POA | The individual responsible for all aspects of Security on POA
Information Security Manager | POA | The individual responsible for all aspects of Security on POA in the absence of a CISO
Fujitsu Test Managers | POA | POA Test Managers who work jointly with POL Test Teams
User Management Team (part of Programme Management Office) | POA | Responsible for organising and maintaining POA induction. Review and report on Joiners, Movers and Leavers
Contractor/Third Party Supplier | | An organisation or person that is not part of Fujitsu or POL
POL Staff | POL | An individual who is employed by POL
POL Test and Release Managers | POL | POL staff who work jointly with POA Test Teams
4 Processes, Procedures & Controls
4.1 Joiners
Detailed below are the steps that must be followed when an individual joins Fujitsu and POA, or joins the
POA from another area within Fujitsu. The Assignment Manager will apply for role-based access to the
support systems to be set-up for a new user, and for Fujitsu Facilities management to provide physical
access to relevant locations for the role. The process flow is shown in Figure 1.0, Diagram of User
System Access Process Flow for New Joiners.
Figure 1.0 Diagram of User System Access Process Flow for New Joiners
[Flow diagram; recoverable step labels: "Submits New Starter form to CSPOA"; "Process will be terminated"; "Database and update their agreement"; "User access setup as requested"]
The following steps must be followed:
1. The Assignment Manager shall complete the latest New User Access Form from the POA Security
Operations Portal with all required information. The completed form shall be returned to CSPOA via
email to CSPOA.Security [email address redacted].
Privileged Access requests must be from either a Fujitsu or POL email address. All access follows
least privilege and role-based principles as outlined in Fujitsu EBMS.
Where a New User form has been completed by or on behalf of a new user (by a person other than the
Line/Assignment Manager), the Line/Assignment Manager must be copied in on the email request for
awareness and authorisation.
Below is an example of the email CSPOA receive for an individual who has joined the POA (with
redactions as necessary):
[Screenshot: New User Access Form email received by CSPOA, redacted]
2. CSPOA shall check the form to ensure that it has been completed correctly, and in line with Fujitsu
Security Policy. If any information is missing or incorrect, the form will be rejected and returned to the
Line/Assignment Manager for amendment.
• A "Start Date" will be stated on the New User Access Form. However, CSPOA may receive a
completed form weeks in advance of the stated start date. In that case, CSPOA shall retain the form
and set an Outlook reminder to not process the access request until a maximum of one week prior
to the requested start date.
3. CSPOA shall email the new starter to:
• Inform them that their personal data (name and personnel number) may be shared with POL in
accordance with our obligations.
• Seek acknowledgement, and agreement for their Name and Personnel number to be supplied to
POL.
This is a GDPR compliance requirement and access to POA systems cannot be granted without this
agreement.
4. Once both the correct New User Access Form and the GDPR agreement have been received, CSPOA
shall arrange for all relevant access to be set up for the user.
5. CSPOA shall e-mail (generated from the user management database) the relevant system owners and
request user access to be set up. A TfSNow call will be raised for back-end system requirements and a
copy of the completed request form will be attached to the TfSNow call, where required. In addition,
POL and Ingenico Jira ticket(s) will be raised for Post Office Cloud and Ingenico access, where required.
NOTE - System owners must only make changes to User accounts when instructed to do so by CSPOA.
Below are examples of the emails CSPOA send to the relevant system owners for user access to be
set up (with redactions as necessary):
[Screenshot: emails from CSPOA to system owners requesting user access to be set up, redacted]
6. The System Owners shall follow their own processes and work instructions to configure the user access.
7. CSPOA shall then close the TfSNow call and the Jira ticket(s) and update the register.
8. Electronic copies of all forms and records are stored securely and retained for audit purposes.
4.1.1 Fujitsu Staff not on the POA
For any Fujitsu shared services staff who are provided to POA, the Line Manager shall notify CSPOA of
the relevant Assignment Manager on POA. The Assignment Manager shall then follow the process in
Section 4.1 for obtaining access to the relevant systems for the user.
4.1.2 POL Staff and 3rd parties
It is the responsibility of POL to verify, authenticate, and ensure that appropriate access has been
granted to POL staff (and its 3rd parties) who have been provided with access to Fujitsu systems.
The PAM processes and principle of least privilege still apply. Access should be granted as detailed in
Section 4.1, replacing Line Manager with Post Office assigned line manager.
All POL requests for TESQA and HORice access must be authorised by POL’s Head of Contract
Management & Deployment - Franchise Partnering.
4.2 Moving within POA or amendment to access
In addition to individuals who join POA and/or Fujitsu as new staff, there are cases where people are moved
within the POA. The Assignment Manager should complete the latest new Mover form from the POA
Security Operations Portal with all information required, and return to CSPOA by emailing to
CSPOA.Security [email address redacted].
Details of the process flow are shown in the Figure 1.0, Diagram of User system access flow under the
POA Movers/Amendments heading on the right-hand side.
Below is an example of the email CSPOA receive for an individual moving within the POA (with redactions
as necessary):
[Screenshot: email "AW: POA Movers Form" received by CSPOA, redacted]
4.2.1 Requests for TESQA & APPSUP access elevated privileges
The TES_TESQA_USER access is applied to user accounts when required for investigations into
TESQA queries. Such requests must be authorised by POL’s Head of Contract Management &
Deployment - Franchise Partnering. There are a limited number of TESQA licences available and the
request for access from POL involves removing the licence from one user and assigning it to another.
SVM/SDM/PRO/4293 describes the process for granting temporary APPSUP access.
4.2.2 Emergency Access to Live Systems
If a user requires emergency access to the live system outside business hours, the request must be
approved by the CSPOA duty manager. Note that the access may not be given outside business hours if
the system owners are not available to set up the required access.
4.3 Leavers
Detailed below are the steps that must be followed prior to or upon an individual leaving Fujitsu and/or the
POA. The process flow is shown in Figure 1.2, Diagram of User system access flow for Leavers.
Figure 1.2 Diagram of User system access flow for Leavers
[Flow diagram: Post Office Account Leavers Process; leavers with immediate effect are covered in RED (follow the red steps)]
The following steps must be followed:
1. Assignment managers must submit a Leaver form as soon as possible prior to the user leaving Fujitsu
and/or the POA. The Assignment Manager should complete the latest Leaver Form from the POA
Security Operations Portal with all information required, and return to CSPOA by emailing to
CSPOA.Security [email address redacted].
Below is an example of the email CSPOA receive for an individual leaving Fujitsu and/or the POA (with
redactions as necessary):
[Screenshot: Leaver Form email received by CSPOA, redacted]
2. CSPOA shall check the form to ensure that it is completed correctly. If any information is missing or
incorrect, the form will be rejected and returned to the Assignment Manager for amendment.
3. When a correct form has been received and checked, CSPOA shall arrange for all relevant access to
be removed for the user, on the day user leaves Fujitsu and/or the POA. Below is an example of the
email CSPOA send to the relevant system owners for user access to be removed (with redactions as
necessary):
    Dear Administrators
    Please revoke the following user on your system:
    Full name | PN | Email | Team | Line Mgr | End Date
    [user details redacted]
    PN | System
    Annual Leave Calendar
    APT Access (includes Jira,CILSVN/APT)
    Impacting Tool
    Peak
    Sharepoint
    Regards, CSPOA Security
4. CSPOA shall arrange for floor/door access to be revoked by emailing Fujitsu Facilities Management
and requesting removal of Floor/door access. CSPOA shall arrange for Network drive access to be
revoked using Fujitsu Corporate Processes.
5. CSPOA shall notify the relevant system owners via e-mail, and where backend system access is held,
a TfSNow call shall be raised and progressed to the system owners requesting revocation of access. In
addition, POL and Ingenico Jira ticket(s) will be raised for revocation of access to Post Office Cloud and
Ingenico, where required.
NOTE — System owners must only make changes to User accounts when instructed to do so by CSPOA.
6. The System Owners shall follow their own processes and work instructions to remove the user and
confirm revocation to CSPOA. CSPOA will then update the TfSNow call.
NOTE - All access (including MSAD) must be revoked within 5 days of user leaving the Account.
7. CSPOA shall then close the TfSNow call, the Jira ticket(s), update the register and confirm with
relevant teams that access has been revoked.
8. Electronic copies of all forms and records are stored securely and retained for audit purposes.
4.3.1 Staff who are terminated with immediate effect
For those users whose employment is terminated with either the POA or Fujitsu with immediate effect, the
Line/Assignment Manager must immediately contact HR (via AskHR portal) and CSPOA (by phone) and
then follow the Fujitsu Corporate Leaver's Process making sure all the relevant forms are completed. The
process in Section 4.3 will be applied retrospectively to individuals whose employment is terminated with
immediate effect.
4.3.2 Fujitsu shared services staff whose POA assignment has been completed
For all Fujitsu shared services staff on POA assignment, the Assignment Manager shall notify the Line
Manager of the expiry of the individual's assignment to POA. The Assignment Manager shall then follow
the process in Section 4.3 for removing access to the relevant systems for the user.
4.3.3 POA staff who are moving to another part of Fujitsu
Line/Assignment Managers whose staff are directly employed as part of POA and move to another part of
Fujitsu shall follow the process in Section 4.3 for the termination of the user's rights that are associated directly
with systems dedicated to POA.
4.3.4 POL Staff
POL staff who are provided with access to Fujitsu systems are the responsibility of POL. Access should
be revoked as detailed in Section 4.3, replacing Line Manager with Post Office Assigned Line Manager.
5 Management
All access is validated monthly to ensure that the access supplied is still required and appropriate, including
standard user access for all POA systems and privileged user access for the Production environment.
Access is revoked if verification is not possible, for instance:
• When requested by the Assignment Manager, either within a short timeframe or on a specified date
• When verification of the continued need for access is not received
• Where roles change and access is no longer appropriate or required
• Where a user account has not been used for more than 90 days
Key steps within this User Access Procedure are reviewed, reported, and audited to ensure that the procedure is
functioning effectively and efficiently. Below are the details of how this is achieved.
5.1 Review
The POA User Management and CSPOA Teams shall undertake a monthly review of the access granted
to individuals and its continued appropriateness.
5.1.1 Team Verification (Standard User Access Verification)
1. POA User Management Team shall produce details of all users contained in the register and their
access levels and shall email these to the relevant Line/Assignment Managers.
2. Line/Assignment Managers shall review whether the current access of their employees is still in line
with their job role.
3. Line/Assignment Managers shall consider whether any users require their access to be amended and they
shall email these details to POA User Management Team within 10 working days of receipt of the
original e-mail.
4. Line Managers shall confirm each employee's current access rights requirements and shall email these
details to POA User Management Team within 10 working days of receipt of the original e-mail from
POA User Management Team. If a response has not been received by POA User Management Team
within 10 working days, CSPOA will be informed, and users' access may be removed.
5. CSPOA will audit access rights and roles with each functional area; the results of which will be presented
at the monthly Team Access Review meeting with POA User Management.
Below is an example of the Team Verification email and the System Access Report (user access levels,
with redactions as necessary):
[Example Team Verification email; the start of the message is not legible in the source:]
1) The team members are correct
2) The current levels of access are still required.
Please send confirmations ...
Thanks and regards
POA User Management
You have been sent this monthly mail because you are listed as the POA Assignment Manager of the people on the attached reports.
Please note that it is vital that a response is sent to the POA User Management Team; failure of confirmation may result in access being [text cut off in source]
[System Access Report for Assignment Manager: a table of users, systems and access levels; the rows are redacted or illegible in the source]
[System Access Report continued: illegible apart from column headings that appear to read Impacting Tool and SharePoint]
5.1.2 Privileged User Access Verification
1. A more detailed access verification check is conducted monthly, specifically for Production Privileged
Access. CSPOA shall produce details of all users with Privileged Access and email these to the relevant
Line/Assignment Managers. As part of this monthly verification process, segregation of duties is also
checked to ensure there are no segregation issues e.g., due to changes to a user's role or
responsibilities.
2. Line/Assignment Managers shall review whether the current Privileged Access of their employees is still
in line with their job role.
3. Line/Assignment Managers shall consider whether any users require their Privileged Access to be
amended and they shall email these details to CSPOA within 15 working days of receipt of the original
e-mail.
4. Line Managers shall confirm each employee's current Privileged Access rights requirements and shall
email these details to CSPOA within 15 working days of receipt of the original e-mail. If a response has
not been received by CSPOA within 15 working days, users' Privileged Access will be removed. This
will be presented at the monthly Team Access Review meeting with POA User Management.
5. Below is an example of the Privileged User Access email (with redactions as necessary):
5.1.3. Floor Access (Dedicated POA areas)
1. CSPOA shall produce details of all users with floor access and email these to the relevant
Line/Assignment Managers.
2. Line/Assignment Managers shall review whether the current floor access of their employees is still in
line with their job role.
3. Line/Assignment Managers shall consider whether any users require their floor access to be amended
and they shall email these details to CSPOA in a timely manner.
4. Line Managers shall confirm each employee's current floor access requirements and shall email these
details to CSPOA. If a response has not been received by CSPOA in a timely manner, users’ floor
access may be removed.
5. CSPOA will produce and review the card swipe/floor access attempts report.
6. This will be presented at the monthly Team Access Review meeting with POA User Management.
5.1.4 Other Access
In addition to the above, the following checks are carried out:
1. A weekly spreadsheet is supplied to CSPOA which details all Production AD accounts, the last login
date/time stamp as well as AD groups applied to the accounts. CSPOA review the spreadsheets
monthly to challenge requirements to retain accounts not used in the last 90 days, and to check
appropriateness of AD groups based on RBAC, as derived from the CSPOA User Database. An
example can be seen below (with redactions as necessary):
2. CSPOA will review the list of individuals who have been added to the iKey Exemption List.
3. POA User Management Team provide a monthly report detailing all Joiners, Movers and Leavers on
POA for CSPOA to review.
5.1.5 Other CSPOA Regular Checks
Over and above the Assignment Manager and PAM access monthly verifications, CSPOA conduct other
regular checks of systems. These regular checks are performed on a number of selected systems each
month. The current active user account list is obtained and then compared to the central records held.
Inconsistencies are investigated and appropriate action taken. A record is kept of which system has been
checked, when, and the outcome.
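The checks in 5.1.4 (dormant Production AD accounts and AD group membership against the RBAC model held in the CSPOA User Database) and 5.1.5 (active account list compared with central records) are both reconciliations of two lists. The following script is an added illustration of how such a reconciliation can be automated; it is not Fujitsu's or CSPOA's own tooling. The AD export, the register entries, the role names and the AD group names are all constructed for the example, and the 90-day dormancy threshold is the one stated in Section 5.

```python
"""Reconcile a Production AD account export against the central user register.
Added example: the export format, roles, groups and accounts are constructed."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 90  # threshold stated in Section 5 of the guide

# Hypothetical RBAC matrix: AD groups each register role is entitled to hold.
RBAC: Dict[str, Set[str]] = {
    "poa-support-analyst": {"POA_Prod_ReadOnly", "POA_Jira_Users"},
    "poa-tesqa": {"POA_Prod_ReadOnly", "POA_Jira_Users", "POA_Prod_TESQA"},
    "poa-appsup": {"POA_Prod_ReadOnly", "POA_Jira_Users", "POA_Prod_APPSUP"},
}

@dataclass
class AdAccount:
    sam: str
    last_logon: Optional[datetime]  # None means the account has never logged on
    groups: Set[str]

@dataclass
class RegisterEntry:
    sam: str
    role: str
    active: bool  # False once the leaver process in Section 4.3 has completed

@dataclass
class Finding:
    sam: str
    code: str
    detail: str

# Constructed weekly export: sam,last_logon,group1;group2;...
AD_EXPORT = """sam,last_logon,groups
jbloggs,2022-04-28T09:12:00,POA_Prod_ReadOnly;POA_Jira_Users
asmith,2022-01-15T17:40:00,POA_Prod_ReadOnly;POA_Jira_Users;POA_Prod_APPSUP
rjones,,POA_Prod_ReadOnly
tnguyen,2022-05-03T08:05:00,POA_Prod_ReadOnly;POA_Jira_Users;POA_Prod_APPSUP
mlee,2022-05-01T12:00:00,POA_Prod_ReadOnly
"""

# Constructed extract of the central register (CSPOA User Database).
REGISTER: Dict[str, RegisterEntry] = {
    "jbloggs": RegisterEntry("jbloggs", "poa-support-analyst", True),
    "asmith": RegisterEntry("asmith", "poa-appsup", True),
    "rjones": RegisterEntry("rjones", "poa-tesqa", True),
    "tnguyen": RegisterEntry("tnguyen", "poa-tesqa", True),
    "mlee": RegisterEntry("mlee", "poa-support-analyst", False),   # leaver
    "kpatel": RegisterEntry("kpatel", "poa-appsup", True),          # no AD account
}

def parse_ad_export(text: str) -> List[AdAccount]:
    """Parse the constructed export; an empty last_logon field means never."""
    accounts = []
    for line in text.strip().splitlines()[1:]:
        sam, logon, groups = line.split(",")
        last = datetime.fromisoformat(logon) if logon else None
        accounts.append(AdAccount(sam, last, {g for g in groups.split(";") if g}))
    return accounts

def reconcile(ad: List[AdAccount], register: Dict[str, RegisterEntry],
              today: date) -> List[Finding]:
    """Compare the AD export with the register and return every inconsistency."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for acct in ad:
        seen.add(acct.sam)
        entry = register.get(acct.sam)
        if entry is None:
            findings.append(Finding(acct.sam, "NOT_IN_REGISTER",
                                    "AD account with no central record"))
            continue
        if not entry.active:
            findings.append(Finding(acct.sam, "LEAVER_STILL_ENABLED",
                                    "register shows leaver but AD account remains"))
        if acct.last_logon is None or (today - acct.last_logon.date()).days > DORMANT_DAYS:
            findings.append(Finding(acct.sam, "DORMANT",
                                    f"no logon in the last {DORMANT_DAYS} days"))
        extra = acct.groups - RBAC.get(entry.role, set())
        if extra:
            findings.append(Finding(acct.sam, "UNEXPECTED_GROUP",
                                    f"outside RBAC for {entry.role}: {', '.join(sorted(extra))}"))
    for sam, entry in register.items():
        if entry.active and sam not in seen:
            findings.append(Finding(sam, "MISSING_FROM_AD",
                                    "active in register but absent from AD export"))
    return sorted(findings, key=lambda f: (f.sam, f.code))

def run_example(today: date = date(2022, 5, 9)) -> List[Finding]:
    """Run the reconciliation over the constructed data as of the given date."""
    return reconcile(parse_ad_export(AD_EXPORT), REGISTER, today)

def codes_by_account(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding codes per account, for reporting or assertions."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.sam, []).append(f.code)
    return out

if __name__ == "__main__":
    for f in run_example():
        print(f"{f.sam:10} {f.code:22} {f.detail}")
```

Each finding maps to an action the guide already prescribes: DORMANT feeds the 90-day challenge in 5.1.4, UNEXPECTED_GROUP the RBAC appropriateness check, and LEAVER_STILL_ENABLED or MISSING_FROM_AD the "inconsistencies are investigated" step in 5.1.5. Recording the run date and the finding list per system gives the record of "which system has been checked, when, and the outcome".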
5.2 Audit
All areas involved in the processes detailed in Section 4 must have records available to enable POA to
provide evidence of the following for audit purposes:
1. Any Joiners, Movers and Leavers into POA follow the planned processes detailed in Section 4.
2. Only authorised individuals have access to the assets that their role requires.
3. The access provided is managed, monitored, reviewed, and controlled.
The reports and reviews can be found in CSPOA Monthly Report.