FUJ00235019
POA Improvements Log
FUJITSU CONFIDENTIAL (INTERNAL USE ONLY)
Document Title: POA Improvements Log
Document Reference: NA
CP/CWO Reference:
Abstract: Collation of various improvements made to POA account ways of
working and interactions with POL
Document Status: DRAFT
Author & Dept: Browell, Steven
External Distribution: None
Information Classification: See section 0.9
SPECIAL NOTE: The file uses the POA standard look and feel but it is NOT a Dimensions controlled document.
Approval Authorities:
N/A
© Copyright Fujitsu 2024 FUJITSU CONFIDENTIAL (INTERNAL USE Ref: N/A
Version: 0.14
Date 09-MAY-2024
UNCONTROLLED WHEN PRINTED Page No: 1 of 20
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Associated Documents (Internal & External)
0.5 Abbreviations
0.6 Glossary
0.7 Changes Expected
0.8 Accuracy
0.9 Information Classification
3 HORIZON DEFECTS REVIEW FORUM (HDR)
4 "REMOTE ACCESS"
6 PAM/RAM ASSURANCE REPORT FOR POL
8 TRANSACTION CORRECTION TOOL AND KEYLOGGER
12 ARQ
21 DATA PRESERVATION BOARD
0.2 Document History
Only integer versions are authorised for development.
Version No. | Date | Summary of Changes and Reason for Issue | Associated Change CWO, CP, CCN or PEAK Reference
0.13 | 08-MAY-2024 | Updated | N/A
0.14 | 09-May-2024 | Updated after LT comments. | N/A
0.3 Review Details
Review Comments by:
Review Comments to: Steven. browell,_
Mandatory Review
Role Name
Optional Review
Role Name
(*) = Reviewers that returned comments.
Issued for Information — Please restrict this
distribution list to a minimum
Position/Role Name
0.4 Associated Documents (Internal & External)
References should normally refer to the latest approved version in Dimensions; only refer to a
specific version if necessary.
Reference | Version | Date | Title | Source
PGM/DCM/TEM/0001 (DO NOT REMOVE) | See note above | See note above | POA Generic Document Template | Dimensions
PGM/DCM/ION/0001 (DO NOT REMOVE) | | | POA Document Reviewers/Approvers Role Matrix | Dimensions
0.5 Abbreviations
Abbreviation Definition
0.6 Glossary
0.7 Changes Expected
0.8 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, while every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained as a result of any error or omission in the same.
0.9 Information Classification
The author has assessed the information in this document for risk of disclosure and has assigned an information
classification of FUJITSU CONFIDENTIAL (INTERNAL USE ONLY).
1. Introduction
This document is a summary list of improvements that have been made on POA that improve service
delivery across several areas and enhance the ways of working with POL. The items are grouped into
categories and are not always described in detail and are written from Fujitsu's perspective. This
document is not meant to be a definitive reference, more a place to look to remember the many things
that were done. There will be additional improvements that have been made that do not appear in this
document. The entries are not in any priority order.
No decision has yet been made on how this document should be updated or on the frequency of any
updates. It is a point in time view.
2 LIVE DEFECT MANAGEMENT
• Fujitsu drafted and then refined and agreed the term Live Defect with POL, which encompasses BEDs, to provide a common definition and language. Defining Bug, Error and Defect and then clarifying any overlap was deemed challenging where a single term would suffice (May/June 2021).
• Fujitsu drafted and then refined and agreed the term Horizon Defect Review (HDR) Defect with POL to ensure a common understanding of what branch affecting means.
• Fujitsu designated Peak as the ONLY Fujitsu Live Defect Management platform - not TfSNow, not KB, not separate spreadsheets - all in one system and managed using the system.
• Fujitsu updated the POA Peak system to add 2 new markers - Live Defect and HDR Defect - to enable system driven management of Live Defects.
• Fujitsu reviewed all Peaks and had the 2 new markers assigned - this also picked up Live Defects previously deferred under projects and changes so that they could be more intentionally managed to a fix, and enabled active project Live Defects to be made more visible through enhanced Fujitsu reporting.
• Fujitsu changed the Customer Business Impact Forum (CBIF) to only ask for POL input where it was needed to enable a fix to a Live Defect to be produced. If POL input was not needed, Fujitsu would proceed to fix. To do this Fujitsu removed any cap on the amount of effort to fix an issue before POL would be asked to fund. Fujitsu removed any relevance to the Priority of a Live Defect - they all matter and should be fixed as promptly as possible. There have only been 2 CBIF submissions in the last 2 years since this change (as opposed to around a dozen that were under discussion prior to this), saving POL and Fujitsu time and ensuring fixes were deployed quicker.
• Fujitsu drafted the POL Terms of Reference (ToR) for the HDR Forum (formerly the Horizon Known Error Review Forum (HKERF)), amended this with POL, and agreed and launched it.
o Fujitsu agreed formally handing over the chairmanship of the HDR to POL at this time.
• Fujitsu proposed a format for HDR minutes to POL that was agreed and implemented with POL - for the Fujitsu section of the meeting.
• Fujitsu proposed to POL and implemented a format for reporting to the HDR Forum.
• Fujitsu proposed and implemented a minimum dataset for any HDR Defect reporting with POL - including relevant fields from Peak.
• Fujitsu enhanced the Peak system to include more fields and field response options to enable more detailed reporting and tracking.
• Fujitsu appointed a Live Defect Management lead (January 2022).
• Fujitsu performed training across the account on the Live Defect, HDR Defect and Peak system usage guidelines.
• Fujitsu implemented guidelines to help stack owners/resolver group owners to consistently manage Live Defects (and their metadata) in their area.
• Fujitsu changed the account culture from allowing Live Defects to be an add-on to new-feature projects (partly driven by POL) to making Live Defects more important than projects.
• Fujitsu changed the maintenance release schedules to monthly per platform to enable more frequent routes to Live.
• Fujitsu drove POL to introduce a counter cadence to bring 6 regular releases per year rather than around 3 to 4 irregular project focused releases, creating more frequent routes to Live (counter defects are the greater proportion of the whole). Fujitsu merged Business Impact Forum (BIF) and Peak Targeting Forum (PTF) to speed up decision making to get a fix into a designated release.
• Fujitsu identified a backlog of 122 Live Defects (February 2022) - applying all the changes mentioned above - which were systematically managed down to circa 20 today.
o The number of open Live Defects has remained at around 20 for many months now - and includes approximately 4 which have been agreed are accepted by POL and require no fix to be deployed.
• Fujitsu defined and implemented ALL Live Defect reporting for POL and implemented it as a fortnightly report (August 2022).
o Fujitsu had initially proposed and presented this to POL in December 2021, which led to a joint follow up January 2022, a sample report shared with POL February 2022 for their consideration, and then it went quiet. Fujitsu reminded POL in July 2022 and following further joint discussions Fujitsu launched the fortnightly reporting on 05 August 2022 and it remains in place.
• Fujitsu defined and implemented ALL Live Defect reporting to all POA stack owners/resolver group owners and management and implemented it as a monthly email (February 2022).
• Fujitsu added ALL Live Defect reporting to the POA Monthly Business Review reporting pack (February 2022).
• Fujitsu defined a POA goal that 95% of Live Defects must be assigned to a numbered Release - so it was clear how the fix would go live. This goal is consistently achieved and has been for over a year.
• Fujitsu proposed and implemented an Approved Live Defect category to allow ongoing visibility and reporting on Live Defects that POL did NOT want Fujitsu to fix.
• Fujitsu reviewed all Peaks referencing KBAs, and all KBs referencing Peaks, to ensure Peak was the ONLY repository for Live Defects and that Peak contained ALL Live Defects.
o The KBA review did identify that there were defects that Fujitsu had not been asked to fix. To bring these into the Defect reporting, a new category of Accepted Live Defect was created and added to the reporting so it was visible to POL and could be discussed jointly. This was implemented in November 2022 and communicated to POL 02 December 2022. It has been on our reports ever since.
[Embedded attachment: HDR Defects Update Report - 02_]
• Fujitsu documented the POA Live Defect Management procedures and stored them in Dimensions.
• In April/May 2024, the Fujitsu Defect and Service Process Manager drove a number of cross team improvements which were communicated to POA via Red Top.
o Fujitsu identified an issue where cloned Peaks of Live Defects and HDR Defects were retaining the ##LAD, HDR-EXP or HDR-FIN tags, thereby wrongly inflating the counts and reporting of Live Defects. This was corrected and relevant local work instructions updated.
o Fujitsu identified that the field "When it dates back to (when could it have started happening)" was not always updated with the required information. Teams were reminded of the importance of investigating fully so that this field can be accurately updated for reporting purposes and root cause analysis.
3 HORIZON DEFECTS REVIEW FORUM (HDR)
This was formerly known as the HKERF, with the purpose of discussing Branch Affecting defects.
• In 2018, Fujitsu introduced an internal weekly review of any new Knowledge Base Articles that could potentially refer to defects to ensure a Peak/Incident was in place if needed and POL notification of the Peak was provided where branch impacting. This fed into the Horizon Known Error Review Forum (HKERF).
• Fujitsu introduced a weekly HKERF in late 2018 to provide POL with early visibility of branch affecting defects.
o Note: POL considered ending this in 2019 (Martin Godbold)
• POL had created its own ToR for the meeting despite not being its chair (back in September 2020), and Fujitsu had created a ToR for the meeting as it was the chair. The 2 ToRs were not mutually agreed and were different.
• POL requested transfer of chairmanship of HKERF to POL in Q1 2021 with a new name HDR Forum. Fujitsu agreed.
• The HDR meeting scope includes Fujitsu defects and also defects from other parties, so Fujitsu does not attend the whole meeting. The minutes POL issued initially did not differentiate between the Fujitsu defects and others, so Fujitsu was unable to accept the minutes from POL.
• POL did not seek to 'sign off' the ToR, instead assuming its acceptance - which was reasonable as Fujitsu had co-authored it - but not formal.
• In November 2021 Fujitsu proposed a new format for the HDR minutes that would allow Fujitsu to sign off on them. This included a recommendation that the weekly meeting started with an agreement of the minutes - POL agreed.
• Fujitsu proposed and introduced a target dataset for defect notification to POL and implemented it in November 2021 after receiving POL acceptance. This was added into v2.3 of the HDR ToR. This saw many new attributes captured and shared: release dates; release numbers; screenshots; description of workarounds; and many fields describing the defect to help POL understand and prepare postmaster communications.
• In January 2022 Fujitsu amended the ToR to reflect all recent changes to ways of working (v2.3) and proposed to POL that this version be formally signed off. It was jointly signed off 04 February 2023.
[Embedded attachment: HDR ToR V2_3.msg]
• V3.0 of the ToR was released March 2022 and Fujitsu held a copy in Dimensions under reference SVM/SDM/PRO/4317.
[Embedded attachment: HDR Terms of Reference V3_0.msg]
• 3.2 of the ToR was released January 2023 and the Fujitsu copy in Dimensions was updated too.
[Embedded attachment: RE_Horizon Implementation Def]
• In August 2023, POL offered a v3.3 where they had removed the word DEFECT and changed it to Problem. Problem is a contract defined term and we responded with various points suggesting this was not a good idea. The discussion is ongoing. Fujitsu has stored this version in Dimensions.
[Embedded attachment: FW_ Branch Impacting Problems]
• Fujitsu has been attending the weekly Monday HDR meetings since they started in June 2021 and provides a HDR Defects Update Report on the prior Friday.
4 “REMOTE ACCESS”
Remote Access can have various and sometimes confusing meanings. In the Horizon Audit - "RA
Report" Fujitsu stated that Remote Access relates to the following areas:
• Remote Connectivity - The ability for specialist support staff to connect to an environment to access and provide support to a system from a location other than where it is physically located.
• Privileged Access - The ability for specialist support staff to carry out operations on the system that they have accessed - whether such access is from a remote location or from the physical location where the system is located.
Fujitsu described each of these in detail in the "RA Report" in February 2021 (see HORIZON AUDIT
REPORTS for POL)
Fujitsu further explained these topics in the "PAM RAM Assurance Report" in April 2023 - responding to
questions posed by Deloitte on behalf of POL (see PAM/RAM ASSURANCE REPORT for POL).
These reports remain an accurate description of "Remote Access".
Underpinning these reports, Fujitsu POA made many changes (not chronological or prioritised in any
way):
• Remote Connectivity was already comprehensively designed and implemented.
o However, Fujitsu made MFA mandatory for support specialists remotely administering the HNG-x systems and MFA exemptions were reduced to near zero (GPO change implemented in July 2023 - under R38.51).
• Privileged Access has seen many improvements:
o Fujitsu ensured POL completed a project to ensure counter access (which is provided by DXC) only gave Fujitsu "read" access. Fujitsu has no ability to make changes to live branch counters.
▪ October 2021 - Fujitsu sent a recommendation to POL to work with CC to ensure that Fujitsu privileges using the CSASSH account used when connecting to counters for remote support purposes have Least Privilege (READ ONLY level capabilities) and CANNOT affect counter operations - as described in REQ/SIR/SRS/2605. In Q4 2022, POL commissioned Fujitsu to test a solution proposed by their new EUC provider DXC. This concluded successfully in December 2022. POL then rolled out this least privilege change with DXC in January and February 2023. This now affirms that Fujitsu support staff cannot make changes to live counters.
o Fujitsu strengthened the controls within the Remote Counter Application (RCA) client on the SSNs (Terminal Servers/Jump boxes) to lock down the permitted controls able to be executed on a counter within Cygwin to a specific set of commands only.
o Fujitsu supported POL to perform a pen test (performed by Nettitude) of the Remote Counter Application (RCA) capabilities - which confirmed the Fujitsu restricted command set mentioned previously.
o Fujitsu completed a project, with ECS, to identify and record ALL privileged accounts across the entire estate - human and non-human.
▪ Q4 2021 Fujitsu commissioned its ECS team to do a review of PAM accounts and activity. This concluded in December 2021 with a series of recommendations.
▪ Q1/Q2 2022 Fujitsu commissioned ECS to remediate all PAM account findings.
o Fujitsu built, and maintains, a Privileged Account Register of all POA privileged accounts - of various types.
o Fujitsu implemented a set of privileged account policy rules and introduced routine verification of the policy rules on all privileged accounts.
o Fujitsu removed over 100 privileged accounts that were no longer needed, or had no clear owner, as part of the discovery and verification processes.
o Fujitsu implemented logging of all SQL commands executed by human users on all Oracle databases (most notably BRDB) and ensured they were sent to the Audit Archive. We can review any commands any of our staff issued against a database if we are ever asked to confirm someone did, or did not, take a specific action.
▪ CP2831 covered the non-BRDB databases. Implemented December 2022 under R36.50.
▪ CP2876 covered the BRDB database. Implemented March 2023 under R40.50.
o Fujitsu removed the default APPSUP privilege from all SSC users and made it on-demand only, with prior Fujitsu and POL approval (October 2016).
o Fujitsu and POL implemented a comprehensively documented process for APPSUP approval using the mutual service management toolsets.
o Fujitsu documented ALL occasions and processes under which it would make changes to Live data in HNG-x - and then shared this with POL for completeness.
o Fujitsu changed default SSC access to non-BRDB databases to be read only with a command needed - which is logged - to escalate to the required write levels of access (done under CP2831).
o Fujitsu implemented Security Incident and Event Management as a Service (SIEMaaS) to enhance security information and event monitoring across the entire data centre estate.
▪ Started March 2022 and finally completed in November 2023 under CP2877.
o At POL's request, Fujitsu implemented weekly counter access reporting for POL and made the delivery of this contractual.
▪ April 2022 - under CWO0574 Fujitsu implemented weekly reporting of all remote counter access made by Fujitsu specialist support staff to branch counters. This showed the command executed and the result.
o Fujitsu implemented internal checks of all failed Remote Counter Application (RCA) commands used by support specialists to try and access branch counters. These are logged and reviewed by SecOps monthly with 'offenders' challenged for explanations (April 2022).
o Fujitsu implemented weekly reporting to POL of all Privileged Access account types explained in the "RA Report" (May 2021).
o Fujitsu implemented monthly POL reporting of all "Break Glass" accounts released by SecOps - with supporting ticket references and explanation (November 2021).
o Fujitsu enhanced the privileged account creation and verification processes to require POA Leadership Team (LT) approval and review - more executive oversight (March 2023).
o Fujitsu strengthened its risk management process with POL and now routinely reviews all Security and Service risks within the monthly POL meetings.
o Fujitsu completed a review (December 2023 - May 2024), led by ECS, to confirm the levels of logging and retention for a specified set of privileged actions use cases taken by Fujitsu support staff on a regular basis (observations and minor findings only).
o Fujitsu implemented internal automated reporting of actual database access accounts to enable routine verification by SecOps against the user access database.
o Fujitsu introduced monthly SecOps reporting of checks done to validate failed remote connections to the Horizon SSNs (Login failures) - November 2021.
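The routine verification described in this section (actual database access accounts checked against a register of approved privileged accounts and its policy rules) can be expressed as a reconciliation, shown here as an added example that is not part of the original document and not Fujitsu's tooling. The record fields, the five rule names, the 90-day idle threshold and all account and database names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_IDLE_DAYS = 90  # assumed policy threshold, not taken from the document


@dataclass(frozen=True)
class RegisterEntry:
    """One row of a hypothetical privileged account register."""
    account: str
    owner: Optional[str]   # named accountable owner; None or "" means no clear owner
    write_approved: bool   # True if write-level access has been approved


@dataclass(frozen=True)
class DbAccount:
    """One account as actually found on a database (hypothetical export format)."""
    account: str
    database: str
    can_write: bool
    last_used: Optional[date]  # None means no recorded use


Finding = Tuple[str, str, str]  # (account, database, rule that failed)


def reconcile(register: List[RegisterEntry], actual: List[DbAccount],
              today: date) -> List[Finding]:
    """Compare accounts found on databases with the register and policy rules."""
    by_name = {e.account.lower(): e for e in register}  # names matched case-insensitively
    seen = set()
    findings: List[Finding] = []
    for acct in sorted(actual, key=lambda a: (a.database, a.account.lower())):
        key = acct.account.lower()
        seen.add(key)
        entry = by_name.get(key)
        if entry is None:
            # Exists on the database but was never recorded or approved.
            findings.append((acct.account, acct.database, "NOT_IN_REGISTER"))
            continue
        if not entry.owner:
            findings.append((acct.account, acct.database, "NO_OWNER"))
        if acct.can_write and not entry.write_approved:
            findings.append((acct.account, acct.database, "UNAPPROVED_WRITE"))
        idle = None if acct.last_used is None else (today - acct.last_used).days
        if idle is None or idle > MAX_IDLE_DAYS:
            findings.append((acct.account, acct.database, "STALE"))
    # Register rows with no matching live account: the register itself is out of date.
    for entry in sorted(register, key=lambda e: e.account.lower()):
        if entry.account.lower() not in seen:
            findings.append((entry.account, "-", "REGISTER_ONLY"))
    return findings


def sample_findings() -> List[Finding]:
    """Run the reconciliation over constructed sample data."""
    register = [
        RegisterEntry("ssc_user01", "A. Analyst", write_approved=False),
        RegisterEntry("svc_batch", None, write_approved=True),
        RegisterEntry("dba_old", "B. Admin", write_approved=True),
        RegisterEntry("ops_retired", "C. Ops", write_approved=False),
    ]
    actual = [
        DbAccount("ssc_user01", "DB_A", can_write=True, last_used=date(2024, 4, 30)),
        DbAccount("svc_batch", "DB_A", can_write=True, last_used=date(2024, 5, 1)),
        DbAccount("dba_old", "DB_B", can_write=True, last_used=date(2023, 11, 1)),
        DbAccount("tmp_admin", "DB_B", can_write=True, last_used=None),
        DbAccount("SSC_USER01", "DB_B", can_write=False, last_used=date(2024, 5, 2)),
    ]
    return reconcile(register, actual, today=date(2024, 5, 9))


if __name__ == "__main__":
    for account, database, rule in sample_findings():
        print(f"{rule:<17} {database:<5} {account}")
```
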
5 HORIZON AUDIT REPORTS for POL
• January - March 2021 - Delivered 6 detailed reports on Fujitsu ways of working to assure POL of the current Fujitsu working practices on:
o SDLC
o Testing & QA
o BED Management
o Remote Access
o Robustness
o Detailed update on the 29 BEDs
• Follow up questions were sent by POL and Fujitsu responded to all of those formally too.
• Each report contained a number of recommendations which POL have, in substantial part, not sought to discuss or overtly action.
• Fujitsu was assured it would receive formal feedback on these reports but this has never been shared by POL.
6 PAM/RAM ASSURANCE REPORT for POL
• April 2023 - Fujitsu delivered a further detailed report on PAM/RAM questions raised by POL (on behalf of its partner, Deloitte). Feedback was only ever provided verbally to say that there were no further questions. Fujitsu formalised this understanding by summarising this outcome back to POL over email.
7 APPSUP
• 18 October 2016 18:00 - Fujitsu removed the default privilege APPSUP from all users on BRDB under MSC 043J0451867 and made it an on-demand and approved controlled allocation of temporary rights.
• APPSUP is not used to correct branch balance discrepancies or to amend financial transactions. Corrections relating to branch balance discrepancies are performed by POL using the POL Transaction Correction Process. APPSUP is used for non-balance impacting actions (such as stock unit associations, emergency branch opening, or monthly tidying of despatch reports). This is documented in the Horizon Data Change work instruction. Some APPSUP actions can indirectly lead to a balance impact (such as deleting a corrupt recovery message that is causing a logon loop). Where an action being taken by Fujitsu using APPSUP could lead to a balance impact, it is POL that decide if any balance discrepancy correction is required with the branch and it is POL that take any corrective action required.
o Note: APPSUP can be used to correct branch balance discrepancies and to amend financial transactions but a decision was made, but not documented or dated, that Fujitsu would NOT use the privilege to do this. A note was added to any current work instructions and KBAs to ensure it is clearly stated that we do not use APPSUP for that purpose and that that has been the case for many years.
• May 2021 - Fujitsu implemented a new jointly defined and agreed process for APPSUP (Horizon Data Change process) that ensures POL and Fujitsu approvals, along with evidence of action taken, are recorded in the mutual service management toolsets. The HDC document also describes all scenarios under which Fujitsu may be required to amend live data.
8 TRANSACTION CORRECTION TOOL and KEYLOGGER
• Fujitsu decommissioned the Transaction Correction Tool with POL approval and awareness.
o 13 May 2021 (CWO0425) - Release 21.51
• Fujitsu decommissioned the misleadingly named Fujitsu Keylogger with POL approval and awareness.
o R72.10 (CP2774) - originally implemented to help Computacenter resolve issues with hardware peripherals
9 HIJ PROGRAMME
Fujitsu pro-actively engaged with POL relating to the HIJ findings. The actions taken were:
• Fujitsu assigned a named point of contact to help coordinate POL's HIJ improvement initiatives in February 2021.
• Whilst the detail of the HIJ Programme was being formulated by POL and KPMG, Fujitsu pro-actively created and shared a POL focussed "Postmaster First" improvements initiative to jointly address several issues on 04 March 2021.
[Embedded attachment: RE_ Improvement planning ideas.msg]
• The POL HIJ Programme never really materialised as the Fujitsu "Postmaster First" actions were taken forward and tracked with weekly calls with POL. The following are examples of the content created and shared in June 2021:
[Embedded attachments: Postmaster First - Improvements Plan -; Postmaster First - Improvements Plan -]
• In July 2021 POL shared an initial Remediation Program POAP but did not explain if Fujitsu were involved:
[Embedded attachment: RE_ Remediation_Improv]
• By August 2021, POL had associated actions to the PoaP so Fujitsu could interact. It was mostly comparing RTQs to the initiatives POL had on its PoaP. It was not a jointly planned and worked programme by any conventional definition.
[Embedded attachment: RE_ Remediation_improv]
• In November 2021, POL issued the final update to the PoaP and in January 2022 the weekly catch-ups were cancelled.
[Embedded attachment: Weekly HIJ Remediation Progra]
• In summary Fujitsu drove the activity that created the following outcomes:
1. Supported POL/KPMG to validate and test that the 29 BEDs were remediated
2. Proposed improvements to Incident and Problem classification to enable better reporting
(POL did not respond to final action list shared)
3. Supported POL to take the Chair of what was HKERF and what was now HDR Forum —
including defining a TOR
4. Integrated CBIF with HDR in August 2021 to consolidate views of defects (See HDR below)
5. Enhanced the ARQ data sharing process with digital signing and encryption under CWO0426
leading to CCN1723a
6. Ran numerous Deep Dive sessions with POL and Fujitsu SMEs on POL selected subjects to
enhance POL/KPMG understanding of various parts of HNG-X
7. Refined the documentation of the process for granting the APPSUP role and how the
approvals and evidence of actions would be recorded. The processes around the temporary
granting of the APPSUP role were defined in Fujitsu's “Horizon Data Changes Process Work
Instruction” [SVM/SDM/PRO/4293]. POL has its own internal process document for Horizon
Data Change which Fujitsu understands is titled "Horizon Support Approval Process vx.x"
(latest version not known by Fujitsu)
8. Decommissioned the Transaction Correction Tool on 13 May 2021 under R21.51
9. Introduced weekly reporting of PAM administrator accounts for POL to review
10. Supported POL high-level discussions on its intentions to create a UAT process
11. Reviewed and contributed to POL planning around its test strategy, test policy and
regression testing approach (see TESTING)
12. Supported POL in its thinking of its new governance model and the value and relevance of
the many meetings being held between POL and Fujitsu
13. Offered guidance and teaching sessions on POL reconciliation actions (POL never
responded)
14. Supported POL to take action on some of its selected “Pain Point Catalogue” action items
10 ENQUIRY SUPPORT for POL
• July 2021 - Fujitsu introduced a simple enquiry mailbox for POL and its legal representatives and assigned a multi-skilled team to be available to review and action (PO.Enquiries@ and the channels we proposed prior to this).
• Fujitsu offered to work with POL to check it was using all of the Horizon content it has access to to best support an inquiry from a postmaster. This included discussions around ARQ, HORIce and reconciliation.
• Supported POL's Investigations team to identify a series of new requirements to improve their processes (CW00474) which led to changes being made under CWO0562.
11 RISK MANAGEMENT
• January 2020 - POA continued to make internal process improvements to the account risk management processes and platform to ensure greater alignment and clearer action tracking across all areas.
o A POA monthly Risk Meeting was initiated in January 2020 for all senior managers to review risk entries and overall risk posture.
• May 2020 - POA enhanced its risk management interactions with POL - expanding it to cover all domains and providing a monthly report. Risks are discussed at ISMF and SMR.
o A monthly risk governance review is performed by the POA risk lead and the POL risk lead. POL chair this meeting.
• Security risks are routinely reviewed and action plans (where viable) have been created for ALL risks - jointly - and this is reviewed monthly as each risk review date occurs.
12 ARQ
• Early 2021 - Fujitsu proposed the digitisation of the delivery of ARQ responses to POL. This was done under CWO0426. The project finally completed in October 2022 due to protracted delays within POL procuring, installing, and configuring the required desktop PGP software.
• March 2024 - Fujitsu updated the ARQ form to add more forms of available request in a structured layout. Prior to this, requests could be in free form text and unclear. The form also contained the option to request things Fujitsu no longer provides, i.e. witness statements.
• February 2024 - April 2024 - Fujitsu enhanced some of the ARQ queries to record settings used by the analysts running the ARQs and to provide new output files to avoid any need for manual copy and paste actions, to improve response times and avoid any human error risks.
• April 2024 - Major update to ARQ WKI to be extremely accurate on how each action is to be performed, to ensure absolute consistency and understanding.
13 REPORTING
Numerous additional reports were introduced:
• Horizon Defect Review Report - weekly
• ALL Live Defects Report - fortnightly
• Fujitsu Counter Access Report - weekly
• PAM Weekly Report - weekly
• Fujitsu Risk Log - monthly
• Projects/Programmes PoaP - weekly
• Project Status Reports - weekly
• Internal Business Review Live Defect reporting - monthly
• See MONITORING section as the additional events monitored are presented as HORIce reports
14 HEADCOUNT & CAPACITY
• Added 35 heads in October 2020 to better support POL in its change aspirations, predominantly to build capacity to deliver the PBS and BEX critical strategic projects, as well as recruited specialists to aid the transition to a hybrid delivery model.
• ASM was introduced in 2018 to enable POL to prioritise the utilisation of 4th line resource on project work over lower priority BAU work.
o 61 potential projects were then identified for consideration by POL (extract thumbnail shown below)
• Increased the scope of funded resource provided by Fujitsu to cover £1.2m pa (£90k per month of testing, PM and Architecture resource from circa April 2020).
o Identified potential options to improve the service such as a mechanism for the counter to check in to see if it is running the latest version, thereby enabling shorter lead time for releases
• In January 2024 identified further strengthening of the teams and recruited a new Head of Applications, Network Architect, Acceptance Into Service Lead and Solution Owner.
15 PROJECTS & CHANGE
• Identified the need for a POL Demand Planning forum and set up the governance with POL and inputs to enable this to progress and mature, e.g. Programme on a Page (POAP).
• Fujitsu had to take on a more active leadership of Demand Planning to apply more rigour and help POL better manage workload and change.
  o Fujitsu provided a PoaP to help POL understand the overall Delivery and demand landscape
  o Fujitsu project workload tracking improved to enable better feed into Demand Planning
  o This included validating if work by Fujitsu was in fact the right option, challenging the purpose and whether IT is the right route or whether business process amendment may be more suitable
  o Fujitsu initiated review of all open work items to identify any that would affect the BEX delivery dates that POL are keen to achieve (BEX programme long since cancelled by POL)
  o Fujitsu presented a view of all delivery streams of work including the / impacting stage, Programme delivery and planned service and maintenance activities. Offering a complete view of in-flight activities allows POL to make informed decisions on resource priorities and environment constraints.
• Formal project reporting cycle for all delivery activities, providing a weekly snapshot of project status, key risks / issues / dependencies, planning updates and financial forecasting. This is shared between Fujitsu and POL Project Management counterparts.
• PCI Change Request meeting set up to track key changes / additions / new requirements to support PCI initiative. This session was relevant during the delivery of the key strategic PBS Programme — a multi supplier implementation for a Payment and Banking solution. The governance structure was handed over into Service at the point of Go Live.
• Fujitsu offered considerable additional support to POL to help it manage its 3rd parties — to try and reduce the frequency of project plan changes needed due to POL 3rd party issues
• Following the introduction of the Release Counter Cadence that allows for an average of 6 Counter Releases to reach the POL estate each year — Fujitsu recommended and continues to support a formal “Counter Board”, a governance structure that meets weekly across parties and looks at not only the progress of in-flight Counter deliveries but also any potential Counter backlog to help support the Targeting process for projects and PEAKs.
• As best Fujitsu can identify, projects to support Postmasters have included but are not limited to:
  o CWO0415 Rename Settle centrally
  o CWO00424 Design study for access to Branch Hub from Horizon
  o CWO00348 Branch Printer Cost Reduction — Error Code Mapping and Economy Print
  o CWO00224 Making test hardware more representative
  o CWO00479 Horizon Help screen FIX #2
  o CWO00490 Clear back-office print queue from Horizon
  o CWO00466 Discrepancy investigations — progress stopped by POL and project withdrawn
  o Cash management (Glory machines)
  o CWO00230 Payment Banking Service
  o CWO00801 and CWO0802 Auto Stock Rems
  o CWO00433 Money Gram design doc
  o CW00479 help screen freeze fix
  o CWO0514 Receipt text change (part of PBS)
  o CWO0507 and CWO0498 - Branch Hub design and Dev
  o CWO0756 BAL Gateway Connection
  o CWO00693 Pre-Order Fast Cash Design
  o CWO0669 E-Top Up
  o CW0O0734 Pre-Order Fast Cash Delivery
  o CWO00737 CWB counter Lock for BHOH
  o CWO0757 Auto Stock Rem
  o CWO0736 Standalone Help Viewer (CWB)
• Trained & accredited POL and project teams in SAFE agile methodology to help ensure DDS ways of working were optimised to enable delivery. Fujitsu funded external coaches full time to assist the entire delivery mechanism from POL product managers/owners to scrum team engineers
• Change Management update 25/09/2023 - Design Analysis (CSP/PSD) / Options Analysis (FSR) / Implementation
  o Objective - In order to better set expectations and to remove ambiguity, the following principles have been drafted to ensure the change process is optimised
    ▪ New changes will be assessed and categorised according to the following criteria, which will each in turn enable an RTQ to progress to the next executable stage as appropriate:
      • If requirements are clear and we can respond in (ie approx 5 days effort) — respond with a fully costed CWO as per standard process
      • If the topic is complex or choices are likely to be available — respond with a CWO for an Options Analysis
      • If the requirements are clear but the response is complex and will take more than approx 5 days to solution — respond with Design Analysis.
      • If the request is for information to help POL understand something or help POL define requirements — recommend a call-off is used NOT an RTQ and reject the RTQ
      • Anything else will be rejected as logically it should fit into one of the above categories
• In 2021, Fujitsu introduced internal twice-weekly RTQSR reviews. This forum helped Fujitsu try to understand POL's objectives and that they are achieving their goals via the correct mechanism. It improved the clarity of the requests being made and enabled more efficient allocation to the Fujitsu leads
• Fujitsu encouraged POL to start a joint Counter Release Board — which POL implemented
• Fujitsu implemented a formal Project Change Control (PCR) process across all projects and programmes to control change and to provide an audit trail of all approved project change
• Fujitsu introduced a fortnightly DCF RAID review meeting to help POL understand the level of risk/RAID and the measures being taken to manage it on DCF
• Fujitsu provides comprehensive reporting at both DCF and Counter Boards to ensure POL outcomes are well managed
16 GOVERNANCE/COMPLIANCE
• A Weekly Priority Meeting was requested by Fujitsu and introduced in April 2019 to enable POL to share its priorities — face to face — so Fujitsu could be clear on the context and ask questions to avoid any confusion from emails, meetings, and other ad-hoc discussions
  o Additionally, this helps POL stakeholders to be aware of the breadth of activities that Fujitsu are undertaking.
  o This meeting was ended by POL in January 2024 following changes in POL personnel
• Other joint governance meetings and Hot Topics sessions were also introduced with a regular frequency to ensure any concerns were addressed as quickly as possible
17 TESTING
• Fujitsu assisted POL to confirm that all 62 issues comprising the 29 BEDs cited in the Horizon Issues were closed. This was successful and confirmed by POL's partner, KPMG
• With the appointment of a new POL Head of Test, a more collaborative approach to testing was introduced. Each release now has a joint test team POL/Fujitsu/Any appropriate 3rd party to discuss/agree scope of activities for the changes under test.
  o Good examples of this were the 29 BED testing, PRE-PAID MI and Computacenter Data Centre migration where we worked closely with POL Test / Accenture / KPMG / CC to complete these activities
• Fujitsu contributed to the Post Office Test Strategy, Test Policy and Regression testing approach to help shape testing process at all levels
• Fujitsu made many recommendations in the TESTING & QA REPORT as part of the Horizon Audit
• The Fujitsu Test Manager also cited the following changes made throughout 2023:
  o Zephyr Test Management Tool — the purchase and use of this test tool has saved time and money
  o Collaborative working with POL for Counter Releases — 6 Releases this year
  o Additional resources in LST — 3 altogether to start the knowledge transfer spread on the team
  o Test Architect role — set up this role to support the POA programme
  o Weekly Test report reinstated giving all teams and Project Managers a view of progress and risks
  o Put in place 121s with the test team and weekly with test manager, monthly with test team
  o Adopted the GDC model of resourcing from LST for SV&I — 1 person currently
  o Hired a new LST Test Manager
  o Introduced a PoaP for LST and SV&I scheduling of work
  o QFP taken this back into the Test Team — for DCF working with Steve Evans to move this across
  o Releases for the CBA Test Tool, managed through to get regular fixes applied to the tool.
  o Zephyr Test Management Tool — despite the current discussions the purchase and use of this test tool has saved time and money
  o QFP taken back into the Test Team — for DCF — working with Steve Evans
  o Re-introduced the quarterly backups for the SV&I environment. Started in July 2023
  o Schedule of outages in SV&I in the diary for 2023 and 2024
  o More closely managed outages, where any updates that can be applied to SV&I through the month are done as soon as available rather than leaving to the monthly updates
  o Review of the content for the monthly updates completed earlier, along with the above, has reduced the outage over the last 2-3 months to half a day. This will vary at times, but definite progress has been made in that area, along with giving the responsibility to the Rig Support team to organise and send out communications via the rig support mailbox
18 REQUIREMENTS/ACCEPTANCE
• ECCB — extended to include a wider set of impacting Teams (including Networks and Data Centre Teams) to reduce the number of meetings required to get to a fully impacted state.
• RAM/RAB - reduced the size of the presentations
  o A One-Pager is now issued to new and curious POL PMs
  o Reduced the number of review meetings by issuing the slides for off-line review
  o Incorporated 5 slides for POL for their Business Readiness review
• Service Readiness Review (SRR) — output of meeting only sent to some stakeholders, obviating the need to attend the meeting en masse.
19 DEVELOPMENT
• Expanded CIT. It is no longer a Counter application centric test team; whilst limited in capability, it does test elements of PODG, Host and Agent, and goes beyond just the CBA to its associated sister applications like HBS, SMS, SSN, etc
20 MONITORING
• The following HORIce graphs were introduced (following Incident reviews). They are used to assess impact/observe symptoms of ongoing live issues and are used by Service Management
• These are visible to POL on its HORIce dashboard
Figure 1: This is looking at the BMX metrics for Java heap memory in the HBS (kiosk) servers. If the Java cannot free used memory quickly enough it leads to issues
Figure 2: This is looking at the PODG transfer logs (via a HTTP interface) to detail the number of completed file transfers
Figure 3: This is looking at Tivoli events harvested from the BlueCoat-ProxySG, it is looking for a specific error text ‘Scheme was not delimited’ that can affect kiosks
21 DATA PRESERVATION BOARD
• Q3 2023 — Fujitsu helped POL set up a Data Preservation Board, drafting its ToR and guiding POL on a workable end to end process. This followed almost a year of no guidance from POL on how to proceed to decommission systems — putting the DCF programme at risk. POL are currently having an assurance review conducted by Mason Advisor