FUJ00243292 - Pam Ram Assurance Report (Fujitsu)


PAM RAM ASSURANCE REPORT
FUJITSU CONFIDENTIAL

Document Title: PAM RAM ASSURANCE REPORT

Document Reference: COM/MGT/REP/4818

CP/CWO Reference: N/A

Abstract: Response to POL PAM RAM External Assurance questions
Document Status: APPROVED

Author & Dept: Fujitsu

External Distribution: Restricted. See section titled Information Distribution.

Information Classification: See section 0.8

Approval Authorities:

Name
Fujitsu Fujitsu Responders (POA) See Dimensions for record
© Copyright Fujitsu 2023 FUJITSU CONFIDENTIAL Ref: COM/MGT/REP/4818
Version: 1.0
UNCONTROLLED WHEN PRINTED OR STORED OUTSIDE DIMENSIONS Date: 20-Apr-2023
Page No: 1 of 34

Table of Contents

0 DOCUMENT CONTROL
0.1 Document History
0.2 Review Details
0.3 Associated Documents (Internal & External)
0.4 Abbreviations
0.5 Glossary
0.6 Changes Expected
0.7 Accuracy
0.8 Information Classification
1 PURPOSE & INTRODUCTION
2 BACKGROUND
3 TERMINOLOGY
4 TYPES OF PRIVILEGED ACCESS
5 RESPONSES
6 FORMAL AUDIT REPORTS
7 CONCLUSIONS
8 RECOMMENDATIONS
9 INFORMATION DISTRIBUTION

0 Document Control
0.1 Document History

| Version No. | Date | Summary of Changes and Reason for Issue | Associated Change CWO, CP, CCN or Peak Reference |
|---|---|---|---|
| 1.0 | 20-Apr-2023 | Approved for release | N/A |

0.2 Review Details

Mandatory Review

| Role | Name |
|---|---|
| Fujitsu Responders | Fujitsu |

0.3 Associated Documents (Internal & External)

| Reference | Version | Date | Title | Source |
|---|---|---|---|---|
| PGM/DCM/ION/0001 (DO NOT REMOVE) | 168.0 | 13-Feb-2023 | POA Document Reviewers/Approvers Role Matrix | Dimensions (internal) |
| PGM/DCM/PRO/0001 | 4.0 | 14-Apr-2023 | POA Document Control Guidance Note | Dimensions (internal) |
| Europe Business Management System — Information standard | 10.0 | 09-Feb-2023 | Europe Business Management System — Information standard | EBMS (internal) |
| COM/MGT/REP/4165 | 1.0 | 12-Feb-2021 | RA Report | Dimensions (external) |
| ISAE3402 Report | N/A | 21-Mar-2022 | Description of Fujitsu’s System of IT Infrastructure Services supporting Post Office Limited’s Horizon application | Shared |
| SVM/SDM/PRO/4293 | 1.0 | 01-Aug-2022 | Horizon Data Changes Process Work Instruction | Dimensions (internal) |
| POL: POL/HNG/CIS/001, SVM/SEC/POL/0005 | 4.0 | 13-Oct-2011 | Community Information Security Policy for Horizon & Horizon Online | Dimensions (external) |
| SVM/SDM/SD/0016 | 6.0 | 07-Jan-2022 | | Dimensions (external) |
| SVM/SEC/PRO/0012 | 17.0 | 17-Mar-2023 | Post Office Account User Access Guide | Dimensions (internal) |
| SVM/SEC/POL/4538 | 2.0 | 23-Mar-2023 | POA Privileged Account Policy | Dimensions (internal) |
| SVM/SEC/PRO/4537 | 1.0 | 28-Jul-2022 | POA Privileged Account Release Procedure | Dimensions (internal) |
| Europe Business Management System — Privileged Access Management Process | 2.0 | 07-Dec-2022 | Europe Business Management System — Privileged Access Management Process | EBMS (internal) |
| Europe Business Management System — Privileged Access Management Work Instruction | 2.0 | 07-Dec-2022 | Europe Business Management System — Privileged Access Management Work Instruction | EBMS (internal) |
| REQ/SIR/SRS/2605 | 12.2 | 03-Mar-2023 | End User Compute Towers Responsibilities and Requirements for Horizon Anywhere | Dimensions (external) |
| DEV/GEN/MAN/0015 | 15.0 | 26-Sep-2022 | Audit Extraction Client User Manual | Dimensions (internal) |
| REQ/GEN/ACS/4252 | 1.0 | 10-Jun-2021 | ACCEPTANCE REPORT FOR HNG-X - Release 21.51 - Transaction Correction Tool — Decommissioning | Dimensions (external) |
| DES/APP/HLD/0029 | 4.0 | 07-Sep-2016 | Audit Data Retrieval High Level Design | Dimensions (internal) |
| LST SYS.AUD Log example 21.03.2023 | N/A | 21-Mar-2023 | LST SYS.AUD Log example 21.03.2023 | N/A |

0.4 Abbreviations

Abbreviation Definition

AD Active Directory
ARQ Audit Retrieval Query
BRDB Branch Database
EBMS Europe Business Management System (Fujitsu internal documents) — a Fujitsu internal system managed by Fujitsu corporate
ISMF Post Office Information Security Management Forum
LST Live System Test
MFA Multi-Factor Authentication
PAM Privileged Access Management
POA Fujitsu Post Office Account
POL Post Office Limited
RAM Remote Access Management
SAN Storage Area Network
SOD Segregation Of Duties
TACACS Terminal Access Controller Access Control System
VPN Virtual Private Network

0.5 Glossary

Term Definition

Dimensions Fujitsu internal Document Management repository

HNG-A The HNG-X Counter Business Application adapted to run on Windows operating systems other than NT4, providing all of the functionality of the HNG-X Counter Business Application.

HNG-X HNG-X was a project that replaced the Horizon message-based branch network with the Horizon on-line branch service. Also known as Horizon Online. This was rolled out in 2010.

0.6 Changes Expected


0.7 Accuracy

Fujitsu has endeavoured to ensure that the information contained in this report is accurate. Fujitsu accepts no
liability for any loss sustained (however caused), as a result of any information contained herein.

0.8 Information Classification

The author has assessed the information in this document for risk of disclosure and has assigned an information
classification of . This report is also subject to the Information Distribution statements in Section 9.


1 Purpose & Introduction

The purpose of this report is to provide responses to the 22 questions presented by POL to Fujitsu on 06
March 2023. These responses are based on Fujitsu’s understanding of the questions presented by POL.
The responses relate to the current HNG-X environment for which Fujitsu is responsible for PAM and
RAM and seek to describe the position as at the date of issue of this document.

Although every effort has been made to avoid confusing technical jargon in this document, the very
nature of the service delivered to POL necessitates the use of many acronyms and phrases that may
need expanding upon to ensure the correct understanding. Fujitsu accepts that further explanation may
be necessary and encourages POL to seek clarifications if anything is unclear.

This report has been prepared with the input of numerous Fujitsu individuals and attribution of any
statements made in this report should be made to Fujitsu only. In preparing this report, the authors have
collectively characterised and summarised many internal Fujitsu documents. They have also described
processes and procedures which have been established over many years and may not be in written
form. Many of the documents, processes and procedures described in this report are continuously
updated and Fujitsu reserves the right to make changes to the way it works in the ordinary course of its
operations and business without obligation to update this document. POL should verify the position with
Fujitsu before relying upon any information or content from this document in the future.

The author has assessed the information in this report for risk of disclosure and has assigned an
information classification of FUJITSU CONFIDENTIAL. This report is also subject to further Information
Distribution statements at Section 9 in this report.

POL is invited to comment on this report to seek any additional clarifications it needs. Fujitsu will
endeavour to respond to any comments or clarifications requested and may, if it deems necessary,
provide an updated version of this report.

Fujitsu welcomes the opportunity to provide this report and looks forward to a constructive dialogue with
POL.

2 Background

On 06 March 2023, POL sent an email to Fujitsu titled “HIJ Remediation - PAM/RAM & Transaction
Processing External Assurance”. In this email POL stated, “please see below the areas that Post Offices
wishes to cover in relation to PAM and RAM for which we need Fujitsu support and engagement.” A
table was included as follows — comprising 22 questions:

| General Scope area | Specific Scope | Ref |
|---|---|---|
| Governance and Process | Documentation detailing processes to grant Privileged Access to system is in place (including processes for approvals, new joiner, changes in access and leavers) | 1.1 |
| | Roles and responsibilities in the granting of Privileged Access are clearly identified and defined | 1.2 |
| | Management Information on the usage of Privileged Access is created and communicated appropriately | 1.3 |
| | Appropriate change management processes exist over any changes to this process | 1.4 |
| PAM General Controls | Process documentation exists for all known ways a user can be granted Privileged Access to the system | 2.1 |
| | Privileged access to each of the above categories is granted in accordance with the documented process, to appropriate users after appropriate approval | 2.2 |
| | Privileged access is only granted to authorised and appropriate personnel | 2.3 |
| | Privileged access is removed from leavers (by account disablement) in a timely manner following the user leaving | 2.4 |
| | Where possible, privileged access is only granted for a set time, for a specifically documented task | 2.5 |
| | Privileged access to each of the above identified systems, is via accounts with password settings in line with Post Office password policy | 2.6 |
| | There is a regular monthly review performed of all users with privileged access | 2.7 |
| | When privileged access is granted, there are logging & monitoring controls over what activity users perform; specifically. § All transactional activity performed by privileged users is written to the audit log on the audit SAN § There is an adequate SOD between users with privileged access (as defined in the Fujitsu report [COM/MGT/REP/4165] & users access to audit log files (Audit SAN). § There are alerting controls over any changes to the audit log files and/or all access to the Audit SAN is read only | 2.8 |
| | The audit SAN has remote access disabled & only authorised individuals can access the Audit SAN locally | 2.9 |
| | Access to privileged generic or system accounts is appropriately restricted and monitored, specifically § All administrator accounts are individual where possible § Where generic or system accounts have to exist, access is restricted via an appropriately secured password § Where generic or system accounts are required to be used directly, this is appropriately approved via a ‘break glass’ approval | 2.10 |
| | Any changes to Privileged access process and/or controls are subject to change management, including approval of changes by all required parties. | [sic] |
| Remote Privileged Access | Remote access to the counter, does not allow a privileged user to create or amend basket transactions | 3.1 |
| | Remote access to BRDB, does not allow a privileged user to create or amend transactional records, except the functionality listed below by the APPSUP role: § File change § Change Counter data § Assisted roll over | 3.2 |
| | The Transactional Correction tool functionality has been deleted | 3.3 |
| | Remote Connectivity to HNG-A requires use of at least two of the following authentication systems: § Local workstations § Fujitsu corporate virtual private network (VPN) § Active Directory (AD) + multi-factor authentication (MFA) § Terminal Access Controller Access Control System (TACACS) § Console servers | 3.4 |
| Access Limitations and Reporting | Where Fujitsu staff with Privileged Remote Access are not UK based, appropriate security measures are in place to bring the access in line with UK based access practices | 4.1 |
| | No third parties / contractors have Remote Privileged Access | 4.2 |
| | A monthly security report is provided to POL by Fujitsu detailing information on all Privileged access in the month | 4.3 |

During a discussion with POL on 21 February 2023, where an early draft of the questions was shared
with Fujitsu for discussion purposes, Fujitsu stated that it would prepare a report to respond to the
questions identified by POL once they were formally submitted.

The spirit of the discussion between POL and Fujitsu in relation to this report was to share content that
would allow both organisations to confirm the efficiency of the current ways of working together, and to
identify any ways to make meaningful improvements. Fujitsu believes in collaboration and welcomes
constructive suggestions from POL.


Terminology

In the “RA Report” [COM/MGT/REP/4165] Section 4 (extract here for ease of reference), Fujitsu
provided clarity on terminology:

“Remote Access relates to the following areas:

Remote Connectivity — The ability for specialist support staff to connect to an environment to access
and provide support to a system from a location other than where it is physically located.

Privileged Access — The ability for specialist support staff to carry out operations on the system
that they have accessed — whether such access is from a remote location or from the physical location
where the system is located.”

There are a number of references within the questions POL has posed that Fujitsu wishes to map to these
definitions so that its responses can be correctly interpreted.

| Term used by POL | Fujitsu corresponding term |
|---|---|
| “Privileged Access” | Privileged Access |
| “privileged generic or system accounts” | Privileged Access |
| “Remote access” | Remote Connectivity |
| “privileged user” | Privileged Access |
| “Privileged Remote Access” | Remote Connectivity and Privileged Access |
| “Remote Privileged Access” | Remote Connectivity and Privileged Access |

3 Types of Privileged Access

In the “RA Report” [COM/MGT/REP/4165] Section 7 (extract here for ease of reference), Fujitsu
provided clarity on the types of Privileged Access required to support and maintain the systems that
comprise the contracted responsibilities.

“In summary, it stated the following types of Fujitsu Privileged Access:

• Windows Domain (NT) Administrators — who administer the Windows platforms
• Unix Domain Administrators — who administer the Unix platforms
• Database Administrators — who administer the Oracle and MSSQL databases
• APPSUP Role - used for non-balance impacting actions (such as stock unit associations,
  emergency branch opening, or monthly tidying of despatch reports). APPSUP is not used to
  correct branch balance discrepancies or to amend financial transactions
• Transaction Correction Tool — used to insert transactions

The first three administrator types are used on a regular basis as required to keep the HNG-x systems
working as required.”

Additionally, in Section 2 of the “Horizon Data Changes Process Work Instruction”
[SVM/SDM/PRO/4293] Fujitsu explains the situations that mean it needs to make changes to data in the
Live HNG-X System in Belfast.


4 Responses

Fujitsu has provided its response by appending a column to the table of questions provided by POL. Numerous references are made to the “RA Report”
[COM/MGT/REP/4165] and ISAE3402 audit output titled “Description of Fujitsu's System of IT Infrastructure Services supporting Post Office Limited’s Horizon
application” (latest version dated March 2022). This report should therefore be read in conjunction with both these documents.

Fujitsu is currently being audited for ISAE3402 for the period 01 April 2022 to 31 December 2022 by Ernst & Young LLP for POL under CWO0703 with the report
estimated for release in May 2023. Fujitsu understands that Deloitte is an ISAE3402 auditor and will be familiar with the depth and breadth of the control reviews needed
to provide the responses for the ISAE3402 report.

Ref 1.1 (General Scope area: Governance and Process)
Specific Scope: Documentation detailing processes to grant Privileged Access to system is in place (including processes for approvals, new joiner, changes in access and leavers)
Fujitsu Response:

All access is granted as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. This was derived from the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] which provides more details on the steps taken and the alignment to the Fujitsu Europe Business Management Systems (EBMS) Privileged Access Management Process and Work Instruction.

This is within the scope of ISAE3402 (Control Objectives 10.1, 10.4, 10.5, 10.6 and 10.7).

Fujitsu also has a defined “Privileged Account Release Procedure” [SVM/SEC/PRO/4537] for providing access to Break Glass accounts. Usage of this procedure results in Break Glass account usage being reported on in the monthly Security Report (tab “Last Resort Password”) that is provided to POL for the monthly ISMF meeting.

The processes around the temporary granting of the APPSUP role are also defined in Fujitsu's “Horizon Data Changes Process Work Instruction” [SVM/SDM/PRO/4293] Section 5. POL has its own internal process document for Horizon Data Change which Fujitsu understands is titled "Horizon Support Approval Process vx.x" (latest version not known by Fujitsu).

Ref 1.2 (General Scope area: Governance and Process)
Specific Scope: Roles and responsibilities in the granting of Privileged Access are clearly identified and defined
Fujitsu Response:

All access is granted as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. This was derived from the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] which provides more details on the steps taken. Section 3 of this document states all roles and the function they perform.

This is within the scope of ISAE3402 (Control Objective 10.4, 10.5 and 10.6).

Fujitsu also has a defined “Privileged Account Release Procedure” [SVM/SEC/PRO/4537] for providing access to Break Glass accounts which explains the roles applicable.

The roles and responsibilities around the temporary granting of the APPSUP role are also defined in Fujitsu's “Horizon Data Changes Process Work Instruction” [SVM/SDM/PRO/4293]. POL has its own internal process document for Horizon Data Change which Fujitsu understands is titled "Horizon Support Approval Process vx.x" (latest version not known by Fujitsu).

Ref 1.3 (General Scope area: Governance and Process)
Specific Scope: Management Information on the usage of Privileged Access is created and communicated appropriately
Fujitsu Response:

It is not clear what POL means by “Management Information on the usage of Privileged Access”.

There is also no reference to this in the “Management Information Service: Service Description” [SVM/SDM/SD/0016].

Privileged Access is used by Fujitsu to perform its day-to-day obligations. Many of these obligations were described in the “RA Report” [COM/MGT/REP/4165] Sections 7.1.1, 7.2.1, 7.3.1, 7.4.1, and 7.5.1.

The “RA Report” [COM/MGT/REP/4165] also described reporting in Sections 6.4, 7.1.4, 7.2.4, 7.3.4, 7.4.5, 7.5.5 and 8. This information is readily available to both Fujitsu and POL via the mutual service management toolsets.

Question 4.3 below also seems related.

Fujitsu provides POL with a weekly report of the users that have the Privileged Access as described in the “RA Report” [COM/MGT/REP/4165] Sections 7.1, 7.2 and 7.3. This is also provided as a monthly view as part of the monthly Security Report that is provided to POL for the monthly ISMF meeting (tab “PAM — Admins”).

Fujitsu also provides a list of the occasions (with associated references) when POL permitted Fujitsu to temporarily grant the APPSUP role to stated Fujitsu specialist support staff. This is also shown in the monthly Security Report (tab “PAM — APPSUP”) that is provided to POL for the monthly ISMF meeting.

Fujitsu also conducts an internal Team Access Review (see references in the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012]) to ensure all access verifications have been received.

It should be noted that there is no specific PAM tooling within the HNG-X solution.

Ref 1.4 (General Scope area: Governance and Process)
Specific Scope: Appropriate change management processes exist over any changes to this process
Fujitsu Response:

“This process” is understood to refer to those processes described in relation to question 1.1 above.

Fujitsu's Europe Business Management System (EBMS) is subject to change control. The “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] is held in Dimensions and is also subject to change control — showing version history, reviewers and feedback, and approvals. It can be seen in the documents provided with this response that there are “Document History” and “Change Control” sections showing iterations of the versions.

POA uses Dimensions as its document management repository. Documents are maintained following the “POA Document Control Guidance Note” [PGM/DCM/PRO/0001] supported by the “POA Document Reviewers/Approvers Role Matrix” [PGM/DCM/ION/0001]. Fujitsu's EBMS document management is also governed by “EBMS — Information standard”.

Ref 2.1 (General Scope area: PAM General Controls)
Specific Scope: Process documentation exists for all known ways a user can be granted Privileged Access to the system
Fujitsu Response:

All access is granted as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. This was derived from the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] which provides more details on the steps taken and the alignment to the Fujitsu “EBMS Privileged Access Management Process” and “EBMS Privileged Access Management Work Instruction”.

This is within the scope of ISAE3402 (Control Objective 10.1, 10.4, 10.5, 10.6 and 10.7).

Fujitsu also has a defined “Privileged Account Release Procedure” [SVM/SEC/PRO/4537] for providing access to Break Glass accounts which explains the processes applicable.

The processes around the temporary granting of the APPSUP role are also defined in Fujitsu's “Horizon Data Changes Process Work Instruction” [SVM/SDM/PRO/4293]. POL has its own internal process document for Horizon Data Change which Fujitsu understands is titled "Horizon Support Approval Process vx.x" (latest version not known by Fujitsu).

Ref 2.2 (General Scope area: PAM General Controls)
Specific Scope: Privileged access to each of the above categories is granted in accordance with the documented process, to appropriate users after appropriate approval
Fujitsu Response:

It is unclear what "the above categories" refers to. However, all access is granted as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. This was derived from the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] and the Fujitsu “EBMS Privileged Access Management Process” and “EBMS Privileged Access Management Work Instruction”.

This is within the scope of ISAE3402 (Control Objective 10.1, 10.4, 10.5, 10.6, 10.7, 11.2, 11.3, 11.4, and 11.6).

Ref 2.3 (General Scope area: PAM General Controls)
Specific Scope: Privileged access is only granted to authorised and appropriate personnel
Fujitsu Response:

This question seems to overlap with question 2.2 above.

All access is granted as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. This was derived from the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] which provides more details on the steps taken and the alignment to the Fujitsu “EBMS Privileged Access Management Process” and “EBMS Privileged Access Management Work Instruction”.

This is within the scope of ISAE3402 (Control Objective 10.1, 10.4, 10.5, 10.6, 10.7, 11.2, 11.3, 11.4, and 11.6).

Ref 2.4 (General Scope area: PAM General Controls)
Specific Scope: Privileged access is removed from leavers (by account disablement) in a timely manner following the user leaving
Fujitsu Response:

All access is removed as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. This was derived from the “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] which provides more details on the steps taken and the alignment to the Fujitsu “EBMS Privileged Access Management Process” and “EBMS Privileged Access Management Work Instruction”.

This is within the scope of ISAE3402 (Control Objective 10.5 and 10.6).

Ref 2.5 (General Scope area: PAM General Controls)
Specific Scope: Where possible, privileged access is only granted for a set time, for a specifically documented task
Fujitsu Response:

All access is granted as described in the “RA Report” [COM/MGT/REP/4165] Section 6.2. Where possible, it is only granted for a set time - such as in the granting of the temporary APPSUP role. The processes around the temporary granting of the APPSUP role are defined in Fujitsu's “Horizon Data Changes Process Work Instruction” [SVM/SDM/PRO/4293] Section 5 (the latest version was shared with POL on 04 August 2022 along with a recommendation that a format of this be added to the contract). POL has its own internal process document for Horizon Data Change which Fujitsu understands is titled "Horizon Support Approval Process vx.x" (latest version not known by Fujitsu).

This is within the scope of ISAE3402 (Control Objective 10.1, 10.4, 10.5, 10.6, 10.7, 11.2, 11.3, 11.4, and 11.6).

Fujitsu also has a defined “Privileged Account Release Procedure” [SVM/SEC/PRO/4537] for providing access to Break Glass accounts. Usage of this procedure results in Break Glass account usage being reported on in the monthly Security Report (tab “Last Resort Password”) that is provided to POL for the monthly ISMF meeting. Accounts released under this procedure are for a set time and for a specifically documented task.

Ref 2.6 (General Scope area: PAM General Controls)
Specific Scope: Privileged access to each of the above identified systems, is via accounts with password settings in line with Post Office password policy
Fujitsu Response:

It is unclear what "the above identified systems" refers to, or what the “Post Office password policy” document reference is. The POL owned “Community Information Security Policy for Horizon & Horizon Online” document [POL: POL/HNG/CIS/001, SVM/SEC/POL/0005] is the current Contract Reference Document. Section 11.3.1 provides a reference to “Password use” as shown below:

Password use

Control A11.3.1: Users must be required to follow good security practices in the
selection and use of passwords.

All domains must comply with the following password policy for individuals:

a) Where passwords are used for authentication, the user must be forced to change
the initial password before any other access to the system is permitted.

b) Passwords must expire in 30 days.

c) Re-use of the same password must not be permitted for either a specified time or
until at least 4 other passwords have been used.

d) Passwords must be a minimum of 7 characters long and must be alphanumeric
(i.e. a mix of letters and numbers). There must not be more than two consecutive
identical characters. The password must not be the same as the username.

e) After 3 consecutive unsuccessful attempts to log-on, the user must be locked out
for at least 30 minutes or until an administrator has replaced the password in
accordance with §11.2.2.

Passwords used to authenticate one process to another must be longer (12 characters
minimum) but need not expire. Such passwords may be stored on the system to which
they apply but must not be deductible by any users other than authorised system
management staff.

The following are the password rules POA implements for privileged accounts as documented in “POA
Privileged Account Policy” [SVM/SEC/POL/4538]:


Password Policy Rule

• Is at least 16 characters
• Contains at least 2 upper case characters
• Contains at least 2 lower case characters
• Contains at least 1 special character (non-alphanumeric characters: THQ HS %6°B"_-+ =" NODE <>. 2)
• Contains at least 3 numeric characters
• Does not contain back-to-back characters in sequence (e.g. abc)
• Has not used a recycled modified password and is unique in format
• The password is rotated every 30 days
• The date of last password rotation is recorded
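
The two rule sets quoted above differ considerably in strength, which a small checker makes concrete. This is an added example, not part of the Fujitsu report or of any POA tooling: it tests a candidate password against the A11.3.1(d) rule for individuals and against the POA privileged account composition rules. Assumptions: any ASCII punctuation character counts as "special", "back-to-back characters in sequence" means three or more ascending neighbours such as abc or 123, and the username comparison ignores case; the password-history rule is not covered because it needs stored history.

```python
"""Added example: check a password against the two rule sets quoted above."""
from __future__ import annotations

import string
from datetime import date


def longest_identical_run(password: str) -> int:
    """Length of the longest run of one repeated character (0 if empty)."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def _ascii_alnum(ch: str) -> bool:
    return ch.isascii() and ch.isalnum()


def has_sequence(password: str, run_length: int = 3) -> bool:
    """True if `run_length` ascending neighbours occur, e.g. "abc" or "123".

    Assumption: this is how "back-to-back characters in sequence" is read.
    The comparison ignores case, so "aBc" also counts.
    """
    streak = 1
    for prev, cur in zip(password, password[1:]):
        in_order = (_ascii_alnum(prev) and _ascii_alnum(cur)
                    and ord(cur.lower()) - ord(prev.lower()) == 1)
        streak = streak + 1 if in_order else 1
        if streak >= run_length:
            return True
    return False


def check_baseline(password: str, username: str) -> list[str]:
    """Violations of A11.3.1(d), the rule for individual accounts."""
    found = []
    if len(password) < 7:
        found.append("length<7")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        found.append("not-alphanumeric-mix")
    if longest_identical_run(password) > 2:
        found.append("identical-run>2")
    # Assumption: the username comparison ignores case.
    if password.lower() == username.lower():
        found.append("same-as-username")
    return found


def check_privileged(password: str) -> list[str]:
    """Violations of the POA privileged account composition rules."""
    found = []
    if len(password) < 16:
        found.append("length<16")
    if sum(c.isupper() for c in password) < 2:
        found.append("upper<2")
    if sum(c.islower() for c in password) < 2:
        found.append("lower<2")
    # Assumption: "special" means any ASCII punctuation character.
    if sum(c in string.punctuation for c in password) < 1:
        found.append("special<1")
    if sum(c.isdigit() for c in password) < 3:
        found.append("digits<3")
    if has_sequence(password):
        found.append("sequence")
    return found


def rotation_overdue(last_rotated: date, today: date,
                     max_age_days: int = 30) -> bool:
    """True when the recorded rotation date is older than the 30-day rule."""
    return (today - last_rotated).days > max_age_days


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Summer2023", "Tr7!kQ9#mZ2$wLp5x"):
        print(candidate,
              "baseline:", check_baseline(candidate, "jsmith") or "ok",
              "privileged:", check_privileged(candidate) or "ok")
```
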

There is a regular monthly review performed of all users with privileged access

This was described in the “RA Report” [COM/MGT/REP/4165] Section 6.2.3.2 “Privileged User Access
Verification”. All access is routinely validated monthly to ensure that the access supplied is still required
and appropriate, including standard user access for all POA systems and privileged user access for the
Production environment. Access is revoked if verification is not possible, for instance:

• When requested, and within a short timeframe, or on a date specified
• When verification of the continued need for access is not received
• Where roles change and access is no longer appropriate or required
• Where a user account has not been used for more than 90 days

This is within the scope of ISAE3402 (Control Objective 10.6).

Fujitsu provides POL with a weekly report of the users that have the Privileged Access as described in
the “RA Report” [COM/MGT/REP/4165] Sections 7.1, 7.2 and 7.3. This is also provided as a monthly
view as part of the monthly Security Report that is provided to POL for the monthly ISMF meeting (tab
“PAM - Admins”).

Fujitsu also provides a list of the occasions (with associated references) when POL permitted Fujitsu to
temporarily grant the APPSUP role to stated Fujitsu specialist support staff. This is also shown in the
monthly Security Report (tab “PAM — APPSUP”) that is provided to POL for the monthly ISMF meeting.


Fujitsu also conducts an internal Team Access Review (see references in the “Post Office Account User
Access Guide” [SVM/SEC/PRO/0012]) to ensure all access verifications have been received.

It should be noted that there is no specific PAM tooling within the HNG-X solution.

When privileged access is granted, there are logging & monitoring controls over what activity users
perform; specifically

§ All transactional activity performed by privileged users is written to the audit log on the audit SAN
§ There is an adequate SOD between users with privileged access (as defined in the Fujitsu report
  [COM/MGT/REP/4165] & users access to audit log files (Audit SAN).
§ There are alerting controls over any changes to the audit log files and/or all access to the Audit SAN
  is read only

2.8

The “RA Report” [COM/MGT/REP/4165] described logging in Sections 7.1.2, 7.2.2, 7.3.2, 7.4.3, and
7.5.3.

This question also appears to relate to:

• Question 1.2 (roles & responsibilities and relationship to SOD)
• Question 3.2 (transaction records)

Fujitsu refers to the “audit log on the audit SAN” as the Audit Archive.

Bullet 1

Fujitsu understands “transactional activity” to mean any actions taken on any Oracle production
databases (not just BRDB) to amend branch transaction data by users with Privileged Access. All actions
taken are logged to the SYS.AUD$ table which is then written to the Audit Archive.

The actions that are logged are: LOGON; LOGOFF; SELECT; UPDATE; DELETE; INSERT; and
EXECUTE (stored procedures). Using the LST system, each of these actions was taken on the BRDB
iT), and the following was written to SYS.AUD$. LST was chosen to avoid unnecessary actions
being taken on the Live system. The Live system would have recorded the same output. An example
LST SYS.AUD$ log is shared with this response. The filename is “LST SYS.AUD Log example
21.03.2023.pdf”. Please note that the user identity has been redacted and contains “XXXX”.

Bullet 2

Access to the Audit Archive is restricted to

• Audit workstations (which have read only access to the Audit Archive and cannot be accessed
  remotely). This is described in “Audit Extraction Client User Manual” [DEV/GEN/MAN/0015]
  Section 7 — and is summarised here:
  o Audit workstations located at both the Bracknell and Stevenage Fujitsu offices. These
    machines are not connected to the Fujitsu network but have direct lines to the IRE11
    and IRE19 Audit Servers. The Audit workstation implements the HDCR Windows 10
    Secure Workstation build. Access to the Audit workstation is via two-factor
    authentication
    ▪ Three groups exist for Audit workstation access:
      • Audit Users - the standard user account. Members of this group will be
        able to perform extraction and analysis of data held on the Audit system.


      • Audit Admin - grants access from the Audit workstation, to the
        operational area of the Audit servers to allow investigative and
        maintenance tasks to be performed.
      • Audit User Administrator - users in this group have administrator rights
        on the Audit workstations and in particular can run the card
        reconciliation tooling - see Section 11 “Card Reconciliation tool”.
• Audit Server - which writes to the Audit Archive — applying the delete protection attributes
• System administrators

Users with Privileged Access who perform “transactional activity” do not have the ability to amend the
SYS.AUD$ table. The O7_DICTIONARY_ACCESSIBILITY is set to FALSE on Live databases:

SQL> show parameter O7_DICTIONARY_ACCESSIBILITY

Refer to - - for additional information (Oracle website content shown below too).

“O7_DICTIONARY_ACCESSIBILITY:

Property          Description
Parameter type    Boolean
Default value     false
Modifiable        No
Range of values   true | false

O7_DICTIONARY_ACCESSIBILITY controls restrictions on SYSTEM privileges. If the
parameter is set to true, access to objects in the SYS schema is allowed


(Oracle7 behavior). The default setting of false ensures that system
privileges that allow access to objects in "any schema" do not allow access to
objects in the SYS schema.

For example, if O7_DICTIONARY_ACCESSIBILITY is set to false, then the SELECT
ANY TABLE privilege allows access to views or tables in any schema except the
SYS schema (data dictionary tables cannot be accessed). The system privilege
EXECUTE ANY PROCEDURE allows access on the procedures in any schema except the
SYS schema.

If this parameter is set to false and you need to access objects in the SYS
schema, then you must be granted explicit object privileges. The following
roles, which can be granted to the database administrator, also allow access
to dictionary objects:

SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE”

The APPSUP role does have "ANY TABLE" privileges (e.g. DELETE ANY TABLE/SELECT ANY TABLE
etc) - but the role is only applicable to BRDB, and the role cannot DELETE from the SYS.AUD$ table
due to Oracle parameter O7_DICTIONARY_ACCESSIBILITY being set to FALSE.

Bullet 3

To assure the integrity of the audit data while on the Audit Archive, the checksum seal for the file is
recalculated by the audit file sealer and compared to the value calculated when the file was originally
written to the Audit Archive. The result is maintained in a check seal table (as documented in the “Audit
Extraction Client User Manual” [DEV/GEN/MAN/0015] Section 6.1.3).

Any discrepancies — which would indicate tampering or omission — are automatically detected and alerts
are generated. This is described in “Audit Extraction Client User Manual” [DEV/GEN/MAN/0015] Section
8.

Also, for branch transaction data queries, the data integrity checks are described as follows:

“The following integrity checks will be applied to the data

• Completeness of data — contiguous message sequence numbers
• Integrity of individual messages
  o For HNG-X data the message signature will be verified

Separate Riposte & HNG-X summaries of the results of the integrity checks are generated. They
should detail:

• Summary of the message sequence runs broken down by counter Id. This should
  include start & end date/times and start & end message sequence numbers. Any gaps
  in the message sequence runs must be highlighted.
• Summary of messages that have failed individual message integrity checks

Any failure of the data integrity checks will not prevent subsequent execution of the query. The
audit workstation user will be warned of the failure via the server process status notification
mechanism.”

(As documented in the “Audit Data Retrieval High Level Design” [DES/APP/HLD/0029] Section 6.1.6).
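The seal recalculation described under Bullet 3 and the completeness check quoted above can be illustrated together. This Python sketch is an added example, not code from the Audit system: SHA-256 as the seal algorithm, the tuple layout of a message and all function names are assumptions, and the sample messages are constructed. As in the quoted design, failures are returned as warnings and do not stop processing.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: (counter_id, message_sequence_number, timestamp).
SAMPLE_MESSAGES = [
    ("C01", 101, "2023-03-21T09:00:05"),
    ("C01", 102, "2023-03-21T09:00:09"),
    ("C01", 103, "2023-03-21T09:01:30"),
    ("C01", 106, "2023-03-21T09:04:12"),  # 104 and 105 are missing
    ("C02", 7, "2023-03-21T09:00:01"),
    ("C02", 8, "2023-03-21T09:02:44"),
    ("C01", 107, "2023-03-21T09:05:00"),
]


def seal(data: bytes) -> str:
    """Checksum seal for a file. SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).hexdigest()


def seal_matches(data: bytes, recorded_seal: str) -> bool:
    """Recalculate the seal and compare it with the value recorded at write time."""
    return hmac.compare_digest(seal(data), recorded_seal)


def sequence_runs(messages):
    """Split each counter's sequence numbers into contiguous runs.

    Returns {counter_id: {"runs": [...], "gaps": [...], "duplicates": [...]}}.
    A run is (start_seq, end_seq, start_time, end_time); a gap is the
    inclusive range of missing sequence numbers.
    """
    by_counter = defaultdict(list)
    for counter_id, seq, timestamp in messages:
        by_counter[counter_id].append((seq, timestamp))

    summary = {}
    for counter_id, items in by_counter.items():
        items.sort()
        runs, gaps, duplicates = [], [], []
        run_start = prev = items[0]
        for current in items[1:]:
            if current[0] == prev[0]:
                duplicates.append(current[0])  # same number seen twice
                continue
            if current[0] != prev[0] + 1:
                runs.append((run_start[0], prev[0], run_start[1], prev[1]))
                gaps.append((prev[0] + 1, current[0] - 1))
                run_start = current
            prev = current
        runs.append((run_start[0], prev[0], run_start[1], prev[1]))
        summary[counter_id] = {"runs": runs, "gaps": gaps, "duplicates": duplicates}
    return summary


def integrity_report(file_bytes: bytes, recorded_seal: str, messages):
    """Collect warnings for the operator; never raises on an integrity failure."""
    warnings = []
    if not seal_matches(file_bytes, recorded_seal):
        warnings.append("seal mismatch: file differs from what was originally written")
    for counter_id, result in sorted(sequence_runs(messages).items()):
        for first, last in result["gaps"]:
            warnings.append(f"counter {counter_id}: sequence numbers {first}-{last} missing")
        for seq in result["duplicates"]:
            warnings.append(f"counter {counter_id}: sequence number {seq} duplicated")
    return warnings


if __name__ == "__main__":
    payload = b"constructed audit file contents"
    recorded = seal(payload)
    print(integrity_report(payload + b"!", recorded, SAMPLE_MESSAGES))
```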

The audit SAN has remote access disabled & only authorised individuals can access the Audit SAN locally

2.9

It is not clear what POL means by "remote access disabled" and "can access...locally".

Fujitsu use Remote Connectivity (as described in the “RA Report” [COM/MGT/REP/4165] Section 5) to
gain access to systems - including the Audit Archive.

The Audit Archive is not part of the HNG-X domain and access is via local logon once the user has
remotely connected into the environment. Local logon to the Audit Archive is only available to the UNIX
support specialists. Direct logon as “root” is part of the break glass process as the “root” account is
centrally managed by SecOps. See question “2.10” [sic] below for more detail on the break glass process
and the reporting it generates.

Access to the Audit Archive is restricted to


• Audit workstations (which have read only access to the Audit Archive and cannot be accessed
  remotely). This is described in “Audit Extraction Client User Manual” [DEV/GEN/MAN/0015]
  Section 7 — and is summarised here:
  o Audit workstations located at both the Bracknell and Stevenage Fujitsu offices. These
    machines are not connected to the Fujitsu network but have direct lines to the IRE11
    and IRE19 Audit Servers. The Audit workstation implements the HDCR Windows 10
    Secure Workstation build. Access to the Audit workstation is via two-factor
    authentication
    ▪ Three groups exist for Audit workstation access:
      • Audit Users — the standard user account. Members of this group will be
        able to perform extraction and analysis of data held on the Audit system.
      • Audit Admin - grants access from the Audit workstation, to the
        operational area of the Audit servers to allow investigative and
        maintenance tasks to be performed.
      • Audit User Administrator - users in this group have administrator rights
        on the Audit workstations and in particular can run the card
        reconciliation tooling - see section 11 “Card Reconciliation tool”.
• Audit Server - which writes to the Audit Archive — applying the delete protection attributes
• System administrators

Access to privileged generic or system accounts is appropriately restricted and monitored,
specifically

§ All administrator accounts are individual where possible
§ Where generic or system accounts have to exist, access is restricted via an appropriately
  secured password
§ Where generic or system accounts are required to be used directly, this is appropriately
  approved via a ‘break glass’ approval

2.10 [sic]

Bullet 1

All administrator accounts are individual where possible.

Bullet 2

Generic and system accounts, and break glass are described in the “RA Report” [COM/MGT/REP/4165]
Section 6.3.

Bullet 3

Fujitsu has a defined “Privileged Account Release Procedure” [SVM/SEC/PRO/4537] for providing
access to Break Glass accounts. Usage of this procedure results in Break Glass account usage being
reported on in the monthly Security Report (tab “Last Resort Password”) that is provided to POL for the
monthly ISMF meeting.

The “POA Privileged Account Policy” [SVM/SEC/POL/4538] states the policy that applies to all
Privileged Access accounts. This is routinely validated to ensure that policy compliance is recorded.

Any changes to Privileged access process and/or controls are subject to change management, including
approval of changes by all required parties.

2.11

Fujitsu's Europe Business Management System (EBMS) is subject to change control.

The “Post Office Account User Access Guide” [SVM/SEC/PRO/0012] is held in Dimensions and is also
subject to change control — showing version history, reviewers and feedback, and approvals.

The “POA Privileged Account Policy” [SVM/SEC/POL/4538] is also held in Dimensions and is also
subject to change control — showing version history, reviewers and feedback, and approvals.

It can be seen in the documents provided with this response that there are “Document History” and
“Change Control” sections showing iterations of the versions.

POA uses Dimensions as its document management repository. Documents are maintained following the
“POA Document Control Guidance Note” [PGM/DCM/PRO/0001] supported by the “POA Document
Reviewers/Approvers Role Matrix” [PGM/DCM/ION/0001]. Fujitsu's EBMS document management is
also governed by “EBMS — Information standard”.

Remote Privileged Access

Remote access to the counter, does not allow a privileged user to create or amend basket
transactions

3.1

Fujitsu is not in control of live counter access permission: access permission to live counters is managed
by POL’s End User Computing (EUC) provider, DXC.

Fujitsu's requirements for remote counter access are described in “End User Compute Towers
Responsibilities and Requirements for Horizon Anywhere” [REQ/SIR/SRS/2605].

Fujitsu provides POL with a weekly report on Post Office Branch counter access made by its support
specialists. This was delivered under CWO0574 — New Counter Access Report. The production of this
report was incorporated into the Management Information Service (MIS), added into Section 2.1.6
‘Reporting for Information Only’ of the “Management Information Service: Service Description”
[SVM/SDM/SD/0016]. “CCN1718 — Changes in Respect of Ongoing Provision of the Counter Access
Report” was produced to formalise the update to the CCD.

By way of further background, Fujitsu is aware that POL recently conducted a piece of work in this area
as Fujitsu contributed under a Change Work Order (CWO0623 — Testing of branch counter Fujitsu
Services remote support least privilege changes).


Fujitsu also understands that POL is intending to “arrange, manage and carry out a PEN test” - as stated
in the Post Office Responsibilities section of CWO0699 — Cygwin Counter Software Upgrade. Fujitsu is
already assisting POL with this work.

Remote access to BRDB, does not allow a privileged user to create or amend transactional records,
except the functionality listed below by the APPSUP role:

§ File change
§ Change Counter data
§ Assisted roll over

3.2

The question seems to relate to Privileged Access and Fujitsu users that have been temporarily granted
the elevated APPSUP role. It is not clear what POL means by “File change” or “Change Counter data”.

To create or amend records in BRDB requires the temporary granting of the APPSUP Privileged Access
role to the Fujitsu user. POL must approve the granting of the APPSUP Privileged Access. Fujitsu has a
defined process for the use of the APPSUP role which has been agreed with POL and is documented in
the “Horizon Data Changes Process Work Instruction” [SVM/SDM/PRO/4293].

The APPSUP role was described in the “RA Report” [COM/MGT/REP/4165] Section 7.4 and is further
explained in Fujitsu's “Horizon Data Changes Process Work Instruction” [SVM/SDM/PRO/4293] Section
5 (the latest version was shared with POL on 04 August 2022 along with a recommendation that a format
of this be added to the contract).

POL has its own internal process document for Horizon Data Change which Fujitsu understands is titled
"Horizon Support Approval Process vx.x" (latest version not known by Fujitsu).

The Transactional Correction tool functionality has been deleted

3.3

The Transaction Correction Tool was decommissioned under release 21.51 on 13 May 2021
(CWO0425). POL was involved and provided sign off for the release on 11 May 2021. The “Acceptance
Report For HNG-X - Release 21.51 - Transaction Correction Tool - Decommissioning”
[REQ/GEN/ACS/4252] was issued 10 June 2021. Fujitsu confirmed to POL via email on 17 May 2021
that the Transaction Correction Tool was decommissioned, and POL HM Horizon IT Director responded
to acknowledge this on the same day.

Remote Connectivity to HNG-A requires use of at least two of the following authentication systems:

§ Local workstations
§ Fujitsu corporate virtual private network (VPN)
§ Active Directory (AD) + multi-factor authentication (MFA)
§ Terminal Access Controller Access Control System (TACACS)
§ Console servers

3.4

Please note the Glossary definition of HNG-A and HNG-X.

Remote Connectivity meets the stated criteria and is performed as described in the “RA Report”
[COM/MGT/REP/4165] Section 5.

Access Limitations and Reporting

Where Fujitsu staff with Privileged Remote Access are not UK based, appropriate security measures are
in place to bring the access in line with UK based access practices

4.1

Remote Connectivity is performed as described in the “RA Report” [COM/MGT/REP/4165] Section 5.
This applies irrespective of the location of the user or whether they have Privileged Access or not.

No third parties / contractors have Remote Privileged Access

4.2

Fujitsu uses contract staff (contractors) in addition to its full-time employees. Contractors are considered
Fujitsu staff. They are granted the levels of access needed to perform their roles and are required to
adhere to all applicable obligations and restrictions as full-time employees. Contractors, therefore, may
have Remote Connectivity and Privileged Access to the HNG-X systems as applicable to their role.

Fujitsu does not use any external third-party organisations to manage the HNG-X systems.

Fujitsu does not control who POL grants access to in respect of its Post Office Cloud environment —
where that comprises part of the Live HNG-X solution.

Fujitsu does not control who Ingenico/Worldline grants access to in relation to their solution — where that
comprises part of the Live HNG-X solution.

A monthly security report is provided to POL by Fujitsu detailing information on all Privileged access in
the month

4.3

There is no definition of “all Privileged access”.

In May 2021, POL requested a weekly report of the users that have the Privileged Access as described
in the “RA Report” [COM/MGT/REP/4165] Sections 7.1, 7.2 and 7.3. Fujitsu continues to provide this on
a weekly basis. This is also provided as a monthly view as part of the monthly Security Report that is
provided to POL for the monthly ISMF meeting (tab “PAM - Admins”).

POA also provides a list of the occasions (with associated references) when POL authorised Fujitsu to
temporarily grant the APPSUP role to stated Fujitsu specialist support staff. This is also shown in the
monthly Security Report (tab “PAM — APPSUP”) that is provided to POL for the monthly ISMF meeting.

Outside of these 2 reported areas, POL has not yet provided any specific requirements to Fujitsu for a
formal response.

5 Formal Audit Reports

POL commissions annual ISAE3402 audits which cover several of the areas of interest in this report.
References to the applicable Control Objectives within ISAE3402 have been made where possible.
Furthermore, POA are periodically requested to contribute to internal Fujitsu corporate audits to support
Fujitsu UK in attaining and maintaining a variety of certifications such as ISO27001, ISO9001 and
ISO22301.

6 Conclusions

Although there are no contractual requirements or processes in place with POL for Fujitsu to report on
Privileged Access activities, the monthly Security Report that is provided to POL for the ISMF meeting
includes information on the Privileged Access types mentioned in the “RA Report”
[COM/MGT/REP/4165]. Fujitsu also provides that information weekly as described in the response to
question 4.3 above. Fujitsu also provides a list of the occasions (with associated references) when POL
permitted Fujitsu to temporarily grant the APPSUP role to stated Fujitsu specialist support staff. This is
also shown in the monthly Security Report that is provided to POL for the ISMF meeting.

7 Recommendations

POL and Fujitsu have discussed the topics of Remote Connectivity and Privileged Access on many
occasions over the years and during recent meetings. A compilation of recommendations was provided
in Appendix A of the “RA Report” [COM/MGT/REP/4165]. Progress has been made on all of the
recommendations.

Fujitsu strives for continual improvement and is committed to having an open dialogue with POL on
additional recommendations that could be further implemented where appropriate.

8 Information Distribution

This report and any enclosed materials (the “External Assurance Materials”) are being provided to POL
pursuant to POL's request “HIJ Remediation - PAM/RAM & Transaction Processing External Assurance”
(the “External Assurance Request”) — received by email on 06 March 2023 from POL. The External
Assurance Materials comprise work product prepared by Fujitsu pursuant to questions from POL. Fujitsu
has confined this report to the specific requests from POL and does not seek to address any other
matters. The External Assurance Materials relate to the current HNG-X environment as at the date of the
release of this document.

The External Assurance Materials are confidential and provided to POL for the sole purpose of the
External Assurance Request. The External Assurance Materials may only be shared by POL with
Deloitte, the external auditors appointed by POL in connection with the External Assurance Request.
POL shall take all necessary precautions to ensure that any External Assurance Materials are: (i) not
used for any purpose other than the External Assurance Request and; (ii) not disclosed to any third party
(apart from Deloitte), without Fujitsu's express consent in writing. In particular, it should be noted that:

(i) the External Assurance Materials may contain highly confidential and sensitive information
which, if disclosed, is likely to significantly increase the risk of cyber and engineering attacks on
the live HNG-X environment;

(ii) the External Assurance Materials may contain personal data within the meaning of the General
Data Protection Regulation (“GDPR”); and

(iii) any system architectural content may be subject to copyright and/or other intellectual property
rights and cannot be shared or disseminated.

Prior to making any permitted disclosure of the External Assurance Materials (or any part thereof), POL
shall provide Fujitsu with reasonable advance notice of such intended disclosure and shall permit Fujitsu
the opportunity to redact information including but not limited to any privileged information, personal data
and/or other commercially sensitive or proprietary content.

This report refers to various documents that are confidential and internal to Fujitsu. Such confidential
documents are proprietary to Fujitsu and are not intended for sharing outside of Fujitsu. Fujitsu in no way
waives or intends to waive confidentiality in these documents by describing, referring to, reproducing
extracts of, or in any way referencing these documents in this report.

The External Assurance Materials, or any part thereof, may not be altered or amended without Fujitsu’s
express consent in writing. Under no circumstances shall any Fujitsu personnel be named or identified in
any reports or other documents created by POL based on information from the External Assurance
Materials (or any part thereof). Attribution of any External Assurance Materials shall be to Fujitsu only.

Unless agreed specifically in writing to the contrary Fujitsu does not accept any duty of care or any other
legal responsibility whatsoever to any person or entity in relation to this External Assurance Materials,
any related enquiries, advice, or other work. Any person who receives a draft or copy of this External
Assurance Materials (or any part of it) or discusses it (or any part of it) or any related matter with Fujitsu,
does so on the basis that he or she acknowledges and accepts that he or she may not rely on the
External Assurance Materials or any related information given by Fujitsu for any other purpose. Fujitsu
accepts no liability for any loss sustained (however caused) as a result of any information contained
herein.
