FUJ00243297 - Audit Extraction - Local Work Instruction
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
Fe}
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Document Title:
Document Reference:
CP/CWO Reference:
Abstract:
Document Status:
Author & Dept:
External Distributio:
in:
Information Classification:
Approval Authorities:
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
SVM/SEC/WKI/4517
N/A
Describes the process used to extract, check, and send Audit data
requested by POL via the ARQ process, using the Audit
Extraction Client application on the Audit Workstations
APPROVED
Farzin Denbali, POA Security Operations
None
See Section 0.1
Steven Browell
POA CISO
See Dimensions for record
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 10f8
FUJ00243297
FUJ00243297
oO AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN E€&
CONFIDENCE)
0 Document Control
0.1 Table of Contents
0
0.1 2
0.2 Document History. 4
0.3 Review Details...... 4
0.4 Associated Documents (Internal & External). 5
0.5 Abbreviation 5
0.6 Glossary... 5
0.7 Changes Expecte 6
0.8 Accuracy.......... 6
0.9 Information Classificatior 6
1 INTRODUCTION.........cccscssssssssseseseesssssstscsssssssssssesesseseesesseenenssserecseesensssseacsseeseoees 7
2 ARQ REQUESTS FROM POL........:csscsssssssssesssessssesssesessescneaserseensasecssssessesseseesaeeee 7
3 PREREQUISITE ACTIVITIES........ccccsesesssssesssssesssssesseseserassrscseneenensenesesessnsesesaseeneee 8
4 LOGGING ON TO THE AUDIT WORKSTATION...
5 ARQ DATA RETRIEVAL.......s:ecsesssssssessssssssessseseesessnsstscseneenensacssensneseseasasseneneeseens 11
6 PREPARING THE FILES TO SEND FOR CHECKING. .......cscsssesessesssesssesesereenees 36
6.1 Gaps and Duplicates.............scscscssessssssssesssssesessecsscscsssessssessssnsnsseecacscessssesesssensnereecatacetessssesesess OD
7 FILE ENCRYPTION FOR CHECKING.........ccssssssssseseseesssesesessenssrsescessssnsesseaeeenee 38
8 CHECKING........ccsscssssssseseseesessstsrseensstsesesessssssseassesseseasarersneenensatessneneanetasasassenenee! 41
9 FILE ENCRYPTION FOR SENDING TO POST OFFICE........cssssssesssessessseseeeners 41
10 SENDING THE PGP ENCRYPTED FILES TO POST OFFICE
11 CLOSING THE ARQ.......c.essssssssssssesesesesatecsesssssseseseasseseeneaeaeanscsetsensateeaseneneeeacans 49
12 RAISING A PEAK FOR SSC TO PROVIDE THE INTERFACE INTERACTION
LOGS... csesscsssssesessssssescsescsescecsrsrseseenensssersnenssnscasasssusseseassesstscneararsetseseneatacensseseesasasene® 53
13 GATHERING HSD LOGG..........cccsssesessssssssesssesseseeeeseneererseneessecssesenensseseasaseneneeses 53
14 PAN DECRYPTION..
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 20f8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
Fe}
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0.2 Document History
Only integer versions are authorised for development.
Version No. Summary of Changes and Reason for Issue Associated Change
CWO, CP, CCN or
PEAK Reference
0.1 24/03/2022 Draft Version Created NIA
0.2 01/04/2022 ‘Amended following review NIA
0.3 01/03/2024 Amended section 2 to include requests from the Remediation NIA
team,
Added a new section (3) for prerequisite activities,
Added instructions for processing ARQ requests for Legacy
Horizon (effective Thursday 14th December 2023) to section 5,
Added instructions for Slow ARQ to section 5,
‘Added section 6.1 for Gaps and Duplicates.
Amended section 8 to reflect the new PGP process for sending
ARQs to POL,
‘Added instructions for closing locked ARQ to section 10,
Added section 11 for raising PEAKS for Interface Interaction
Logs.
04 20/03/2024 Amended following reviews. NIA
0s 09/04/2024 Amended following further reviews NIA
1.0 10-Apr-2024 I Approval version NIA
0.3 Review Details
Review Comments by:
Review Comments to: farzin.denbalig”
PostOfficeAccountDocumentManagement?
Mandatory Review
Role Name
ciso Steven Browell
Security Analyst Iran Khan
Security Analyst Sreydy Khun
Role Name
Information Security Governance Manager Chris Stevens
Security Analyst/Crypto Key Manager Andy Dunks
Developer (Audit-Dev) Gerald Barnes
Infrastructure Domain Architect Paul Gauntlet
(* ) = Reviewers that returned comments
Issued for Information — Please restrict this
distribution list to a
Position/Role Name
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 30f8
(ee)
FUJITSU
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
0.4 Associated Documents (internal & External)
References should normally refer to the latest approved version in Dimensions; only refer to a
specific version if necessary.
Reference Version Date Title Source
PGM/DCM/TEM/0001 I See note I See note above I POA Generic Document Template Dimensions
(DO NOT REMOVE) I above
PGM/DCM/ION/0001 POA Document Reviewers/Approvers Dimensions
(DO NOT REMOVE) Role Matrix
ARC/SEC/ARC/0003 HNG-X Technical Security Architecture Dimensions
DES/APP/HLD/0029 Audit Data Retrieval High Level Design Dimensions
DEV/APP/LLD/0071 Audit Data Retrieval Low Level Design Dimensions
DEV/APP/SPG/0016 Audit Extraction Client Support Guide: Dimensions
DEV/INF/ION/0001 Archive Server Configuration Dimensions
SVM/SDM/SD/0017 Security Management Service — Service I Dimensions
Description
DES/APP/HLD/0123 HNG-X HLD - Settlement Functions Dimensions
DEV/GEN/MAN/0015 Audit Extraction Client User Manual Dimensions
SVM/SEC/TEM/5088 Audit Record Query (ARQ) Request Dimensions
‘orm
Abbreviation
0.5 Abbreviations
Definition
AE Audit Extractor
ARQ Audit Record Query
FAD Financial Accounts Department
HNG-X Horizon Next Generation — Plan X
iKey USB security token used for two-factor authentication
IRE11 The active data centre in Ireland that replaces the Bootle data centre
IRE19 The failover data centre in Ireland that replaces the Wigan data centre
MSAD Microsoft Active Directory
PAN Personal Account Number. The number associated with a credit or debit card.
PIN Personal Identification Number
POL Post Office Limited
0.6 Glossary
SecOps
Term Definition
The team that runs ARQs and sends the results to the Post Office.
PEAK
Incident and Release Management system used by Fujitsu
0.7 Changes
Changes
© Copyright Fujitsu 2022-2024
Expected
FUJITSU RESTRICTED (COMMERCIAL IN Ref: SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 40f8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Amendments following review
0.8 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but, while every
effort is made to ensure the accuracy of such information, it accepts no liability for any loss (however caused)
sustained as a result of any error or omission in the same.
0.9 Information Classification
The author has assessed the information in this document for risk of disclosure and has assigned an information
classification of FUJITSU RESTRICTED (COMMERCIAL IN CONFIDENCE).
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 5of8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
1 Introduction
This document describes the use of the Audit Extraction Client for the retrieval, filtering and querying of
audit data in response to Audit Record Queries (ARQs) received from the Post Office. It further
describes the process of data verification to ensure that the extracted data satisfies the ARQ request.
2 ARQ Requests from POL
_ team receive ARQ requests from the Post Office Security
4) and Post Office Remediation
teams via email. Requests from the Post Office Remediation team
are known as Horizon Shortfall Scheme requests and are more commonly referred to as HSS requests.
Only ARQ requests received from the Post Office Security and Remediation teams will be processed. If
a request for an Audit Record is received from a Post Office employee, they must be directed to the Post
Office Security team, who will submit an ARQ on their behalf.
Below is an example of an ARQ request email received from the Post Office Security team:
‘ARO 237-238- Forest Road
a eee
an yu ence proces he atached ARQ cages?
An example of the ARQ request form received as an attachment to the email is shown below:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 6 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
The following information is required before an ARQ request can be processed:
- The Branch Name and Branch Code
- The required date range. This is shown in the ‘Date Range From:’ and ‘To:’ fields on the ARQ
request form received from Post Office Security. For the requests received from the
Remediation team, this is shown in the ‘Dates Required’ field.
- The ARQ request number e.g., ‘ARQ No.: 519’ (from Post Office Security), or HSS2811 (from
the Remediation team). Each ARQ request is for a maximum of 1 month of data. If the
requested date range spans more than 1 month, the submitted ARQ number(s) must reflect that,
as in the example above (ARQ No.: 237-238). If the submitted ARQ request number is incorrect,
reply to the ARQ request email from POL and request an amended form.
Note that HSS ARQ requests received from the Remediation team are for Transaction and Event Logs,
and HSD calls only. However, ARQ requests received from Post Office Security may include requests
for data in addition to Transaction and Event Logs. These will be stated in the relevant field(s) on the
ARQ request form.
Contractual limits and turnaround times for the provision of Audit Record Queries are detailed in the
Security Management Service - Service Description (SVM/SDM/SD/0017).
3 Prerequisite activities
The following tasks must be completed prior to ARQ data retrieval:
- Open the ARQ Tracker (ARQ Tracking 14-22.xIsx) for each new ARQ request.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 7of8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
- Select ‘Editing’ on the top right of the screen and select ‘Open in Desktop App’:
- Add anew row for each new ARQ request as follows:
e For ARQ requests received from Post Office Security -
o Enter the new ARQ number in the ‘ARQ Ref #' field. This is the number on the ARQ
request form e.g., ARQ 571. If the ARQ request is for multiple ARQs, e.g., ARQ No.:
568-571, each request must be entered in a new row:
o Enter the date the ARQ request email was received in the ‘Date Request Received from
POL’ field.
o Enter the ARQ request details (Branch Name, Branch Code (FAD Code), Date Range
FROM’ and ‘Date Range TO) from the ARQ request form.
o Drag down the previous ‘Number of Days of Data’ value to populate this field for the new
ARQ request.
o Drag down the previous ‘Number of Days of Data (Running Total)’ value to populate this
field for the new ARQ request.
o Enter ‘YES’ in the ‘Transactions & Events’ field if both Transactions and Events have
been requested.
o Check the ARQ request form and if ‘Horizon Helpdesk call logs’ are not requested, enter
‘NO’ in the ‘HSD Calls’ field, otherwise enter ‘YES’.
o If the ARQ request is for Interface Interaction Logs, enter ‘YES’ in the ‘Interface
Interaction Logs’ field.
o Enter ‘N/A’ in the fields for ‘Call Ref for HSD Calls’ and ‘Date HSD Calls Returned’.
These are legacy fields and are no longer used.
o Enter ‘NO’ in the ‘Witness Statement’ field. We do not provide witness statements.
o Enter ‘NO’ in the ‘Events for PEAK’ field. We do not raise PEAKs for Events to be
checked.
NOTE - An ARQ request received from Post Office Security may be for ‘Interface
Interaction Logs’ only. If that is the case, a PEAK must be raised for the SSC team to
provide the requested logs. See section 11 for more details. Fujitsu Security team (Sec
Ops) do not provide ‘full counter logs’. If An ARQ request for ‘full counter logs’ is
received from Post Office Security, reply to the request stating that we can only provide
‘Interface Interaction Logs’ and confirm if they wish to proceed with the request.
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
‘STORED OUTSIDE DIMENSIONS
Page No: 8 of8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e For ARQ requests received from the Remediation team —
o Enter the new HSS ARQ number in the ‘HSS Ref #' field. This is the ‘ARQ Number in
the HSS ARQ request tracker attached to the request email from the Remediation team
e.g., HSS2811. Each request must be entered in a new row:
o Enter the date the HSS ARQ request email was received in the ‘Date Request Received
from POL’ field.
o Enter the HSS ARQ request details (Branch Name, Branch Code (FAD Code), Date
Range FROM’ and ‘Date Range TO) from the HSS ARQ request tracker. The ‘Dates
Required’ field in the tracker shows the required date range.
o Drag down the previous ‘Number of Days of Data’ value to populate this field for the new
ARQ request.
o Drag down the previous ‘Number of Days of Data (Running Total)’ value to populate this
field for the new ARQ request.
o Enter ‘YES’ in the ‘Transactions & Events’ field if both Transactions and Events have
been requested.
o Enter ‘YES’ in the ‘HSD Calls’ field. All ARQ requests received from the Remediation
team include ‘HSD Calls’ (See section 13).
o Enter ‘NO’ in the ‘Interface Interaction Logs’ field. HSS ARQs requests do not include
‘Interface Interaction Logs’.
o Enter ‘N/A’ in the fields for ‘Call Ref for HSD Calls’ and ‘Date HSD Calls Returned’.
These are legacy fields and are no longer used.
o Enter ‘NO’ in the ‘Witness Statement’ field. We do not provide witness statements.
o Enter ‘NO’ in the ‘Events for PEAK’ field. We do not raise PEAKs for Events to be
checked.
4 Logging on to the Audit Workstation
There are 6 Audit Workstations located in Bracknell (BRAO1) and Stevenage (STE04): 4 in BRAO1; and
2 in STEO4. These machines are not connected to the Fujitsu corporate network but have direct lines to
the IRE11 and IRE19 Audit Servers.
Access to the Audit Workstations is restricted, based upon the MSAD group to which the user belongs.
Access to the Audit Workstation is via two-factor authentication: an iKey token and a PIN number is
required. Insert the iKey token into a USB port on the Audit Workstation and enter the PIN number when
presented with the screen.
The following tasks must be completed on the Audit Workstation prior to ARQ data retrieval:
- Open Windows Explorer and navigate to the D drive. If you do not have a folder, create a folder
with your name to save the ARQ data in.
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
‘STORED OUTSIDE DIMENSIONS
Page No: 9of8
(ee)
FUJITSU
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
eat
# Qiks
Flora (@)
lope) ¢
chess
BE deity
> ThsPC » Leal ick)
his AROS
- Copy the “ARQ aaa” template folder from the D drive to your directory,
- Rename the copied folder to show the ARQ request number e.g., ARQ517 or HSS2738,
- Open this folder and open ‘Readme first.rtf. Edit the document to show the correct ARQ
number, financial year (e.g., 23/24), and email address (your Fujitsu email address),
- Rename the ARQ Audit folder to reflect the ARQ request number e.g., ARQ517 Audit or
HSS2738 Audit,
- Close the folder and return to the desktop.
Once the above tasks have been completed, ARQ data retrieval can begin.
5 ARQ data retrieval
Effective Thursday 14"° December 2023, ARQ requests for transactions and/or events for Legacy
Horizon (dates up to 31 October 2010) MUST be processed using the Slow ARQ method, must search
across 3 months and filter for the date range in question, as below:
ARQ Request Date Range
New process (specifying the FAD in the Slow ARQ search screen)
01 January ~ 31 January (or
part thereof)
01 February - 28/29
February (or part thereof)
01 March - 31 March (or
part thereof)
01 April - 30 April (or part
thereof)
01 May ~ 31 May (or part
thereof)
01 June - 30 June (or part
thereof)
01 July - 31 July (or part
thereof)
01 August ~ 31 August (or
part thereof)
01 September - 30
September (or part thereof)
01 October — 31 October (or
part thereof)
01 November - 30
‘Slow ARQ searching for the range 01 January — 31 March (full months) and then filtering
for transactions and/or events for 01 January — 31 January (or part thereof)
Slow ARQ searching for the range 01 February — 30 April (full months) and then filtering
for transactions and/or events for 01 February - 28/29 February (or part thereof)
Slow ARQ searching for the range 01 March - 31 May (full months) and then filtering for
transactions and/or events for 01 March - 31 March (or part thereof)
‘Slow ARQ searching for the range 01 April — 30 June (full months) and then filtering for
transactions and/or events for 01 April - 30 April (or part thereof)
Slow ARQ searching for the range 01 May ~ 31 July (full months) and then filtering for
transactions and/or events for 01 May — 31 May (or part thereof)
‘Slow ARQ searching for the range 01 June ~ 31 August (full months) and then filtering for
transactions and/or events for 01 June — 30 June (or part thereof)
Slow ARQ searching for the range 01 July ~ 30 September (full months) and then filtering
for transactions and/or events for 01 July ~ 31 July (or part thereof)
Slow ARQ searching for the range 01 August — 31 October (full months) and then filtering
for transactions and/or events for 01 August — 31 August (or part thereof)
Slow ARQ searching for the range 01 September — 30 November (full months) and then
filtering for transactions and/or events for 01 September — 30 September (or part
thereof)
Slow ARQ searching for the range 01 October — 31 December (full months) and then
filtering for transactions and/or events for 01 October ~ 31 October (or part thereof)
Slow ARQ searching for the range 01 November — 31 January (full months) and then
filtering for transactions and/or events for 01 November — 30 November (or part thereof)
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 10 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
November (or part thereof)
01 December - 31 December Slow ARQ searching for the range 01 December ~ 28/29 February (full months) and then
(or part thereof) filtering for transactions and/or events for 01 December — 31 December (or part thereof)
The resulting files should be collated and shared as per the existing processes. As this new process will
take longer to perform (current indications are 100 minutes instead of 20 minutes per month in the date
range), consideration should be made to the likely response time to POL. Any delays that would cause
the SLAs documented in SVM/SDM/SD/0017 not to be met must be escalated to SecOps management
for consideration for notification to POL.To start the data retrieval, open the AEClient application on the
desktop.
Once started, the application performs several checks to ensure that the environment has a valid
configuration, and that at least one Audit server is accessible.
Upon successful completion of the validation, the main Audit Extractor Client window is displayed:
2
#EIREN BY: Corvecied
1180 Cervecind
The Data Centres section on the left displays the status of all configured Data Centres (IRE11/IRE19)
and lists active ARQs under the Data Centre at which they were created. A green icon displayed to the
left of the Data Centre name, and the descriptive text following the name, indicates that the Data Centre
is available i.e., connected.
An ARQ can be processed as a Fast ARQ or a Slow ARQ (New ARQ). The Fast ARQ form presents
fewer options than the Slow ARQ form but once started by clicking the ‘Execute ARQ’ button, the ARQ
will proceed through the retrieving, sealing, filtering, querying and presentation steps without further user
interaction. The default for processing an ARQ is to run a Fast ARQ. However, a Slow ARQ must be run
if:
- The criteria for Legacy Horizon apply (see above),
- No data is returned when a Fast ARQ is run,
To run a Fast ARQ
- Right click on one of the Data Centres and select Fast ARQ
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 11 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
- This will open the Fast ARQ form:
Pecettel FSS
defenses [inex =]
f Fmd Due Enda ncn
- Set the selection criteria as follows:
e ‘Requester’ - Always select POCL IA,
e ‘Receipt Ref.’ - ARQ Number, as per the ARQ request. This should be a single ARQ number
e.g., ARQ517 or HSS2738,
« ‘Date Received’ and ‘Date Required’ - Don’t change,
« ‘Filter Start Date’ and Filter End Date’ - Set as per the ARQ request. If an ARQ request form
received from Post Office Security is for multiple ARQs covering a number of months, the
‘Filter Start Date’ and Filter End Date’ must be the start and end date of the month for the
relevant ARQ. If an ARQ request form received from Post Office Security is for multiple
ARQs covering several months, they must be processed one ARQ at a time i.e., one ARQ
for one month. Note - If this is an ARQ request for transactions and events for Legacy
Horizon (dates up to 31 October 2010), it MUST be processed as a Slow ARQ (see below)
with the ‘To Date’ 3 full months from the ‘From Date’ (as described at the start of this
section).
e ‘Extra days for extraction’ - MUST always be set to +3,
« ‘FAD Code’ - The Branch code, as shown on the ARQ request form or the HSS ARQ request
tracker,
* ‘Include Events’ - Do not tick
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN gag. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 12 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e ‘Select drive and folder for output’ - Navigate to the D drive and select the folder created
earlier (Section 4) e.g., D:/John’s ARQ/ARQ 517/Excel 97 Format
All HSS ARQ requests, and the vast majority of ARQ requests received from Post Office Security,
require 2 queries to be run:
- Events - The output shows all counter events generated by the Counter Branch Application at a
branch.
- lOPPANBarcodesHashed - The output shows information relating to PAN and client account
references. Note that this query only provides the hashed PAN and not the encrypted PAN. If a
full PAN is requested, another query, ''\OPPANBarcodes' which provides the encrypted PAN,
must also be run. The PAN Management dialogue screen can then be used to decrypt the
encrypted PAN (see section 14). The hashed and encrypted PANSs are only available for
transactions in a branch before that branch migrated to PBS. Post-PBS, only the ‘truncatedPAN’
is provided by the IOPPANBarcodesHashed query. The tokenized PAN, which POL would
require to obtain the full PAN, can be provided by running the PBSDetails query.
These queries are part of a set of predefined queries maintained on both Audit servers. For details of
these, and other predefined queries available, see DEV/GEN/MAN/0015, section 8.5.4.5.3 (Predefined
Queries).
For information on which queries to run for other information requested on the ARQ form (Pouch ID,
PAN Details and Address for Recorded Delivery), see below (pages 15 and 16). If other information is
requested in the “Other information” section of the form, for which there isn’t an existing predefined
query, respond to the request email with:
"There is no current facility to respond to the request you entered into the Other box. This will need to be
submitted as a feature enhancement via RTQ as it will also require changes to the contract as this is
outside the definition of an ARQ."
- Select ‘Events’ and ‘IOPPANBarcodesHashed’ queries, as shown in the above screenshot. For
information on queries to use for Pouch ID, PAN details, and Address for Recorded Delivery, see
below (pages 16 and 17).
- Start the data retrieval by clicking on the ‘Execute ARQ’ button:
Execute ARQ
- Make a note of the POIA number (found on the top banner of the FastARQ form). This must be
recorded in the ‘POIA Ref field in the ARQ Tracker for every processed ARQ request.
= POIAAEE58 on IRE @)
‘AB Dated
slIsssI — [onlaeprtelehleeherIsleI I ~
When the ARQ is completed successfully, the message ‘ARQ completed successfully’ will be displayed
in the status bar and the ‘Close ARQ’ and ‘Exit ARQ’ buttons will be enabled.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 13 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
5 st vector
eh
Penete fo =] Prenat RRQ
Odehecwes [BAUR =] Oaefeanee [RETR =]
pi ei or Oy
[nnn =) fama =) 4. Ps} fom
erate
Two Excel spreadsheets, one for Horizon and one for HNG-X, will be generated in the specified output
directory on the Audit Workstation for each query run. The name for the Horizon file begins with letters
‘Hz’ and that for the HNG-X file begins with ‘Hx’. If the queries are run for HNG-X i.e., for a date range
starting after 31 October 2010, the generated spreadsheets for Horizon (Hz) will be empty (12 KB in
size). However, if the queried date range spans the migration of the branch from Horizon to HNG-X, all
generated Excel spreadsheets (Hz and Hx) will contain data. In addition, an XML file will be created for
each query run. This file is not used and can be deleted.
Gl Hi Events era
2 Pe Events ess20t8
Hi JOPPANBarcodes
% EE HJOPPANBorcodes
He Events
Hi vents
He JOPPANBarcodes
2) He JOPPANBercoder
If the query does not return any results i.e., all generated spreadsheets are 12 KB in size, re-run the
ARQ on the other Data Centre using the Slow ARQ process (see ‘If no data is returned’ section below).
Once the requested ARQ has been processed, the ARQ Tracker (ARQ Tracking 14-22.xlsx) must be
updated with the following details:
e POIA Ref
« Audit Workstation Used
e Processed By
Requests for Pouch ID:
If the Pouch ID has been requested on the ARQ form, select the ‘\OPPouchld’ query:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS
PageNo: 14 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Fae ee ee
fovanvatet =] [aarra “=} . } . Pj fnew” iz
Requests for PAN details (credit/debit card details)
If PAN details have been requested, select the ‘IOPPANBarcodes’ query. This query provides the
encrypted PAN, which is required for obtaining the PAN details (see section 14):
FntunDae Find One Candler
She re leno ott eee oben
ne) raisin ——
[Seg ano:
ast
sou
fae SEN se
On he [ERS RETA Ta
neat
Requests for Address for Recorded Delivery
If address details for a recorded delivery has been requested, select the
‘1OPMailServiceSDAddressWithExtraAddresses’ query.
To run a Slow ARQ
- Right click on one of the Data Centres and select New ARQ
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN gag SVM/SEC/WKI/451
CONFIDENCE) ef 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR _ Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 15 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
- This will open the New ARQ form:
(ther 3dPaty I DateReceived [20/02/2028 =]
Date Required 20/02/2024 ha I
Receipt Reference [SS {
I
Access Reason {
Specily Selection Criteria Save Request I Ro the I
- Select POCL IA for ‘Requester’:
Query : = =
I Requester (Other 3rd Party y] Date Received [20/02/2024 >
(Other 3rd Part
Catalogue Entry PathwaytA Date Required [20/02/2004 +
Pathway Other
Receipt Reference Pathway 3SC
POCL Other
I Access Reason POCL Security ‘
} STARTUP REQUESTER.
I
Speciy Selecion iteiaI __SaveRtequest_I Chose
- Enter the ARQ Number, as per the ARQ request, in the ‘Receipt Reference’ field e.g., ARQ517
or HSS2738. OPTIONAL - Enter the branch name, branch number (FAD), and date range
required in the ‘Access Reason’ field:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN pag. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 16 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(B) New ARQ IRET9 (W) ne #
Query
Requester POCLIA =] Date Received [20/02/2024 =I
Catalogue Enty fate Required [20/02/2004
Receipt Reference {ygsz7ig SS
Access Reason
Specity Selection Criteria Save Request Close
Click on the ‘Specify Selection Criteria’:
BD New ARQ IREIO CW) : Ly
‘Quewy
Requester (GREER) ate Received = [2002/0024
Catalogue Enty [Date Required [20/02/2024 +
Receipt Reference {11552719
Access Reason
a
= Your request to Create a new ARQ has been invoked. **
Enter the ‘From Date’. This must be the start date of the requested date range.
Enter the ‘To Date’. Note - If this is a Slow ARQ being run for transactions and/or events for
Legacy Horizon (dates up to 31 October 2010), the ‘To Date’ MUST be 3 full months from the
‘From Date’ (as described at the start of this section). Otherwise, this must be the end date of the
requested date range.
Click on ‘Select’ on the right-hand side:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 17 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
IB Specify Selection Criteria for Query - pura
1 Selection Criteria for ARQ. Reterence POIAS540W ——— = =a = <<
Dates Required
From Date [ot December 2007 eal ToDate {23 Februay 2008 +] II
‘Aust Point and FAD Det a oe a I
II [Audit Point “J Audit Sub Point [FAD Code [FAD Hash \
<Select I
PAN Details - Required Templates:
Hovizon Template [
I HNGXTemplate
Select BAN Close
- Enter the branch code in the ‘Post Office FAD Code’ field:
Audit Etracor- Update ut Points or FAD Code
To ad lect ita: Sele Aust Prt and Su Pt orp Pot ice FAD Code en ck at
Totemove secon ctr Slt tenn. en chek Delt
Lif seta uc Port Select Cita
Td Port [suit Sch Port I FAD Code [FAD Hash
or
et cs FAD Cade
fie
- Click ‘Add’ and click ‘OK’:
_ Audit Extractor - Update Audit Points or FAD Code
Toa selcion ct Selec Audt Pint and Sub Part trou Post fie FAD Code, thn hk ct
Tovamovesleton ct: Sls ctinin it than cick Delt
vas Litt sete Au Pont Slaton Catia
foro (Ce) [Sston Taos rors Tao cose Tra ish]
; os ib CLUSTER
or
ot Oca FAD Code
fue
est
SEO r
Seach Completed 19144 hat ro HG Hist fr te dae recused
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN gag SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR _Date 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 18 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
I Selection Ciera for ARG Reference POIABS4OW ————— —
Dates Requied- 35 <a =
From Date [01 December 2007 =] ToDate [23 Februay 2008 =]
t ‘Audit Point and FAD Details ————— ~ Sa
‘Audit Point [ Audit Sub Pont [FAD Code [FAD Hash I
TMS: CLUSTERZW 191434
PAN Details - Requied Templates
Horizon Template I
HNG Template [-
Select PAN ‘Search for Files I Close I
- Click ‘Search for Files’ and the following message will be displayed.
Warning: the search dates span an excessive period of: 91
days.
This exceeds the 31 day limit.
This may result in too many files being returned.
Do you wish to continue?
No
- Click ‘Yes’. This will start the data retrieval.
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN. pag SVM/SEC/WKI/451
CONFIDENCE) ef 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR _ Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS.
Page No: 19 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00243297
FUJ00243297
Retri
& Maintain ARO: POIABS4OW on IREI9 (W) Q
‘ARQ Detais I Retieval Citeria I Audit Tracks I Fitering I Validation and Query I Pres see
ie
Fies Names for ARQ Reference POIABS4OW -
Filename [
Size I ‘Status I
Files Found 0
Nooffiles Selected 0
Size of Selected Files:
Select AN I~
Selected File List Contol
Retiesh View Close
(“* Retrieving filenames for selection Criteria. *
ieving the files will take some time, depending on the number of files.
& Maintain ARG POIABS40W on IREI9 WW)
ARQ Detais I Retieval Citeria
waif thing I Vara winadI Baccnnbel
Files Names for ARQ Reference POIABS40W =
I Rename: [ Sie I Status =
FNOI_TMS_Cluster2w_W_1_20080229_15514600_V001. arc 70282541 Displayed
FNOT_TMS_Cluster2w_Ww_1_20080223_14370500_VO01 are 71562061 Displayed
I I FNO1_TMS_Cluster2w_w_1_2008022313114300_VO01. are 71187624 Displayed
I} FNOT_TMS_Cluster2W_W_1_20080223_11502400_V001.are 71840437 Displayed
FNO1_TMS_Cluster2w_W_1_20080223_10325300_V001.arc 74487743, Displayed
I I FNO1_TMS_Cluster2w_W/_1_20080229_09122100_VO001.arc 73673611 Displayed
FNOT_TMS_Cluster2w_W_1_20080228_18285300_VO01. are 66758471 Displayed
FNO1_TMS_Cluster2w_W_1_20080228_16170600_V001. arc. 67295968 Displayed
FNO1_TMS_Cluster2w_W_1_20080228_14564700_V001.arc 71777812 Displayed
I I FT TMS~Chsteraw_w"1_2008022813296300_VO01. are 73311808 Displayed
1 73107455 Displayed J
I Files Found 543, Selectal
No of Files Selected = 1
I Size of Selected Files: 67.67 Mb
‘Selected File List Contol:
RESTORE Files REPLACE Fies I ConfumSeaiStotus I DELETE Fies I
Refresh View Close
Click the ‘Select All’ tick box and click ‘RESTORE Files’. Make a note of the POIA number
(found on the top banner of the form). This must be recorded in the ‘POIA Ref field in the ARQ
Trac!
ker.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE) Ret
Version:
UNCONTROLLED WHEN PRINTED OR _ Date:
STORED OUTSIDE DIMENSIONS. Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
20 of 8
FUJ00243297
FUJ00243297
oO AUDIT EXTRACTION - LOCAL WORK INSTRUCTION ”
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
ARQ Detais I Retieval Citeria Audi Tracks I Fiteiing I Validation and Gueyy I Presentation]
Files Names for ARO Reference POIABS4OW
I TRitename [ Size I Status ~ I
FNOI_TMS_Chister2w_w/1_20080223_15514600_VO01. ac 70282541 Displayed I)
_ I FNOITMS_Chaster2w_w_1_2008022914370500_VOOT. ae 71582061 Displayed II
FNOI_TMS_Chuster2w_w_1_20080229_13114300_VOOT. arc 71187624 Displayed I
FNOI_TMS_Chisteraw_W_1_20080223_11502400_VOD1. ac 71840497 Displayed I I
FNOI_TMS_Chster2w_W"1_20080229_10325300_VO01. arc 74487743 Displayed I
FNOI_TMS_Chister2w_W 120080223 09122100_VOD1 are 73673611 Displayed I
FNOI_TMS_Chuster2w_w_1_20080228_ 18285300_VO01. arc 86758471 Displayed I
FNOI_TMS_Chisterw_W_1_20080228, 16170600_VOO1. ate 67235968 Displayed
FNOI_TMS_Chister2w_Ww_1_20080228_14564700_VO01. atc TI777B12——_Displayed
I I ENOI_TMS”Chistecaw_Ww_1_ 2008028, 13295300_VO01. ato 73311908 Displayed
I I FNO1_TMS_Cluster2w_w_1_20080228_12044000 O01. are 73107455 Displayed I I
Files Found 543 Selectal I
No ofFies Selected 543 I
I Size of Selected Files: 36.82 Gb i
~ Selected Fe List Contol — ee
Retiesh View Close
- Once a file has been restored, the file ‘Status’ changes from ‘Requested’ to ‘SealOk’. The
‘Filtering’ tab will be enabled once all the files have been restored:
‘ARQ Details I Retieval Citeria Audit Tracks I Fitering I Valdation and Quewy I Presentation I
Fles Names for ARQ Reference POIABS4OW
Filename [ Size I Status
FNOI_TMS_Chuster2w_W_1_20080229_15514600_VOOT.arc 70282581 Sealk
FNOI_TMS._Chister2w_W_1 71582061 Sealk »
101_TMS_Chuster2W_W_ 71187624 Seal0k
FNOI_TMS_Chuster2W_W 71840497 Seal0k
FNOI_TMS_Chuster2_W_1 74487743 Sealdk
1O1_TMS_Chuster2W_W_ 73673611 Seal
101_TMS_Chister2W_W_ 65750471 Seal0k
FNOI_TMS_Chuster2W_W_ 67295968 Sealdk
1O1_TMS_Chister2W_W- 71777812 Seal0k
FNOI_TMS_Cluster2w!W_1 73311306 Sealdk
1O1_TMS_ChusterW_W_ 73107455 Sealdk
I Fes Found 543 Select Al
NoofFiles Selected 543
Size of Selected Files: 36.82 Gb
Selected Fe List Conto -
RESTORE Files I REPLACEFiles I ConfimSealStotus I DELETE Fies I
Reltesh View Close
- Select the ‘Filtering’ tab:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN gag SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR _Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 21 0f 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
FUJ00243297
FUJ00243297
CONFIDENCE)
I Maintain ARQ: POIA9S25B on IRE! (8) _
‘ARQ Detail: I Retrieval Criteria] Audit Tracks Fitering I Validation and Queiy I Presentation I
Output Type [ABSTRACT - Only those rows that match the select a
Stat Date ovmaro08 >] End Date ovoarzo08 >]
Post Oifice FAD Code rT
Fi
"AD List 281410 ‘add
Delete
Save Fiter ‘Apply Fter
Refresh View Close
- The ‘Output Type’ box will default to “ABSTRACT - Only those rows that match the selection
criteria”. Change the ‘End Date’ and enter the end date of the requested date range, as stated on
the ARQ request form, or in the HSS ARQ request tracker.
Click ‘Apply Filter’:
& Maintain ARQ: POIA95258 on IRETI (8)
ARQDetais I Retieval CiteraI Audit Tracks Fiteting I Vaidation and Quew I Presentation I
Output Type [ABSTRACT - Only those rows that ma al
Statt Date [o1703/2008 x] EndDate '30709/2008 a
Pos Ofice FAD Code C_
FAD List aB1410
Add
Delete
[Appibing liter Please wait
Refiesh View Close
- Once the filtering has completed, the ‘Filtering completed’ message will be displayed, and the
‘Validation and Query’ tab will be enabled:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
UNCONTROLLED WHEN PRINTED OR
STORED OUTSIDE DIMENSIONS.
Ref:
Version:
Date:
Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
22 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
FUJ00243297
FUJ00243297
CONFIDENCE)
‘ARQ Details I Retieval CiteiaI Audit Tracks Fiteing I Validation and Presentation I
Output Type [ABSTRACT - Oni those rove that match the selection citeria =)
I Start Date [o1703/2008 =] EndDate 30/09/2008 I I
I Post Office FAD Code I
FAD List 281410 ‘Add
I Delete
I I
Fiteing completed
Save Filter Apply Fiter
eliesh View Close
Select the ‘Validation and Query’ tab:
ARQ Detais I Retieval CiteiaI Audi Tracks I Fitering Vakdation and Queyy I Presentation
DataSouce —[ “y] Statue f
Sxpee War I Sues gerd Pectedon I
Reltesh View Close
- Select ‘Horizon’ from the ‘Data Source’ drop-down list (this will be the only option). The ‘Status’
will change to ‘Concatenation completed’, and the ‘Sequence Validation’ will be displayed:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Ref;
Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS.
Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
23 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
ARQ Details I Retieval CiteiaI Audi Tracks I Fitering Vaidation and Query I Presentation I
iE
DataSouce (EEEEMMIMUNNINNNNIEY =] Status [Concatenation completed
Sequence Validation I Select Query] Execute Queyy I
I és GAPS -NONE
Za1410:1 1652008
214102 3602377
2a1ei0:3 4449538 I
II 2erato:4 2316787 DUPLICATES - NONE
I 2arai0:34 294366
281410:35 253637
281410:54 4770
281410:55 187261
Reeftesh View Close
- There should be no ‘GAPS' i.e., ‘GAPS - NONE’. If Gaps are present (see example below), seek
assistance from Audit support by logging a PEAK and assigning to Audit-Dev (see section 6.1).
169B on IREL1 (0) Sel)
‘ARQ Details I Retiieval Criteria] Audit Tracks I Fitering Validation and Query I Preservation
aesove (EAN =] sie [Bsteneies
Sequence Validation I Select QuewI Execute Queyy I
I» I
5
3
=
é
2708246
(shown in ted)
342021 2708341 2708341 I
II 34203241 2708342 2708343 ee onies I
342K32:1 2708342 { 2708342 j
I we I 2708353 2708353 eet)
Es = ao I
I I 3a2as2:2 1186101 { 196102 I
} (342492:3 5134436 5134441 I
i 32432:4 4939158 4939720 SEEK, ena I
3424324 4839600 4939632 I
I 342432:5 4770713 471138 ee I
[wows arr amie zt I
Refresh View Coe I
- If there are no Gaps, select the ‘Select Query’ tab.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS
PageNo: 24 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
FUJ00243297
FUJ00243297
CONFIDENCE)
I Maintain ARO: POIA9S258 on IRETI (B) A
ARQ Det I Ratio GteaI Audt Tack I Feng Vakdan re y Peseta
I DataSource [Horizon “x] Status [Fameatentin conse
Sequence Validation iy] Execute Quey I
Select Requied Query a —
Quey —f
Retieve I Open _ I
Retiesh View Close
Click the ‘Retrieve’ button under the ‘Query’ box. Note that th
determine which queries can be selected. For “Horizon” Data
‘Hz_’ will be available:
ie ‘Data Source’ selected will
source, queries beginning with
I Maintain ARQ: PO1A9525 on IRENT (8).
‘ARQ Detail I Retieval Criteria) Audi Tracks I Fees Validation and Query I Presenta
otal
DataSource [Horizon
“z] Status
senaner vg IRE (Ava ais
(Select Req.
I Query
[Fireteam completed
ox
I Selected
I Avaliable Queries
id
Hz Event nal
H2_Authods gl
H2_BFwidandCF wd ea)
+) IHz_BOIOPPANBarcodes. xq
H2_BranchTradingStatement xq)
H:
I [He_Events_Num xq)
I IHz_IOP.xql
He lOP_DEST_SRC xq
I Num:
Select the ‘Hz_Events.xql’ and click ‘Select’. Click ‘Open’ and t!
the query detail will be displayed:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
UNCONTROLLED WHEN PRINTED OR
STORED OUTSIDE DIMENSIONS.
R SVM/SEC/WKI/451
ef: 7
Version: 1.0
Date: 10-Apr-2024
PageNo: 250f8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
I) Maintain ARQ: POLAG525B on IRETI (8) eee <
ARQ Details I Retrieval CiteriaI Audit Tracks r Fig Valder end Quen) I Pree ertetonI
Data Source ozo = Status a completed
Sequence Vakdation Select Que I Erect Quy I
+ Select Requted Que —————— Ee -
Quey [Hz Events xal
I Coe
fequery version
I GEA neon oecragdetetdate a sing) a dee
K
let $months := ("Jan Feb"."Mat'"Apr'"May" Jun’. "Jul" "Aug’."Sep"."Oct',"Nov""Dec")
let $dates'= tokenize(Sdat
return
concat{$dates{3]."-" replace{concal!"0", index-of{ months, $dates(2)}. "07710-S10-3}8)
ecules ox rene
cE vert
Relesh View Close
- Select the ‘Execute Query’ tab:
I) Maintain ARQ: POIA9525B on RET (B) ® :
ARO Details I Retrieval Catal ‘Audit Tracks I Feira Validation and ae I Proven
DataSource [Horizon = Status [Fancatensionsoeled
Sequence Validation I Select Query I Execute Query I)
Execute Query
Execute
08:31:11 Created
085439 New
08.54.49 File copy started
}03:04:01 Concatenating fies
080423 Concatenation completed
Retresh View Close
Click ‘Execute’. Once the query is executed successfully, the ‘Presentation’ tab will be enabled:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 26 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00243297
FUJ00243297
Data Source
ARQ Details I Retieval CrteriaI Audit Tracks I Fitering Validation and Query I Presentation}
[Horizon “z] Status [Sort completed
Sequence Validation I Select Quety Execute Query I
Execute Query
Execute
09:44:58
New
File copy started
Concatenating fies
Concatenation completed
Guery copied to ARO directory on Server.
Query Submitted
Guery execution started
Sort completed
Refiesh View Clase
- Select the ‘Presentation’ tab. Select ‘Export to Excel’ and click on ‘Change’. Navigate to the D
drive and select the folder created earlier (Section 4) e.
D:/John’s ARQ/ARQ 517/Excel 97
Format. Enter the file name (‘Events’ followed by the ARQ requested date range e.g., ‘Events 01-
30 April 2023’), and click ‘Create Output’. This will generate an Excel spreadsheet and place it in
the specified output directory on the Audit Workstation.
& Maintain ARQ: POIA9525B on IREI1 (8) =o
ARQ Details I Retieval CrteriaI Audk Tracks I Fitering I Validation and Query Presentation I
Export Results to Excel:
Expottte Excel
[D:\Report xlsx Change
Expott Events to Excel
is
[OSE vents vex
Create Output
Reliesh View Close
- Return to the ‘Validation and Query’ tab and select the ‘Select Query’ tab. Click the ‘Retrieve’
button under the ‘Query’ box to select Hz_IOPPANBarcodesHashed.xqI and repeat the above
process to generate the Excel spreadsheet for Transactions. The file name should be the ARQ
requested date range e.g., 01-30 April 2023.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
UNCONTROLLED WHEN PRINTED OR
STORED OUTSIDE DIMENSIONS.
Ref:
Version:
Date:
Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
27 of 8
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
FUJ00243297
FUJ00243297
If no data is returned
If the query does not return any results, run a Slow ARQ as follows:
- Right click on one of the Data Centres and select New ARQ
- This will open the New ARQ form:
Que — SSeS SSS
Requester (Other ad Paty =I DateReceived [20/02/2024 +]
Catalogue Enty [Date Required [20/02/2024 I ‘
I Receipt Reference [———
Access Reason ‘
Speci Selection Citeia I
- Select POCL IA for ‘Requester’:
9) New ARQ-IREISCW) a I
Query 5
_ Requester Other 31d Party x] Date Received [20/02/2024 +
Other 3rd Party -
Catalogue Entry Pathway tA Date Required [20/02/2024 x]
Pathway Other
Receipt Reference (Pathway SSC
POCL Other
‘Access Reason POCL Security
} STARTUP REQUESTER
Speciy Selecion CiteiaI __SaveRtequest I Close
- Enter the ARQ Number, as per the ARQ request, in the ‘Receipt Reference’ field e.g., ARQ517
or HSS2738. OPTIONAL - Enter the branch name, branch number (FAD), and date range
required in the ‘Access Reason’ field:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE) Ret
Version:
UNCONTROLLED WHEN PRINTED OR _ Date:
STORED OUTSIDE DIMENSIONS. Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
28 of 8
FUJ00243297
FUJ00243297
oO AUDIT EXTRACTION - LOCAL WORK INSTRUCTION ~
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
BP New ana iRE19 (0) : L
Query
Requester [Poca +] DeteReceived [20/02/2028 =]
Catalogue Enty [ate Reauire [2070272028 >
Receipt Reference IHssz7igd SCS
‘Access Reason
Specify Selection Criteria Save Request Close
- Click on the ‘Specify Selection Criteria’:
BD New ARQ IREI9 (W) a
Query
Requester (GROWN =] Date Received [20/02/2024 >
Catalogue Entry: Date Required 20/02/2024 =
Receipt Reference [4552719
‘Access Reason
“Your request to Create a new ARQ has been invoked. “=
- Enter the ‘From Date’. This must be the start date of the requested date range.
For the query end date (‘To Date’), enter a date 3 days from the start date i.e., start date + 3.
The purpose of this is to determine which cluster holds the data required before the full query is
run.
Click on ‘Select’ on the right-hand side:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
‘STORED OUTSIDE DIMENSIONS
PageNo: 290f8
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00243297
FUJ00243297
IB Specty Selection Criteria for Query - POIABS4OW on IRETO(W)
‘Selection Criteria for ARO Reference POIABS40W
Dates Required
FromDate [01 December 2007+] ToDate [04December 2007 +]
Audi Point and FAD Details
‘Audit Pont — I Audt Sub Pont [FAD Code [FAD Hash I
Select PAN : Close
- Instead of entering the branch code in the ‘Post Office FAD Code’ field as before, select TMS
from the ‘Audit Point’ drop-down list:
‘Audit Extractor - Update Audit Pints or FAD Code
To edd selection cei. Select Aud Poin nd Sub Pont or rput Post Ofice FAD Code, then cick Ad
Totemove seleccn citer: Select citesiain st, then cick Delete!
Lic selected udt Pont Selection Cea
Add> I [AudiPont [Audit Sub Pont [FAD Code [FAD Hach I
«Delete
leat
- Select and ‘Add’ Cluster1, Cluster2, Cluster3 and Cluster4 Sub Points.Click ‘OK’.
e If the ARQ is being run on IRE11(B), select:
Cluster1B, Cluster2B, Cluster3B and Cluster4B
« If the ARQ is being run on IRE19(W), select:
Cluster1W, Cluster2W, Cluster3W and Cluster4W
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 30 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00243297
FUJ00243297
‘Ault Extractor - Update Audit Points or FAD Code
To add selection citi: Select Aud Point and Sub Port ar nput Post Dice FAD Code then clck Ad
Totemove selection ceria Select ciletiain Et then cick Dele!
Lint slected ut Port Select Cena
‘Audi Pork [ Audit Sub Port I FAD Code] FAD Hash I
[Ouserte
[Custer
‘Adit Extractor - Update Audit Poin
To add selection cite Select Audt Port and Sub Poot input Post Ofce FAD Code, then cick Ade
Totemoye selection cite: Select emerisin st. then click Delete
Ue of nlcted Aud Pat Selection Ciena
ime a udiPort [AodiSubPort [FAD Coie [FAD Hen I
Cet
New Veber
Custee
usta
ChsteB
Once the ‘Audit Point’ and ‘Audit Sub Point’ has been added, click ‘Search for Files’.
- on Cite for Query -POIABS40W AEM:
Selection teria for ARQ Reference POIABS40W
Dates Reauced
FiomDate [01 December 2007 >] ToDete [04December 2007 =]
‘usdt Pont and FAD Detale
‘Aust Pont [Audit Sub Pont FAD Code I FAD Hash I
ChstertB
™S ‘Chuster28
1™S Chutes <isee
™S: ‘Cluster4B
Ele
PAN Detais -Requced Templates:
Horizon Template [
HNGS Template
Select PAN : Close
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN poe.
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS. Page No: 31 of 8
10-Apr-2024
SVM/SEC/WKI/451
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
BD) Maintain Arce PoWRSIOW on REI) = fe
ARQ Details I Rletieval Citeria I Audit Tracks I Fitering I Valdation and Query I Presentation]
Files Names for ARQ Reference POIASS40W See
Filename i Size I ‘Status I
Fes Found 0 Select AL
Noof Files Selected 0
Size of Selected Files:
Selected File List Contol:
Refresh View Close
I“ Retrieving filenames for selection Criteria.
- Retrieving the files will take some time, depending on the number of files.
ARQ Details I Retrieval Citeria I I Fitesing I Validation and Quey I PresertationI
Files Names for ARQ Reference POIABS40W ~ =
I Rename: [ Sie I Status =
FNOI_TMS_Cluster2w_W_1_20080229_15514600_V001. arc 70282541 Displayed
FNOI_TMS_Cluster2w_W_1_20080223_14370500_V001.arc 71562061 Displayed
I I FNO1_TMS_Chuster2w_W_1_20080223_13114300_V001.arc_ 71187624 Displayed
I} FNOT_TMS_Cluster2W_W_1_20080223_11502400_V001.are 71840437 Displayed
FNO1_TMS_Cluster2w_W_1_20080223_10325300_V001.arc 74487743, Displayed
I I not =TMS~Chsteraw_w1_20080229-08122100_VO01 are 73673611 Displayed
I I FNO1_TMS_Cluster2w_W_1_20080228_18285300_V001.are 66758471 Displayed
FNO1_TMS_Cluster2w_W_1_20080228_16170600_V001. arc. 67295968 Displayed
FNO1_TMS_Cluster2w_W_1_20080228_14564700_V001.arc 71777812 Displayed
I I FT TMS~Chsteraw_w"1_2008022813296300_VO01. are 73311506 Displayed
1 73107455 Displayed
I Files Found 543, Selectal
No of Files Selected = 1
‘Selected File List Contol:
RESTORE Fes REPLACE Fies I ConfimSealStauus I DELETEFies I
Refresh View Close
- Click the ‘Select All’ tick box and click ‘RESTORE Files’.
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN. pag SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR _ Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 32 0f 8
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00243297
FUJ00243297
ARQ Detais I Retieval teria Audt Tracks I Fite
Fes Names fr ARQ Reference POIABS40W
Filename [ Size I Status ~ I
FNOI_TMS_Chister2w_w/1_20080223_15514600_VO01. ac 70282541 Displayed I) I
FNOI_TMS_Chaster2w_w_1_20080223_14370500_VOOT. ae 71582061 Displayed I I
FNOI_TMS_Chuster2w_w_1_20080229_13114300_VOOT. arc 71187624 Displayed
FNOT_TMS_Chuster€W_W_ 120080223. 11502400_VO01. arc 71840437 Displayed I I
FNOI_TMS_Chster2w_W"1_20080229_10325300_VO01. arc 74487743 Displayed I
FNOT_TMS_Chuster2W_W1_2008022908122100_VO01 are 73673611 Displayed I
FNOI_TMS_Chuster2w_w_1_20080228_ 18285300_VO01. arc 56758471 Displayed I
FNO1_TMS_ChusterW_W_1_ 20080228. 16170600.VO01 arc 67235968 Displayed
FNOI_TMS_Chister2w_Ww_1_20080228_14564700_VO01. atc TI777B12——_Displayed
FNOI_TMS_Chistew_W_1_20080228, 13295300_VOO1. ato 73311906 Displayed
I I FNO1_TMS_Cluster2w_w_1_20080228_12044000 O01. are 73107455 Displayed I I
Files Found 543 Selectal I
No ofFies Selected 543 I
Size of Selected Files: 36.82 Gb
- Selected File List Contol = =
Once a file has been restored, the file ‘Status’ changes from ‘Requested’ to ‘SealOk’. The
‘Filtering’ tab will be enabled once all the files have been restored:
ARQ Details I Retieval Citeria Audit Tracks I Ftering I Vaidation and Query I Presentation]
Files Names for ARQ Reference POIABS4OW
Filename T Size I ‘Status ~
FNOI_TMS_Chuster2w_W_1_20080229_15514600_VOOT arc 70282581 Seaidk
FNOI_TMS__Chister2w_W_1_20080229_14370600_VO0}. are 71582061 SeaiDk
FNOI_TMS_Chuster2w_w_1_20080229_13114300_VOOT. arc 71187624 Sealdk
FNOI 71840497 Sealk
5 74487743 Seaidk
5 73873611 Seal0k
5 96758471 Sealdk
je 67235968 Sealdk
1 ri777812 Sealdk
I 73311908 Sealdk
5 73107455 Seak
Files Found 943 Selectal 1
No ofFiles Selected 543
Size of Selected Fes: 36.82 Gb
Selected Fie List Contol
ESTORE Files I REPLACE Fies I ConfirmSealStatus I DELETE Fies I
Reftesh View Close
Select the ‘Filtering’ tab:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE) Refi
Version:
UNCONTROLLED WHEN PRINTED OR _ Date:
STORED OUTSIDE DIMENSIONS
Page No:
SVM/SEC/WKI/451
FUJ00243297
FUJ00243297
oO AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
‘ARQ Details I Retieval CiteriaI Auda Tracks Fitesing I Voc!
Output Type fess =]
Statt Date fortz2007s]—EndDate [oa7122007 =]
Post Office FAD Code rc
FAD List 2aI4i0 a
Delete
Save Fier Apply Fiter
Refresh View Close
- The ‘Output Type’ box will default to “ABSTRACT - Only those rows that match the selection
criteria”. Don’t change the ‘End Date’. Enter the branch code in the ‘Post Office FAD Code’ field
and click ‘Add’.
Click ‘Apply Filter’:
@ Maintain ARC: POIABS4OW on IREIS (W) s e
‘ARO Detais I Retieval Cites) Audt Tracks FReting I Vaidstion and Quewy I Presentation I
Output Type [asstri nly those rows that match the selection criteria a
Start Date [ov712/2007] End Date foartaraoor =]
Post Office FAD Code i]
FAD List 281410
a
tee
[Rootma ter Pease wai
Refresh View Close
- Once the filtering has completed, the ‘Filtering completed’ message will be displayed, and the
‘Validation and Query’ tab will be enabled:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN SVM/SEC/WKI/451
CONFIDENCE) Ret 7
Version: 1.0
UNCONTROLLED WHEN PRINTEDOR _Date 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 34 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
FUJ00243297
FUJ00243297
CONFIDENCE)
Maintain ARO: POLABSOW on IREI9 (W)
ARO Details I Retieval Criteria Aud Tracks Fitering I Vatdation and 0)
Ouiput Type sich the select I
Start Date foriee0c7 +] End Date owe? i
Pos Oice FAD Code I
FAD List aB14i0
—se_]
Delete
Fireing completed
Save Fiter Apply Fiter
Reltesh View Close
- Open the QueryHandle log file on the relevant Audit server (\UserArea\ARQRef folder) and note
which cluster contains data (file size is not 0). For example, Cluster2B files contain data, but
Cluster2C files are empty.
- Re-run the Slow ARQ using only the cluster that returned data e.g., Audit Point: TMS, Audit Sub
Point: Cluster2B. NOTE - ensure the correct start and end dates are selected for Legacy Horizon
queries.
6 Preparing the files to send for checking
The data files will be in the output directory specified earlier (D:/[Your Folder]/ARQxxx/Excel 97 Format)
Event
PH Events
(2) Hic Events
GP Hx JOPPANBarcodes
[2 He JOPPANBarcodes
BP He Events
He Events
Gh He JOPPANBarcodes
IS Hr JOPPANBarcodes
5 RejectedSysmendEvents
RejectedSysman3Events
Sysman2Events
I Sysman3évents
eu
- Copy and paste “Hx_Events” and “Hx_lIOPANBarcodesHashed”, or “Hz_Events” and
“Hz_lOPANBarcodesHashed” into ARQxxx Audit, depending on which files contain data (files
containing data will be over 12KB in size). As mentioned previously, both the ‘Hx’ and ‘Hz’ files
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE) Refi
Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
35 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
would contain data if the branch migrated from Horizon to HNG-X during the requested date
range. In that case, both sets of files must be moved to the ARQxxx folder.
- Rename the Excel Files to reflect the date range requested:
« “IOPPANBarcodesHashed” should be renamed with the ARQ requested date range e.g.,
01-30 April 2023,
« “Events” should be renamed as Events followed by the ARQ requested date range e.g.,
Events 01-30 April 2023,
- Once completed, there should be 3 files (2 Excel files and 1 ‘Readme first’ Word document). If
the branch migrated from Horizon to HNG-X during the requested date range, there will be 5 files
(4 Excel files and 1 ‘Readme first’ Word document).
ARQ Aut
Shave ew
» TisPC > MyUSB(E) » ARQ236 Aut
Coston tt 4 site
vents 1.3 Oct 20a: /ANENO3S Mise
SP eadne fit WUE/2N8 HL Rich Tet oma
The retrieved data must now be checked to confirm that the data matches the ARQ request, and that
there are no “Gaps”.
For ARQ requests received from Post Office Security, confirm the details in the ARQ Tracker match the
details on the ARQ request form.
For ARQ requests received from the Remediation team, confirm the details in the ARQ Tracker match
the details in the HSS ARQ request tracker attached to the request email from the Remediation team.
The following checks must be carried out:
- Open the “Readme first” file and confirm that:
a) The ARQ number is correct,
b) The financial year for the ARQ is correct e.g., 2324 for financial year 23-24
c) The email address is correct. This must be the Fujitsu email address of the team member
who processed and is sending the files to POL.
- Open the ‘Events dd-dd Month YYYY’ spreadsheet (e.g., Events 01-30 April 2023) and confirm
that:
a) Inthe ‘Summary’ tab:
I. The correct FAD is shown (The ‘Group' row),
ll. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range,
Ill. There are no ‘Gaps’ in the data i.e., column D shows ‘NONE’ under ‘Gaps’ (see 6.1
below)
b) In ‘Sheet’ tab:
I. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range.
- Open the Transactions spreadsheet (‘dd-dd Month YYYY’ e.g., 01-30 April 2023) and confirm
that:
c) In the ‘Summary’ tab:
I. The correct FAD is shown (The ‘Group' row),
IL. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range,
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 36 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Ill. There are no ‘Gaps’ in the data i.e., column D shows ‘NONE’ under ‘Gaps’ (see 6.1
below)
d) In ‘Sheet1’ tab:
I. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range.
If there are other query spreadsheets in addition to the above, the above checks must be carried out on
those as well.
6.1 Gaps and Duplicates
Duplicates are reported for Hx/Hz message data, although they are known to be benign. This is a
consequence of the harvesting software saving the messages twice i.e., duplicates for Hx/Hz message
data are true duplicate entries and are hence just additional copies of the same entries. They are not
entries that have been processed more than once, it is simply that the archive store has had multiple
copies written to it and the ARQ will rightly extract them all.
NOTE: Although Hx duplicates are checked for, no known duplicates exist; only Hz message data
duplicates have been discovered to date.
Agap in a message sequence may indicate that a message is missing from the audit data. If any Gaps
are shown in the Summary tab (column D), the following steps are to be followed:
Re-run the Fast ARQ on the other database (IRE11(B)/IRE19(W)). Also run the ARQ using the Slow
ARQ process (see section 9). Regardless of whether the returned data still has Gaps, seek assistance
from Audit support by logging a PEAK and assigning to Audit-Dev. Await confirmation from Audit-Dev on
which data can be sent to POL (revised process implemented Mar 2024).
IMPORTANT NOTE: If the investigation by Audit-Dev determines that there is a true Gap, then
this must be made VERY clear to POL when the ARQ response is sent. It will be stated on the
Summary tab already, but POL’s attention must be drawn to the presence of Gaps in the
covering correspondence sent to POL when they are notified that the ARQ response is ready. If
any true Gaps are found and the response to POL included such a warning, then this MUST be
added to the ARQ tracker for awareness by POA too. Fujitsu Legal and the POA DE MUST be
notified of any ARQ request responses that contain true Gaps BEFORE the response is sent to
POL so that it can be further reviewed prior to sending to POL.
Duplicates and Gaps MUST be recorded in the ARQ Tracker. Select YES/NO from the dropdown list in
the relevant column in the tracker. If Gaps were found and a PEAK was raised for investigation, the
PEAK reference number must also be recorded, together with any other comments.
NOTE: If the Post Office wish to view the duplicates, then FLWOR queries can be executed to identify
them. A PEAK (PC0309288) was raised on 20/02/2024 to add JSN to IOPPANBarcodesHashed which
will allow POL to immediately identify true duplicates.
7 File Encryption for checking
The processed ARQ will now be encrypted ready for checking by another member of the SecOps team,
before being sent to the relevant Post Office team. The encryption method is to create a self-extracting
PGP zip file using the Symantec Encryption Desktop application
- From the taskbar, select ‘Show hidden icons’ and locate the padlock icon:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 37 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
- Right click and select ‘Open Symantec Encryption Desktop’:
Upste Poy
Current Window
Cipboues
- Select ‘PGP Zip’ and ‘New PGP Zip’
- Drag the folder for the processed ARQ containing the files into the New PGP Zip window and
select ‘Next’:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 38 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
is acorn thet you sere es are flers or rage or Vane. Orag and hop your
a) Eventzor HOKE Microsoft Excel Wovksheat
symantec
‘rents somactrowe te eecure ya
Passos
"ype Cinert PGP Monthy Pasphrace
Yi symantec.
- On the next screen, browse to the ARQ folder (ARQxxx Audit created above), name the file as
appropriate e.g., ARQ 001, and Save:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 39 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
- The file will be PGP encrypted and saved to the chosen location. Select ‘Finish’:
nt Finished
Encryption Desktop SS paca:
=O%
Creating PGP Sef Decrypting Archive Events 01-31 Oct 2017.18
=) Reporting
Encrypting wth passphrase
Files & Folders
{01-31 Oct 2017
Events 01-31 Oct 2017aiox
I Readme int
Yi symantec
Copy the PGP encrypted ARQ data to your BitLocker encrypted USB, transfer it to your laptop, and copy
it to the SecOps team member's folder on the Security Operations corporate drive who will be checking
the ARQ data.
8 Checking
The retrieved ARQ data must be checked by another member of the SecOps team, prior to sending to
Post Office, to confirm that the data matches the ARQ request, and that there are no “Gaps”.
For ARQ requests received from Post Office Security, confirm the details in the ARQ Tracker match the
details on the ARQ request form.
For ARQ requests received from the Remediation team, confirm the details in the ARQ Tracker match
the details on the ARQ request form.
The following checks must be carried out:
- Open the “Readme first” file and confirm that:
d) The ARQ number is correct,
e) The financial year for the ARQ is correct e.g., 2324 for financial year 23-24
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 40 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
f) The email address is correct. This must be the Fujitsu email address of the team member
who processed and is sending the files to POL.
- Open the ‘Events dd-dd Month YYYY’ spreadsheet (e.g., Events 01-30 April 2023) and confirm
that:
e) Inthe ‘Summary’ tab:
IV. The correct FAD is shown (The ‘Group’ row),
V. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range,
VI. There are no ‘Gaps’ in the data i.e., column D shows ‘NONE’ under ‘Gaps’ (see 6.1
below)
f) In ‘Sheet’ tab:
ll. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range.
- Open the Transactions spreadsheet (‘dd-dd Month YYYY’ e.g., 01-30 April 2023) and confirm
that:
g) In the ‘Summary’ tab:
IV. The correct FAD is shown (The ‘Group’ row),
V. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range,
VI. There are no ‘Gaps’ in the data i.e., column D shows ‘NONE’ under ‘Gaps’ (see 6.1
below)
h) In ‘Sheet1’ tab:
ll. The ‘Filter Start Date’ and ‘Filter End Date’ match the requested ARQ’s date range.
If there are other query spreadsheets in addition to the above, the above checks must be carried out on
those as well.
Once the above checks have been performed (by another member of the SecOps team), and it has
been confirmed that the extracted data is correct, the processed ARQ can be PGP encrypted using
shared keys and sent to the relevant Post Office team via Quatrix. If any issues are found during
checking, the ARQ must be returned to the originator to be processed again.
9 File Encryption for sending to Post Office
To PGP encrypt the processed ARQ for sending to the relevant Post Office team via Quatrix, follow the
below steps.
- From the taskbar, select ‘Show hidden icons’ and locate the padlock icon:
- Right click and select ‘Open Symantec Encryption Desktop’:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 41 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
- Select ‘PGP Zip’ and ‘New PGP Zip’:
- Drag the folder for the processed ARQ containing the files into the New PGP Zip window and
select ‘Next’:
a
a) New Pap zip
- Select ‘Recipient keys’ and select ‘Next’:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 42 of 8
(ee)
FUJITSU
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
FUJ00243297
FUJ00243297
Encryption Desktop
GBsymantec
Encrypt
Choose how you want to encrypt to yeu reaplents. f you ae unsure of apartalar option
‘dckitto see an exlanaton baw
© Recipient keys
hove keys fr af recpents (not secure)
Passphrase
1 doithave keys fra ecpents, but they al use Enc ypton Desktop
PGP Self-Decrypting Archive
Recents donot uce Encryption Desktop
‘Sign Only
Create 3 PP Snare fe (ro enc yton)
Use ths option if youhave kes for al repents (on your Err yon Desitop keying,
bal
rectory). Itofers the hghestsecury. the enc ypted
Deskiap. Ifyou go not,
<oack (Next> enced Help
- Select ‘POL ARQ’ from the dropdown list and click on ‘Add’:
PGP Zip Assistant
ymante
Encryption Desktop
Bsymantec
‘Add User Keys
Enter User Keys for ecpients you wont to exevot
Enter the username or enad adress ofa key
Fujitsu ARQ
I Fujitsu anaz
I Fujitsu Series ADK
POL
- Select ‘Fujitsu ARQ’ from the dropdown list and click on ‘Add’:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN pag,
CONFIDENCE)
Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
43 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
PGP Zip Assistant
symant ‘Add User Keys
Encryption Desktop
Enter User Keys for ecpents you want to encrypt to,
Enter the uername or enol adress ofa key
: aa
Unknown XS are) }
I
I
I
Fujesu Services ADK I
POL Ana I
ktsuscom I
I
<tek (tet> cond te
antec Add User Keys:
neryption Deskto
Encryption De P. Enter User Keys for recixents you want to encrypt to.
Err the vere fed aes ofahey
1d
% tow ARQ Remove
Fj Services ADK
POLAR
GBsymantec
<tock (Wet) coal lo
Encrypting the files with the Fujitsu key as well as POL key will allow us to decrypt the files we
send to POL.
- Select ‘Next’ and select ‘Fujitsu ARQ’ from the dropdown list:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 44 of 8
(ee)
FUJITSU
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJ00243297
FUJ00243297
PGP Zip Assistant
Sign and Save
Encryption Desktop ‘Sgning your PGP Zp allows your redosents to verify its authenticity. Confirm your signing key
mz tse cabo beo
Seve Locabon
C:\ers\enbal nerve -FUITSUesktop rove.
GBsymantec.
<Back {Next> Cancel Heb
above), name the file as appropriate e.g., ARQ 001, and click ‘Next’:
PGP Zip Assistant
ymant Sign and Save
Encryption Desktop
‘Sone you PCP Zp alows your recbients to verify ts authentoty. Confem you sgrg key
fant te save eaton Belo
sovater
rats ARQ
I
I
Sow Keyra (
seve Lecten
C:Vieereroaioneve -UITSUDeop Seovee
Bsymantec.
<tc [uot> coe ve
- The file will be PGP encrypted and saved to the chosen location. Select ‘Finish’:
Enter the Passphrase for ‘Fujitsu ARQ’ key, browse to the ARQ folder (ARQxxx Audit created
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN. pag
CONFIDENCE)
Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SEC/WKI/451
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
FUJ00243297
FUJ00243297
Finished
Your PO Zp is seared
Creating PGP Sef Decrypting Archive Events 01-31 Oct 2017.ee
=) Reporting
I Encrypting wth passphraze
= [Riles & Folders
ij 01-31 Oct 201735:
Events 01-31 Oct 2017:
Reodme fist
Copy the PGP encrypted ARQ data to your BitLocker encrypted USB and transfer it to your laptop.
10 Sending the PGP encrypted files to Post Office
Once the ARQ files have been PGP encrypted, they must be sent to the relevant Post Office team via
Quatrix. This section describes the process for sending the encrypted files to Post Office.
- Access the Quatrix login page using the below link:
Quatrix
- Login using the Post Office provided shared account credentials
(contact the ISM or OSM for the login credentials)
‘Secure File Transfer
@
Secure and compliant file sharing
- Once logged in, click on the ‘Share Files’ link on the left of the screen:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN. pag
CONFIDENCE)
Version:
UNCONTROLLED WHEN PRINTED OR Date:
STORED OUTSIDE DIMENSIONS Page No:
SVM/SEC/WKI/451
7
1.0
10-Apr-2024
46 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
=@ —etooerer
remediationteam¢ ‘(for HSS ARQs).
Enter the ARQ number’ é"g., ARQ517 or HSS2738 as the ‘Subject’.
Click on ‘Add Files’ and navigate to the folder the PGP encrypted file was saved in (e.g.,
ARQ517 Audit). Alternatively, drag the file to the grey area on the screen:
= @__ sharers
- Once the recipient's email address and the Subject have been entered, and the file added, the
‘Share’ button on the right of the screen will be enabled. Click the ‘Share’ button to send the file
to the recipient.
This should be followed by an email to the relevant Post Office team to inform them that the requested
ARQ files have been sent. The following email templates are use
- For Post Office Security (GRO
Hi Steph,
ARQxxx has been sent via Quatrix.
This is protected by a private key.
Please confirm receipt of the above documents.
NOTE - If any Gaps are shown in the Summary tab, the following line must be added:
Please note the Summary tab indicates there are Gaps in the extracted data.
- For Remediation team
Hi,
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS PageNo: 47 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
ARQ HSSxxxx has been sent via Quatrix.
Please confirm receipt of the above documents.
This is protected by a private key. Please contact Steph Ball for the key passphrase.
If you require any further information, please let me know.
NOTE - If any Gaps are shown in the Summary tab, the following line must be added:
Please note the Summary tab indicates there are Gaps in the extracted data.
- For ARQs from Post Office Security
Interaction Logs only:
equesting Interface
Hi Steph,
ARQxxx has been sent via Quatrix.
This is protected by a private key.
Please confirm receipt of the above documents.
Please note that the Interface Logs contain GDPR data (names and addresses).
Fujitsu has included Interface Interaction logs in this ARQ response. These are not
“keystrokes” as this is not captured.
Fujitsu recommends in the strongest possible terms that the Post Office should not
rely on Interface Interaction records it has received from Fujitsu in any investigation
of potential fraud, theft, breach of contract or any other impropriety which is
suspected to have occurred at relevant Post Office branches. Interface Interactions
were Created by and are used by Fujitsu for internal support purposes only and we
would refer you to Simon Oldnall who has received a fuller explanation of the
purpose of this content and its use.
Once the requested ARQ files have been sent to the relevant Post Office team, they have been
informed by email (as above), and have acknowledged receipt of files, ensure that the ARQ Tracker
(ARQ Tracking 14-22.xIsx) has been updated with the following details:
e POIA Ref
« Audit Workstation Used
e Processed By
e Checked By
« Date sent to POL
« Gaps (see section 6.1)
e PEAK reference (for Interface Interaction Logs)
A copy of the PGP file sent to Post Office must then be saved in the ‘Encrypted ARQs sent to POL’
folder in the Security Ops’ network drive.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 48 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
11 Closing the ARQ
Once an ARQ has been processed, checked, sent to the relevant Post Office team, and
acknowledgement has been received, the ARQ must be closed to free space on the Archive server and
the Audit Workstation.
An active ARQ may be closed in one of 5 ways:
1. Select ‘Close ARQ’ from the File menu.
When opened from the File menu, the Close ARQ form will be displayed with the ‘Data Centre’
frame at the top of the form:
Deatewe [SCS
Query Reference bd ‘Show Query Details
Fes Names
Fienane I Size I Status I
Files Found 0 Select al [~
NoofFles Selected 0
See dl SeciedFiex 0
ee fe]
This allows the selection of the data centre from which the ARQ is to be closed. Select the
relevant data centre, select the ‘Query Reference’ e.g., ARQ517 or HSS2738, from the drop-
down list and click ‘Close Query’.
2. Click the ‘Close ARQ’ button in the toolbar.
When opened from the toolbar, the Close ARQ form will be displayed with the ‘Data Centre’
frame at the top of the form (see above). This allows the selection of the data centre from which
the ARQ is to be closed. Select the relevant data centre, select the ‘Query Reference’ e.g.,
ARQ517 or HSS2738, from the drop-down list and click ‘Close Query’.
3. Right click on the required data centre and select ‘Close ARQ’ from the drop-down menu.
When opened by right clicking a data centre, the ‘Data Centre’ frame is not shown in the form as
the data centre will automatically be set to the one which was clicked. Select the ‘Query
Reference’ e.g., ARQ517 or HSS2738, from the drop-down list and click ‘Close Query’.
4. Right click on an ARQ in the Data Centres window and select Close from the drop-down menu.
When opened by right clicking an ARQ, the ‘Data Centre’ frame is not shown in the form as the
data centre will automatically be set according to the data centre of the selected ARQ. In
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 49 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
addition, the ‘Query Reference’ drop down list will be disabled and pre-populated with the
selected query reference. Click ‘Close Query’.
5. Click the ‘Close ARQ’ button on a Fast ARQ form.
When opened by clicking the ‘Close ARQ’ button, the ‘Data Centre’ frame is not shown in the
form as the data centre will automatically be set according to the data centre of the ARQ. In
addition, the Query Reference drop down list will be disabled and pre-populated with the query
reference of the ARQ.
Reeth
- Toclose a Slow ARQ, right click on the ARQ in the Data Centres section on the left and select
“Close ARQ”.
- Confirm by clicking “Close Query”:
Quety Reference [Poia77945 ad ‘Show Query Details
Access Reason
faRaor
--Fles Names for AAG Relerence POIA77348
Filename I Size] Status ~
NO\_BROE-AUD 6 AUT aizioocy' soa azioan.tzai2. S362 Sealdk I=
FNOT_BROB_AUD_8 AUDIT 20210202113002_20210203.02042. 8081531 Seatdk =I
AUDIT 20210202113001 20210203 02042. 8161682 Sealdk
“AUDIT 2021020111300 2021020202024. 6031085, Sealdk
‘AUDIT 20210201113002 20210202 02226. 7890731 Sealdk
“AUDIT 2020201113001 20210202 02224: 808086 Sealdk
“AUIT20210131113001_2021 321225373 Sealdk
AUDIT 2021013011 3002 202N01H1~OzI64. 1278322 SeaDk
AUDIT 20210130113001_20210131-02164.. 8280955 Soak.
‘AUDIT 2021012911 3002 20210130_02424" 7808633, Sealk
Fo BROE-AUD8 AUDITZGZIOt2st13001 2021013000624... S248021 Sead v
Files Found a Select Al I
No ofFles Selected 1
Sive of Selected Files: $22.03 Kb
“Please note: Closing will mean no further updates are possible for this query.
- Acknowledge the message by clicking “OK”:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 50 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
e [ARQ POIAT7S4B has been closed.
An audit fog, named: 'RFIPOIA77948.tet,” has been created in
F\USERAREA
- When the Query has been closed click “Exit” to close the window.
QueyAeterence [SS ‘Show Quawy Detsis
‘Access Raton
faRaaor
Fes Names fo ARQ Reference POIA77348
ry a IY
FHOI_BROB_AUD_B AUDIT 2ozvoqn2T sta. mmaT0a0s Waa. S34862 Seabk Ig
FNOI_BROB_AUD_8_AUOIT 0710202113002 20210203 02242 S031 Sead
FRO1ZBROB_AUD_B-AUDIT20210202113001_ 20210203 02242. S16 1892 Sead
1"BROB_ALO_8_AUDIT2n210201 112008 202T0n2.02228.. 6031035 Sead
NOT_BRDB_AUO_®_AUDIT2021020111300220210202_02204.. 7890731 Seabk
FNO1_BROB_AUD_B-AUOIT20210201113001_2n210202_02204 8005086 Sead
FNOIIBROB_AUD_B-AUOIT20210131113001_2na10201-02232.. 1205373 Seadk
** Query Closed. No further updates to this query are possible. **
If an ARQ is locked (G3) or requires attention (8), it must be reset using the AEAdmin tool before it can
be closed. To reset the ARQ, open the AEAdmin tool on the desktop.
This will open the AEAdmin logon sceen:
Enterpassword: = =[
i Change User
ae Password
Enter the password and click ‘Continue’ (contact the ISM or OSM for the login credentials):
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 51 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
= AEAdministration Toolkit
Administration Audit Extractor Client Version
Administration I — AEC SSeS
Auditors I I Check connection Check Link
I Requesters I eee Reset ARQ. i
I I Close ARQ Close ARG I
View ARG list ARQ List
Select ‘Reset ARQ’:
em -
EnterARQ reference. [I chow details
Machine name:
dee nice tin ine SI
ARQ details
Exit Bockiomeny I Clear form I Resel th a I
Select the relevant data centre from the drop-down list, enter the ARQ reference’ e.g., ARQ517 or
HSS2738, click ‘Show details’, and select ‘Reset this ARQ’. This will reset the ARQ, and the status will
change to ‘Normal’ (@3) in the AEClient window. The ARQ can then be closed as described above.
Once the ARQ has been closed, the relevant folder (D:/[Your Folder]/ARQxxx) can be deleted. Note -
Ensure a copy of the PGP file sent to Post Office is saved in the ‘Encrypted ARQs sent to POL’ folder in
the Security Ops’ network drive, before the ARQ folder is deleted.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS
Page No: 52 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
12 Raising a PEAK for SSC to provide the Interface
Interaction Logs
If an ARQ request for ‘Interface Interaction Logs’ is received from Post Office Security, a PEAK must be
raised for the SSC team to provide the requested logs. Before raising the PEAK, save the ARQ request
form attached to the ARQ request email received from the Post Office Security team. Compose an
email and enter the following:
Recipient: news
Subject: [ARQ number] [Branch name] [FAD] Request for Interface Logs
e.g., ARQ 513 Swaffham 052131 Request for Interface Logs
Body: Hi SCC,
Please can you provide the interface logs for the attached ARQ request.
Regards,
Attach the ARQ request form saved earlier. Before sending the email, ensure your email signature is just
your name and contact details. Remove all other icons and links to simplify what gets sent to Peak.
Sending the email will generate a PEAK assigned to SSC and you will receive an automated email from
PEAK with the PEAK reference number. This must be entered in the ‘PEAK Ref field in the ARQ
Tracker.
Fujitsu has explained to POL what the Interface Interaction logs are. This is important to note:
The feature to capture interface interactions within the POC log (“Interface Interactions”) was created by
Fujitsu for the sole purpose of helping its internal support teams. The Interface Interactions only contain
the interactions that the Fujitsu development team chose to include in such diagnostic logs for internal
support purposes. The logging does not include all clerk interactions and the diagnostic log content was
not designed to be shared with the Post Office. The diagnostic log content is embedded within the POC
log which contains log content from many other parts of the CBA and it needs to be carefully extracted
from the overall content within the POC log. The POC log is only held on the local counter for a finite
period of time in a flat text file that is not subject to any encryption or tamper controls. It is not backed up
to Fujitsu's knowledge, and is also lost if a counter is replaced by Computacenter. The content of the
Interface Interactions has not been tested to validate that it always captures all interactions as it is not a
required functional part of the Horizon CBA. It is simply diagnostic log content to help Fujitsu support
Staff.
The Interface Interactions are therefore a manifestly inadequate formal record of the interactions a clerk
may have at a counter in Post Office branches.
Furthermore, the responses sent to POL which contain Interface Interaction logs must include the
following text as mentioned above:
Fujitsu has included Interface Interaction logs in this ARQ response. These are not ‘keystrokes’ as this is
not captured.
Fujitsu recommends in the strongest possible terms that the Post Office should not rely on Interface
Interaction records it has received from Fujitsu in any investigation of potential fraud, theft, breach of
contract or any other impropriety which is suspected to have occurred at relevant Post Office branches.
Interface Interactions were created by and are used by Fujitsu for internal support purposes only and we
would refer you to Simon Oldnall who has received a fuller explanation of the purpose of this content and
its use.
13 Gathering HSD logs
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 53 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION .
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
Access the HSD database using the following link:
TES Branch Search (fujitsu.com)
Branch Search: ___] Start Date:/sa/mm/yyyy I End Date:Iod/mmiyyyy ©
Progress Search: I) Start Date:
‘Text Search(DSAR)
Enter the Branch code (FAD) in the ‘Branch Search’ field.
Enter the ‘Start Date’. This must be the start date of the requested date range.
Enter the ‘End Date’. This must be the start date of the requested date range.
‘Start Date’ and ‘End Date’ must be the start and end date of the month for the relevant ARQ. If an ARQ
request is for multiple ARQs covering several months, they must be processed one ARQ at a time i.e.,
one ARQ for one month.
Once the above details have been entered, click on ‘Branch Search’.
- If there are no HSD calls for the specified period, a blank screen will be returned:
Branch Search: 22311 ‘Start DaterIoijos/200e ©) End Dater(20/00/2008 _)
Progress Search: I Start Dote!Iss/menvyyyy_8) End Date! sine yyy 5) [Pro
‘Text Search(O5AR): I I_ Start Date:/da/men/yrry_)_End DatesIae/mm/vvvy _©) (1 Exclude Address Matches [Text Search
- If there are HSD calls for the specified period, they will be displayed on the screen:
Tet Sere
Se ec eon 8 (at cue nd)
Sates Oe eet Raia cine eect ‘sae "aie
- Save the HSD calls by clicking on ‘Export TFS tickets to Zip’:
‘ranch Sar sa ‘So ate) Ent tise Sa Src sn 98 th ot de
Drones Sanh [Pes Ss
“ot snc O548 I icine Ans Mtr [Tea Soh
- The file will be saved to the Downloads folder and will contain the HSD calls in html format:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIAL IN oe SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 54 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
ee]
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
@ 71538.ntmI
@ 76941.ntmi
@ 79251.ntmi
@ 82727:ntmI
- Each file can then be saved to the relevant ARQ folder.
HSD calls after June 2018, must be obtained from TfS. Search for incidents by searching for the branch
code:
Tac Ines *
6 results for "200405" Poop Usa 4
Poop Leatons a
Tesks-Incdens tof)
200405:176-072.0) fle to nse sateen ransaction ecard
NexP-200405--0P-2408-18:RR-0903:Unexpected provide respons: ¢
Fes changes on BAL servers
14 PAN Decryption
As previously stated, the IOPPANBarcodesHashed query only provides the hashed PAN. If a full
PAN is requested, the 'IOPPANBarcodes' query, which provides the encrypted PAN, must also be
run. The PAN Management dialogue screen can then be used to decrypt the encrypted PAN.
NOTE - The hashed and encrypted PANSs are only available for transactions in a branch before that
branch migrated to PBS. Post-PBS, only the ‘truncatedPAN’ is provided by the
IOPPANBarcodesHashed query. The tokenized PAN, which POL would require to obtain the full
PAN, can be provided by running the PBSDetails query.
To obtain the decrypted PAN:
- Select ‘Tools’ and select ‘PAN Manipulation’:
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 55 of 8
FUJ00243297
FUJ00243297
o AUDIT EXTRACTION - LOCAL WORK INSTRUCTION 7
FUJITSU FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
1 IRE19 (W)-Comected
- The PAN Management dialogue screen will be displayed:
‘Data Cente I ea)
Enter PAN : : oo
Enty Type [Cleat =] Bet I
PAN [ :
Hached PAN ‘ <
Let — — — SSS +
- Select the relevant Data Centre:
{IRE11 (B)
IRE13 [w) 7
EntyType [ler Decynt I I
I
ee
- Select ‘Encrypted’ from the ‘Entry Type’ drop-down list:
© Copyright Fujitsu 2022-2024 FUJITSU RESTRICTED (COMMERCIALIN gag SVM/SEC/WKI/451
CONFIDENCE) ef 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS. Page No: 56 of 8
FUJ00243297
FUJ00243297
AUDIT EXTRACTION - LOCAL WORK INSTRUCTION
FUJITSU RESTRICTED (COMMERCIAL IN
CONFIDENCE)
(ee)
FUJITSU
Data Centre [iRE11 (8) eal
Enter PAN
Entiy Type Clear x
PAN Clear
Hashed PAN Hached
Exit
- Enter the Encrypted PAN (from the 'l\OPPANBarcodes' query) in the ‘Enter PAN’ field and click
‘Decrypt’. The ‘PAN’ and ‘Hashed PAN’ fields will be populated. The ‘PAN’ field will show the full
decrypted PAN. The entry in the ‘Hashed PAN’ field must match the ‘Hashed PAN’ in the
‘IOPPANBarcodes’ query. Save the decrypted PAN in a text file named “Decrypted PAN” and
provide the file alongside other ARQ data. The Transactions file (output from
IOPPANBarcodesHashed) MUST NOT be edited to include the decrypted PAN.
NOTE - A PEAK (PC0309286) was raised on 20/02/2024 to generate a file containing the decrypted
PAN. Once the solution has been provided, this file must be supplied as a separate file containing
the decrypted PAN i.e., the Excel file (output from IOPPANBarcodesHashed) must not be edited to
show the decrypted PAN. This document will be updated once the solution is in place.
© Copyright Fujitsu 2022-2024
FUJITSU RESTRICTED (COMMERCIAL IN por. SVM/SEC/WKI/451
CONFIDENCE) 7
Version: 1.0
UNCONTROLLED WHEN PRINTED OR Date: 10-Apr-2024
STORED OUTSIDE DIMENSIONS Page No: 57 of 8