POL00002356 - Post Office Action Summary (0.3) Report

INTERNAL

Document Control

1 Overview

Redacted Action Summary

James Rees

Emma McGinn

Julie George

2 Revision History

12 June 2014

POL00002356

Version  Date          Author        Change
v0.1     5 June 2014   James Rees    First Draft
v0.2     10 June 2014  Emma McGinn   Reviewed
v0.3     12 June 2014  Julie George  Final review and sign-off

F/1222/1

Horizon Solution, with suggested controls Post

Redacted

4.1 Governance

4.1.1 Horizon Management Council

Since Horizon is a critical business function of the Post
Office estate, a management council should be created to
ensure the ongoing oversight, management and support of this
business-critical infrastructure going forward, in addition to
the current Information Security Management Forum.

Risks and issues relating to the Horizon solution of a high or
critical nature should be flagged to this group, which will
review them and take appropriate action to maintain the
integrity of this business-critical asset.


Recommended remediation:

Creation of a Horizon Management Council made up of one
representative from each organisation (Post Office, Atos and
Fujitsu). This council may have additional members, but no
more than 6 primary council members should be appointed. Any
other individuals required should be brought in as ADVISORY
members only when specialist advisory skills are required;
they do not have a say in the management of the solution,
which is the province of the primary members.

This group should meet quarterly, as a minimum, or after any
significant change or issue.

It is further recommended that a similar Management Council
should be set up for all critical business functions.

4.1.2 Documentation Update and Ongoing Maintenance
Current, accurate and auditable documentation is imperative to
the management of a critical business asset such as Horizon.

Recommended remediation:
A complete document pack to be created that outlines at least
the following items:

• Policies
• Procedures
• Standards
• Development roadmap
• Solution overviews
• Solution diagrams
• Risk register
• Detailed solution documentation (technical)
• Business continuity

This document pack would need to be centrally owned, managed
and maintained and would possibly also include information
regarding how Horizon handles accounting and financial
information.


A single change control process covering all the pertinent
points will efficiently and effectively track changes that
occur in that environment from both a technical and a
development viewpoint. This will, in turn, need to include the
updating of the Horizon infrastructure documentation as part of the

Redacted

Recommended remediation:

The creation of a process for recording, authorising, testing
and implementing all changes within the Horizon solution. The
process must be effective and must ensure that all appropriate
parties are informed as changes occur.

The change control process needs to be effective and to
support a reporting function that tracks how Horizon has
evolved over time, tracks the risks and the critical business
assets, and allows a far greater understanding of the
solution and what is required to secure it.

This should be the responsibility of all three organisations
(Post Office, Atos and Fujitsu), and all should support that
process.

4.1.4 Financial Reviews

Redacted

Technical issues and connectivity issues will always be a
risk within any technical environment, and it is strongly
advised that a program is put in place to undertake auditable
controls, ongoing training, spot checks and regular reviews
from Post Office's Audit department to make sure that errors
in processing are kept to a minimum and are quickly
identified.

Recommended remediation:

The creation of an audit program by Post Office’s Finance
department in order to review samples of data from sub-
postmasters. This would ensure consistency of accounts and
enable a higher chance of detecting errors in accounts due to
problems with Horizon.

Reports should be generated after each audit and used to
improve the Horizon product, as well as provide auditable
records of assurance; this should feed into the Horizon
Management Council for considered remediation.

Workshops should be undertaken on the financial accounting
aspects of Horizon, with appropriate controls introduced as
determined by the resultant gap analysis exercise, and
training provided in support of the controls and system.

4.1.5 Risk Assessment

Redacted


Recommended remediation:

Undertake a full risk profiling and assessment in order to
identify the key assets and the risks associated with those
assets that make up the Horizon solution. This would include
full oversight of Fujitsu's Horizon risk management
documentation, which should have been produced as part of the
PCI DSS and ISO 27001 information security requirements.

The risk assessment information gathered from this process
should be updated regularly and feed into the change control
process (as well as the change control process feeding into
the risk management process) to ensure that a greater level of
security oversight and involvement is promoted.

Horizon is a critical business asset to the Post Office and,
as such, risks to this environment need to be clearly
understood and treated.


4.1.6 IT Assurance

Recommended remediation:

A Post Office IT Assurance function needs to hold regular
reviews and updates with key Fujitsu staff, as with all
critical business systems, ensuring that the Horizon platform
is carefully developed in line with ever-changing business
needs. This should be driven by the Post Office business
process, be a function separate from operational IT Services,
and have oversight from the Horizon Management Council.

It is strongly advised that, in the long term, a roadmap is
developed to outline expected changes and improvements to
Horizon. Such a roadmap may already be in place and, if so,
its contents need to be carefully released so that risk
assessment and risk management can be effective.

4.2 Technical

Redacted data is held within Horizon for seven years, which
[...] retention period legal requirements, [...] this may not
be enough in some cases.

Recommended remediation:

The retention periods should be carefully reviewed by Data
Protection professionals and key business departments that own
this data, preferably with oversight from the Finance
department. If longer retention periods are required then
this needs to be defined both from a governance and technical
perspective.

There are numerous technical possibilities to cater for this,
but this should be defined once retention periods have been
agreed.

4.2.2 Data Logging
Redacted it was possible for someone with privileged access to
delete data from specific areas of Horizon. This is always a
risk with individuals using admin or power user accounts, and
it is a persistent risk that needs to be catered for in almost
any organisation.

Due to the sensitive nature of the information contained in
the databases, monitoring of those databases should be put in
place using technology to detect and record deletions and
administrative changes to the databases. If possible, alerts
should also be generated for mass deletions and high-risk
changes to database schemas.

Recommended remediation:

The solution currently in place may be able to undertake the
level of logging required within the Horizon solution. It is
recommended that the current logging configuration and the
logs themselves are reviewed on a daily basis.

This needs to be investigated further and the options on how
to handle this defined through the risk management process and
based on the solutions already in place or ones that could be
procured to handle this.
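Section 4.2.2 calls for monitoring that records deletions and administrative changes to the Horizon databases and raises alerts for mass deletions and high-risk schema changes. The script below is an added example of that detection logic; it is not code from this report or from any Post Office, Atos or Fujitsu system. It runs over a constructed key=value audit-log format (the field names, the sample users, and the 1,000-rows-within-5-minutes threshold are all assumptions) and shows a per-user sliding-window mass-deletion rule, a schema-change rule, and the per-user deletion summary that the daily log review recommended above would consume.

```python
"""Detect mass deletions and high-risk schema changes in database audit logs.

Added example, not part of the original report. The audit-log format,
field names, thresholds and sample lines are assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Constructed sample log: one event per line, "<timestamp> key=value ...".
# No real Horizon data; users, databases and tables are invented.
SAMPLE_LOG = """\
2014-06-10T09:15:02Z user=clerk17 db=branch_ledger op=DELETE table=transactions rows=1
2014-06-10T09:16:40Z user=dba01 db=branch_ledger op=DELETE table=transactions rows=400
2014-06-10T09:17:05Z user=dba01 db=branch_ledger op=DELETE table=transactions rows=350
2014-06-10T09:17:30Z user=dba01 db=branch_ledger op=DELETE table=transactions rows=300
2014-06-10T09:45:00Z user=dba02 db=branch_ledger op=ALTER_TABLE table=transactions rows=0
2014-06-10T10:02:11Z user=dba01 db=branch_ledger op=UPDATE table=transactions rows=2
2014-06-10T12:00:00Z user=dba02 db=branch_ledger op=DROP_TABLE table=audit_trail rows=0
"""

HIGH_RISK_DDL = {"DROP_TABLE", "ALTER_TABLE", "TRUNCATE"}   # assumed op names
MASS_DELETE_ROWS = 1000                 # assumed threshold: rows per user per window
MASS_DELETE_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    db: str
    op: str
    table: str
    rows: int


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    user: str
    detail: str


def parse_line(line: str) -> AuditEvent:
    """Parse one '<ISO-8601 UTC timestamp> key=value ...' audit line."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuditEvent(ts, fields["user"], fields["db"], fields["op"],
                      fields["table"], int(fields.get("rows", "0")))


def detect(lines: Iterable[str]) -> list[Alert]:
    """Return alerts for schema changes and per-user mass deletions, in log order."""
    alerts: list[Alert] = []
    # Per-user sliding window of recent DELETE events as (timestamp, rows).
    windows: dict[str, deque[tuple[datetime, int]]] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev.op in HIGH_RISK_DDL:
            alerts.append(Alert("high", "schema_change", ev.user,
                                f"{ev.op} on {ev.db}.{ev.table} at {ev.ts.isoformat()}"))
        if ev.op == "DELETE":
            win = windows.setdefault(ev.user, deque())
            win.append((ev.ts, ev.rows))
            # Drop events that fell out of the window relative to this event.
            while win and ev.ts - win[0][0] > MASS_DELETE_WINDOW:
                win.popleft()
            total = sum(rows for _, rows in win)
            if total >= MASS_DELETE_ROWS:
                alerts.append(Alert("critical", "mass_delete", ev.user,
                                    f"{total} rows deleted from {ev.db} within "
                                    f"{MASS_DELETE_WINDOW} ending {ev.ts.isoformat()}"))
                win.clear()   # one alert per burst; the next needs a fresh threshold
    return alerts


def daily_deletion_summary(lines: Iterable[str]) -> dict[str, int]:
    """Total rows deleted per user: the record a daily log review would inspect."""
    totals: dict[str, int] = {}
    for raw in lines:
        if raw.strip():
            ev = parse_line(raw.strip())
            if ev.op == "DELETE":
                totals[ev.user] = totals.get(ev.user, 0) + ev.rows
    return totals


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert.severity}] {alert.rule}: {alert.user}: {alert.detail}")
    print("deleted rows per user:", daily_deletion_summary(SAMPLE_LOG.splitlines()))
```

On the constructed sample this raises one mass-deletion alert for dba01 (1,050 rows across three DELETEs inside 50 seconds) and two schema-change alerts for dba02, while the single-row clerk deletion and the UPDATE pass silently. In practice the thresholds, the op names, and the set of privileged accounts would be set through the risk management process the section describes, and the alerts would feed a ticket queue rather than stdout.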
