HANDOVER NOTES FROM DAVE KING - 02/09/98
HORIZON/POCL SIE Roles
Horizon Technical Assurance will continue to be responsible for the security of the
technical aspects of the service provided by ICL Pathway Ltd, and ensuring it meets
the requirements and standards of the sponsors. Horizon business assurance will
perform the same function in respect of the business procedural side of the service.
The main point of contact between Horizon and the POCL security community will be
through Ruth Holleran, for the operational aspects, and Peter Charlton, for the
technical ithin Horizon, the technical assurance team is managed by Jeremy
and the business assurance team by Colin Oudot; GRO}
Horizon Product Assurance will continue to ensure that Pathway comply with the
requirements specified by the sponsors, and work with Pathway towards achieving an
acceptable service.
There are a number of areas which have previously been dealt with by Horizon, but
which are, strictly, outside of the contracted service, and should properly be dealt with
by the sponsor organisations directly.
Information Systems Security Issues
These issues appear to be proper to Mike Harris as the POCL Information Systems
Security Manager. Historically a number of these issues have been taken forward by
Horizon as the role of IS security manager had not been allocated within POCL. Asa
result, the standards for the service provided by ICL Pathway Ltd were formulated
from BS7799, and the DSS DITSS documents, and through consultation with the
sponsors.
The responsibility of the IS Security Manager with respect to Horizon is to be the main
contact in POCL for assurance that the standards being applied to the IS system
provided by ICL Pathway Ltd, comply with those of POCL. This will involve the
review, and sign-off, of various documents detailing technical and procedural aspects
of the service.
Technical assurance will conduct audits of the physical security at sites in their
assurance role, but will apply the standards of the sponsor organisations. Documented
standards will be required by Ian Stevenson in order to conduct that work.
In the area of EPOSS Access controls, which are being dealt with by business
assurance (Graeme Seedall) the IS Security Manager will need to provide the
appropriate standards to be applied, for instance parameters password control. There
are also procedures required for the registration of users, and the provision of non-
standard access to the office platform. These need to be formulated to comply with
POL00029136
POL00029136
the standards of the business.
The design to date has been to comply with BS7799, DITSS, and Post Office
corporate standards, and a considerable amount of work has already been done. There
would not appear to be a great deal of design work needed, unless POCL standards
deviate dramatically from those already applied.
Horizon will continue to monitor security events which arise in the Pathway service,
but there will need to be a contact within POCL, and a feed into, and out of, POCL’s
own Security Event Management system.
Documents detailing the security aspects of the service will be provided, together with
an update on the current position, prior to my departure
Business/Operational Security Issues
The Fraud Case Management Service, in so far as the BA contracted service, will
continue to be managed by Horizon business assurance (John Cunningham) until
transfer of responsibility to BA Security. A demonstration of the Fraud Case
Management Service has been arranged for 17/9, and any further negotiations with
regard to undertaking a scoping exercise on behalf of POCL should be direct with
Graham King. If POCL do decide to purchase Pathway system Horizon business
assurance will negotiate with Pathway for the provision of a service to satisfy the
requirements provided by POCL. The technical assurance of the service provided
would be dealt with by horizon Technical assurance
The slides used during the Horizon facilitated Regional Awareness visits have been
passed to POCL SIE, and any further such events will be undertaken by Bob Martin.
Horizon Service Management currently pass details of any incidents with a security
implication to Sarah Jury-Onen or John Cunningham. Where these indicate the
possibility of fraud within the BA services, they are passed to BA Security. There
needs to be a similar link for POCL related incidents, into SIE, and this should be
negotiated directly with service management.
Security Assurance, acceptance, and release authorisation will continue to be managed
by Horizon, and recognised channels into the sponsor organisations have been
instituted. For POCL, the contact points with Horizon are Ruth Holleran, for business
matters, and Peter Charlton, for technical matters. The previous SLA between SIE
and the, now defunct, Fraud and Security Group, should now be with these people.
SIE will need to take more ownership of the security related business requirements,
which appear across a number of Acceptance Test Specifications.
Contact with BA Security, currently Darryl Dixon, will need to be maintained to
ensure that access to POCL information, supplied to BA security for fraud and risk
management, continues. There is a need to ensure that the interests of POCL with
regard to the investigation of any suspected dishonesty by their staff, and agents, are
protected.
POL00029136
POL00029136
The POCL business owner for the Benefit Payment Service is Mike Hannon, to would
queries may be addressed, and who will require input to the security related aspects of
that service. A similar role for the other automated products is taken by Mark Burley.
Business security controls, await contact from Sarah JO. [DN: Bob, I’m not sure
what this means.I
Security Testing will continue to be managed by Horizon, and an established forum is
in place for the review of any test failures. Input from SIE will be required towards
the end to the testing phases for the allocation of business impact to any technical
deficiencies, and procedural work-arounds.
Work has been undertaken under the guise of Business Audit, with Tom Patterson, to
cover various aspects which have a security and audit interest. Contact with this
group should be maintained to ensure that continued consideration is given to the
needs of POCL staff investigating potential dishonesty.
The technical tests which are required to ensure the system can be certified under
PACE are being devised by technical assurance and Pathway. The procedures for the
production of the certificates, and any joint work with BA Security on the formulation
of a “test” case should be undertaken by SIE. These procedures, in so far as they are
completed by ICL Pathway, are part of the Security Assurance Specification, and the
subject of a separate document. A copy of the current proposed Pathway certificate,
which has been reviewed by both BA and POCL lawyers, will be provided.
SIE will be responsible for the formulation of relevant procedures for the conduct of
investigations, and prosecution, and copies of the previous work by Horizon on this
subject will be provided.
POL00029136
POL00029136