POL00031409 - Draft Zebra action summary ( V.0.3)


INTERNAL

Zebra Action Summary

Document Control

1 Overview

James Rees

Emma McGinn

Julie George

2 Revision History

12 June 2014


v0.   5 June 2014   James Rees    First Draft
v0.2  10 June 2014  Emma McGinn   Reviewed
v0.3  12 June 2014  Julie George  Draft review and sign-off


1 Introduction

This document is in response to the Zebra review and
highlights specific areas regarding the Horizon solution,
outlined in Deloitte’s report, with suggested controls Post
Office could implement to mitigate the areas the project
highlighted.

2 Scope

The scope of this document is those areas covered in the Zebra
report only and does not include any other areas outside the
scope of that report.

3 Zebra - Overview

Deloitte’s Zebra report has outlined a number of areas
relating to the Horizon solution requiring remediation and/or
changes in order to protect and maintain the integrity of
Horizon on an ongoing basis. These would provide a greater
level of support and assurance of the Horizon platform through
Fujitsu as the service provider, Post Office as the customer
and, potentially, Atos, as a key service provider for the IT
governance service.

Other areas of the Horizon solution highlighted in the report
that require further investigation and remediation are the
audit and risk management aspects together with the oversight
and governance of the Horizon solution.

4 Zebra - Remediation Items

are the recommendations for the remediation of the items
outlined in the Zebra report as well as the board summary

4.1 Governance

There were a number of governance items outlined as failings
in the report that need to be addressed and recommendations
pertinent to these items are as follows:

4.1.1 Horizon Management Council

Since Horizon is a critical business function of the Post
Office estate a management council should be created in order
to ensure the ongoing oversight, management and support of
this business critical infrastructure going forward, this is
in addition to the current Information Security Management
Forum.

Risks and issues relating to the Horizon solution of a high or
critical nature should be flagged to this group who will then
review them and take appropriate action to maintain the
integrity of this business critical asset.


Recommended remediation:

Creation of a Horizon Management Council made up of one
representative from each organisation (Post Office, Atos and
Fujitsu). This council may have additional memberships but no
more than 6 primary council members should be appointed. Any
other individuals required should be brought in as ADVISORY
members only when specialist advisory skills are required, and
do not have a say in the management of the solution, this is
the province of the primary members.

This group should meet quarterly, as a minimum, or after any
significant change or issue.

It is further recommended that a similar Management Council
should be set up for all critical business functions.

4.1.2 Documentation update and ongoing Maintenance

Current, accurate and auditable documentation is imperative to
the management of a critical business asset such as Horizon.

One significant failing outlined throughout the main report
was the lack of information available to Deloitte when
reviewing Horizon, including process, procedure and governance
documents, and this should be resolved as soon as possible.

Recommended remediation:

A complete document pack to be created that outlines at least
the following items:

• Policies
• Procedures
• Standards
• Development roadmap
• Solution overviews
• Solution diagrams
• Risk register
• Detailed solution documentation (technical)
• Business continuity

This document pack would need to be centrally owned, managed
and maintained and would possibly also include information
regarding how Horizon handles accounting and financial
information.

4.1.3 Change Control

A number of items outlined in the report related to the lack
of an effective governance process for recording and
maintaining changes to the Horizon infrastructure. This was a
common theme throughout the report and is an item high on the
list for resolution within Post Office (ISAG), Atos and
Fujitsu.


A single change control process covering all the pertinent
points will efficiently and effectively track changes that
occur in that environment from a technical and development
viewpoint. This will, in turn, need to include the updating of
the Horizon infrastructure documentation as part of the
process as the documentation was highlighted in the report as
failing.

Recommended remediation:

The creation of a process for recording, authorising, testing
and implementing all changes within the Horizon solution which
is both effective and ensures that all appropriate parties are
informed as changes occur.

The change control process needs to be both effective and
support the reporting function to track how Horizon has
evolved over time, track the risks and the critical business
assets as well as allowing a far greater und
solution and what is required to se

This should be the responsibility of all three organisations
(Post Office, Atos and Fujitsu) and all should support that
process.

4.1.4 Financial Reviews

One of the main concerns within the Deloitte report is the
balancing of financial accounts and the potential for errors
should certain technical issues arise. Technical issues and
connectivity issues will always be a risk within any technical
environment and it is strongly advised that a program is put
in place to undertake auditable controls, ongoing training,
spot checks and regular reviews from Post Office’s Audit
department to make sure that errors in processing are kept to
a minimum and quickly identified.

Recommended remediation:
The creation of an audit program by Post Office’s Finance
department in order to review samples of data from sub-
postmasters. This would ensure consistency of accounts and
enable a higher chance of detecting errors in accounts due to
problems with

Reports should be generated after each audit and used to
improve the Horizon product, as well as provide auditable
records of assurance; this should feed into the Horizon
Management Council for considered remediation.

Workshops should be undertaken on the financial accounting
aspects of Horizon, with appropriate controls introduced as
determined by the resultant gap analysis exercise and training
in support of the controls and system.

4.1.5 Risk Assessment
The Deloitte report advised that Horizon should undergo a full
risk assessment to highlight the key assets that comprise the
Horizon solution, including the risks associated with those
assets. This should be undertaken exclusively by Information
Security professionals together with key Fujitsu staff.

Recommended remediation:

Undertake a full risk profiling and assessment in order to
identify the key assets and risks associated with those assets
that make up the Horizon solution. This would include full
oversight of Fujitsu’s Horizon risk management documentation
that should have been undertaken as part of the PCI DSS and
ISO27001 Information Security requirements.

The risk assessment information gathered from this process
should be updated regularly and feed into the change control
process (as well as the change control process feeding into
the risk management process) to ensure that a greater level of
security oversight and involvement is promoted.

Horizon is a critical business asset to the Post Office and,
as such, risks to this environment need to be clearly
understood and treated.


4.1.6 IT Assurance

Deloitte highlighted in the report that there was a lack of
assurance in the technical oversight of the Horizon solution
throughout the Horizon lifetime. This was quite specific to
traceability as well as the tracking of changes and oversight
into future development.

Recommended remediation:

A Post Office IT Assurance function needs to have regular
reviews and updates with key Fujitsu staff, as with all
critical business systems, ensuring that the Horizon platform
is carefully developed in line with ever changing business
needs. This should be driven by the Post Office business
process, be a function separate from operational IT Services
and with oversight from the Horizon Management Council.

It is strongly advised that, in the long term, a roadmap is
developed to outline expected changes and improvements to
Horizon, these may already be in place and, if so, need to be
carefully released in order for the risk assessment and
management to be effective.

4.2 Technical

There were a number of technical items outlined as failings in
the report that need to be addressed; recommendations
pertinent to these issues are as follows:

4.2.1 Data Retention

The report outlined that data is held within Horizon for seven
years, which is in line with the UK retention period legal
requirements, though the report infers that this may not be
enough in some cases.

Recommended remediation:
The retention periods should be carefully reviewed by Data
Protection professionals and key business departments that own
this data, preferably with oversight from the Finance
department. If longer retention periods are required then
this needs to be defined both from a governance and technical
perspective.

There are numerous technical possibilities to cater for this,
but this should be defined once retention periods have been
agreed.

4.2.2 Data Logging

One point raised in the report was that it was possible for
someone with privileged access to delete data from specific
areas of Horizon. This is always a risk with individuals
using admin or power user accounts and is a persistent risk,
one that needs to be catered for in almost any organisation.

Due to the sensitive nature of the information contained in
the databases, monitoring of those databases should be put in
place using technology to detect and record deletions and
administrative changes to the databases. If possible, alerts
should also be generated for mass deletions and high level
risk changes to database schemas.
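
The monitoring described above, sketched as an added example that is not part of the original document or of the Horizon solution: it records every deletion and administrative change from a database audit trail and raises alerts for mass deletions and schema changes. The log format, account names, table names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: timestamp | account | rows affected | statement.
# The format, account names and table names are hypothetical.
SAMPLE_AUDIT_LOG = """\
2014-06-12T09:00:01|app_service|1|INSERT INTO txn_journal VALUES (...)
2014-06-12T09:05:10|dba_admin1|3|DELETE FROM txn_journal WHERE id IN (...)
2014-06-12T09:06:30|dba_admin1|4200|DELETE FROM txn_journal WHERE branch = 17
2014-06-12T09:07:02|dba_admin2|400|DELETE FROM txn_journal WHERE branch = 18
2014-06-12T09:09:45|dba_admin2|700|DELETE FROM txn_journal WHERE branch = 19
2014-06-12T09:20:00|dba_admin1|0|ALTER TABLE txn_journal DROP COLUMN audit_ref
2014-06-12T09:21:00|dba_admin1|0|GRANT DELETE ON txn_journal TO temp_user
"""

SCHEMA_CHANGE = re.compile(r"^\s*(ALTER|DROP|TRUNCATE|CREATE)\b", re.I)
ADMIN_CHANGE = re.compile(r"^\s*(GRANT|REVOKE)\b", re.I)
DELETE = re.compile(r"^\s*DELETE\b", re.I)

def review(log_text, mass_rows=1000, window=timedelta(minutes=10)):
    """Return (records, alerts): every deletion/admin/schema event is recorded;
    mass deletions and schema changes additionally raise an alert."""
    records, alerts = [], []
    recent = defaultdict(list)  # account -> [(time, rows)] of recent deletes
    for line in log_text.splitlines():
        ts, account, rows, stmt = line.split("|", 3)
        when, rows = datetime.fromisoformat(ts), int(rows)
        if SCHEMA_CHANGE.match(stmt):
            records.append((ts, account, "schema_change"))
            alerts.append((ts, account, "HIGH: schema change"))
        elif ADMIN_CHANGE.match(stmt):
            records.append((ts, account, "admin_change"))
        elif DELETE.match(stmt):
            records.append((ts, account, "delete"))
            # Sum this account's deletes inside the sliding window so that a
            # large deletion split into smaller statements is still caught.
            recent[account] = [(t, n) for t, n in recent[account]
                               if when - t <= window] + [(when, rows)]
            total = sum(n for _, n in recent[account])
            if total >= mass_rows:
                alerts.append((ts, account, f"HIGH: mass deletion ({total} rows)"))
                recent[account].clear()  # avoid re-alerting on the same rows
    return records, alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_AUDIT_LOG)[1]:
        print(alert)
```

The audit trail itself should be written somewhere the monitored privileged accounts cannot modify, otherwise the same access that deletes data can also delete the record of it.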

Recommended remediation:

The solution currently in place may be able to undertake the
level of logging required within the Horizon solution. It is
recommended that the current logging and logs are reviewed on
a daily basis.

This needs to be investigated further and the options on how
to handle this defined through the risk management process and
based on the solutions already in place or ones that could be
procured to handle this.
