POL00114566
From: Alan X Simpson
To: John D Cole/e/POSTOFFICE
cc:
Date: 16/06/2008 09:59
Subject: Fujitsu ARQ contract
John,
Following a voicemail that I left for Liz Tuddenham re the above, she has pointed me in your direction
as I am trying to locate a copy of the FS/POL contract which covers the adhoc banking queries. These
are submitted by both the POL Fraud team and the Network Banking teams to Fujitsu Services asking
for FS to check the banking data for specific transactions.
I am afraid that I do not know the reference for the contract but it has been in place for at least 4 years,
possibly longer. I have drawn a blank with FS and am hoping that you will be able to help.
We will shortly be holding workshops with the relevant teams to review the current situation as the
volumes of requests are now far higher than the original agreement. So a copy of the original set up
would be very useful to give us an idea of costs etc. to enable us to progress this.
Happy to discuss if necessary.
Many thanks.
Alan Simpson
Security Incident Senior
Post Office Ltd
Operations
1st Floor, Ashford Crown Office
Tufton Street
ASHFORD
Kent
TN23 1AA
Postline: N/A, STD Phone: GRO, Fax: N/A, Mobile:
---- Your Laptop - Your Responsibility - Leash It - Don't Lose It ----
Fujitsu Services
Service Description for the Security Management Service
Ref: CS/SER/016
Version: 1.0
Date: 06-JAN-2003
COMMERCIAL IN-CONFIDENCE
Document Title: Service Description for Implementation and maintenance of security policy and procedures
Document Type: Customer Services Specification
Release: N/A
Abstract: A description of the Implementation and maintenance of the security policy and procedures
Document Status: For Approval
Originator & Dept: Graham Hooper / Pete Sewell, Fujitsu Services Customer Services
Contributors: Graham Hooper / Pete Sewell
Internal Distribution: (For Originator to distribute following approval)
External Distribution: (For Document Management to distribute following approval)
Approval Authorities: (See PA/PRO/010 for Approval roles)

| Name | Position | Signature | Date |
|---|---|---|---|
| Martin Riddell | Director of Customer Service | | |
| Sue Lowther | Post Office Information Security Manager | | |
© 2002 Fujitsu Services SECURITY CLASSIFICATION Page: 1 of 20
(CONTRACT CONTROLLED - Leave Blank if Not Applicable)
0.0 Document Control
0.1 Document History
| Version No. | Date | Reason for Issue | Associated CP/PinICL |
|---|---|---|---|
| 0.1 | 19/12/01 | Initial Draft | |
| 0.2 | 23/12/02 | Masons’ comments on v0.1 | |
| 0.3 | 31/12/02 | Sue Lowther (POL) comments on version 0.2 | |
| 0.4 | 31/12/02 | Graham Hooper / Masons’ comments on Version 0.3 | |
| 1.0 | 6/01/2003 | Issued for Approval | |
0.2 Review Details
Review Comments by: Date
Review Comments to: Originator

| Mandatory Review Authority | Name |
|---|---|
| Director of Customer Service | Martin Riddell |
| Post Office Information Security Manager | Sue Lowther |
Optional Review (Issued for Information
(*)= Reviewers that returned comments.
0.3 Associated Documents

| Reference | Version | Date | Title | Source |
|---|---|---|---|---|
| PA/TEM/001 | 7.0 | 2nd April 2002 | Fujitsu Services Document Template | PVCS |
| RS/POL/002 | | | Security Policy | PVCS |
| RS/FSP/001 | | | Security Functional Specification | PVCS |
| RS/FSP/003 | | | Statements on Security Objectives and Methods for the Protection of Siemens Metering Code and Data | |
| BP/POL/002 | | | Post Office Counters Information System Security Policy | Post Office Ltd |
| BP/ION/002 | | | A code of Practice for Post Office Information Systems Security | Post Office Ltd |
| RS/CSD/001 | | | dss/itstds Departmental IT Security Standards | |
| RS/PRD/004 | | | Security Incident Management | PVCS / Post Office |
| BP/SPE/nnn | | | NBS Definition | PVCS |
| RS/POL/003 | | | Access Control Policy | PVCS |
Unless a specific version is referred to above, reference should be made to the current
approved versions of the documents.
0.4 Abbreviations/Definitions
Abbreviation Definition
0.5 Changes in this Version
Version Changes
0.6 Changes Expected
Changes
0.7 Table of Contents
1.0 SERVICE SUMMARY
2.0 SERVICE PRINCIPLES
3.0 SERVICE DEFINITION
  3.1 SECURITY ORGANISATION AND MANAGEMENT
  3.2 COMPLIANCE MONITORING AND AUDIT
  3.3 CRYPTOGRAPHIC KEY MANAGEMENT
  3.4 SECURITY EVENT MANAGEMENT AND FIREWALL EVENT ANALYSIS
  3.5 SYSTEM AND PHYSICAL ACCESS CONTROL
  3.6 ANTI-VIRUS AND MALWARE MANAGEMENT
  3.7 SECURITY INCIDENT REPORTING AND PROBLEM MANAGEMENT
  3.8 SYSTEM SECURITY CHANGE MANAGEMENT
  3.9 SECURITY AWARENESS AND TRAINING
  3.10 INFORMATION RETRIEVAL AND AUDIT
  3.11 SUBJECT INFORMATION REQUESTS
4.0 SERVICE AVAILABILITY
5.0 SERVICE LEVELS AND SERVICE TARGETS
6.0 SERVICE DEPENDENCIES & POST OFFICE RESPONSIBILITIES
  6.1 SERVICE DEPENDENCIES
  6.2 POST OFFICE RESPONSIBILITIES
7.0 DOCUMENTATION
1.0 Service Summary
This Security Management Service provides a wide range of security-related activities that
assists the establishment and maintenance of an ISO17799 compliant infrastructure, supports
legal and contractual obligations and minimises and controls liabilities to Fujitsu Services,
Pathway and Post Office Ltd. The service monitors operations and introduces specific
protective security controls on a risk assessment basis to maintain the integrity, availability
and confidentiality of information used and produced by the various Services and the support
environment.
Fujitsu Services’s overarching obligations for delivering and continuing to provide a secure
system are set out in Clause 8 of the Agreement.
The elements of the Security Management Services are as follows:
• Implementation and maintenance of security policy and procedures
• Compliance monitoring and audit
• Cryptographic key management
• Security event management and firewall event analysis
• System and physical access control
• Anti-Virus and malware management
• Security incident reporting and problem management
• System security change management
• Security awareness and training
• Audit data retrievals and prosecution support
• Subject Information Requests management
Each of these services is described in Section 3.
2.0 Service Principles
2.1.1 The following service principles will apply in the provision of the Security
Management Service. Security Management staff will:
a) be appropriately trained to carry out the service;
b) provide the appropriate balance between contractual and legal obligations and the
need to maintain delivery of the various Services;
c) be responsive to prevailing threats and vulnerabilities. Resource is therefore
allocated on a flexible, risk management basis.
The Fujitsu Services’ Information Security Manager shall be responsible (but may
nominate a representative to act on his behalf) for:
a) co-operating with the Post Office Information Security Manager in the
development of Post Office’s network banking automation security policy as
specified in paragraph 7.3.1 of Schedule 2 (Policies and Standards);
b) establishing Fujitsu Services's revised security policy as specified in paragraph
7.3.2 of Schedule 2 (Policies and Standards);
c) communicating to the Post Office Information Security Manager the identity of
the persons authorised to receive sensitive security-related material (including
cryptographic key components) on behalf of Fujitsu Services;
d) receiving from the Post Office Information Security Manager the identity of the
persons authorised to receive such security-related material on behalf of Post
Office;
e) liaising with the Post Office Information Security Manager in the manner
described in the CCD entitled "Security Incident Management" and paragraph
7.4.2 of Schedule 2 (Policies and Standards); and
f) liaising with the Post Office Information Security Manager and security representatives of
other parties involved in the End to End Banking on such security-related matters as may
be agreed.
3.0 Service Definition
3.1 Security Organisation and Management
3.1.1 This element of the service provides a number of organisational and management
activities required for compliance with ISO17799:
• Co-ordination of security activities and prioritises activities according to risk;
• Input to contractual and liability issues and assessments of the security impact of
new service requirements and the associated processes necessary to implement
them;
• Creation and maintenance of security-related procedural and process
documentation to assist compliance and help maintain correct operation by staff;
• Regular reviews of other Pathway documentation to provide appropriate security
input and compliance to the requirements of ISO9001;
• Management of ISO17799 gap analysis, preparation of plan for implementation in
accordance with agreed TOR and monitoring of corrective actions.
3.1.2 Fujitsu Services’s obligations for the establishment of an organised security
infrastructure, compliant to ISO17799 are set out in Schedule 2 — paragraphs 4.1.1 to
4.1.3.
Fujitsu Services’s obligations for compliance with Post Office security standards are
set out in Schedule 2 — paragraph 4.1.4.
Fujitsu Services’s rights and obligations with regard to the security and processing
of Personal Data are set out in Schedule 2 — paragraphs 2.4 to 2.8.
Fujitsu Services’s rights and obligations with regard to the processing of Personal
Data are set out in Schedule 2 — paragraph 2.4.6.
3.2 Compliance monitoring and audit
3.2.1 This element of the service provides a number of compliance monitoring and audit
activities required for compliance with ISO17799:
• Undertaking of periodic physical security and system security audits of
operational sites on a risk management basis to provide ongoing assurance of
compliance to security policies and procedures. Activities include reviews of
operational processes, provision of reports covering IT, environmental, physical,
personnel security etc. and the monitoring of identified corrective actions;
• Provision of advice and guidance on issues affecting personnel security within
Fujitsu Services including the investigation of personnel security issues and staff
vetting queries.
3.3 Cryptographic key management
3.3.1 This element of the service provides a number of cryptographic key management
activities:
• Management of the automated Key Management System (KMS) for the creation,
distribution and installation of required cryptographic material to the live estate.
Maintenance of periodic key replacement for all Branches;
• Operation of functionality & configuration changes to the automated service to
optimise service;
• Management of KMS event logging and incident handling to assist 1st, 2nd, 3rd
and 4th line support in error resolution and problem management;
• Management of the manual cryptographic estate by maintaining the creation,
distribution, auditing and periodic replacement of cryptographic keys within
agreed timescales;
• Supplier management of cryptographic key suppliers;
• Provision of contingency arrangements for Key Management Service to maintain
continuation of service in the event of absence etc.
3.3.2 PIN Pads
The use of PIN Pads and the associated cryptographic management shall be
supported by the NBS. PIN Pads shall comply with the requirements of ISO 9564.
Fujitsu Services's key management for any key directly or indirectly protecting the
secrecy of PIN values (together, "PIN Encryption Keys") shall comply with ISO
11568 Parts 1 to 3. The key management scheme used between each PIN Pad and
the rest of the Post Office Service Infrastructure shall be the DUKPT scheme as
described in section 4.7 and Appendix A of the ANSI X9.24-1998 standard. Moved
to Schedule 2 paragraph 10.6.1
3.3.3 In the event of an actual or suspected key
compromise in respect of a PIN Encryption Key used within the Post Office Service
Infrastructure, Fujitsu Services shall implement key change mechanisms in
accordance with the principles stated in ISO 11568 Parts 1 to 3. Where the actual or
suspected compromise affects a key shared with the NBE the parties’ obligations in
respect of key change mechanisms shall be as documented in the CCD entitled
“NBE — Horizon Application Interface Specification” (NB/IFS/008).
3.4 Security event management and firewall event analysis
3.4.1 This element of the service provides a number of security event management and
firewall event analysis activities:
• Management of audit mechanisms to monitor, detect and record events that might
threaten the security of the Horizon system and associated services;
• Operation of the Security Event Management system utilising the Systems
Management system to track and report events of security significance and daily
monitoring of the system to identify relevant events and logging of details;
• Regular analysis of audit trails to identify new features and vulnerabilities
introduced by new systems to facilitate trend analysis and to assist the
investigation of security breaches;
• Reviewing security configurations of event filters to optimise efficiency and
minimise security weaknesses;
• Undertaking risk assessments to establish adequate firewall policies / rulebases
and the subsequent monitoring of events generated by the system;
• Analysis of firewall event logs using trend analysis software to identify the
presence of any potential attacks or of areas of vulnerability and the provision of
advice for any remedial action;
• Prompt investigation and remedial action in order to minimise the impact of any
security breach.
3.5 System and physical access control
3.5.1 This element of the service provides a number of system and physical access
controls:
• Management of the process for validating that Users of the Horizon system are
authorised before being permitted access to the live network;
• Management of the allocation and auditing of SecurID tokens where used to
validate that Users who access the live system from locations remote from the
Data Centres do so via secondary token authentication. Undertaking of supplier
management of tokens and licensing costs.
3.6 Anti-Virus and malware management
3.6.1 This element of the service provides a number of anti-virus and malware
management activities:
• Management of the distribution of updated anti-virus software across the live
estate to maintain protection of the service from malicious software;
• Initial configuration of alerting mechanisms and event filters to provide
automatic notification and prompt virus incident response;
• Provision of regular DAT updates to identify and cleanse new and emerging
virus strains;
• Daily checks of emerging viruses and other malicious software to inform threats
and determine the required defensive measures;
• Provision of event monitoring and incident response via normal incident
handling procedures. Analysis of details to understand the threat and inform
corrective actions.
3.6.2 Protection against malicious software for NBS
Fujitsu Services shall provide protection against malicious software as set out in
paragraph 8.1 of the CCD entitled “NBS Definition”.
3.7 Security incident reporting and problem management
3.7.1 This element of the service provides a number of security incident reporting and
problem management activities:
• Provision of a central point of contact for all security-related issues;
• Investigation and reporting to Post Office of any actual or potential threats or
breaches that may have a material effect on the Services in accordance with
agreed procedures;
• Provision of ongoing liaison with Post Office and support to the Fujitsu
Services’ Security Board as defined in the CCD entitled “Pathway Security
Policy” (RS/POL/002).
3.8 System security change management
3.8.1 This element of the service provides a number of system security change
management activities:
• Management of security compliance with agreed change processes and the
assessment of the business and security impact of PinICLs and other problem
management systems including the provision of options for resolution and
containment of security and business risk;
• Assessment of the business and security impact of change proposals and the
assessment and approval/rejection of security related operational change
proposals.
3.9 Security awareness and training
3.9.1 This element of the service provides a security awareness programme for Fujitsu
Services and relevant Post Office personnel. The service covers the provision of
periodic awareness activities and training including induction training, presentations
and briefing notes and input to magazines, journals and other periodicals.
3.10 Information Retrieval and Audit
3.10.1 For the purpose of this paragraph 3.10
“Banking Transaction Record Query” means a Record Query in respect of a
Banking Transaction which the Data Reconciliation Service has reconciled or has
reported as an exception, the result or records of which are subsequently queried or
disputed by Post Office or a third party;
“Audit Record Query” means a Record Query which is not a Banking Transaction
Record Query and which relates to Transactions;
“Old Format Query” means the extraction of records created before
commencement of NB Pilot (Soft Launch) relating to Transactions (other than
Banking Transactions) meeting the Search Criteria, such extraction being limited to
the following specific types of information/data fields: the ID for the User logged-
on, Counter Position ID, stock unit reference, Transaction ID, Transaction start time
and date, Customer Session ID, mode (e.g. serve customer), product number and
quantity, and sales value;
“Period One” means, in respect of each Transaction the period of 90 days
commencing on the date of that Transaction;
“Period Two” means, in respect of each Transaction the period commencing the
day after expiry of Period One for that Transaction, expiring the earlier of the date:
a) 18 months (in the case of Transaction records created before
commencement of NB Pilot Soft (Soft Launch)) or 7 years (in the case
of Transaction records created after commencement of NB Pilot Soft
(Soft Launch)), after the records of that Transaction were first created;
or
b) of completion of transfer of Post Office Data (including the record of
that Transaction) in accordance with Schedule 22:
“Query Day” means each date against which an Audit Record Query or an Old
Format Query is raised;
“Record Query” means the extraction of records created after commencement of
NB Pilot (Soft Launch) in accordance with the terms of this paragraph 3.10 relating
to Banking Transactions (and, in the case of Audit Record Queries relating to all
Transactions) meeting the Search Criteria, such extraction being limited to specific
types of information/data fields as follows:
• in the case of an Audit Record Query - the ID for the User logged-on,
Counter Position ID, stock unit reference, Transaction ID, Transaction
start time and date, Customer Session ID, mode (e.g. serve customer),
product number and quantity, and sales value; and
• in the case of a Banking Transaction Record Query - Banking Transaction
ID, Banking Transaction type, receipt date, receipt time, the reason code
(in the case of a discrepancy) and DRSH sub-value(s) (eg CO
Confirmation, C1 Confirmation, NB Decline); and
“Search Criteria” means:
• in the case of an Audit Record Query or Old Format Query either of:
a) date or dates (not exceeding 31 consecutive days), time-range, Branch
and PAN (or equivalent identifier); or
b) date or dates (not exceeding 31 consecutive days), time-range and
Branch; and
• in the case of a Banking Transaction Record Query either of:
a) date, time-range, Branch and PAN; or
b) date, time-range and Branch,
to be specified for each individual Record Query or Old Format Query (as
applicable).
3.10.2 Fujitsu Services shall have access (such access being restricted to properly
authorised Fujitsu Service staff) to records of each Banking Transaction during
Period One and Period Two.
3.10.3 Limits and target times for Record Queries
a) The table below sets out the limits on Record Queries and/or Old
Format Queries which Fujitsu Services shall be obliged to carry out
and the target times for carrying out each Record Query and/or Old
Format Query:

| | (1) Limits on Banking Transaction Record Queries: Period One | (1) Limits on Banking Transaction Record Queries: Period Two | (2) Aggregate Limits on Audit Record Queries and Old Format Queries: Period One and Period Two | (3) Limits on Old Format Queries: Period One and Period Two |
|---|---|---|---|---|
| Limits | 900 per year (on a rolling year basis) with no more than 126 in any calendar month | 100 per year (on a rolling year basis) with no more than 14 in any calendar month | Subject to paragraph 3.10.6 below, the limit per year (on a rolling year basis) shall be the first of the following to be reached: (i) 330 (in aggregate) Audit Record Queries and Old Format Queries; or (ii) 4620 Query Days, and the limit per calendar month shall be the first of the following to be reached (i) 46 (in aggregate) Audit Record Queries and Old Format Queries, or (ii) 650 Query Days | The limit per year (on a rolling year basis) shall be the first of the following to be reached: (i) 50 Old Format Queries; or (ii) 700 Query Days, and the limit per calendar month shall be the first of the following to be reached: (i) 7 Old Format Queries; or (ii) [illegible] Query Days. |
| Target Time | 5 MSU Days | 7 MSU Days | Subject to paragraph 3.10.4 below and applicable only in respect of Audit Record Queries, 7 working days (for queries of 14 or less days’ duration) and 14 working days (for queries of greater than 14 days’ duration). | Subject to paragraph 3.10.4 below, 14 working days (for queries of 14 or less days’ duration) and 28 working days (for queries of greater than 14 days’ duration). |

b) The limits set out in columns numbered 1 and 2 in the table above and
the provisions of this paragraph 3.10 relevant in connection with the
application of those limits shall apply with effect from commencement
of NB Pilot (Soft Launch).
c) The limits set out in the column numbered 3 in the table above
and the provisions of this paragraph 3.10 relevant in connection with
the application of those limits shall apply with effect from the date of
approval by both parties of the CCN which introduces the NBS
(CCN850) and shall cease to be applicable 18 calendar months after
the commencement of NB Pilot (Soft Launch).
d) For the purpose of applying the limits in column 3 from the date of
approval by both parties of the CCN which introduces the NBS
(CCN850), the equivalent of Old Format Queries (and associated
Query Days) carried out in the 12 months prior to that date shall count
towards the annual limit (on a rolling year basis) and the equivalent of
Old Format Queries carried out in the calendar month in which the
NBS CCN is approved (prior to the date of such approval) shall count
towards the limits for that month.
e) For the purpose of applying the limits in columns 2 and 3 after
commencement of NB Pilot (Soft Launch), any Old Format Queries
(and associated Query Days) carried out in the 12 months prior to
commencement of NB Pilot (Soft Launch) shall count towards the
annual limits (on a rolling year basis) and Old Format Queries carried
out in the calendar month in which NB Pilot (Soft Launch) commences
(prior to that commencement) shall count towards the limits for that
month.
3.10.4 Where:
a) a new Audit Record Query or Old Format Query is received by Fujitsu
Services or Post Office requires analysis of an existing Audit Record
Query or Old Format Query; and
b) a member of Fujitsu Services’s personnel is needed to deal with that
new or existing Audit Record Query or Old Format Query; but
c) that person is unavailable due to his or her attendance at court or other
proceedings in connection with an Audit Record Query or Old Format
Query,
the target times specified in paragraph 3.10.3 shall not apply to that new or existing
Audit Record Query or Old Format Query referred to in paragraph 3.10.4 (a) which
Fujitsu Services shall instead deal with as soon as reasonably practicable.
3.10.5 For the avoidance of doubt, the limits set out in paragraph 3.10.3 in respect of
Banking Transaction Record Queries shall not apply in respect of reconciliation
incident management and settlement reporting carried out as a function of the Data
Reconciliation Service.
3.10.6 Post Office may at any time on three months’ notice (such notice expiring no earlier
than commencement of NB Pilot (Soft Launch)) vary the aggregate limits of Audit
Record Queries and Old Format Queries which Fujitsu Services is required to carry
out as specified in column numbered 2 in the table in paragraph 3.10.3,
3.10.6.1 between
a) the limits specified in paragraph 3.10.3; and
b) the following substitutes for those limits (applicable on the
same basis): 550 Audit Record Queries or 7700 Query Days
per year on a rolling year basis, and 77 Audit Record Queries
or 1078 Query Days per calendar month;
3.10.6.2 and between
a) the substitute limits set out in paragraph 3.10.6.1(b); and
b) the following substitutes for those limits (applicable on the
same basis): 800 Audit Record Queries or 11200 Query Days
per year on a rolling year basis, and 112 Audit Record Queries
or 1568 Query Days per calendar month,
and in each case Fujitsu Services’s charges in respect of dealing with
any Audit Record Queries and/or Old Format Queries up to the limits
as varied in accordance with this paragraph shall be as specified in
Schedule 10.
3.10.7 Post Office shall submit:
(a) Banking Transaction Record Queries to the Horizon System Help Desk
which will pass the Record Query to Fujitsu Services’s customer service
management support unit; and
(b) Audit Record Queries and Old Format Queries to Fujitsu Services’s
customer service security prosecution support section.
Fujitsu Services shall accept Record Queries and Old Format Queries only from
properly authorised Post Office staff.
3.10.8 Litigation Support
Where Post Office submits an Audit Record Query or Old Format Query, at Post
Office’s request Fujitsu Services shall, in addition to conducting that query:
a) present records of Transactions extracted by that query in either Excel
95 or native flat file format, as agreed between the parties; and
b) subject to the limits set out below:
(i) analyse:
• the appropriate Fujitsu Service’s Help Desk records for
the date range in question;
• Branch non-polling reports for the Branch in question;
and
• fault logs for the devices from which the records of
Transactions were obtained
in order to check the integrity of records of Transactions extracted by that
query;
(ii) request and allow the relevant employees of Fujitsu Services to
prepare witness statements of fact in relation to that query, to
the extent that such statements are reasonably required for the
purpose of verifying the integrity of records provided by Audit
Record Query or Old Format Query, and are based upon the
analysis and documentation referred to in this paragraph 3.10.7;
and
(iii) request and allow the relevant employees to attend court to give
evidence in respect of the witness statements referred to in (ii)
above,
provided that:
(iv) Fujitsu Services’s obligations set out in (i) and (ii) above shall
be limited, in aggregate, to dealing with a maximum of 150 (in
aggregate) Record Queries and Old Format Queries per year
(on a rolling year basis); and
(v) Fujitsu Services’s obligations in the case of provision of
witnesses referred to in paragraph (iii) above shall be to provide
witnesses to attend court up to a maximum (for all such
attendance) of 60 days per year (on a rolling year basis).
For the avoidance of doubt the target times set out in paragraph 3.10.3
for dealing with Audit Record Queries and Old Format Queries shall
not apply in respect of Fujitsu Services’s obligations under paragraph
3.10.7.(b).
3.10.9 Any information requested beyond that available by Record Query and/or any
witness statements or witness attendance beyond that available in accordance with
this paragraph 3.10 shall be agreed on a case by case basis and shall be dealt with in
accordance with the Change Control Procedure.
3.10.10 Sensitive Card Data included in records of Banking Transactions extracted by
Record Query and provided to Post Office (but, for the avoidance of doubt, not that
included in records for Transactions extracted for Audit Record Queries in respect of
any other Post Office Service) shall be in the encrypted form in which they are held
by the NB System.
3.10.11 Audit Access
Reasonable access to the audit trail of Banking Transactions for Post Office auditors
for audit purposes shall be by request (and reasonable notice to) Fujitsu Services’s
Audit Manager.
3.11 Subject Information Requests
3.11.1 The management and provision of responses in respect of Subject Information
Requests will be as defined in Schedule 2.
4.0 Service Availability
4.1 The Service will be available between the hours of 08:00 to 17:30 Monday to Friday
excluding all Bank and public holidays.
5.0 Service Levels And Service Targets
5.1 Relevant SLA targets relate primarily to Audit Record Queries, which are defined in
Section 3 of this document and Subject Information Requests which are defined in
Schedule 2.
6.0 Service Dependencies & Post Office Responsibilities
6.1 Service Dependencies
6.1.1. The dependencies on the provision of Information Retrieval and Audit are set out in
Section 10 of this document CS/SER/016.
6.1.2 The dependencies on the provision of Subject Information Requests are set out in
Schedule 2 - paragraph 2.4.10.
6.2 Post Office Responsibilities
6.2.1 Post Office’s security-related responsibilities are set out in Schedule 16.
6.2.2 Post Office’s authority and obligations with regard to compliance with the Data
Protection Act are set out in Schedule 2 - paragraphs 2.4 to 2.5.
6.2.3 Post Office responsibilities with regard to Subject Information Requests are set out
in Schedule 2 - paragraphs 2.4.9 and 2.4.12.
6.2.4 Post Office responsibilities with
regard to the provision of an Information Security Manager are set out in Schedule 4.
7.0 Documentation
7.1 The CCDs applicable to the service are:
a. Security Policy (RS/POL/002);
b. Security Functional Specification (RS/FSP/001);
c. Security Incident Management (RS/PRD/004);
d. Statements on Security Objectives and Methods for the Protection of Siemens
Metering Code and Data (RS/FSP/003);
e. Post Office Counters Information System Security Policy (BP/POL/002);
f. A code of Practice for Post Office Information Systems Security (BP/ION/002);
g. Departmental IT Security Standards (RS/CSD/001).
Programme Impact Assessment Form
Impact Assessment Due Date: 3 September 2004
Change Control Note No: 1135
CCN Title: Exercising Option to Increase Volume of Audit Record Queries
Business Owner: John D Cole Tel:
Fax:
Impact Assessment:
No impact on my area
(If no impact tick the box, sign and date the form and return)
Accept / Reject
Provide estimates for your area to make the change
Man days effort to implement the change
Cost (£k)
Earliest possible implementation date
Dependencies
Other Documentation:
(If you know of any additional documentation that could be affected by the change please specify)
Additional Comments: Documents/papers attached
(Tick box if additional papers or documents attached to your impact)
This CCN is rejected, as a separate CCN is required, which will allow for the increase in Audit
Record Queries as per Colin Lenton-Smith’s letter of 9 June 2004, but excluding the proposed
increase for DWP queries.
It is also expected that should any DWP queries arise these will be dealt with on an ad-hoc basis,
and will be charged separately.
Impact Assessor: Horizon Contract Author
Signature: John Cole
Date: 03/09/04
Return completed form to the Change Control 2nd floor, Calthorpe House, 15-20 Phoenix Place, London WC1X 0DG
iaform.doc Version 3 September 97
Commercial Team In Commercial Confidence
Post Office Ltd Change Request Form
Change Request Number: POLCC_FSL_
(Allocated by PSO)
Confidentiality:
(Any constraints on access to the Change Request)
Project: N/A
(Project against which change is raised)
Change Request Title: Exercising option to increase volume of Audit Record Requests (but dealing
with any queries for DWP on ad-hoc basis).
(A few words to identify the change)
Authorised Person: Keith Baines
Originator: John Cole
Business Owner: John Cole
Date Change Request Raised: 03/09/04
Date issued to Supplier:
Are there any attachments to this Change Request? Yes
Summary of attachments:
(A summary list of attached documents)
Description of Change:
(A full description of the context of the change and the required change outcome — with any business or technical detail needed to
clearly interpret
To provide a new annual total of Audit Record Requests of 720, within The Agreement, but dealing with
any requests for DWP on an ad-hoc basis (this means that should a DWP query arise a separate work
order and purchase order will be raised for this specific activity).
Required Outputs from Change:
(Specific items to be delivered to satisfy the change requirement)
To provide a new annual total of Audit Record Requests of 720, within The Agreement.
Required Implementation Date or Release:
New totals to be available from 1st September 2004
Priority: HIGH
(Show stopper / High / Medium / Low with supporting explanation)
Business Reason for Change Request:
(A brief description of the business reason for raising this change; identified benefits; dependencies; and impact if the change is
not implemented)
Current contractual limits are not adequate to meet mandatory requirements from PO
Security Team and Clients
CRS Reference Number: N/A
(Reference number of the initiative from the Common Radar Screen)
Business Case Title: N/A
(Title of the business case under which this change is justified)
Business Case Log Number: N/A. Business Case Authority Number: N/A
Budget Holder (for any costs incurred): Keith Baines Tel.No.
Finance Analyst (for budget area): Liz McKinstry Tel.No.
Cost Centre Code (for budget area):
Urgent (Yes/No): Yes Reason for Urgency: New limits required from 01/09/04.
Change Request Template Page 1 of 2 Version: 1.0
In Commercial Confidence Version Date: 6th January 2004
IT Commercial Team
(If 'Yes' state reason why)
Should the Change be sent to External Suppliers without Initial Sponsor / Business Assessment?
(if yes, provide details including details of any authority)
Suppliers impacted by change (Circle Yes / No / Not Known)
PO Ltd: Yes
Fujitsu: Yes
IBM: Yes / No / Not Known
EDS: Yes / No / Not Known
Government: Yes / No / Not Known
LINK: Yes / No / Not Known
Alliance & Leicester: Yes / No / Not Known
Streamline: Yes / No / Not Known
Royal Mail Group: Yes / No / Not Known
Prism Alliance: Yes / No / Not Known
Other (please state):
PO Ltd Change Plan:
Will the change require a revision to the current PO Ltd Change Plan? Yes / No / Uncertain
Document(s) Affected: (Give full document title, reference and version number / date.)
(e.g. Product Description - NB It may not be
possible to identify documents at this stage)
Change Impacts:
(Information on the potential impacts of the change to ensure that all relevant activities and dependencies are understood and
addressed - see guidelines)
• FS charges will increase by circa £93k (plus VAT) in year 2004/05, this will be covered by other
savings on other FS charges
• There will be recurring costs of £160k, plus VAT per annum, PO Security will need to bid for this
money. (Financial Year 2005/06)
Assumptions:
(List any assumptions that have been used to document this change)
Keith K Baines To: John D Cole/e/POSTOFFICE
cc:
27/08/2004 17:40 Subject: CCN1135 (Audit Queries)
John - (you will need to refer to the email from Chris with the CCN in it)
On the extra DWP queries - I had expected that these would be priced separately as an optional extra,
so that we could bill DWP for them if used; it seems to be bundled in as one price which we pay
whether the DWP extras are used or not, and with no identifiable price that we can recharge.
Can you check and investigate please.
Regards,
Keith
Colin Lenton-Smith
Commercial and Finance Director, Post Office Account Team
Fujitsu Services Limited
Forest Road
Feltham
MIDDLESEX TW13 7EJ
26.07.04
“an essential part of everyday life”
Dear Colin
Re: Audit Record Queries
Further to your letter of 9th June 2004, in which you outlined the principles
relating to an increase in the annual limits and the increased costs in the
number of Audit Record Queries.
I can now confirm that Post Office wish to exercise the option to increase
the number of Audit Record Queries as per your letter, and by this letter is
giving you notice that we want the new arrangements to apply from 1st
September 2004.
From that date we also expect that the volume of additional queries and
charges will be pro rata (e.g. 7/12 of those quoted in your letter) for the
remainder of this financial year.
I can also confirm that the ‘counting period’ for queries and charges will
run from April — March each year.
Yours Sincerely
Keith Baines
Contract Manager
Post Office Ltd
IT Department
IT Commercial
Calthorpe House
15-20 Phoenix Place
LONDON WC1X 0DG
Post Office Ltd
Registered in England and Wales number: 2154540
Registered Office: 80-86 Old Street
London EC1V 9NN
The Post Office and the Post Office symbol are
registered trade marks of Post Office Ltd in the
UK and other countries.
Keith K Baines To: John D Cole/e/POSTOFFICE
cc:
26/07/2004 15:47 Subject: Re: Horizon data requests
----- Forwarded by Keith K Baines/e/POSTOFFICE on 26/07/2004 15:46 -----
Ian O'Driscoll To: Keith K Baines/e/POSTOFFICE
cc:
26/07/2004 08:08 Subject: Re: Horizon data requests
For info
----- Forwarded by Ian O'Driscoll/e/POSTOFFICE on 26/07/2004 08:08 -----
David X Smith To: Ian O'Driscoll/e/POSTOFFICE
26/07/2004 07:54 Subject: Re: Horizon data requests
As spoken,
Dave
Acting IT Director
Post Office Ltd
Directorate
4th Floor, 80 Old Street, LONDON, EC1V 9NN
Mobex: GRO Mobile:
External Email: david.x.smith¢_ k
----- Forwarded by David X Smith/e/POSTOFFICE on 26/07/2004 07:54 -----
Tony Marsh To: David X Smith/e/POSTOFFICE
cc: David W Miller/e/POSTOFFICE
28/07/2004 11:00 Holleran/e/POSTOFFICE
Utting/e/POSTOFFICE
Subject: Re: Horizon data requests
Dave
Many thanks for your support with this "between two stools" problem.
As you can see John Cole is forecasting approximately £100k for the remainder of the FY.
If we do not have a more flexible solution in place for 05/06 Tony U will make sure that the requisite
budget is bid for and obtained.
Regards
Tony
----- Forwarded by Tony Marsh/e/POSTOFFICE on 23/07/2004 10:56 -----
John D Cole To: Tony R Utting/e/POSTOFFICE
cc: Graham C Ward/e/POSTOFFICE
2107/2004 18:46 Marsh/e/POSTOFFICE
Baines/e/POSTOFFICE
Subject: Re: Horizon data requests
Tony, Thank you for this information.
Firstly, the total number of Audit Record Queries, under the proposed increase available for a
"complete" year is 720 (or 15,000 query days), whichever is reached first.
This equates on a monthly basis to 60 per month (or 8750 query days)
Secondly, as we have to give 1 month's notice to bring the revised limits into operation, we would be
able to have 7 months at the new levels until the end of the financial year (March 2005). This means
that the quoted amount of £170k, per annum, equates to approx £100k for the 7 months until the end
of the financial year.
I should also mention that for DWP queries an additional 84 queries can be accommodated,
equivalent to 7 per month, although 10 per month could be accommodated provided the annual total
does not exceed 84.
Finally, FS are asking that if the proposed new limits are agreed, could we regularise the "query year"
(currently based on calendar years), with the financial year and run in future with the fiscal year.
Regards. John Cole.
Tony R Utting
Tony R Utting To: John D Cole/e/POSTOFFICE
cc: Graham C Ward/e/POSTOFFICE
2107/2004 14:59 Marsh/e/POSTOFFICE
Subject: Horizon data requests
, Tony
As discussed, we are looking at achieving 50 requests per month for the remainder of the year, at
present End of December, but from what you were saying potentially end of March.
Can you just confirm that the incremental step process is the only avenue open to us and that we will
have the required request numbers using this process. If you could give us the exact figures, it would
be most helpful, as we will use whatever requests are available.
As you can imagine, with the changes taking place in the business at present, we are in increasing
need of Horizon data and are still avoiding asking for it wherever possible in order to preserve our
requests. This means that we will inevitably be looking for further increased access in due course and
I will be preparing a blueprint to gain direct access in the next few weeks.
Thanks again for all of your help
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 22/07/2004 14:34 -----
Graham C Ward To: Tony R Utting/e/POSTOFFICE
cc:
22/07/2004 12:36 Subject: Horizon data requests
Tony
this year we have submitted the following:
Jan 44
Feb 46
March 51
April 41
May 46
Jun 42
July 40
Aug 20 7?
Total 330 (our annual limit)
predicting how many we will want isn't straightforward as people in our own team / RLM's / NBSC /
Legal Services are aware of the problems/restrictions in obtaining these logs and thus don't bother
asking for them. If we had greater access, I am sure once the ‘word’ got around, we would use up
whatever was available.
That said, with a monthly limit of 46 I didn't have to turn many away, so I would guess that having 50
per month for the rest of this year would see us through until the contract is amended. Therefore my
guesstimate for the remaining year (up till the end of December) would be 220 (50 x 4 months with a
few extra to cover the likely queue in September due to the limited number available for August)
Regards
Graham
John D Cole To: Tony R Utting/e/POSTOFFICE
cc: Graham C Ward/e/POSTOFFICE
22/07/2004 15:46 Marsh/e/POSTOFFICE
Baines/e/POSTOFFICE GRO
Subject: Re: Horizon data requests
Tony, Thank you for this information.
Firstly, the total number of Audit Record Queries, under the proposed increase available for a
"complete" year is 720 (or 15,000 query days), whichever is reached first.
This equates on a monthly basis to 60 per month (or 8750 query days)
Secondly, as we have to give 1 month's notice to bring the revised limits into operation, we would be
able to have 7 months at the new levels until the end of the financial year (March 2005). This means
that the quoted amount of £170k, per annum, equates to approx £100k for the 7 months until the end
of the financial year.
I should also mention that for DWP queries an additional 84 queries can be accommodated,
equivalent to 7 per month, although 10 per month could be accommodated provided the annual total
does not exceed 84.
Finally, FS are asking that if the proposed new limits are agreed, could we regularise the "query year"
(currently based on calendar years), with the financial year and run in future with the fiscal year.
Regards. John Cole.
Tony R Utting
Tony R Utting To: John D Cole/e/POSTOFFICE GRO
cc: Graham C Ward/e/POSTOFFICE
22/07/2004 14:39 Marsh/e/POSTOFFICE
Subject: Horizon data requests
As discussed, we are looking at achieving 50 requests per month for the remainder of the year, at
present End of December, but from what you were saying potentially end of March.
Can you just confirm that the incremental step process is the only avenue open to us and that we will
have the required request numbers using this process. If you could give us the exact figures, it would
be most helpful, as we will use whatever requests are available.
As you can imagine, with the changes taking place in the business at present, we are in increasing
need of Horizon data and are still avoiding asking for it wherever possible in order to preserve our
requests. This means that we will inevitably be looking for further increased access in due course and
I will be preparing a blueprint to gain direct access in the next few weeks.
Thanks again for all of your help
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 22/07/2004 14:34 -----
Graham C Ward To: Tony R Utting/e/POSTOFFICE
cc:
22/07/2004 12:36 Subject: Horizon data requests
Tony
this year we have submitted the following:
Jan 44
Feb 46
March 51
April 41
May 46
Jun 42
July 40
Aug 20 7?
Total 330 (our annual limit)
predicting how many we will want isn't straightforward as people in our own team / RLM's / NBSC /
Legal Services are aware of the problems/restrictions in obtaining these logs and thus don't bother
asking for them. If we had greater access, I am sure once the ‘word’ got around, we would use up
whatever was available.
That said, with a monthly limit of 46 I didn't have to turn many away, so I would guess that having 50
per month for the rest of this year would see us through until the contract is amended. Therefore my
guesstimate for the remaining year (up till the end of December) would be 220 (50 x 4 months with a
few extra to cover the likely queue in September due to the limited number available for August)
Regards
Graham
John D Cole To: Tony R Utting/e/POSTOFFICE
cc: Keith K Baines/e/POSTOFFICE
13/07/2004 15:22 Subject: Fujitsu Contract changes - email
Tony, As you know, our earlier deliberations were based on the proposal to increase the number of
audit record queries, this still needs financial approval to progress, can you confirm that this
proposition is still required, please?
Moving to your new proposal to allow POL to have ‘direct access to process Horizon Data’, I can
confirm that this is not something we have broached with Fujitsu Services. You will need to progress
the Business Solutions team (contact Karen Molloy) Regards. John Cole.
Keith K Baines
Keith K Baines To: John D Cole/e/POSTOFFICE
cc:
13/07/2004 09:44 Subject: Fujitsu contract changes - email 1
John,
Can you let me know the current state of play please.
Keith
----- Forwarded by Keith K Baines/e/POSTOFFICE on 13/07/2004 09:43 -----
Tony R Utting To: Keith K Baines/e/POSTOFFICE GRO
cc: Tony Marsh/e/POSTOFFICE
98/07/2004 08:20 Pardoe/e/POSTOFFICE
Subject: Fujitsu contract changes - email 1
Please see the email below from Tony Marsh, Can you please give an update to what activity has
been undertaken with regard to gaining direct access to Horizon data for use within the business.
I believe Tony raised the idea of us having our own access to the audit data from within the business
via a terminal (probably at Chesterfield) via which, we would be able to obtain data for all parts of the
business and remove the need for us to make data requests of Fujitsu. I understand that Alan Barrie
was aware of this suggestion and had been supportive of our approach. We had considered the
download that Tony mentions, but had felt that this would simply be a recreation of the data warehouse
and probably cost more than simply gaining access to our own data via the existing one.
This issue has become considerably more important recently, as investigators are finding it
increasingly difficult to pursue criminal cases without having access to audit data. Defence team have
also identified this as a means of delaying and in some cases potentially ceasing prosecution activities
and as you can see from Tony's email this has meant that we have had to increase our use of audit
requests to a point whereby we will run out at the end of August, with potentially serious consequences
thereafter.
A further complication will come next year when much of the paper based evidence that the business
uses to prove events that have taken place at branches will disappear. This will require even more
data requests, possibly including requests from elsewhere in the business, almost certainly in excess
of the agreed increase we have been allocated, albeit nobody seems to have the money to pay.
I would be happy to meet up and discuss our options and opportunities in respect of this issue and
would be happy to assist in developing a business case to support our gaining greater access to the
data warehouse.
Regards
Tony Utting
Tony Marsh To: David W Miller/e/POSTOFFICE
cc: Tony R Utting/e/POSTOFFICE
98/07/2004 10:05 Subject: Fujitsu contract changes - email 1
Dave
The circumstances detailed in the email chain below, which I understand made a significant
contribution to the overall cost reductions in the renegotiated Fujitsu contract, and the reply in the
email immediately following this one, now appear likely to curtail effective investigation activity from
next month for the remainder of the calendar year.
I felt with my highlighting the issue in January 2003 (4th entry down) I had done enough to gain IT and
Operations buy-in to the Security position whilst behaving in a business-focussed manner in not
demanding a high-cost comfort zone or safety net.
John Cole's reply in the accompanying email suggests otherwise. I'd be grateful if you'd take a look
and decide whether you concur with his reading of decision making and consequent responsibilities.
Very briefly, it is not now possible to conduct an enquiry involving branch trading, Post Office Ltd or
client products without making an information request to Fujitsu. As we still do not own our own data
or the tools to analyse it we cannot circumvent Fujitsu in any way on this. Although IT (Keith Baines)
have been asked to look at the possibility of a data download for Security use this request has not
been progressed as a priority, I have asked Tony Utting to get this moving again with IT.
I am awaiting a breakdown of costs, I understand the cost of buying a further 420 information requests
(i.e. to bring the annual total to 750) will be £170k
Tony
----- Forwarded by Tony Marsh/e/POSTOFFICE on 06/07/2004 09:33 -----
Tony R Utting To: John D Cole/e/POSTOFFICE
05/07/2004 15:07 cc: Tony Marsh/e/POSTOFFICE
Subject: Fujitsu contract changes
I have received your reply and would contest that the decision to reduce our request numbers was
made in the Operations Directorate. The email below records that when I spoke to Keith Baines, he
suggested to me that the decision was made by the EC.
We now have 22 requests left to last us until January next year and are currently utilising them at a
rate of over forty per month in the expectation that the business was going to find funding for this.
Should we run out, then there will be an impact on our ability to investigate crimes against the
business and in at least one case we may be in breach of a contractual obligation to investigate fraud
against a client product.
Has this issue been raised within the business from your side, as I have not been notified until today
that the extra requests were not going to happen.
Thanks
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 05/07/2004 15:00 -----
Tony R Utting
15/06/2004 09:03
Patel/e/POSTOFFICE
Marsh/e/POSTOFFICE
Ward/e/POSTOFFICE
Subject: Fujitsu contract changes
As discussed, there are reams of emails about this (as you can imagine). This appears to be the most
succinct.
As discussed, we have no money to pay for this.
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 15/06/2004 09:01 -----
cc: S&A SMs
bcc:
Hard Copy To:
Hard Copy cc:
Date: 16/01/2003 12:38
From: Tony Marsh
Subject: Fujitsu contract changes
Dave
This refers to the reduction, without any prior reference to anyone in my team, of the number of
pre-paid audit and investigation information requests agreed in the contract from 500 to 330. I had
previously agreed with Mike Hannon that our original figure of 750 (itself reduced from a rather
comfortable 1000) could be reduced to 500 provided that our bid for funding to cover any additional
requests would be met. We have a bid in for £50k for this purpose.
With the introduction of banking and the proposal to remove the hard copy cash account facility (which
I am disposed to endorse despite resistance from both my own investigators and Legal Services
provided that the retail line agrees to enforce compliance around Horizon passwords) every
investigation, whether full or preliminary, may require access to data held by Fujitsu.
I was surprised that such a change was made without any reference to the primary stakeholder.
Provided I have your commitment that POL will meet any additional costs which may be caused as a
result of this decision however I am comfortable if this has contributed to the reduction in the overall
Fujitsu contract costs.
Tony
Tony R Utting To: Duncan MoFadyen/e/POSTOFFICE
cc: Laury Callan/e/POSTOFFICE
15/01/2008 16:54 Ferlinc/e/POSTOFFICE
Gerrish/e/POSTOFFICE
Marsh/e/POSTOFFICE
Subject: Re: SALT ACTION POINTS
I think I have disposed of my action point from SALT as follows.
I have today spoken with Keith Baines The Client Manager for Fujitsu, who tells me that the proposed
reduction in requests has been agreed at EC level (Dave Miller and co) and that the business is
aware, that should we exceed the number of requests in the contract, further resources will have to be
found by the business to pay for them.
The rationale behind the decision was that it was felt that we should not pay for anything in the
contract we did not use and there was no certainty that we would reach the previously agreed
numbers.
Hope this clarifies matters
Tony U
John D Cole To: Tony R Utting/e/POSTOFFICE
cc:
06/07/2004 07:57 cc:
Subject: Re: Fujitsu contract changes
Tony, Regarding the costs, yes the amount for the additional queries is still £170k. Please see small
table below, of how this was arrived at:
Increased No of Queries 390
Increased Price £170,000.00
Price per query £435.90
C2 Daily Rate* £1,039.00
C2 Hourly Rate £129.88
No of hours per query 3.36
The new annual limits will be 720 queries or 15,000 query days, whichever is reached first.
We have examined the proposed additional costs and consider this is not unreasonable, compared to
the charges for the existing facility (which is 330 queries for the annual cost of £670k)
* C2 = Consultant 2 rates (this is because all Fujitsu Services costs are based on consultancy
charges)
Tony R Utting
Tony R Utting To: John D Cole/e/POSTOFFICE
05/07/2004 16:51 cc:
Subject: Re: Fujitsu contract changes
I think you have hit the proverbial nail on the head. I don't know if there ever was a formal response.
I have contacted Tony Marsh and one of us will raise it with Dave as a matter of urgency. We are
going to have problems if we don't sort it soon.
Were you able to discover why the costs were so high when you last went back to Fujitsu? and are we
still looking at £170k for this
Thanks for your help to date
Tony U
John D Cole
John D Cole To: Tony R Utting/e/POSTOFFICE
05/07/2004 16:33 cc: Keith K Baines/e/POSTOFFICE
Subject: Re: Fujitsu contract changes
Tony, Further to your latest reply, I think the principal point in the various e-mails is Tony Marsh's
statement to Dave Miller in which he asks; "Provided I have your commitment that POL will meet
any additional costs which may be caused as a result of this decision however I am
comfortable if this has contributed to the reduction in the overall Fujitsu contract costs". What
was Dave Miller's reaction to this statement?
I still believe the additional funding is an operational matter which needs to be pursued with Dave
Miller by yourselves, we are as keen as you are to see resolution of this issue so that you can
carry out your contractual obligations. Thanks John Cole.
Tony R Utting
Tony R Utting To: John D Cole/e/POSTOFFICE
cc: Tony Marsh/e/POSTOFFICE
05/07/2004 15:07 Subject: Fujitsu contract changes
I have received your reply and would contest that the decision to reduce our request numbers was
made in the Operations Directorate. The email below records that when I spoke to Keith Baines, he
suggested to me that the decision was made by the EC.
We now have 22 requests left to last us until January next year and are currently utilising them at a
rate of over forty per month in the expectation that the business was going to find funding for this.
Should we run out, then there will be an impact on our ability to investigate crimes against the
business and in at least one case we may be in breach of a contractual obligation to investigate fraud
against a client product.
Has this issue been raised within the business from your side, as I have not been notified until today
that the extra requests were not going to happen.
Thanks
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 05/07/2004 15:00 -----
Tony R Utting To: John D Cole/e/POSTOFFICE
cc: Dave Pardoe/e/POSTOFFICE
19/08/2004 09:08 Patel/e/POSTOFFICE
Marsh/e/POSTOFFICE
Ward/e/POSTOFFICE
Subject: Fujitsu contract changes
As discussed, there are reams of emails about this (as you can imagine). This appears to be the most
succinct.
As discussed, we have no money to pay for this.
Tony Utting
—— Forwarded by Tony R Utting/e/POSTOFFICE on 15/06/2004 09:01 -----
To: David W Miller/e/POSTOFFICI
ce: S&A SMs
bec:
Hard Copy To:
Hard Copy cc:
Date: 16/01/2003 12:38
From: Tony Marsh
Subject: Fujitsu contract changes
Dave
This refers to the reduction, without any prior reference to anyone in my team, of the number of
pre-paid audit and investigation information requests agreed in the contract from 500 to 330. I had
previously agreed with Mike Hannon that our original figure of 750 (itself reduced from a rather
comfortable 1000) could be reduced to 500 provided that our bid for funding to cover any additional
requests would be met. We have a bid in for £50k for this purpose.
With the introduction of banking and the proposal to remove the hard copy cash account facility (which
I am disposed to endorse despite resistance from both my own investigators and Legal Services
provided that the retail line agrees to enforce compliance around Horizon passwords) every
investigation, whether full or preliminary, may require access to data held by Fujitsu.
I was surprised that such a change was made without any reference to the primary stakeholder.
Provided I have your commitment that POL will meet any additional costs which may be caused as a
result of this decision however I am comfortable if this has contributed to the reduction in the overall
Fujitsu contract costs.
Tony
Tony R Utting To: Duncan McFadyen/e/POSTOFFICE
cc: Laury Callan/e/POSTOFFICE, Ferlinc/e/POSTOFFICE, Phil Gerrish/e/POSTOFFICE, Tony Marsh/e/POSTOFFICE
15/01/2008 16:54 Subject: Re: SALT ACTION POINTS
I think I have disposed of my action point from SALT as follows.
I have today spoken with Keith Baines The Client Manager for Fujitsu, who tells me that the proposed
reduction in requests has been agreed at EC level (Dave Miller and co) and that the business is
aware, that should we exceed the number of requests in the contract, further resources will have to be
found by the business to pay for them.
The rationale behind the decision was that it was felt that we should not pay for anything in the
contract we did not use and there was no certainty that we would reach the previously agreed
numbers.
Hope this clarifies matters
Tony U
Increased No. of Queries: 390
Increased Price: £170,000.00
Price per query: £435.90
C2 Daily Rate: £1,039.00
C2 Hourly Rate: £129.88
No. of hours per query: 3.36
Tony R Utting To: John D Cole/e/POSTOFFICE
cc:
01/07/2004 17:14 Subject: Horizon requests
John
I am sure that it is nothing to do with your team and you may not be aware, but due to problems with
Horizon MIS, we have just had our first (hopefully not of many) request to provide audit data to the
Retail Line.
We are also currently issuing 46 requests per month, which will take us past our current yearly limit
somewhere around August, so can you confirm that we will be moving to the new increased levels as
discussed recently.
Should this not be the case, then we have a serious risk that we will be unable to undertake
investigative activity where Horizon data is required for a considerable period, until we are allowed a
new set of requests.
Thanks for your help
Tony Utting
Keith K Baines To: John D Cole/e/POSTOFFICE
cc:
21/06/2004 09:14 Subject: Forest Gate & Urmston - Reported Issues
Graham C Ward To: Keith K Baines/e/POSTOFFICE
cc:
15/06/2004 12:03 Subject: Forest Gate & Urmston - Reported Issues
Keith
Further to the e mail below, Fujitsu have now finished checking all previously submitted ARQ's (only
those that have proceeded to prosecution) and have found errors (i.e. incomplete transaction/event
logs) in data supplied for another 4 offices. I am in the process of ascertaining at what stage these
prosecutions are at and the potential impact on the evidence. Hopefully, as with Forest Gate &
Urmston, we can overcome the problem with a supporting statement, but I am aware that one of the
cases has already been completed with a successful prosecution.
Regards
Graham
Casework Manager
Operations
Post Office Ltd Security
PO BOX 1
Croydon
CR9 1WN
STD Phone: GRO Fax: GRO Mobex: GRO Mobile: GRO
External Email: graham.c.ward GRO
----- Forwarded by Graham C Ward/e/POSTOFFICE on 15/06/2004 11:48 -----
Graham C Ward To: Keith K Baines/e/POSTOFFICE
cc: Dave Pardoe/e/POSTOFFICE, Utting/e/POSTOFFICE
01/06/2004 09:05 Subject: Forest Gate & Urmston
Keith
please see the e mail below from Bill Mitchell, Fujitsu Security Manager. Basically, some of the
transaction log requests we have submitted have been returned ‘incomplete’ due to human error on
their part. This could invite some criticism from Defence counsel in cases where the logs have been
used in evidence. Fujitsu are submitting ‘complete’ data with a supporting statement, so hopefully the
issue will not be a great problem.
This is forwarded to you for your information and any action you deem appropriate from a commercial
/ contractual perspective.
Regards
Graham
Casework Manager
Operations
Post Office Ltd Security
PO BOX 1
Croydon
CR9 1WN
Mitchell William <William.Mitchell@uk.fujitsu.com>
Penny +
27/05/2004 08:57
Graham,
With reference to your emails dated today 25th May, I've noted the request for statements for ARQ 137
& 138 (St Kew Highway), the linking with ARQ 231 - 233 and the court date which is scheduled for 4th
Sept 2004, I've asked Penny to contact you directly regarding these.
I've prepared the following update on the issues with ARQ for Forest Gate and Urmston, I have also
as far as is possible quantified the scale of the problem and actions we have already taken to restore
confidence in the quality of the information normally provided. The overall cause for the data being
omitted is regretfully operator error. I've detailed each FAD and corresponding ARQ below together
with an update as to the root cause.
Forest Gate: This request is split over 3 ARQ, No's 198, 199 & 200
ARQ 198 - The ARQ covers the period 14/10/02 to 13/11/2002, totalling 31 query
days. The root cause for the omission of data from this ARQ is that the retrieval was
executed as a single task with the resultant data retrieval exceeding the available 1Gb
limit of the Message Store area on the Audit Server. This forced the Audit Server to
randomly drop 11,135 data entries. A total of 10 days have been affected these dates
are:
16/10 - Partial, no end of day
17/10 - Partial, no end of day
19/10 - No data retrieved.
21/10 - Partial, no end of day
22/10 - Partial, no end of day
23/10 - Partial, no end of day
25/10 - Partial, no end of day
26/10 - No data retrieved
29/10 - No data retrieved
30/10 - Partial, no end of day
ARQ 199: The ARQ covers the period 14/11/02 to 11/12/2002, totalling 28 query days.
The root cause for the omission of data from this ARQ is when an ARQ is retrieved it
is necessary to add additional days to the end of the requested date span to ensure a
full and complete capture of the data which may have been harvested at different
times. The operator should then confirm that an end of day log off is present and
extract only the required data files. In this case the operator added two additional
days to each ARQ, which is normally sufficient, but it appears did not confirm that an
end of day log off was present, consequently an additional 235 data entries were not
included in the data extraction. The affected dates are:
ARQ 198 - 27/11/2002 - Partial, no end of day
ARQ 200: The ARQ covers the period 12/12/2002 to 08/01/2003, totalling 28 query
days. The root cause for the omission of data from this ARQ was the same as ARQ
199 above and 679 additional data entries were not included in the data extraction.
The affected dates are:
ARQ 200 - 03/01/2003 - Partial, no end of day
We are currently repeating the exercise to extract the ARQ for Forest Gate and these
will be forwarded as soon as is practicable.
Urmston: This request equates to ARQ 320 only
ARQ 320 - The ARQ covers the period of the 03/01/2003, totalling 1 query days. The
root cause for the omission of data from this ARQ was the same as ARQ 199 above
consequently an additional 235 data entries were not included in the data extraction.
The affected date is:
ARQ 320: The ARQ covers the period 03/01/2003, totalling 1 query days. The root
cause for the omission of data from this ARQ was the same as ARQ 199 and 200
above and 796 additional entries were not included in the data extraction. The
affected dates are:
ARQ 299 - 03/01/2003 - Partial, no end of day
The extraction of data for Urmston has already been repeated and dispatched to you.
This ARQ is now correct and only requires an additional statement to complete the
task.
In addition to the above we have checked the following other ARQs for which statements have been
requested. No discrepancies have been found
Ashford - ARQ 213 - 215
Borehamwood - ARQ 155 - 159, 201, 259 - 262, 278 - 281, 346 - 349
Carbis Bay - ARQ 231 - 233
Chigwell - ARQ 132
East Grimstead - ARQ 236 & 283
Eastern - ARQ 284, 253 - 283
Rimswell - ARQ 427 - 432 & 411
Ruscote - ARQ 255 & 289
City of London - ARQ 210
Kingshurst - ARQ 381 - 382
Heathway - ARQ 169
Leyton - ARQ 221 - 224
Marchington - ARQ 317 - 319
Marchmont - ARQ 238
Newport
Shobnall
- 160 - 162,193 - 229
- 228
I am out of the office tomorrow (Wednesday 26th May), but should be available on 0208 730 4561,
which will be diverted to my mobile automatically if you need to discuss the above details.
Regards
Bill Mitchell
Security Manager
Post Office Account
FUJITSU,
Forest Road, Feltham, Middlesex, TW13 7EJ
Tel:
Mob:
E-mail: william.miteh
Internal: b.
Web: http://uk.fujitsu.com
Fujitsu Services Registered in England no 96056, Registered Office 26, Finsbury Square, London, EC2A 1SL
This e-mail is only for the use of its intended recipient. Its contents are confidential and may be privileged. Fujitsu Services does not
guarantee that this e-mail has not been intercepted and amended or that it is virus-free.
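The completeness check that Bill Mitchell's message describes (pad the retrieval window past the requested span, then confirm an end of day log off for every requested day before releasing the extract), sketched as an added example. It is not Fujitsu's tooling; the record layout, the `END_OF_DAY` marker name, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed marker name; the message only says "end of day log off".
EOD_MARKER = "END_OF_DAY"

# Constructed sample store: (business_day, harvested_on, event).
# A day's records may be harvested into the archive on a later date.
D1, D2, D3, D4 = (date(2004, 1, d) for d in (5, 6, 7, 8))
SAMPLE_STORE = [
    (D1, D1, "TXN"), (D1, D1, EOD_MARKER),
    (D2, D2, "TXN"), (D2, D3, EOD_MARKER),                 # harvested one day late
    (D3, D3, "TXN"), (D3, date(2004, 1, 10), EOD_MARKER),  # harvested three days late
]


def extract(store, start, end, pad_days):
    """Retrieve by harvest date over the padded window, then keep only
    records whose business day falls inside the requested span."""
    window_end = end + timedelta(days=pad_days)
    return [
        (business_day, event)
        for business_day, harvested_on, event in store
        if start <= harvested_on <= window_end and start <= business_day <= end
    ]


def classify_days(records, start, end):
    """Return {day: status} for every day of the requested span, inclusive.
    The status strings mirror the wording used in the message."""
    events_by_day = defaultdict(list)
    for business_day, event in records:
        events_by_day[business_day].append(event)

    report = {}
    day = start
    while day <= end:
        events = events_by_day.get(day, [])
        if not events:
            report[day] = "no data retrieved"
        elif EOD_MARKER not in events:
            report[day] = "partial, no end of day"
        else:
            report[day] = "complete"
        day += timedelta(days=1)
    return report


def affected_days(report):
    """Days that must be re-extracted before the data is relied on."""
    return {day: status for day, status in report.items() if status != "complete"}


def safe_to_release(report):
    """True only when every requested day has data and an end-of-day marker."""
    return not affected_days(report)


if __name__ == "__main__":
    for pad in (2, 3):
        report = classify_days(extract(SAMPLE_STORE, D1, D3, pad), D1, D3)
        print(f"pad_days={pad}: release={safe_to_release(report)}")
        for day, status in sorted(affected_days(report).items()):
            print(f"  {day.isoformat()} - {status}")
```

With the constructed data, a two-day pad leaves the last requested day without its end of day marker, which is the case the message says the operator's padding did not catch; the per-day check flags it regardless of the pad chosen.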
Tony R Utting To: John D Cole/e/POSTOFFICE
cc: Dave Pardoe/e/POSTOFFICE, Manish Patel/e/POSTOFFICE, Tony Marsh/e/POSTOFFICE, Graham C Ward/e/POSTOFFICE
15/06/2004 09:03 Subject: Fujitsu contract changes
As discussed, there are reams of emails about this (as you can imagine). This appears to be the most
succinct.
As discussed, we have no money to pay for this.
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 15/06/2004 09:01 -----
To: David W Miller/e/POSTOFFICE
cc: S&A SMs
bcc:
Hard Copy To:
Hard Copy cc:
Date: 16/01/2003 12:38
From: Tony Marsh
Subject: Fujitsu contract changes
Dave
This refers to the reduction, without any prior reference to anyone in my team, of the number of
pre-paid audit and investigation information requests agreed in the contract from 500 to 330. I had
previously agreed with Mike Hannon that our original figure of 750 (itself reduced from a rather
comfortable 1000) could be reduced to 500 provided that our bid for funding to cover any additional
requests would be met. We have a bid in for £50k for this purpose.
With the introduction of banking and the proposal to remove the hard copy cash account facility (which
I am disposed to endorse despite resistance from both my own investigators and Legal Services
provided that the retail line agrees to enforce compliance around Horizon passwords) every
investigation, whether full or preliminary, may require access to data held by Fujitsu.
I was surprised that such a change was made without any reference to the primary stakeholder.
Provided I have your commitment that POL will meet any additional costs which may be caused as a
result of this decision however I am comfortable if this has contributed to the reduction in the overall
Fujitsu contract costs.
Tony
----- Forwarded by Tony Marsh/e/POSTOFFICE on 16/01/2003 12:17 -----
Tony R Utting To: Duncan McFadyen/e/POSTOFFICE
cc: Laury Callan/e/POSTOFFICE, Ferlinc/e/POSTOFFICE, Gerrish/e/POSTOFFICE, Marsh/e/POSTOFFICE
15/01/2005 16:54 Subject: Re: SALT ACTION POINTS
I think I have disposed of my action point from SALT as follows.
I have today spoken with Keith Baines The Client Manager for Fujitsu, who tells me that the proposed
reduction in requests has been agreed at EC level (Dave Miller and co) and that the business is
aware, that should we exceed the number of requests in the contract, further resources will have to be
found by the business to pay for them.
The rationale behind the decision was that it was felt that we should not pay for anything in the
contract we did not use and there was no certainty that we would reach the previously agreed
numbers.
Hope this clarifies matters
Tony U
Darryl Judd To: PostOfficeAccountChangeManz
cc: John D Cole/e/POSTOFFICE, Rendora/e/POSTOFFICE
28/07/2004 11:50 Subject: POLCC_FSL_CR0032_CCN - Exercising option to increase volume
of Audit Record Requests
Ken,
I have been asked to raise the attached Post Office Ltd Change Request,
POLCC_FSL_CR0032_CCN - Exercising option to increase volume of Audit Record Requests, with
Fujitsu Services Ltd with a request that a Contract Control Note (CCN) is produced to meet the work
requirement.
POLCC FSL CR0032 CCN.c POLCC FSL CR0032 CCNattt.
The change provides for the increase in the number of Audit Record Requests as per attachment.
The output required from this change will be for Fujitsu Services to provide a new annual total of Audit
Record Requests of 720, and reflected within The Agreement.
The POLtd business
addressed to him}
iries on its development should be
Please get back to me if you have any concerns or queries about this change.
Regards
Darryl Judd
Commercial Change
Post Office Ltd
IT Directorate
2nd Floor, Calthorpe House, 15-20 Phoenix Place, LONDON, WC1X 0DA
Postline: GRO STD Phone: GRO
External Email: darryl judd GRO
IT Commercial Team In Commercial Confidence
Change Request Form
Post Office Ltd Change Request Number: POLCC_FSL_CR0032_CCN
(Allocated by PSO)
Confidentiality: No
(Any constraints on access to the Change Request)
Project: N/A
(Project against which change is raised)
Change Request Title: Exercising option to increase volume of Audit Record Requests
(A few words to identify the change)
Authorised Person: Keith Baines
Originator: John Cole
Business Owner: John Cole
Date Change Request Raised: 28/07/04 Date issued to Supplier: 28/07/04
Are there any attachments to this Change Request? Yes
Summary of attachments: "Audit Record Queries" correspondence between FS/POL dated 09/06/2004
(A summary list of attached documents)
Description of Change:
(A full description of the context of the change and the required change outcome - with any business or technical detail needed to
clearly interpret it)
To increase the number of Audit Record Requests as per attached letter
Required Outputs from Change:
(Specific items to be delivered to satisfy the change requirement)
To provide a new annual total of Audit Record Requests of 720, within The Agreement.
Required Implementation Date or Release:
New totals to be available from 1st September 2004
Priority: High
(Show stopper / High / Medium / Low with supporting explanation)
Business Reason for Change Request:
(A brief description of the business reason for raising this change; identified benefits; dependencies; and impact if the change is
not implemented)
Current contractual limits are not adequate to meet mandatory requirements from PO
Security Team and Clients
CRS Reference Number: N/A
(Reference number of the initiative from the Common Radar Screen)
Business Case Title: N/A
(Title of the business case under which this change is justified)
Business Case Log Number: N/A Business Case Authority Number: N/A
Budget Holder (for any costs incurred): Keith Baines Tel.No.
Finance Analyst (for budget area): Liz McKinstry Tel.No.
Cost Centre Code (for budget area):
Urgent (Yes/No): Yes
Reason for Urgency: New limits required from 01/09/04, FS require 1 months notice to implement new limits.
Should the Change be sent to External Suppliers without Initial Sponsor / Business Assessment?
(If 'Yes' state reason why)
Suppliers impacted by change (Circle Yes / No / Not Known)
PO Ltd: Yes
Fujitsu: Yes
IBM: Yes / No / Not Known
EDS: Yes / No / Not Known
Government: Yes / No / Not Known
LINK: Yes / No / Not Known
Alliance & Leicester: Yes / No / Not Known
Streamline: Yes / No / Not Known
Royal Mail Group: Yes / No / Not Known
Prism Alliance: Yes / No / Not Known
Other (please state):
Change Request Template Page 1 of 2 Version: 1.0
In Commercial Confidence Version Date: 6th January 2004
PO Ltd Change Plan:
Will the change require a revision to the current PO Ltd Change Plan? Yes / No / Uncertain
(if yes, provide details including details of any authority)
Document(s) Affected: The Agreement
(Give full document title, reference and version number / date.)
(e.g. Product Description - NB It may not be possible to identify documents at this stage)
Change Impacts:
(Information on the potential impacts of the change to ensure that all relevant activities and dependencies are understood and
addressed - see guidelines)
* FS charges will increase by circa £100k (plus VAT) in year 2004/05, this will be covered by
other savings on other FS charges.
* There will be recurring costs of £170k, plus VAT per annum. PO Security will need to bid for
this money. (Financial Year 2005/06)
Assumptions:
(List any assumptions that have been used to document this change)
FUJITSU SERVICES
Forest Road, Feltham, Middlesex TW13 7EJ
Tel: GRO
Email: askfulitsug Web: Services fujitsu.com
9 June 2004
Our Ref: CLS/jla/549
Keith Baines
Contract Manager (FS)
Post Office Limited
Change & IS
Calthorpe House
15-20 Phoenix Place
London WC1 0DA
Dear Keith,
Audit Record Queries
At the Commercial Forum held on 28 April 2004 you asked for information on increase
costs if Post Office Ltd were to exercise the option of increasing the number of Audit
Record Queries.
Further to the update I provided to Commercial Forum held on the 26 May 2004 Office Ltd
and action point 17.07 I can confirm the following principles:
1. Fujitsu Services would be able to accommodate a “one step” increase to revised
annual limits of 720 queries or 15,000 query days, whichever is reached first;
2. Old Format Queries and New Format Queries can be included in the above revised
limits, but with the differential Target Times remaining;
3. For DWP an additional 84 queries per annum can be accommodated, equivalent to
7 queries per month with a burst rate of 10 queries per month provided the annual
total doesn’t exceed 84;
4. The increase in the Security Management Service would be £170,000 per annum.
5. A notice period of 1 month is required to establish the new limits.
At present the number of queries is counted on a calendar year basis whilst the charge is on
a financial year basis ending 31 March. I would suggest that if the change to the revised
principles are agreed the query count period be changed to a financial year basis.
All other elements comprising the Security Management Service remain unchanged.
Please let me know if you require any further information.
Yours sincerely,
Colin Lenton-Smith
Tony R Utting To: John D Cole/e/POSTOFFICE GRO
cc:
04/06/2004 13:59 Subject: Horizon data via Fujitsu
As you can see we are in a difficult position this month and if something really serious were to
happen (as happened in April) we would be in severe difficulties.
Has there been any progress on getting us extra requests etc?
Thanks
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 04/06/2004 13:57 -----
Graham C Ward To: Investigation All
cc: Tony R Utting/e/POSTOFFICE, Dave Pardoe/e/POSTOFFICE
04/06/2004 13:37 Subject: Horizon data via Fujitsu
All
Just to let you all know that we have already taken up all of our limit for this month, so no further
requests can be processed until the 01st July.
Regards
Graham
Tony R Utting To: John D Cole/e/POSTOFFICE
cc: Charles Brown/e/POSTOFFICE, Ward/e/POSTOFFICE
10/05/2004 16:35 Subject: DWP requests Horizon data
John
You may recall we spoke a couple of weeks ago regarding our limited access to Horizon data and the
pressure we are being put under to provide ever larger volumes in support of ongoing prosecutions
being undertaken by DWP.
To illustrate the point, please see below the schedule of requests we have received from DWP
investigators over the past year, which shows that they are making increasing demands on this
resource. Some of the requests are dated as 1 June as that is when we are next able to request data
under the current contract.
We discussed previously asking Fujitsu to deal with all DWP requests separately and charge for each
individually, has this been progressed at all, as there is an opportunity here to relieve some of the
current pressure and we could find that they become more reasonable in their requests if they are
charged. At present, despite our own opinions about the possible validity of what they are asking for, it
is very difficult to argue in a court of law that the data is not necessary, when the prosecuting counsel
is the person who has asked for it to be provided.
Bearing in mind the negative publicity that we and DWP regularly receive in the press, if one of these
cases were to fail because we could not, or would not provide the data as requested, then we would
be in the firing line.
Please get back to me if you need to discuss further
Thanks
Tony Utting
----- Forwarded by Tony R Utting/e/POSTOFFICE on 10/05/2004 16:26 -----
Graham C Ward To: Tony R Utting/e/POSTOFFICE
10/05/2004 14:28 Subject: DWP requests Horizon data
DWP requests.xls
Tony R Utting To: John D Cole/e/POSTOFFICE
cc: Tony Marsh/e/POSTOFFICE, Ward/e/POSTOFFICE
26/04/2004 16:05 Subject: Horizon data
Thanks for the call, now for the more difficult task of deciding how much we need to increase our
request numbers by.
You will see below some figures provided by Graham Ward from our casework team here at Croydon.
Graham manages the data requests from Fujitsu for ourselves and fends off as many as he can to
ensure that we do not go over our limits.
Estimating our requirements is difficult for a number of reasons, not least because we have asked
investigators to be selective in what they ask for due to the low number of requests we have available
to us.
Just for your information we raise something in the region of 1000 investigations each year, most of
which are never likely to get to a point whereby Horizon data becomes necessary, but potentially many
more will if we have the data available to us to examine (bearing in mind resource limitations etc).
The figures below relate to both our own and DWPs requests for this year and so far about a third of
the requests are from DWP. This has caused Graham to hold back, or refuse requests for our own
investigators and for other areas of the business.
We are also looking at the reduction in paperwork exercise currently in progress and estimate that in
the absence of some of the paper documentation we have relied upon in the past, that we will require
more data in the future in order to provide sufficient evidence to prove dishonesty. It is also possible
that the business may need to obtain audit data in order to refute claims, that transactions that have
caused errors to be raised did not take place as described in those errors.
From our experiences of the numbers of requests received from our team and the wider business we
estimate that to be sure of not hitting our limits in the future the request number should be raised to
720 per year and the number of days to 15000. This would not include the DWP requests, as they
should only have a need for data for the next year or so and so to include their requests may be an
unnecessary cost which could more easily be dealt with by taking them out of our numbers and asking
Fujitsu to deal with and charge for them separately, on an ad hoc basis.
I can't promise that the figures we have given are in any way more than a guesstimate, as we
discussed earlier but I do believe that the numbers quoted above would allow us the flexibility to
ensure that we do not have to close down cases early simply because we cannot obtain the evidence
we require.
We are of course seeking a longer term solution of having direct access to all audit data, but
understandably that will take a little longer to achieve.
Thanks for your help, it was nice to have such a positive response to a problem that has grown
steadily more of an issue in recent months
I would be happy to meet up and discuss further if you think it would be helpful
Regards
Tony Utting
Internal Crime Policy and Standards Manager
Post Office Limited
Graham C Ward To: Tony R Utting/e/POSTOFFICE
cc:
23/04/2004 16:01 Subject: Horizon data
Tony
as discussed & following the latest DWP request for 6 months data (which was originally 13 months
and may still be depending on the Judge's order), here is a forecast predicting likely numbers for the
year. If we continue at this rate we will use up all our requests within 7 months.
Thus far we have 54 requests in place totalling 694 days, 41 submitted and 13 waiting to go on the 01
May. This does not include the further 6 requests for the DWP which cover 182 more days. Adding all
these together comes to 60 requests - 876 days as of the 23/04/04.
If we continue at this rate we will be submitting approx : 952 requests this year which is 622 over the
contractual limit. We will also likely exceed the numbers of days (4620 per year), but this is more difficult
to predict as some people want 31 days per request, others just a single day.
It is difficult to predict, but I would think that exercising the clause in the contract allowing Post Office
Ltd to increase its numbers of requests, would be a sensible option at this point in time.
Regards
Graham
Casework Manager
Operations
Post Office Ltd Security
PO BOX 1
Croydon
CR9 1WN
STD Phone:
External Email: graham.
Graham C Ward To: Tony R Utting/e/POSTOFFICE
cc:
22/04/2004 16:04 Subject: Horizon data
Tony
as discussed & following the latest DWP request for 6 months data (which was originally 13 months
and may still be depending on the Judge's order), here is a forecast predicting likely numbers for the
year. If we continue at this rate we will use up all our requests within 7 months.
Thus far we have 54 requests in place totalling 694 days, 41 submitted and 13 waiting to go on the 01
May. This does not include the further 6 requests for the DWP which cover 182 more days. Adding all
these together comes to 60 requests - 876 days as of the 23/04/04.
If we continue at this rate we will be submitting approx : 952 requests this year which is 622 over the
contractual limit. We will also likely exceed the numbers of days (4620 per year), but this is more difficult
to predict as some people want 31 days per request, others just a single day.
It is difficult to predict, but I would think that exercising the clause in the contract allowing Post Office
Ltd to increase its numbers of requests, would be a sensible option at this point in time.
Regards
Graham
Casework Manager
Operations
Post Office Ltd Security
PO BOX 1
Croydon
CR9 1WN
STD Phone: Fax:
External Email: graham.c.ward@