POL00122928
From: Christopher G Knight
Sent: Tue 08/10/2013 4:25:15 PM (UTC)
To:
Cc:
Subject: RE: PCI Audit
Attachment: Security Investigations Data Handling Process v1 0.doc.
Rob / Dave,
I have attached the ARQ process written by Moyn. The PCI audit in the main was dealing with the storage of Credit
Card information. We explained from the beginning we rarely had that info in our data.
The concerns focused on the data / discs, how they are distributed, where they are stored and when / how they are
destroyed. A robust audit trail.
The audit was conducted in Bolton. I do not know the results.
I don’t recall anything about Investigators requesting discs for other people. As I say my involvement was merely to
add the Investigator’s use of ARQ discs.
Regards,
Christopher Knight | Security Manager
rs, Chesterfield S49 1PF
christopher.g.knigh'
From: Rob King
Sent: 08 October 2013 10:18
To: Christopher G Knight
Subject: FW: PCI Audit
Hello Chris,
Can you shed some light on this please
Thanks
Rob
From: Andrew Wise
Sent: 08 October 2013 10:17
To: Rob King
Cc: Jayne Bradbury; Andy Hayward; Dave Posnett; Elaine Spencer; Helen Dickinson; Andrew Daley; Christopher G
Knight
Subject: RE: PCI Audit
Hi Rob,
It was Chris Knight and Dave Pardoe who were involved on the day of the audit not myself so I am not sure what was
discussed and I have not seen any process come from this.
Regards
Andrew
Andrew Wise | Security Manager
4th Floor, 120 Bark St, Bolton, BL1 2AX
andrew.wisel
Post Office stories
@postofficenews
From: Rob King
Sent: 08 October 2013 10:05
To: Andrew Wise
Cc: Jayne Bradbury; Andy Hayward; Dave Posnett; Elaine Spencer; Helen Dickinson; Andrew Daley
Subject: FW: PCI Audit
Andrew,
To avoid confusion, and to seek clarification, could you advise what was agreed at the recent PCI audit and is there a
memo or guide outlining who should be doing what ie Case File management/Security Managers. I understand a date
has been set for the Case file management workshop; any ambiguity in respect of this or other issues can be sorted
then.
Regards
Rob
From: Dave Z Wood
Sent: 07 October 2013 19:03
To: Dave Posnett; Post Office Security; Rob King; Dave Pardoe; Mark Dinsdale
Cc: Jayne Bradbury; Elaine Spencer
Subject: RE: PCI Audit
Dave, in the absence of Dave P, I will chase as not exactly sure of the answer myself.
Regards
Dave Wood | Senior Security Programme Manager
Grapevine, Bradford
Post Office stories
@postofficenews
From: Dave Posnett
Sent: 07 October 2013 18:26
To: Post Office Security; Rob King; Dave Pardoe; Dave Z Wood; Mark Dinsdale
Subject: FW: PCI Audit
All,
As per previous email.
Regards,
Dave Posnett | Accredited Financial Investigator
Security Team,
2nd Floor Banner Wing, 148 Old St, London, EC1V 9HQ
Postlit
dave.posneti
From: Dave Posnett
Sent: 26 September 2013 11:37
Rob/Dave,
I believe the PCI audit was conducted recently and one possibility moving forwards is that any external
requests for Fujitsu data must come through an Investigator ... and the Investigator engages with the
requestor, assesses the request, submits the request, receives the data, supplies it to the requestor, etc.
Not sure if I’m getting the wrong end of the stick here, but if this is the case then I must say I do not agree
with it. Whilst it may provide a better audit trail and probity for PCI purposes, I really don’t think
Investigators should be embroiled in this process ... it will create more work (especially in view of unfilled
vacancies), isn’t part of their usual remit and is/has traditionally been a Casework Team responsibility.
Unless things have changed, the Casework Team also manage the Fujitsu contract and relationship within
Security (i.e. we have a quota of data requests per year, a quota of witness statements, and a quota of
court attendance). It seems like an additional middle-man approach may be being considered here.
For info, I still get requests from LEAs and others (as do probably others in the team) and supply them with
the associated contacts in Casework and indicate they should submit a DPA request.
Apologies if I’m wrong in my understanding, but I wanted to raise my views before anything was set in
stone.
Regards,
Dave Posnett | Accredited Financial Investigator
1g, 148 Old St, London, EC1V 9HQ