POL00123286 - Email thread from Dave Posnett to Ashlie Colman, Mark Dennett, Aftab Ali and others RE: FW: Fujitsu ARQ requests


POL00123286

From:
Sent:
To:

Cc: Andy Hayward
Subject: FW: Fujitsu ARQ requests
Attachment: Security Investigations Data Handling Process v1 0.doc

All... FYI.
Regards,

Dave Posnett | Accredited Financial Investigator

bill Row Wing, 148 Old St, London, EC1V 9HQ

From: Jayne Bradbury

Sent: 02 May 2014 16:27

To: Helen Dickinson; Dave Posnett

Cc: Simon I Hutchinson; Andy Hayward
Subject: Fujitsu ARQ requests

Hello,

In line with the process that was agreed by Info Sec, and our compliance to this was subject to passing the
strict PCI/ISO audit, I would like to reinforce a couple of things.

Project Sparrow, quite understandably, have used up a substantial amount of the Fujitsu allocation for disc
data. Therefore, we need to be really mindful of not adding additional costs unnecessarily. Can you please
bear in mind the following when placing any requests:-

— Fujitsu requests should only be requested if there is a case raised — we cannot order ARQ requests
for Police or other outside agencies to assist with their enquiries, this is a legislation from Info Sec at
the last PCI/ISO audit.

— We should not be requesting ARQ data to support/defend SPMR/Contract Managers i.e. supporting
transaction corrections (this is not a tool to be used as evidence to support SPMR or Contract
Managers)

— When requesting data, please ensure that you have fully investigated and understand the data
requirements prior to the request. The request must be very specific to your needs and there
should not be subsequent requests for the same enquiry. Each request is a minimum of £600, and
multiple months' data will increase this.

— You must have exhausted all other sources to obtain the data — Credence data is available for the
last 3 months, Statements can be provided with using Credence as evidence.

— If a statement is required from Fujitsu it should be requested at the time of the ARQ request.

— Special requests should only be used in exceptional circumstances and again need to be very
specific to the requirements of the enquiry. These cannot come out of the allocation and will always
incur additional costs.

Can I also remind you that when requesting data via an email, please do not include full account numbers
and PAN number in the body of an email as this is not DPA compliant — the numbers must be encrypted or
password protected.

Helen - Steve Bradshaw is really good at looking at the requests, can I suggest that Steve is the point of
contact for looking at “Special requests” prior to these being requested.

Please can you cascade this to your teams.

Kind regards

Jayne Bradbury | Security Manager