POL00148311 - Email from Steve Timmins to Julie George cc’d Mark Westbrook, Gareth James and others re: Progress Update

Message

From: Timmins, Steve (UK - Manchester)

Sent: 13/05/2014 12:59:02

To:

cc: s, Gareth (UK - Manchester)
Rodric Williams

Subject: Progress Update

Further to the update I provided following my call with Pete Newsome I have the following updates;

1. I have not been able to make contact with Will Russell. I have left Will a voice mail message and email
message

2. I have reviewed the documents that Dave King has provided and I need to arrange a call with Dave as
the information provided does not appear to provide the assurance which I was looking for. For
example in response to the request for the original requirements with business signoff a Non-functional
Requirements document was provided. The request was attempting to show the link between the
business requirements, where the business users signoff these requirements, through to business
signoff of the test results, for example how transactions are input and processed through the system.
Where the test scripts and results which directly relate to the requirements, including business signoff
were requested a set of technical test scripts were provided relating to the bespoke counter
infrastructure code.

I will try to contact Dave to discuss further.

Regards
Steve.

Steve Timmins
Deloitte
Direct:
www.deloitte.com

From: Timmins, Steve (UK - Manchester)

Sent: 13 May 2014 11:56

To: Julie George

Cc: Westbrook, Mark (UK - Manchester); James, Gareth (UK - Manchester); Lesley J Sewell; Rodric Williams
Subject: RE: will.russell

Julie,

Pete Newsome has just come back to me and believes between Bill Membery and Gareth Jenkins they should
be able to provide answers to the defined list of questions.

Pete confirmed that Fujitsu store all requirement definitions, signoffs and associated test scripts, results and
signoffs.

Pete also confirmed that HNG-X did not impact the requirements of the Audit Store or Branch database.
Pete believes the testing of HNG-X was undertaken solely by the Post Office and Fujitsu.
Bill Membery looks after audit information and as such has access to all the requirements and testing
information we need. Pete was confident Bill would be able to provide the information we require, but Bill will
need a few days to pull it all together.

Gareth Jenkins will be able to answer the more technical questions, but is not available until tomorrow.

Pete will come back to me later today to provide details of when Bill will be able to provide the information.
Pete will speak to Gareth tomorrow and then confirm when he can provide his responses.

Regards
Steve.

Steve Timmins
Deloitte LLP

From: Julie George
Sent: 13 May 2014 09:17
To: Timmins, Steve (UK - Manchester)
Cc: Westbrook, Mark (UK - Manchester); James, Gareth (UK - Manchester); Lesley J Sewell; Rodric Williams
Subject: RE: will.russell

1. What do Ernst and Young do to test logical access control objectives within the ISAE3402 report, and does this testing include database administrator rights to the branch database?

2. How is the sequence number allocated to each message generated by a branch — is it driven by the branch infrastructure or by a check to the next sequential number on the central server?

3. Assuming the HNG-X project did not change the Audit Store or the Branch Database need the following

4. Original Horizon system requirements catalogue/definition, which would include the requirements for the Audit store and Branch Database. Evidence of business input and signoff

5. Evidence of testing of the original Horizon system against the original requirements including business sign off

6. Statement as to whether there has ever been any changes made to the Audit Store and/or Branch Database? If changes have been made I need
   • The associated requirements and business sign off
   • The associated testing and business sign off

7. It is assumed Project HNG-X requirements catalogue/definition did not include any definition for the Audit Store or Branch Database, but it is expected that there should have been regression testing undertaken to make sure the Audit Store and Branch Database still functioned as prior to project HNG-X. Evidence required of regression testing of these areas and business signoff

8. Project HNG-X Requirements catalogue/definition. Evidence of business signoff.

9. Project HNG-X Test scripts and results, which directly relate to the requirements. Evidence of business acceptance

10. Confirmation that the HNG-X project followed the Harmony Delivery Lifecycle at a high level. Confirmation that the detailed project process followed on HNG-X could not be determined by reference to the Harmony framework?

11. Confirmation that only the Post Office and Fujitsu were involved in the definition and execution of the testing of HNG-X?

12. Confirmation that a third party, Wipro, completed an assurance exercise on the performance test approach, not an assurance exercise on the overall HNG-X test process

I have sent a request for information to Chris Taylor (who is now with Atos) and asked Dave King and Mark Pearce to
point in right direction for the information or provide the documentation.

If you are able to ‘cross off’ any of the above questions please let us know and we will not expend further time our end.
Julie

Julie George FBCS | Head of Information Security and Assurance Group

2nd Floor, 148 Old Street, London, EC1V 9HQ

From: Timmins, Steve (UK - Manchester)
Sent: 13 May 2014 09:05
To: Julie George
Subject: RE: will.russell

Julie,

Thanks for providing contact details for Will.

Would it be possible to have Will’s mobile number? I have left him a voice mail on his landline and also sent
him an email, but thought it would be worth trying his mobile number if at all possible

Many Thanks
Steve.

Steve Timmins

Senior Manager | Audit Advisory | Technology
Deloitte LLP

PO Box

feet, Manchester, M60 2AT, United Kingdom
Direct i

Mobile:

Please consider the environment before printing,

UK Futures

How can UK business drive growth?
http://www.deloitte.co.uk/ukfutures

IMPORTANT NOTICE

This communication is from Deloitte LLP, a limited liability partnership registered in England and Wales with registered number OC303675. Its registered office is 2, New Street
Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by
guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and
its member firms.

This communication contains informatio tial and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended
recipient(s), please (1) notify it.security.ulf y forwarding this email and delete all copies from your system and (2) note that disclosure, distribution, copying or
Use of this communication is strictly prohibited. Email communications cannot be guaranteed to be secure or free from error or viruses. All emails sent to or from a Deloitte UK
email account are securely archived and stored by an external supplier within the European Union.

To the extent permitted by law, Deloitte LLP does not accept any liability for use of or reliance on the contents of this email by any person save by the intended recipient(s) to
the extent agreed in a Deloitte LLP engagement contract.
Opinions, conclusions and other information in this email which have not been delivered by way of the business of Deloitte LLP are neither given nor endorsed by it.

From: Westbrook, Mark (UK - Manchester)
Sent: 13 May 2014 08:27

lodgkinson, Sean (UK - Manchester)

To: Timmins, Steve (UK -
Subject: FW: will.russell GRO

From: Julie George
Sent: 13 May 2014 08:26

To: Westbrook, Mark (UK - Manchester)

Cc: James, Gareth (UK - Manchester); Lesley J Sewell

Subject: will.russell

[Screenshot: Global Address List entry for Will Russell, Migration Principal]

Julie George FBCS | Head of Information Security and Assurance Group

EC1V 9HQ

This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient,
you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in
error, please contact the sender by reply email and then delete this email from your system. Any views or opinions
expressed within this email are solely those of the sender, unless otherwise specifically stated.

POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.
