POL00149488
Message
From:
Sent: 11/11/2014 14:55:55
To: Mark Underwood1
Subject: RE: Horizon questions
Mark
I think these are great — can we meet tomorrow though? I’m conscious that we may need to change tack on the scheme
as a whole, so keen to get low down from Belinda and, to be honest, I have a cracking headache too.
Pp
From: Mark Underwood1
Sent: 11 November 2014 13:37
To: Patrick Bourke
Subject: RE: Horizon questions
Further to the below note.
I think AP’s paper deals with the various scenarios that enable transactions to be added / injected into a Branch’s
account and what these entail (process, sign off etc). I think ours should be very high level and focus almost purely
on the audit trail that is left when such additions / injections take place.
Then, and this is why I believe FJ mean ‘audit trail’ when they talk about ‘data integrity’, it allows us to bat off any
accusation of remote access.
i.e. the logic is that — there are only 3 ways transactions can be added to a Branch’s account, such additions leave
‘identifiable scars’ that are easily searchable and thus, if any SPMR feels they have been subject to ‘remote access’ — we
can search for said ‘identifiable scars’. If they are not in the Branch’s accounts, we can categorically say this set of Branch
accounts has not had any transactions added to it by FJ or POL.
On the call FJ said they had already downloaded all the data for Branches in the scheme and performed the necessary
searches. Thus, we should already be able to say the above statement (once finessed somewhat).
If you agree, potential line of questioning for our QA below:
1. Once a transaction is recorded in a Branch’s accounts, can it be edited, manipulated or removed?
Answer: No, once a transaction is recorded in Branch by a SPMR or member of their staff, it cannot
under any circumstance be edited, manipulated or removed. That transaction, against the user ID of the
branch staff member who recorded it, will remain in the Branch accounts for ever and leave behind it a
clear and identifiable audit trail.
2. How can transactions be added to a Branch’s accounts?
Answer: Though existing transactions cannot be edited, manipulated or removed, new transactions can
be added to branch accounts, but only in the following three ways:
In Branch
TAs & TCs
Balancing Transaction Process
3. What clear and identifiable audit trail is left when Post Office employees log on to a branch terminal locally
(i.e. by being physically in a branch) and add transactions to a Branch’s accounts?
4. What clear and identifiable audit trail is left when TAs are added to a Branch’s accounts?
5. What clear and identifiable audit trail is left when TCs are added to a Branch’s accounts?
6. What clear and identifiable audit trail is left when FJ inject a new transaction into a Branch’s accounts using
the BTP?
From: Mark Underwood1
Sent: 07 November 2014 17:43
To: Patrick Bourke
Subject: RE: Horizon questions
Hi Patrick — in prep for Monday...
Below is my first stab at some words for what can / cannot be done in terms of the editing and manipulation of
transactional Branch data by FJ and POL, both remotely and on site.
It is based upon the 3 scenarios included in AP’s paper but I think focuses more on the point of regardless of what
happens to branch accounts; there is a clear audit trail left that is easily searchable by unique user and transactional IDs.
I am pretty sure FJ said this on their call and I think the audit trail bit is what FJ actually mean by data integrity — so this
may tie in with their thinking?
Attaching so much weight to the supposed audit trail, means we will of course then be asked to search the data for the
136 cases. Again, I am pretty sure on the call that FJ explicitly said that as part of their investigations, where they could
(e.g. retention periods) they already had all of the data for each of the cases and had performed such a search.
So, if this is all correct, in the one circumstance whereby the ‘balancing transaction’ was inserted, we need to establish
the audit trail it did leave and illustrate that. I am also still a bit unclear on the difference between adding a transaction and
injecting one? But that is probably due to my ignorance behind exactly how TCs work which will hopefully be cleared up
in AP’s paper.
I am not sure ‘add’ and ‘inject’ are the right words and perhaps a little more detail in terms of the process whereby the
new transactions enter the branch and their respective purposes is needed?
Whilst you ponder.....Draft words below:
Once a transaction is recorded in Branch by a SPMR or member of their staff, it cannot under any circumstance be
edited, manipulated or removed. That transaction, against the user ID of the branch staff member who recorded it,
will remain in the Branch accounts for ever and leave behind it a clear and identifiable audit trail. Though existing
transactions cannot be edited, manipulated or removed, new transactions can be added to branch accounts, but only
in the following three ways:
1) There is the capability for Post Office employees to log on to a branch terminal locally (i.e. by being physically in a
branch) using a unique user ID different to that of any branch staff. Such additional transactions, once recorded will
remain in the Branch accounts for ever and leave behind them clear and identifiable audit trails.
2) POL can add transaction acknowledgements (TA) or transaction corrections (TC) into branch accounts. TAs are used
to record transactions that have been processed in branch through other systems (e.g. the sale of Lottery products on
the Camelot terminal) and TCs correct errors made by branches. Both, once added, will remain in the Branch
accounts for ever and leave behind them clear and identifiable audit trails.
3) Balancing transactions. Where an error cannot be corrected through a TA or TC, Fujitsu can inject a new transaction
into branch accounts using the balancing transaction process. This process has only been used once since the
introduction of Horizon online, is attributed a unique transaction ID and once injected, will remain in the Branch
accounts for ever and leave behind it a clear and identifiable audit trail.
From: Patrick Bourke
Sent: 07 November 2014 11:55
To: Mark Underwood1
Subject: RE: Horizon questions
Mark
Cheers — that’s fine — I may have a tinker today and we can catch up on Monday.
And yes, your understanding is the same as mine.
P
From: Mark Underwood1
Sent: 07 November 2014 11:49
To: Patrick Bourke
Subject: RE: Horizon questions
Yep no problem — am pretty tied up today, but will make a start on it on Monday — that ok?
My current understanding is that there is no functionality that allows FJ to edit, remove or manipulate a transaction
remotely in any way. Any change takes the form of an insertion with a distinct ID that is easily identifiable in the audit
trail it leaves. — that your understanding as well?
Mark
From: Patrick Bourke
Sent: 07 November 2014 11:45
To: Mark Underwood1
Subject: Horizon questions
Hi Mark
We somehow took away the action to draft up a few plain English questions on the wretched remote access issue
following yesterday’s meeting. I think we may have done that, broadly speaking, in our heads at least.
I think we’re aiming for 2 distinct products — one is a relatively detailed paper which Andy is working on (and which I
sent you yesterday); this would be designed to be a somewhat alpha-and-omega paper which can be referred to in
future comments on CRRs etc and is part of the suite of documents designed to address the ‘thematic issues’ which
Second Sight have identified. The other is our piece, which is a more straightforward statement, with more of a
communications bent, about what it is and what it is not possible to do with Horizon when one is not using a SPMR’s
user ID. This is, I think, just capturing what Fujitsu confirmed for us yesterday and drawing on the chart you prepared in
advance of yesterday’s meeting.
I don’t want to seem as though I am palming this off on you, so shout if you can’t, but otherwise how would you feel
about doing a draft?
Best
Patrick