POL00149655 - Email chain including Mark Underwood (POL); Andrew Parsons (WBD); Tom Wechsler (POL) & Others Re: Remote access by Fujitsu

Evidence on official site

POL00149655
POL00149655

From: Mark Underwood!i

Sent: Tue 25/11/2014 2:49:35 PM (UTC)

To: Parsons, André

Ce: Tom Wechsler,

Subject: RE: Remote access - papers and plan [BD-4A.FID26231777]

Thanks Andy — I will forward on.
Mark

From: Parsons, Andrew [mailta
Sent: 25 November 2014 14:37
To: Mark Underwood1

Cc: Tom Wechsler; Patrick Bourke

Subject: RE: Remote access - papers and plan [BD-4A.FID26231777]

Mark

I'm happy with the draft paper. I haven't received any comments from Andy H — probably best to send on to FJ as
they will pick up any technical points anyway.

Kind regards
Andy

Andrew Parsons
Managing Associate

Direct: }

movie: GRO
Fax:

Follow Bond Dickinson:

www.bonddickinson.com

From: Mark Underwood! [mailto?
Sent: 20 November 2014 13:42
To: Parsons, Andrew

Cc: Tom Wechsler; Patrick Bourke
Subject: FW: Remote access - papers and plan

Hi Andy — Sorry for the delay with this, things have been a bit manic recently.

Please see the below email trail for context and a plan of action for putting this to bed. With respect to the plan
detailed in the below email, are you able to:

e Take a look at the attached papers and see if you agree with:

o The track changes I have made to your paper, which by the way I thought was excellent — particularly
the definition going forward for the question being posed.
POL00149655
POL00149655

o The Q&A in my high level bullets

¢ Could you also incorporate any changes Andy Holt may have sent you as I remember you requesting him to
do so a few weeks ago.

Then I will forward on to FJ and try and get this finalised asap.

The only additional detail I intend to include in your paper is a short reference to standard operating procedures in
branch in relation to sharing user ID’s and passwords . Though the content will be similar to the below extract, Iam
just waiting on being sent over a copy of the latest manual so will incorporate at a later stage.

The Security Operations Manual v2 from January 2008 states;

“All users of the Horizon system must never:

- log on as another person

- allow anyone else to use their User ID and password

- use an informal name, pseudonym or nickname as an identity

- continue to use Horizon or the data on it if you or they are no longer authorised to do so

- allow a User ID or password to be re-used by another person (ie, if you replace a current user with another, the new “

Many thanks

Mark

From: Mark Underwood1

Sent: 20 November 2014 10:49

To: Tom Wechsler

Cc: Patrick Bourke

Subject: Remote access - papers and plan

Hi Tom,
Note drafted to get my mind straight and to try and agree a process to push this to conclusion.
I have attached two docs:
1) A paper produced by AP with my proposed track changes. PB envisages this as the all-encompassing paper,
that going forward we can refer to in response to claims in, for example, draft CRRs of transactions

mysteriously appearing in SPMRs accounts.

2) Amuch shorter bulleted high level list of what can / cannot be done with regards to remote access. To be
used in, for example public rebuttals.

Whenever we have spoken to FJ about this issue, they seem puzzled as to why we are so concerned citing ‘data
integrity’ However I think we are now of the opinion it is a semantics issue. By ‘data integrity’ FJ are, I think, referring
to ‘audit trail’ — in that, whatever is done leaves a clear and identifiable audit trail behind it and thus — if there is no
‘remote access car’ in the branch’s data — it simply did not happen. This therefore allows us to prove the negative.

On a call — FJ confirmed they already had downloaded all the branch data available for the 150 scheme cases and
performed searches for any such ‘scars’.
POL00149655
POL00149655

As such, everything appears to be golden. We just need FJ to confirm this once and for all.
In terms of process, I would think it seems sensible to:

1) Send the attached papers to AP for his approval — particularly as I have changed his paper in parts. We also
need to incorporate any changes Andy Holt sent AP.
2) Then, with the below disclaimer (crafted by AP) — send to FJ to answer the questions posed in the attached

wrhis aren aoeanienteanaany

3) Send to SS for their approval as they are quoted as agreeing AP’s paper (or remove that reference as,
although nice to have, we don’t need their approval)
4) Finalise

Once you have digested — lets catch up
Mark

Mark Underwood
Initial Complaint and Mediation Scheme

This email and any attachments are confidential and intended for the addressee only. If you are not the named
recipient, you must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have
received this in error, please contact the sender by reply email and then delete this email from your system. Any views
or opinions expressed within this email are solely those of the sender, unless otherwise specifically stated.

POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET,
LONDON EC1V 9HQ.

Please consider the environment! Do you need to print this email?

2 only is authorised to

ble and delete any

The information in this e-m ial and may b

and any attachments is confide: be legally priv

6 SOON as pos

access this e-mail and any n
copies. Unauthorised use, dissemination, distribution, publication or c awful

Any ed to this e-mail will have been checked by us w cepts no liability for any loss or
which may be caused by sol ruses and you should carry 0 ment

number OC317661. Our reg
fhe term partner to refer to a member of

ames is open to inspection,

employee or consultant who is of equivalent standing. Our VAT registration number is GB123393627,

the LLP, ora

Bond Dickinson LLP is authorised and regulated by the Solicitors Regulation Authority
POL00149655
POL00149655

This email and any attachments are confidential and intended for the addressee only. If you are not the named recipient, you
must not use, disclose, reproduce, copy or distribute the contents of this communication. If you have received this in error,
please contact the sender by reply email and then delete this email from your system. Any views or opinions expressed within
this email are solely those of the sender, unless otherwise specifically stated.

POST OFFICE LIMITED is registered in England and Wales no 2154540. Registered Office: 148 OLD STREET, LONDON
EC1V 9HQ.