POL00380823
Follow Up Review of Key System Controls in Horizon
Post Office Limited
Assurance Review
Report: AR12/050a May 2013
Internal Audit & Risk Management
Context and Objectives
The Post Office Limited (POL) network consists of approximately 11,000 branches which process client and business transactions in excess of £100 billion annually.
The majority of transactions are conducted on behalf of other parties, for example, receiving payment for domestic utility bills and paying out National Savings.
Customer transactions are captured through the Horizon electronic point of sale system in branches and transmitted to central systems (utility payment, external
banking and POL finance systems) throughout the day.
This assignment is part of a comprehensive review of all agreed recommendations raised by Internal Audit & Risk Management throughout 2012/13 and has been
agreed with the POL Audit & Risk Committee as part of the 2013/14 audit plan. This is to ascertain which items are still outstanding as the POL Internal Audit Team
takes over with effect from 1 July 2013. The specific objective of our review was to assess the degree to which the five recommended actions raised in our December
2012 ‘Review of Key System Controls in Horizon’ (report reference AR12/050) have been implemented.
Key Findings and Conclusion
Two of the five recommended actions have been implemented, or the risk of not implementing the recommendation has been accepted by the POL Risk &
Compliance Committee. Management have commenced discussions with Fujitsu to address the remaining three recommendations, which had a January 2013 target
completion date. At the time of our review these discussions were ongoing and, as such, the recommendations had not yet been fully implemented. Management
expect to have implemented these actions by 31 July 2013. The reason for the delayed implementation is that management are reliant on Fujitsu actioning the
recommendations. These three actions relate to password parameters, specifically:
Password parameters:
1. To fully align the Horizon Security Policy (the ‘Community Information Security Policy’ (CISP) with Fujitsu) with the Windows AD password parameters in place;
2. To work with Fujitsu to ensure that the process for manually changing privileged account passwords on the Oracle databases and Linux operating systems is
documented within the CISP; and
3. To continue discussion with Fujitsu to define key password parameters which should then be reviewed on a periodic basis.
Control Environment Rating: Recommended Actions Partially Implemented
Management Response
We agree with this report and its findings, and we have already begun to progress the agreed action plan within the agreed timescales. - Lesley J Sewell
Summary Findings
The summary findings from our review are noted below, showing the status of implementation of recommended actions as at 1 May 2013.
Recommendation 1
  Recommended action: Management should set out the reasons for having generic privileged accounts on Horizon and present this to the Risk & Compliance Committee ('R&CC') for review.
  Priority / owner: Priority 2 - Andy Jones
  Planned remediation date: Nov 2012
  Work performed: We reviewed the R&CC meeting minutes from 26 November 2012 to confirm the status of the action to review generic privileged accounts by the R&CC. We also reviewed Paper Fourteen - EY Management Letter Update RCC Nov 12 v2, Appendix B, and observed specific reference to the acceptance of the risk of generic privileged accounts on Horizon.
  Findings: The evidence reviewed confirmed that the risk associated with the use of generic privileged accounts was considered, and accepted, by the R&CC during the meeting which took place on 26 November 2012.
  Rating: Complete

Recommendation 2
  Recommended action: Management should set out the reasons for operating two Information Security Policies, covering Horizon and POLSAP, and present this to the Risk & Compliance Committee for review.
  Priority / owner: Priority 2 - Andy Jones
  Planned remediation date: Nov 2012
  Work performed: We reviewed the R&CC meeting minutes from 26 November 2012 to confirm the status of the action to review the use of two Information Security Policies by the R&CC. We also reviewed Paper Fourteen - EY Management Letter Update RCC Nov 12 v2, Appendix B.
  Findings: The evidence reviewed confirmed that the R&CC were satisfied that the current use of two Information Security Policies, one for Horizon and one for POLSAP, was acceptable, and hence no further action was required.
  Rating: Complete

Recommendation 3
  Recommended action: Ensure that the CISP is reviewed and changed to reflect the configuration of the password parameters detailed within Appendix A of report AR12/050.
  Priority / owner: Priority 2 - Mark Pearce
  Planned remediation date: Jan 2013
  Work performed: We reviewed the CISP with Fujitsu on screen with Mark Pearce to confirm whether it had been updated as per the recommended action.
  Findings: The CISP with Fujitsu remains inconsistent with the implemented Windows AD policy which controls Horizon logical access parameters. The Windows AD parameters currently utilised result in access lockout after 6 failed attempts, whereas the CISP refers to a lockout after 3 failed attempts.
  Rating: Ongoing - Target date July 2013

Recommendation 4
  Recommended action: Ensure that the process for manually changing privileged account passwords on the Oracle databases and Linux operating systems is documented within the CISP.
  Priority / owner: Priority 2 - Mark Pearce
  Planned remediation date: Jan 2013
  Work performed: Update obtained through discussion with Mark Pearce.
  Findings: The process for manually changing privileged account passwords on Oracle and Linux is not yet documented within the CISP, although the process of engaging with Fujitsu to implement this amendment is underway.
  Rating: Ongoing - Target date July 2013

Recommendation 5
  Recommended action: Define key password parameters to be reviewed on a periodic basis. Once defined, management should perform a review of key password parameters to ensure that the third party supplier is implementing the CISP.
  Priority / owner: Priority 2 - Mark Pearce
  Planned remediation date: Jan 2013
  Work performed: Update obtained through discussion with Mark Pearce.
  Findings: A definition of password parameters to be reviewed on a periodic basis is currently under discussion with Fujitsu. Once identified, a process will be implemented to review these parameters on a periodic basis.
  Rating: Ongoing - Target date July 2013
Agreed Actions
The following actions have been agreed with management to address the remaining open recommendations from the original report:
Password parameters
1. Continue discussion with Fujitsu and other stakeholders regarding aligning the relevant CISP “number of failed attempts before account lockout”
parameter (3 attempts) with the actual Windows AD policy implemented (6 attempts). (July 2013 - Mark Pearce) — Priority 2
2. Continue discussion with Fujitsu to ensure that the process for manually changing privileged account passwords on the Oracle databases and Linux
operating systems is documented within the CISP. (July 2013 — Mark Pearce) — Priority 2
3. Continue discussion with Fujitsu to define key password parameters to be reviewed on a periodic basis. Once defined, management should perform a
review of key password parameters to ensure that the third party supplier is implementing the CISP. (July 2013 — Mark Pearce) — Priority 2
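The periodic review described in actions 1 and 3 above amounts to comparing the parameters the CISP documents with what the Windows AD domain actually enforces. The following PowerShell is an added illustration of such a check; it is not part of the audit report and not POL or Fujitsu code. It assumes the ActiveDirectory module (RSAT) is installed and the account running it can read the domain password policy. Only the lockout threshold of 3 is taken from the report; the other CISP values in the hashtable are placeholders and would be replaced with the figures from the actual CISP.

```powershell
# Added example, not from the audit report: compare documented CISP password
# parameters against the effective Windows AD default domain password policy.
# Requires the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

# Documented CISP values. LockoutThreshold = 3 is the figure cited in the
# report; the remaining entries are placeholders and must be taken from the
# actual CISP before this check is relied upon.
$cisp = @{
    LockoutThreshold     = 3
    MinPasswordLength    = 8      # placeholder
    PasswordHistoryCount = 24     # placeholder
    ComplexityEnabled    = $true  # placeholder
}

# Effective domain-wide policy as enforced by AD.
$ad = Get-ADDefaultDomainPasswordPolicy

# One row per parameter: documented value, live value, aligned or not.
$findings = foreach ($name in $cisp.Keys) {
    $actual = $ad.$name
    [pscustomobject]@{
        Parameter = $name
        CISP      = $cisp[$name]
        WindowsAD = $actual
        Status    = if ($actual -eq $cisp[$name]) { 'Aligned' } else { 'MISMATCH' }
    }
}

$findings | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default domain policy
# for the users and groups they apply to, so they must be reviewed as well;
# privileged accounts are the usual place to find one.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength, AppliesTo |
    Format-Table -AutoSize

# Non-zero exit so a scheduled run can raise the mismatch for review.
if ($findings.Status -contains 'MISMATCH') { exit 1 }
```

Against the configuration the report describes, the LockoutThreshold row would show CISP 3 against Windows AD 6 and be flagged as a mismatch. The check is deliberately direction-neutral: it reports that document and configuration disagree, and leaves the decision of whether to tighten AD or amend the CISP to the alignment discussion with Fujitsu that the actions above describe.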
Circulation List
Susan Crichton, Legal and Compliance Director
Christopher Day, Chief Financial Officer
Kevin Gilliand, Network and Sales Director
Derek K Foster, Internal Audit & Risk Management Director, RMG
Justin Thornton, Head of Risk & Assurance, RMG
Ernst & Young, External Auditors
Andy J Jones, Quality and Standards Manager
Mark R Pearce, Head of Information Security
Lesley J Sewell, Chief Information Officer
Paula Vennells, Chief Executive
Malcolm Zack, Head of Internal Audit
Julie George, Head of Information Security