POL00396890
Royal Mail Group
Presentation For Audit Committee
IT Governance Review, September 2008
CONFIDENTIAL
Executive Summary
Scope and Approach
We have asked PwC to perform a follow-up review of the initial IT benchmarking exercise completed in May 2008, as part of their ongoing support to the IT governance and controls enhancement programme. This activity is ongoing, and we summarise key actions and progress since the May Audit Committee update. Attached is the updated IT controls benchmarking table, which highlights progress. Management assessed that the circled areas should receive our initial focus, and significant progress has been achieved in the last quarter.
PwC has independently assessed our progress in these areas through detailed interviews and review of key documentation. The
summary findings are documented below:
Summary Findings
The IT organisational structure has significantly changed since the beginning of 2008. This has positively influenced staffing and key
processes within Group Technology. Significant progress has been made in the recruitment of new staff into key positions. In the past
3 months, 41 verbal offers have been accepted, with 17 new members having already commenced employment. This does not include
the recruitment of 5 out of the 7 REMCO previously vacant positions within IT.
One of the key actions following restructuring has been to develop a more comprehensive process for capturing, managing and mitigating IT risks. This change programme is ongoing, with the key focus on embedding the new organisational structures and, where appropriate, recruiting additional key skills by Q4 2008.
The initial review of the control environment identified a number of weaknesses, which were grouped into the 4 key areas below. Recent significant initiatives that have enhanced the control environment in each of these areas are also documented:
• Access Control
- Disk encryption is being rolled out to the laptop and desktop environment. This project is expected to be completed in
October.
- Personal firewalls are being rolled out to Royal Mail laptops in a phased approach.
CONFIDENTIAL PAGE 2 Royal Mail Group
• IT Policies, Standards and Procedures
- The review of the information security policy framework and document set has been presented to the CIO and a
refresh of existing policies has been commissioned (targeted for completion by the end of September 2008).
- The roll out of a standard project methodology has been initiated with the design and communication of the Harmony
approach.
• Business Continuity and Disaster Recovery
- An application conformance project has been instigated to ensure that all critical applications adhere to a specific set
of minimum resilience standards.
- A mirroring architecture design for the data centres has been implemented, allowing for substantially increased
resilience.
- Critical batches are now covered by the key business function process, ensuring that all errors and incomplete
batches are identified and resubmitted.
• New Technology and Systems
- Tracked Plus, the roll out of hand held devices for delivery staff, has reached stage 1 of its deployment strategy.
- Discussions are underway for new web channel architecture and tech refresh strategy.
Next Steps
In addition to the completed work highlighted by PwC, there are other areas where performance improvement is being progressed.
The most significant is work underway by CSC in their service improvement “30-60-90 day” plan. This is primarily focused on service
delivery and is monitored on a regular basis through defined critical success factors. A high level overview of progress made to date is
detailed in appendix A. Further actions by priority area are listed below:
• A review of the monitoring of third parties’ SLAs against agreed Royal Mail minimum standards.
- Analysis and identification of all relevant third party contracts has substantially been completed by the commercial
delivery group within Service Delivery. In parallel an assessment of adherence to Royal Mail standards has been
initiated with findings due in Q3 2008.
• Review and possible redesign of the critical IT systems prioritisation list and agreed escalation routes. This should include a
review of the current accepted response times and system ownership.
- Alignment of change management controls with COBIT has commenced and is planned to be completed by the end of
December 08.
• The implementation of a process to assess the impact of system changes on existing systems through the introduction of a
revised Project Management Methodology.
- The first iteration of Harmony has been rolled out and is being applied across the group.
- The revised gating methodology has been completed in June and applied to the major programmes of work in August.
• The implementation of group wide data standards, including key ownership and compliance with legislative and regulatory
processes.
- Work has not yet been commenced in this area.
[Figure: IT Controls Benchmark — Compared to 14 Large UK Consumer Products and Services Companies (April and August 2008 Scores). Bar chart titled "Controls over IT activities", vertical axis "Score (0-4)". The control areas on the horizontal axis, recovered from the rotated axis labels in the scan, are: 1. IT management information; 2. IT performance management; 3. Compliance with legal requirements; 4. Security management; 5. ... access to systems (label partly illegible); 6. Security event logging; 7. Security patching; 8. Data centre security; 9. Security ... (label partly illegible); 10. Changes to existing systems; 11. Segregation of ... (label partly illegible); 12. Use of spreadsheets etc.; 13. Effective ERP strategy/solutions; 14. Support of ERP; 15. Disaster recovery/BCP; 16. Service delivery; 17. Global IT risk; 18. IT project ... (label partly illegible); 19. Third party management; 20. Data quality management; 21. Data retention; 22. Software asset management; 23. Hardware asset management; 24. Technology introduction management. Legend: circled areas are critical points of focus with some actions underway. The plotted scores are not recoverable from the scan.]
Appendix A — Service Transformation Program Achievements — April to June
Area | Achievement | Month | Done
MQ Series | WebSphere upgraded as part of Infomail implementation. | April | ✓
AS400 | Additional server introduced to improve stability for S&C applications. | May | ✓
Networks | RMG Firewalls now managed by CSC are fully backed up and added to the established 24x7 network monitoring tools. | May | ✓
Datacentre | Copenhagen: Extensive investment in Facilities (UPS, Power and Cooling) now complete, resulting in increased resilience at data centre level. | May | ✓
Servers | Copenhagen: Commissioned IBM and SUN to do complete health checks on all Unix servers (Sun complete / IBM in progress). | May | ✓
Monitoring | "Node down" alerting in place for all Unix servers (except those behind firewalls). | June | ✓
Monitoring | Project initiated to implement RCCM tool on the account - improves monitoring and reporting of many aspects of service performance. | June | ✓
Active Directory | All Domain Controllers upgraded. | June | ✓
Architecture | Review of server virtualisation opportunities. | June | ✓
Storage | HDS and NETAPP have completed full health checks of the relevant storage environments. | May | ✓
Storage | Fully resilient paths between e-Bizz servers and SAN now instated and resilient. | June | ✓
Storage | Development NETAPP storage device replaced with latest model. | June | ✓
(area illegible) | ... into Production to provide additional ... as an interim ... (text partly illegible in scan) | June | ✓
 | Manual monitoring of service introduced until automated solution available. | June | ✓
 | Proposal to RMG to reintroduce regular maintenance schedule. | June |
 | Proposal to RMG to provide additional resilience/redundancy in service. | June | ✓
Notes | Extra HDS storage capacity added at NDC/Huthwaite to allow for immediate Notes data growth. | June | ✓
Pegasus | Stabilisation — including enhancements to Application SQL, database configuration and additional memory and CPUs for SQL d/b servers. | | ✓
SAP | SAP Batch Run reduced (01:30 finish - final stage of saving of over 4 hours). | | ✓
SAP | Implemented Standard maintenance window. | | ✓
SAP | Formal review of all CRs. | | ✓
Siebel | Fix from Oracle identified and implementation planned. | | ✓
Siebel | Manual monitoring of batch introduced until automated solution available. | |
Organisation | New service management organisation introduced. | |
Change | Review and approval regime implemented, including greater Architectural support. | |
Change | Activities in place to reduce volume and frequency of changes. | |
Change | Additional approval levels required for Alert changes. | |
Change | Greater focus on addressing root cause of any failed changes. | |
Change | Imminent changes now reviewed at DSR meetings to ensure all support teams aware. | |
Change | ...ore Change Manager to join account on 30/06 to consolidate progress and provide additional coaching to off-shore Change Team. | |
Release | Forward schedule of releases now in place with visibility to RMG and CSC. | |
Release | Release (Production Integration) and Change much more closely aligned. | |
Problem | New Problem Manager appointed. | April |
Problem | 2008 RCAs and follow up actions reviewed. | |
Problem | Analysis of trends introduced. | |
Incident | Major: focus on effectiveness of notification and escalation. 3 hour limit introduced for escalation to Gavin Larkings for any Sev 1 incident. | |
DSR | DSR revamped to ensure all support teams have helicopter visibility of account service landscape each day. | |
DSR | Previous and current days' changes reviewed. | |
DSR | Status of Sev incidents updated. | |
SLA | Overview of month to date SLA performance reviewed and additional emphasis placed on at-risk services. | |
Appendix B — List of Key Documents Reviewed to Provide Benchmark Assessment
1. Information Security Review (Bearingpoint)
2. Results of Penetration Testing
3. Security Survey Parameters, Version 3, March 2008
4. AP Duplicate Payments Management Letter, 25 July 2007
5. IGF Presentation for Data forum, version 3, 13 September 2007
6. Information Management Policy vFinal, March 2008 & Information / Data Strategy Forum 10 January 2008
7. Information Security Policies, Information Security Policy Framework, Version 3, RAG status
8. Ernst & Young IT General Controls Review 2007 Presentation - 2008 Kick off Meeting 14 January 2008
9. Ernst & Young Current Update current issues - email to Paul Kelsall 8th March 2008
10. Royal Mail Group Audit 2008 - Open Items worksheet
11. Introduction to Governance, Risk & Control in Royal Mail Presentation - 19 November 2007
12. Group Technology Strategic Risk Profile, Executive Update January 2008
13. CSC - Computer Sciences corporation SAS 70, 1 January 2007 - 30 September 2007
14. Harmony Redbook, Harmony Implementation in Royal Mail Letters V 1.12, 13 APRIL 2008
15. Outsourcing SLAs
16. Technology Governance Meetings v1 28 March 2008
17. Dial Den Pictures Document
18. GT Draft Risk Register, 10 January 2008
19. Internal Audit & Risk Management Update, 20 March 2008
20. Royal Mail Group Technology Risk & Internal Control Report Year Ended 30th March 2008
21. Royal Mail Letters, Information Management Roadmap, v 1, 16th March 2007
22. RML IS-IT Strategy Data Model View V3
23. ROYAL MAIL GROUP plc, RISK & CONTROL SELF-ASSESSMENT SIGN-OFF -Year Ended 30th March 2008
24. Change Request Process_v6
25. Change Control Stats Sept 07
26. Security improvement phase 1, Security Improvement phase 2, 12 February 2008.
27. Project Delivery Framework.
28. Weekly / fortnightly reports examples.
29. PMO KPI Dashboard