QUESTIONS ON DELOITTE’S “BRAMBLE” DRAFT REPORT DATED 7 OCTOBER 2016
POL00408731
POL00408731
Cond Diccingow
Section of Report
BD Question
Deloitte Response
1 1.2.1 (page 3) and
Appendix 6 (page
41)
Do some or all of the “No Relevant Exceptions Noted” comments in
section 1.2.1 need to be amended in light of the findings in Appendix
6?
2 I 1.2.1 (page 4)
In relation to the Fujitsu quote regarding access to both HNG-X
environments:
e what are the auditing controls in place?
e what does “technical controls around not being able to
change audit items” mean?
3 I 1.2.1 (page 4)
In the bullet point regarding analytics procedures, is it 18 or 20
branches?
4 I 1.2.2 (page 5)
Similar in 4.3.3,
finding 4 (page 24)
Regarding the comment:
‘The control wording is not accurate. A small number of users are
granted extended privileges which enable them to update / delete
records. However the control is operating in line with management's
expectations. Access to the privileged role is restricted to users
explicitly authorised for this access. User actions are audit logged,
and not proactively reviewed.’
e what does “in line with management's expectations” mean?
e what does not “proactively reviewed” mean and would you
expect this access to be proactively reviewed?
5 I 1.2.3 (page 7)
Regarding the comment:
‘Review of the audit settings for the Audit Server noted that the audit
policy change which relates to change of user rights was set to log
success events only, with failure not enabled.’
e would you expect this to log failures?
[DOCPROPERTY DocRef \* MERGEFORMAT I
POL-BSFF-0233196
POL00408731
POL00408731
« do we know whether this has always been the case?
6 I 2.1 (page 11) and
5.1 (page 32)
Should references to suspense accounts be deleted?
7 I 3.2.1 (pages 12
and 13)
Can references to “previous “Bramble” work” be deleted (may give
rise to waiver of privilege issues)?
8 I 4.2.1 (page 14)
Does “the level of comfort that can be gained over such controls
provides a view on the inherent risk of such errors” mean that the
more robust the controls are, the lower the risk of errors?
9 I 4.2.1 ii) a. ii) (page
15)
“The Audit Store extraction routines check for this at the point of
extraction” — what would happen if the extraction routines found an
invalid signature?
10 I 4.2.1 ili) (page 15)
Are these two tranches of data analytics work the work summarised in
Appendix 6?
11 I 4.2.3, finding 3
(page 18)
e Can we state how far back the case data goes?
e Is it 18 or 20 branches (same as point 3 above)?
12 I 4.2.3, finding 6e
(page 19)
e What is an EDAPC transaction?
¢ What does “no rollbacks or roll-forwards” mean?
e Do we know how many products this relates to?
13 I 4.3.1 b (page 22)
Is it possible to set out the “various layers of the Horizon infrastructure
[where] there exist accounts with privileged access rights..."?
If a transaction was inserted “directly onto the backend”, would that
be visible to the Subpostmaster and would it cause a discrepancy in
the branch accounts?
14 I 4.3.1 b vii) (page
22)
Have these data analytics procedures been done?
15 I 4.3.2 (page 23)
This summary table relates to Scope Area 1 not Scope Area 2 —
please provide for Scope Area 2.
[DOCPROPERTY DocRef \* MERGEFORMAT I
POL-BSFF-0233196_0001
POL00408731
POL00408731
16 I 4.3.3, finding 5 (2A) I What does “Users to not have the ability to bypass this role restriction
by running SUDO command” mean? What restriction is being
referred to?
17 I 4.4 Dii) (page 28) Which POL staff duties are segregated?
18 I 4.4 Diii) (page 28) I Can we give examples of the checks carried out by POL staff?
19 I 4.4.3 (page 31) This needs to be in landscape — please provide a complete version of
the table.
20 I Appendix 3, Ref B What does “written to standard output’ mean?
(page 36)
21 I Appendix 3,RefC I What does “There also needs to be a level of obfuscation to ensure
(page 36) that the audit mechanism is robust” mean?
22 I Appendix 6 (page Please delete reference to QC's Advice
41)
23 I Appendix 6a, This seems to be a significant number of gaps. Is that the case?
Analytic 1 What are such gaps indicative of?
24 I Appendix 6a, What are such gaps indicative of?
Analytic 2
25 I Appendix 6a, This seems to be a significant number of transactions with a quantity
Analytic 5 not equal to zero. Is that the case? What is this indicative of?
26 I Appendix 6a, What inherent system controls mean that this should not be possible?
Analytic 6
27 I Appendix 6a, As these 17 users are global users, does this mean that they did not
Analytic 7 enter these transactions remotely.
[DOCPROPERTY DocRef \* MERGEFORMAT I
POL-BSFF-0233196_0002