WBON0001070 - Email from Jonathan Gribben to Mark Westbrook and Lewis Keating re: Bramble - Phase 2

From: Gribben, Jonathan
To: Westbrook, Mark
Cc: Keating, Lewis
Subject: RE: Bramble - Phase 2
Date: Thu, 19 Jan 2017 09:34:10 +0000
Importance: Normal
Inline-Images: image001.jpg; image002.png; image003.png; image004.png

Hi Mark,

Thanks for this. Understood and agreed re your para. 1 (i.e. this additional work was triggered by both issues). Re
your para. 2, we need to understand the audit store checks in relation to non-Counter transactions. As things stand
we don't really get the header / footer point so it needs to be described in more detail and then tested to see whether
(i) it actually offers some protection against errors/tampering and (ii) it is actually used in practice.

Thanks

Jonny

From: Westbrook, Mark GRO
Sent: 18 January 2017 14:12
To: Gribben, Jonathan
Cc: Keating, Lewis
Subject: RE: Bramble - Phase 2

Sorry I should have been clearer in my phrasing - I meant for my bracket to apply to the whole
sentence that preceded not just the second half.

To try and be as clear as possible - Counter transactions have integrity checking built in from initiation
to Audit Store. By contrast non-counter have no built in integrity checks from initiation through to Audit
Store, beyond the discrete control points we have started the journey of trying to understand.

Mark

Mark Westbrook

Senior Manager | Deloitte LLP

www.deloitte.co.uk

From: Gribben, Jonathan [mailto: GRO]
Sent: 18 January 2017 14:07
To: Westbrook, Mark
Cc: Keating, Lewis GRO
Subject: RE: Bramble - Phase 2

GRO

Thanks Mark.

I think that the trigger for this additional piece of work was non-Counter transactions being more vulnerable to
tampering once on the BRDB, but I'll discuss with Andy to clarify. I'll also speak to him about the controls when pulled
from the audit store piece, as I recall that we didn’t think this was covered in the original report.

Noted re the SOW.

Thanks

Jonny

Jonathan Gribben

Managing Associate
Bond Dickinson LLP

www.bonddickinson.com

From: Westbrook, Mark (UK - Manchester) [mailto:
Sent: 18 January 2017 13:59
To: Gribben, Jonathan
Cc: Keating, Lewis
Subject: RE: Bramble - Phase 2

Hi Jonny,

Yes that is our understanding - they follow the same data flow from that point on as counter initiated
transactions, but they don’t have the protection of JSNs etc, meaning they are more vulnerable to
tampering once on the BRDB and in the process flows beforehand (which I believe was the trigger
behind this additional piece of work).

I don’t think Phase 2 will cover the controls when pulled from the audit store as there is no difference
to counter initiated transactions in that regard (i.e. we’ve already looked at this).

We haven't issued the summary of the call yet, but will do shortly (and will include you on the
distribution). I’m hoping the SOW will be signed first, before we start releasing any documentation.....

Thanks,

Mark

Mark Westbrook

Senior Manager | Deloitte LLP

deloitte.co.uk

From: Gribben, Jonathan [mailto:
Sent: 18 January 2017 13:52
To: Westbrook, Mark
Cc: Keating, Lewis GRO
Subject: Bramble - Phase 2

Hi Mark,

Thanks for dealing with my question about what happens to non-Counter transactions after TAs are accepted in
branch on the call yesterday. Just so that I am clear, are we saying that from this point non-Counter transactions are
dealt with in the same way as Counter transactions (save that non-Counter transactions don’t have JSNs)? Further,
am I right in thinking that Phase 2 will cover the controls and checks that apply when non-Counter transaction records
are pulled from the audit store? I know you mentioned that the headers and footers in the interface files are apparently
checked at that point.

Also, would you mind copying me in on any emails with Fujitsu, particularly the attendance note/action plan from
yesterday's call, so that I’m in the loop?

Thanks

Jonny

Jonathan Gribben
Managing Associate
Bond Dickinson LLP

www.bonddickinson.com
