February 2008 report to the Legislative Assembly
Report to the Legislative Assembly; Reports; PublicationNT
2008
Made available via the Publications (Legal Deposit) Act 2004 (NT).
Date:2008-02
English
Northern Territory. Auditor-General's Office -- Periodicals; Finance, Public -- Northern Territory -- Accounting -- Periodicals; Northern Territory -- Appropriations and expenditures -- Periodicals
Northern Territory Auditor-General's Office
Darwin
1323-7128
Check within Publication or with content Publisher.
https://hdl.handle.net/10070/223559
https://hdl.handle.net/10070/686148
60 Auditor-General for the Northern Territory February 2008 Report

Department of Health and Community Services cont.

Improvement opportunities were noted regarding Ascribe application security management

A number of improvement opportunities were noted regarding Ascribe application security management.

Requests to create or modify a user's account were sent via email to the Business Analyst, who then created or modified the account as required. No record of these requests was retained. In addition, no formal register of who could approve Ascribe system access could be produced.

No formal mechanism was in place to notify Ascribe system administrators when an employee had left the organisation or changed roles within the organisation. In addition, an inspection of Ascribe users found that three of 37 active RDH accounts and one of nine active Gove accounts belonged to former employees.

No formal access reviews had taken place for Ascribe to determine whether access was still appropriate for each user's job function.

A review of the management and operation of application servers, performed by Stanton International in July 2007, found that interviewees were unaware of when the Cipher lock PIN code for the computer room had last been changed, or which employees had swipe-card access to the room.

Weak security processes and application controls increase the risk of inappropriate/unauthorised access to key information assets. Specific risks include:

- Without a formal record of approval regarding the creation or modification of Ascribe users, there is a risk that users could be created without appropriate approval or given access rights beyond those required for their job role. If records are not retained, then it is impossible to determine whether accounts were appropriately approved prior to creation or modification.
- If accounts are not disabled when a user leaves the organisation, there is a risk that the account could be inappropriately used before it expires.
- Without periodic access reviews, there is a risk that users who have inappropriate access rights are not detected. In addition, such reviews should also detect inappropriate use of a departed employee's account.