February 2008 report to the Legislative Assembly
Made available via the Publications (Legal Deposit) Act 2004 (NT).
Northern Territory. Auditor-General's Office -- Periodicals; Finance, Public -- Northern Territory -- Accounting -- Periodicals; Northern Territory -- Appropriations and expenditures -- Periodicals
Northern Territory Auditor-General's Office
Auditor-General for the Northern Territory February 2008 Report 61

Department of Health and Community Services cont

A lack of robust physical controls increases the risk of inappropriate access to DHCS application servers (including Ascribe).

The following was recommended to the Agency:

- Implementation of a more formalised procedure for adding and modifying users in the Ascribe application. This procedure should include appropriate management authorisation, with documentation retained. This process could potentially leverage off existing processes such as E-Pass or forms used for CareSys. At a minimum, existing emails sent to the Business Analyst should be retained;
- Implementation of a mechanism where relevant system owners or delegates are notified when an employee leaves the organisation. Accounts should then be disabled as soon as possible;
- Periodic review of system accounts to determine whether access is restricted to appropriate individuals and in line with their current job function; and
- Continue to address physical access findings raised by Stanton International in July 2007.

The system owner advised agreement with the findings and indicated that the following actions to address the recommendations will be taken:

- The current clinical system access request template will be modified so that it can also be used to include requests for Ascribe access. The expanded form will include roles, responsibilities and the requirement for manager approval before an account is created. Forms will then be retained.
- They will investigate the options available to implement a mechanism to notify system administrators when an employee leaves the organisation.
- Ascribe version 9 is capable of generating a report of users and their respective roles. Proactive reviews will be initiated by the Business Analyst and performed periodically (e.g. every two months).
- Action is currently being taken to address the issues raised by Stanton International. This includes removing the PIN access and installing new swipe card locks. Swipe card access will be granted through Information and Communications Technology (ICT) services.