Queensland Audit Office

Technological advances now enable departments to use a range of services that combine into wider technology ecosystems. Departments extend their internal information technology (IT) services to link with external systems, and external partners connect to internal systems. For example, a department may expose an application programming interface (API) so that vendor invoices are processed automatically.

Extending into a technology ecosystem increases exposure to threats such as leakage of sensitive information and compromise of the confidentiality, integrity and availability of IT systems. This may lead to material misstatements in the financial statements, identity theft, reputational damage and financial loss through fraud.

Why do we need to secure our IT systems?

Departments’ IT systems store sensitive and critical information. This includes personally identifiable information about Queensland citizens, government employees and vendors/suppliers, as well as confidential contracts, health records, student data and criminal history, for example.

The impact of a security breach of sensitive and critical data can be catastrophic and can include loss of public confidence and trust. Threats to sensitive and critical data can come from sources external to an entity or internal to it (for example, employees, contractors and service providers). It is therefore important to keep security policies, procedures and standards up to date and to have robust systems that mitigate the risks of unauthorised access, data loss and IT security breaches. In this article, we discuss one of these key areas: user access management.

What are key controls in managing user access?

Managing user access levels plays an important part in securing IT services. It covers the following areas.

Establish user authentication

Entities should implement strong password requirements and two-factor authentication that are consistent with the sensitivity and criticality of the systems. Setting password complexity requirements through system configuration does not by itself stop users from choosing passwords such as ‘Welcome01’ or ‘Password1234’: these satisfy typical length and character-class rules but are among the first an attacker will guess. Attackers are often able to breach IT systems with simple techniques such as guessing common passwords. Users need to be regularly trained in choosing strong passwords, and systems should reject passwords that appear on lists of common or previously breached passwords.
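The gap described above can be made concrete. The following Python is an added example, not code from the Queensland Audit Office or from any particular system: it applies a typical configured complexity rule (assumed here to be a minimum of 8 characters and three of four character classes) and, separately, a denylist check against a small constructed list of common passwords. ‘Welcome01’ and ‘Password1234’ pass the first control and are caught only by the second.

```python
"""Added example (not from the Queensland Audit Office article): a configured
complexity policy accepts 'Welcome01' and 'Password1234'; a denylist of
common/breached passwords rejects them. The denylist below is a constructed
sample (real deployments load a large breached-password corpus) and the
policy thresholds are assumptions."""
import re

# Constructed sample denylist, lower-case base words only.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "welcome", "welcome1",
    "qwerty", "letmein", "admin", "summer2023", "changeme",
}

MIN_LENGTH = 8  # assumed policy minimum

# Leet-speak substitutions users bolt onto a dictionary word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s", "!": "i"})


def meets_complexity_policy(password: str) -> bool:
    """The 'system configuration' rule: minimum length plus at least three of
    lower, upper, digit, symbol. This is all most directory/application
    password settings can express."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return sum(1 for c in classes if c) >= 3


def _normalise(password: str) -> str:
    """Reduce a password to the base word a user started from: lower-case,
    strip the trailing digits/punctuation, then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[\d!@#$%^&*._\-]+$", "", base)
    return base.translate(_LEET)


def is_denylisted(password: str) -> bool:
    """True when the password, or the base word it was built from, is common."""
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or _normalise(lowered) in COMMON_PASSWORDS


def evaluate_password(password: str) -> dict:
    """Report what each control says so the gap between them is visible."""
    complexity_ok = meets_complexity_policy(password)
    denylisted = is_denylisted(password)
    return {
        "complexity_ok": complexity_ok,
        "denylisted": denylisted,
        "accepted": complexity_ok and not denylisted,
    }


if __name__ == "__main__":
    for pw in ["Welcome01", "Password1234", "P@ssw0rd!", "Tr0ub4dor&3", "short1A"]:
        print(f"{pw!r:16} {evaluate_password(pw)}")
```

Running the block shows ‘Welcome01’, ‘Password1234’ and ‘P@ssw0rd!’ all reported as `complexity_ok` but `denylisted`, so only the combination of both controls rejects them. The normalisation step matters: without it, a denylist containing ‘welcome’ would not catch ‘Welcome01’.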

Adopt the principle of least privilege

Entities should ensure that each user’s access rights are limited to what their day-to-day job responsibilities require.

Provision of user access

Entities should only process system access requests that have been approved by an authorised officer who understands the level of access they are approving.

Periodically review user accounts

Entities should ensure that authorised officers regularly review user access levels to confirm they remain appropriate, taking into account changes in role, including temporary higher duties.

Revoke user access

Entities must promptly remove user access when it is no longer needed, in particular when employees leave the organisation or return from higher duties.
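The review and revocation steps above are usually performed by reconciling a system’s account export against the HR roster. The following Python is an added example, not code from the Queensland Audit Office or from any particular finance system: it compares constructed account and HR data against an assumed role-to-entitlement baseline and produces the findings an authorised officer would act on, separating items that need immediate revocation (leavers, expired higher duties) from items that need a decision (excess privilege, dormant and orphan accounts). The 90-day dormancy threshold, role names and entitlement names are assumptions.

```python
"""Added example (not part of the Queensland Audit Office article): a periodic
user access review that reconciles system accounts against the HR roster and
a role-to-entitlement baseline. All data is constructed; the dormancy
threshold and the baseline are assumptions."""
from datetime import date, timedelta

REVIEW_DATE = date(2024, 3, 31)
DORMANT_AFTER = timedelta(days=90)  # assumed threshold

# Assumed baseline: the entitlements each role needs day to day (least privilege).
ROLE_BASELINE = {
    "ap_clerk": {"ap_invoice_entry"},
    "ap_supervisor": {"ap_invoice_entry", "ap_invoice_approve"},
    "finance_manager": {"ap_invoice_approve", "vendor_master_edit", "gl_post"},
}

# Constructed HR feed: status, substantive role, and any acting role with its end date.
HR_ROSTER = {
    "E100": {"status": "active", "role": "ap_clerk", "acting_role": None, "acting_until": None},
    "E101": {"status": "active", "role": "ap_clerk", "acting_role": "ap_supervisor",
             "acting_until": date(2024, 2, 29)},
    "E102": {"status": "terminated", "role": "finance_manager", "acting_role": None, "acting_until": None},
    "E103": {"status": "active", "role": "ap_supervisor", "acting_role": None, "acting_until": None},
}

# Constructed account export from the finance system.
SYSTEM_ACCOUNTS = [
    {"user": "jsmith", "employee_id": "E100", "enabled": True,
     "entitlements": {"ap_invoice_entry"}, "last_login": date(2024, 3, 28)},
    {"user": "alee", "employee_id": "E101", "enabled": True,
     "entitlements": {"ap_invoice_entry", "ap_invoice_approve"}, "last_login": date(2024, 3, 25)},
    {"user": "mjones", "employee_id": "E102", "enabled": True,
     "entitlements": {"ap_invoice_approve", "vendor_master_edit", "gl_post"}, "last_login": date(2024, 1, 10)},
    {"user": "rkhan", "employee_id": "E103", "enabled": True,
     "entitlements": {"ap_invoice_entry", "ap_invoice_approve", "vendor_master_edit"},
     "last_login": date(2023, 11, 2)},
    {"user": "svc_legacy", "employee_id": None, "enabled": True,
     "entitlements": {"gl_post"}, "last_login": date(2024, 3, 30)},
]


def expected_entitlements(hr: dict, as_of: date) -> set:
    """Entitlements the person should hold on the review date: their substantive
    role, plus an acting role only while the higher-duties period is current."""
    allowed = set(ROLE_BASELINE.get(hr["role"], set()))
    if hr["acting_role"] and hr["acting_until"] and hr["acting_until"] >= as_of:
        allowed |= ROLE_BASELINE.get(hr["acting_role"], set())
    return allowed


def review_access(accounts, roster, as_of=REVIEW_DATE):
    """Return (user, finding, detail) tuples. REVOKE_* findings need action now;
    REVIEW_* findings need an authorised officer's decision."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        hr = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if hr is None:
            findings.append((acct["user"], "REVIEW_orphan", "no matching HR record"))
            continue
        if hr["status"] != "active":
            findings.append((acct["user"], "REVOKE_leaver", f"HR status is {hr['status']}"))
            continue
        excess = acct["entitlements"] - expected_entitlements(hr, as_of)
        if excess:
            # Excess that is exactly the expired acting role's entitlements is a
            # clear revocation; anything else needs a human decision.
            acting_ended = bool(hr["acting_until"]) and hr["acting_until"] < as_of
            from_acting = excess <= ROLE_BASELINE.get(hr["acting_role"], set())
            kind = "REVOKE_higher_duties_ended" if acting_ended and from_acting else "REVIEW_excess_privilege"
            findings.append((acct["user"], kind, f"beyond role baseline: {sorted(excess)}"))
        if as_of - acct["last_login"] > DORMANT_AFTER:
            findings.append((acct["user"], "REVIEW_dormant", f"last login {acct['last_login']}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(SYSTEM_ACCOUNTS, HR_ROSTER):
        print(f"{user:12} {kind:28} {detail}")
```

In the constructed data this reports `alee` (acting supervisor period ended 29 February, approval right still held), `mjones` (terminated but account enabled), `rkhan` (vendor master access beyond the supervisor baseline, and no login for 150 days) and `svc_legacy` (no owner in HR). Orphan and service accounts are worth calling out because they are the ones that quietly outlive every joiner/mover/leaver process.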

Enable audit logging

Entities should use audit logging to record sensitive or critical activities, capturing who performed the activity, what was done, when and from where, so that the record can later be reviewed.

Monitor and review audit logs

Entities should monitor and review audit log reports for sensitive transactions and use of privileged accounts to confirm that these are authorised activities.
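One way to turn the logging and monitoring steps above into a repeatable check is to parse the audit log, pick out privileged-account use and sensitive transactions, and match each against the approvals an authorised officer has recorded. The following Python is an added example, not code from the Queensland Audit Office or from any particular system: the `key=value` log format, the privileged account names, the payment threshold and the approval records are all assumptions, and the log lines are constructed.

```python
"""Added example (not from the Queensland Audit Office article): review an
audit log for privileged-account use and sensitive transactions and report
those without a matching approval. Log lines, account lists, threshold and
approvals are constructed assumptions."""
from datetime import datetime
import re

PRIVILEGED_ACCOUNTS = {"sysadmin", "svc_deploy"}        # assumed
SENSITIVE_ACTIONS = {"vendor_bank_change", "grant_role"}  # assumed
PAYMENT_THRESHOLD = 50_000                               # assumed: payments at or above need sign-off

# Constructed audit log in an assumed "timestamp key=value ..." format.
AUDIT_LOG = """\
2024-03-04T09:12:01 user=alee action=invoice_entry target=INV-2291 amount=1200 src=10.1.4.22
2024-03-04T09:40:17 user=rkhan action=vendor_bank_change target=VEND-0412 src=10.1.4.30
2024-03-04T22:05:44 user=sysadmin action=grant_role target=svc_deploy role=gl_post src=10.1.9.5
2024-03-05T10:15:09 user=rkhan action=payment_release target=PAY-7781 amount=86000 src=10.1.4.30
2024-03-05T10:16:30 user=rkhan action=payment_release target=PAY-7782 amount=900 src=10.1.4.30
2024-03-06T03:11:02 user=sysadmin action=config_change target=approval_limit src=203.0.113.8
"""

# Constructed approvals: what an authorised officer signed off, and the window it covers.
APPROVALS = [
    {"user": "rkhan", "action": "vendor_bank_change", "target": "VEND-0412",
     "start": datetime(2024, 3, 4, 9, 0), "end": datetime(2024, 3, 4, 17, 0)},
    {"user": "sysadmin", "action": "grant_role", "target": "svc_deploy",
     "start": datetime(2024, 3, 4, 22, 0), "end": datetime(2024, 3, 4, 23, 0)},
]

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line: str):
    """Turn one log line into a dict; unparseable lines return None rather than
    silently vanishing, so the caller can count them."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group(1))
    if "amount" in fields:
        fields["amount"] = int(fields["amount"])
    return fields


def is_approved(ev: dict) -> bool:
    """An event is approved only if user, action, target and time window all match."""
    return any(a["user"] == ev["user"] and a["action"] == ev["action"]
               and a["target"] == ev["target"] and a["start"] <= ev["ts"] <= a["end"]
               for a in APPROVALS)


def review_log(text: str):
    """Return the exception report: (timestamp, user, action, target, reason)
    for every privileged or sensitive event with no matching approval."""
    exceptions = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        privileged = ev["user"] in PRIVILEGED_ACCOUNTS
        sensitive = ev["action"] in SENSITIVE_ACTIONS or ev.get("amount", 0) >= PAYMENT_THRESHOLD
        if not (privileged or sensitive):
            continue  # routine activity stays in the log but not in the report
        if is_approved(ev):
            continue
        reason = "privileged account use" if privileged else "sensitive transaction"
        exceptions.append((ev["ts"].isoformat(), ev["user"], ev["action"], ev["target"],
                           f"{reason} without matching approval (src {ev.get('src', '?')})"))
    return exceptions


if __name__ == "__main__":
    for row in review_log(AUDIT_LOG):
        print(" | ".join(row))
```

On the constructed log this leaves two items for the reviewer: the $86,000 payment release with no recorded approval, and a privileged configuration change at 03:11 from an address outside the internal range. The two approved events (the vendor bank change and the role grant inside its change window) drop out, which is the point of matching on time window as well as on user and target: the same role grant at 02:00 the next morning would be reported.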

Finally, it is important to understand that securing your system is the responsibility of everyone in the organisation. Security is like a chain—one weak link can disrupt the integrity of the whole chain. So, communicate and enforce the responsibilities of users, security administrators, and system owners for maintaining effective system access controls.
