A performance audit into the integrity of the data held by the Births, Deaths and Marriages Register (BD&M) has found that while the Registry has controls in place to prevent and detect unauthorised access to its records, it was not doing enough to protect them.
In her report, Integrity of data in the Births, Deaths and Marriages Register, Auditor-General Margaret Crawford made nine recommendations aimed at strengthening BD&M’s controls to prevent and detect unauthorised access to, and activity in, the Register.
Ms Crawford said BD&M had processes in place to ensure that the information entered in the Register was accurate and that amendments to the Register were validated.
“However, there are significant gaps in these controls,” Ms Crawford said.
She said BD&M authorised access to the Register and carried out regular access reviews to ensure users were current and had the appropriate level of access.
“There are audit trails of all user activity,” she said, “but BD&M does not routinely monitor these.”
“Unauthorised access to, or misuse of, the information in the Register can lead to fraud or identity theft.
“For these reasons it is important that there are sufficient controls in place to protect the information.”
She found that at the time of the audit, BD&M also failed to monitor activity by privileged users who could make unauthorised changes to the Register.
“Not monitoring this activity created a risk that unauthorised activity in the Register would not be detected,” Ms Crawford said.
The Auditor concluded there were insufficient controls to prevent the distribution of information in the Register as well as gaps in the controls to prevent and detect unauthorised access to databases and servers.
She said that as a matter of urgency the Registry should work with the Department of Communities and Justice (DCJ) to ensure it complies with the DCJ policy on password settings.
The Auditor-General’s 25-page report can be accessed at this PS News link.