A Performance Audit
An Audit Report on Information Technology Services at the Health Professions Council
The Health Professions Council (Council) had a significant weakness in its data security controls that allowed at least one participating agency to view another agency’s confidential data. The Council also had weaknesses in its user access and authentication processes.
The Council had change management processes in place and implemented some processes to ensure that it administers information technology support services (ITSS) in accordance with applicable requirements. However, the Council should strengthen its processes regarding the help desk support system and contract monitoring, and it should provide guidance to agencies regarding the identification and classification of sensitive information.
The Council Had a Significant Weakness in Data Security Controls That Allowed at Least One Participating Agency to Observe Another Agency’s Confidential Information
The Council did not ensure that information in Versa was properly segregated for participating agencies. Auditors observed at least one agency that could access the confidential information of another participating agency. After auditors brought the data security weakness to its attention, the Council worked with the vendor to address it. On May 9, 2018, the vendor implemented a fix, which the Council reviewed. Auditors observed that the fix corrected the data segregation issue.
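The control whose absence this finding describes is tenant scoping: every lookup must carry the requesting agency as part of the predicate, not just the record identifier. The following is an added illustration written for this page, not code from the Council, the vendor, or the Versa application; the table layout, the agency labels and the record values are constructed, and the unscoped/scoped pair shows the weak lookup beside the hardened one together with an audit-style sweep that reports any cross-agency read.

```python
"""Tenant-scoped record access in a shared database (added example).

Constructed sample data; the 'records' table, the agency labels and the
record values are assumptions for illustration, not the Versa schema.
"""
import sqlite3

# Constructed sample: two participating agencies sharing one database.
SAMPLE_RECORDS = [
    (1, "A", "licensee-A-001"),
    (2, "A", "licensee-A-002"),
    (3, "B", "licensee-B-001"),
]


def build_db():
    """Create an in-memory database holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (id INTEGER PRIMARY KEY, agency TEXT NOT NULL, data TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_RECORDS)
    return conn


def fetch_unscoped(conn, requesting_agency, record_id):
    """Weak lookup: filters by record id only. The requesting agency is ignored,
    so any agency can read any record (the segregation failure the audit found)."""
    return conn.execute(
        "SELECT agency, data FROM records WHERE id = ?", (record_id,)
    ).fetchone()


def fetch_scoped(conn, requesting_agency, record_id):
    """Hardened lookup: the agency is part of the predicate, so another agency's
    record is indistinguishable from a record that does not exist."""
    return conn.execute(
        "SELECT agency, data FROM records WHERE id = ? AND agency = ?",
        (record_id, requesting_agency),
    ).fetchone()


def cross_tenant_leaks(conn, lookup):
    """Audit-style sweep: try every (agency, record) pair through the given lookup
    and report each case where an agency receives a record owned by a different agency.
    Returns a list of (requesting_agency, record_id, owning_agency)."""
    agencies = [row[0] for row in conn.execute("SELECT DISTINCT agency FROM records")]
    ids = [row[0] for row in conn.execute("SELECT id FROM records")]
    leaks = []
    for agency in agencies:
        for rid in ids:
            row = lookup(conn, agency, rid)
            if row is not None and row[0] != agency:
                leaks.append((agency, rid, row[0]))
    return leaks


if __name__ == "__main__":
    db = build_db()
    print("unscoped leaks:", cross_tenant_leaks(db, fetch_unscoped))
    print("scoped leaks:  ", cross_tenant_leaks(db, fetch_scoped))
```

The sweep is the same test an auditor would run by hand: log in as each agency, request every record, and confirm that nothing owned by another agency comes back. Putting the agency in the query rather than filtering the result afterwards means a forgotten check cannot leak data, because the database never returns the other agency's row in the first place.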
While the Council Had Some Policies and Processes for Account Management and Authentication, It Should Strengthen Controls to Protect Data from Unauthorized Access
The Council lacked controls to ensure that user access, user access review, and authentication were appropriate. Auditors identified (1) accounts that belonged to former employees and (2) user access that did not align with business needs. The Council had password controls appropriately configured at the Versa application and Linux server levels. However, the Council did not establish appropriate password settings for some systems. Physical access controls were adequate to protect against unauthorized access.
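The two account-management findings above, accounts belonging to former employees and access that does not match business need, are what a periodic user access review is meant to catch. The script below is an added example for this page, not a process or tool of the Council; the account records, the HR termination feed, the role names and the entitlement labels are all constructed, and the role-to-entitlement matrix is an assumed baseline that a real review would take from the agency's own job descriptions.

```python
"""Periodic user access review (added example with constructed data).

Checks the two conditions the audit names:
  (1) enabled accounts whose owner HR lists as separated, and
  (2) entitlements a user holds that their role does not require.
Field names, roles and entitlement labels are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    role: str
    entitlements: frozenset
    enabled: bool


# Constructed HR feed: employee ids whose separation has been processed.
TERMINATED_EMPLOYEE_IDS = {"E1003"}

# Constructed role matrix: the entitlements each role needs for its business function.
# A role missing from this matrix is treated as needing nothing, so all of its
# entitlements are flagged for review rather than silently accepted.
ROLE_ENTITLEMENTS = {
    "licensing-clerk": frozenset({"versa:read", "versa:update"}),
    "help-desk": frozenset({"spiceworks:tickets"}),
    "sysadmin": frozenset({"versa:read", "versa:update", "versa:admin", "linux:shell"}),
}

# Constructed account export from the directory / application.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "E1001", "licensing-clerk", frozenset({"versa:read", "versa:update"}), True),
    Account("asmith", "E1002", "help-desk", frozenset({"spiceworks:tickets", "versa:admin"}), True),
    Account("bformer", "E1003", "licensing-clerk", frozenset({"versa:read"}), True),
    Account("root-ops", "E1004", "sysadmin", frozenset({"versa:admin", "linux:shell"}), True),
    Account("cvend", "V2001", "contractor", frozenset({"versa:read"}), True),
]


def former_employee_accounts(accounts, terminated_ids):
    """Finding (1): enabled accounts whose employee id appears in the termination feed."""
    return sorted(a.username for a in accounts if a.enabled and a.employee_id in terminated_ids)


def excess_entitlements(accounts, role_matrix):
    """Finding (2): entitlements beyond what the user's role requires.
    Returns {username: sorted excess entitlements}; users with no excess are omitted."""
    result = {}
    for a in accounts:
        allowed = role_matrix.get(a.role, frozenset())
        extra = a.entitlements - allowed
        if extra:
            result[a.username] = sorted(extra)
    return result


def review(accounts=SAMPLE_ACCOUNTS, terminated_ids=TERMINATED_EMPLOYEE_IDS,
           role_matrix=ROLE_ENTITLEMENTS):
    """Run both checks and return the combined findings for the reviewer."""
    return {
        "former_employees": former_employee_accounts(accounts, terminated_ids),
        "excess_access": excess_entitlements(accounts, role_matrix),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Two design points matter for a review like this. Disabled accounts are excluded from the first check because the control of interest is whether a separated person can still authenticate, and an unknown role yields an empty allowance in the second check, so a contractor account with no documented business need shows up in the findings instead of passing by default.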
The Council implemented controls and processes governing the management of program code changes to Versa, and it ensured those processes were consistently followed.
The Council Performed Some Monitoring Related to the Contract; However, It Should Strengthen Its Processes to Include Reviewing Key Deliverables
The Council did not have formal processes in place to ensure compliance with significant contractual requirements. The Council did not monitor ticket resolution times, availability of hosted services, or statements on standards for attestation engagements.
In addition, while the Council’s statement of work contained most of the required elements in the State of Texas Contract Management Guide, it did not contain elements for monitoring the vendor for compliance with key provisions, such as provisions related to hosted services and the help desk.
The Council Provided Support Services in Accordance with Applicable Requirements; However, It Should Strengthen Its Process for Documenting and Monitoring Help Desk Tickets and Provide Guidance to Participating Agencies on User Access and Data Classification
The Council provided information technology support services (ITSS) in accordance with its memorandum of understanding with participating agencies. However, the Council did not have documented policies and procedures providing guidance to participating agencies on (1) user access levels for the network and supported applications and (2) identifying and classifying sensitive data.
In addition, auditors determined that the Council’s help desk ticket data in its Spiceworks application was not reliable. There were 167 (7.6 percent) duplicate tickets from a population of 2,210 closed tickets from September 1, 2016, through January 31, 2018. In addition, the data contained inaccurate information in key system fields.