New desktop audit process to be introduced from December 2017
Over the last two years we have carried out a number of on-site User Audits, to ensure that Users are compliant with the Claims Portal User Agreement. Many of the provisions in the User Agreement are there to enhance security, prevent or inhibit unauthorised access to confidential information and to prevent fraud.
The results of these audits have proved useful in helping us and Users to understand which areas Users need to manage and adapt so that they can remain compliant with the User Agreement. In order to reach a wider User base and to conduct the audits in a way that is more convenient to Users, the next cycle of audits, which will commence in December 2017, will use a new desktop pilot audit process, after which a small sample, where necessary, will be followed up with an on-site visit.
Demystifying the audit process:
If your organisation hasn’t previously been audited, here are the primary objectives and top tips to remain compliant:
Audit Objectives and Scope
The primary objectives of the User Access audits are to:
- Identify the extent of compliance with, and departures from, the User Access provisions set out in the User Agreement;
- Prevent unauthorised users from attempting to access the Portal via legitimate users;
- Assist your organisation to comply with User Agreements by recommending any security improvements and noting any Portal Access Control issues identified.
The audit approach involves a risk-based assessment of the systems, processes and controls in place for compliance with the User Agreement, in four different areas:
- Company information and knowledge;
- Profile management;
- Data access and monitoring; and
- Third party compliance.
Top tips for remaining compliant:
Each User accessing the Portal should do so having reviewed the Portal agreement and with the relevant training required to carry out the activities they need to complete on the Portal. Further guidance on the use of the Portal can also be found in the dedicated self-service User guides on the Claims Portal website, www.claimsportal.org.uk.
Each Portal User should have their own password credentials, which must not be shared with ANY other Users.
Housekeeping – User profile updates and disabling expired Users
Where a User no longer requires access or has left the organisation, their User account details should be disabled by the Administrator.
The organisations that demonstrated the greatest audit compliance have implemented internal processes, in the form of a quarterly review, to regularly review and update their User profile(s) and, in particular, to disable access for Users who no longer require it.
Chair, Claims Portal Ltd