Audit logging refers to system-generated audit trails of staff, client or third-party interactions that help with fraud investigations and deters fraud. This also includes IT audit trails. The Protective Security Policy Framework includes the government protective security policies that support this countermeasure.
Why this countermeasure matters
The prosecution must prove every element of an offence beyond reasonable doubt to convict someone. Poor or no audit logging may lead to:
- difficultly in detecting, analysing, investigating and disrupting fraudulent activity
- briefs of evidence being rejected by the Commonwealth Director of Public Prosecutions.
How to put this countermeasure in place
Some ways to implement this countermeasure include setting up audit logging by capturing information like:
- access to production systems
- changes to production data and who made the changes
- access to sensitive information
- access and use of high-risk accounts and transactions.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods.
- Confirm that audit logging is switched on.
- Confirm audit logging complies with the Australian Government Investigations Standards and other national guidelines and frameworks.
- Consult with investigators about what evidence is required.
- Review the logs to confirm they capture enough evidence to support an investigation.
- Review the logs to confirm they capture meaningful information to support detection or an investigation.
- Check the method of logging is reliable.
- Confirm and test (if required) audit logs are stored securely.
- Confirm that audit logs are available to investigators.
- Confirm that audit logs cannot be switched-off, deleted or altered, even by staff with privileged access.
- If audit logs can be altered, confirm that these actions are also logged and that copies of originals are retained.
- Confirm that audit logs are retained as per the relevant records authority.
- Conduct random and targeted reviews of audit logs.
This type of countermeasure is supported by:
Make sure requests or claims use a specific form, process or system for consistency.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Put protections in place to prevent data from being manipulated or misused.
Capture documents and other evidence for requests, claims and activities to detect, analyse, investigate and disrupt fraudulent activity.