Confirm identity using evidence
Make sure to confirm the identity (an attribute or set of attributes that uniquely describe a subject within a given context) of the person making the request or claim using evidence. This control is supported by the National Identity Proofing Guidelines and the Trusted Digital Identity Framework.
Why this countermeasure matters
Whole-of-Government policies require a high level of confidence in the identity of a customer when providing government services and payments. Lack of identity confirmation for claims or requests can lead to fraudsters:
- impersonating customers or third parties to receive fraudulent payments or gain access to information
- providing false or misleading information or stolen evidence of identity to support a request or claim
- using false identities to receive fraudulent payments or gain access to information.
How to put this countermeasure in place
Some ways to implement this countermeasure include requiring:
- policies, rules, processes and systems to make sure only known, authorised people gain access to networks, systems and information
- all program applicants to provide certified copies of primary and secondary identification (passport, birth certificates, driver's licences) – verify these using Identity Matching Services (DVS and FVS)
- the use of myGovID to confirm an individual’s identity online
- the use of Relationship Authorisation Manager to confirm the identity of someone acting on behalf of a business online
- entry level checks to confirm the identity of staff and contractors
- service providers to provide evidence of the identity of all company directors.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Review identity confirmation controls and policies to see if they conform to legislation and the National Identity Proofing Guidelines.
- Confirm the existence of reference and guidance material.
- Confirm processes are consistently applied both within channels and across channels.
- Check how evidence of identity is verified.
- Review a sample of completed claims to confirm correct processes were undertaken.
- Ask staff about the identity processes and systems to make sure they have a consistent and correct understanding.
- Undertake pressure testing or a process walk-through to confirm that someone cannot get around processes.
- Identify how the requirements are communicated to staff, customers and third parties.
- Review identified cases of fraud involving the use of a false or stolen identity.
This type of countermeasure is supported by: