Dispose of old or unnecessary systems, records and assets
Have processes in place to properly archive or dispose of old or unnecessary:
- ICT systems
- staff position numbers and access controls
- client accounts
- assets and records
This control is supported by the National Archives of Australia's Information Management Standards and the Protective Security Policy Framework.
Why this countermeasure matters
Keeping old or unnecessary ICT systems, staff position numbers and access controls, client accounts, assets or records may allow fraudsters to:
- use old HR position numbers to make fraudulent payroll payments
- receive payments for deceased customers
- impersonate government officials
- steal surplus assets
- access and release information held in old or unused systems or hardware
- use stolen records to make fraudulent requests or claims.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- archiving information or ceasing a client identity
- disposing of documents in accordance with the relevant records authority
- making sure expired building passes are surrendered to the issuing authority
- regularly reviewing vacant HR position numbers and removing them if no longer required
- appropriately handling and destroying returned unclaimed mail
- effectively disposing of redundant ICT stock
- withdrawing access to ICT systems and resources upon separation of personnel
- withdrawing privileged access to ICT systems when no longer required
- protecting deceased client records from misuse such as by making them read-only
- protecting redundant provider/supplier accounts from misuse such as by making them read-only
- checking physical assets, such as safes and furniture, before disposal.
How to check if your countermeasures are effective
Some ways to measure the effectiveness of this type of countermeasure:
- review policies and processes to confirm that clear and consistent processes exist
- consult subject matter experts on the processes and systems to gauge their understanding of, and views on, the fraud control policies
- conduct a process walkthrough by having staff show you the archive or disposal process
- review who has access to perform archive or disposal processes
- confirm that archived records cannot be manipulated and test this if required
- analyse data or reports to confirm old or unnecessary systems, staff positions and accesses, client accounts, assets or records are being properly archived or disposed of
- review a sample of documentation to confirm compliance with policies and processes
- check if and how archive or disposal processes are reported.
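The data analysis check above (and the access review that precedes it) is the one most easily automated. The following is an added example, not part of the original page or of any agency's tooling: it reconciles a constructed HR extract against a constructed account directory export and a constructed payroll run, and flags three of the fraud opportunities listed earlier, namely accounts still enabled after separation, privileged accounts that are idle or not linked to a current person, and payroll lines paid against a vacant position number. The record layouts, field names and 90-day idle threshold are assumptions chosen for the example.

```python
"""Reconcile HR separations and vacant positions against system access and payroll.

All records below are constructed for this example. The field names, the
90-day idle window and the idea of a single 'person_id' linking the three
data sets are assumptions, not any real agency's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    position_number: str
    separation_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]  # None means not linked to anyone in HR
    enabled: bool
    privileged: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class PayrollLine:
    position_number: str
    payee_person_id: str
    amount: float


# Constructed sample data (assumption: these are extracts from HR, the
# directory and the payroll system for the same reporting period).
HR = [
    Person("P100", "POS-0001", None),
    Person("P101", "POS-0002", date(2024, 3, 31)),  # separated, long ago
    Person("P102", "POS-0003", date(2024, 6, 14)),  # separated recently
]
ACCOUNTS = [
    Account("ajones", "P100", True, True, date(2024, 7, 1)),
    Account("bsmith", "P101", True, False, date(2024, 5, 2)),   # not withdrawn
    Account("cwong", "P102", False, False, date(2024, 6, 10)),  # correctly disabled
    Account("svc-backup", None, True, True, date(2024, 1, 9)),  # privileged, unlinked, idle
]
PAYROLL = [
    PayrollLine("POS-0001", "P100", 4200.0),
    PayrollLine("POS-0002", "P999", 3900.0),  # vacant position, unknown payee
]


def current_people(hr, as_of):
    """Person IDs of everyone still employed on the as_of date."""
    return {p.person_id for p in hr
            if p.separation_date is None or p.separation_date >= as_of}


def separated_but_enabled(hr, accounts, as_of):
    """Accounts still enabled for people whose separation date has passed."""
    separated = {p.person_id for p in hr
                 if p.separation_date is not None and p.separation_date < as_of}
    return sorted(a.username for a in accounts
                  if a.enabled and a.person_id in separated)


def stale_or_unlinked_privileged(hr, accounts, as_of, max_idle_days=90):
    """Enabled privileged accounts that are idle or not tied to a current person."""
    cutoff = as_of - timedelta(days=max_idle_days)
    current = current_people(hr, as_of)
    return sorted(a.username for a in accounts
                  if a.enabled and a.privileged
                  and (a.last_login is None or a.last_login < cutoff
                       or a.person_id not in current))


def vacant_position_numbers(hr, as_of):
    """Position numbers with no current occupant on the as_of date."""
    occupied = {p.position_number for p in hr
                if p.person_id in current_people(hr, as_of)}
    return {p.position_number for p in hr} - occupied


def payroll_on_vacant_positions(hr, payroll, as_of):
    """Payroll lines paid against a vacant position or to a non-current payee."""
    vacant = vacant_position_numbers(hr, as_of)
    current = current_people(hr, as_of)
    return [line for line in payroll
            if line.position_number in vacant or line.payee_person_id not in current]


def run_checks(hr=HR, accounts=ACCOUNTS, payroll=PAYROLL, as_of=date(2024, 7, 15)):
    """Produce the reconciliation report for one reporting period."""
    return {
        "separated_but_enabled": separated_but_enabled(hr, accounts, as_of),
        "stale_or_unlinked_privileged": stale_or_unlinked_privileged(hr, accounts, as_of),
        "vacant_positions": sorted(vacant_position_numbers(hr, as_of)),
        "payroll_on_vacant_positions": [
            (line.position_number, line.payee_person_id, line.amount)
            for line in payroll_on_vacant_positions(hr, payroll, as_of)
        ],
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings}")
```

Each finding maps back to a control on this page: an entry under separated_but_enabled means access was not withdrawn on separation, a stale privileged account means privileged access was not withdrawn when no longer required, and a payroll line against a vacant position is the HR position number misuse described above. Running this on every pay cycle, and recording who reviewed the output, also gives evidence for the last two checks in the list.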
Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increases transparency and reduces the opportunity for fraud.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Provide staff with adequate training to increase the likelihood that correct and consistent processes and decisions will be applied.
Make sure requests or claims use a specific form, process or system for consistency.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.