Limit the number of staff who process requests or claims
Only allow specific types of requests or claims to be processed by staff who hold a specific user permission, skillset or position.
Why this countermeasure matters
Allowing any staff member to process any type of request or claim increases the risk of:
- staff deliberately processing fraudulent requests or claims
- staff being coerced by others into processing fraudulent requests or claims.
How to put this countermeasure in place
Some ways to implement this countermeasure include having:
- one centralised team to process international travel requests
- a small, dedicated team to manage high-value, high-risk claims
- only one centralised team with the ability to create vendors in the system.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Confirm that a specific type of request can only be allocated to a limited number of staff.
- Confirm that a specific type of user permission, skillset or position is required to process the request or claim.
- Review reports of who processes specific requests or claims.
- Undertake pressure testing or a process walk-through to confirm that requests or claims cannot be processed by staff without the required user permission, skillset or position.
- Confirm that monitoring and reporting exist, and that they will identify actions that differ from what is standard, normal or expected.
- Confirm that user permissions, skillsets or positions are reviewed regularly.
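The permission gate described under "How to put this countermeasure in place" and the checks listed above can be expressed in code. The following is an added illustration, not code from the page or from any particular claims system: the claim types, permission names, staff cap, staff directory and log lines are all constructed for the example. It shows the preventive check (a claim can only be processed by a user holding the required permission), the allocation check (no more staff hold a permission than the policy allows), and the detective review (an audit over processing records that lists who processed each claim type and flags any processing done without the required permission).

```python
from collections import defaultdict

# Hypothetical policy (assumed, not from the page): the permission a staff member
# must hold to process each claim type, and the maximum number of staff who may
# hold that permission at any one time.
REQUIRED_PERMISSION = {
    "international_travel": "travel_processor",
    "high_value_claim": "high_value_processor",
    "vendor_create": "vendor_admin",
}
MAX_STAFF_PER_TYPE = {
    "international_travel": 3,
    "high_value_claim": 2,
    "vendor_create": 2,
}

# Constructed staff directory: user -> set of permissions held.
STAFF_PERMISSIONS = {
    "alice": {"travel_processor"},
    "bob": {"high_value_processor"},
    "carol": {"vendor_admin"},
    "dave": {"general_processor"},
    "erin": {"high_value_processor", "vendor_admin"},
    "frank": {"vendor_admin"},
}


def can_process(user, claim_type, permissions=STAFF_PERMISSIONS):
    """Preventive check: True only if the user holds the permission the policy requires."""
    required = REQUIRED_PERMISSION.get(claim_type)
    if required is None:
        return False  # unknown claim type: deny by default
    return required in permissions.get(user, set())


def process_claim(user, claim_type, claim_id):
    """Enforcement point a claims system would call before marking a claim processed."""
    if not can_process(user, claim_type):
        raise PermissionError(f"{user} may not process {claim_type} claim {claim_id}")
    return f"{claim_id}: processed by {user}"


def staff_over_cap(permissions=STAFF_PERMISSIONS):
    """Allocation check: claim types whose required permission is held by more staff than allowed."""
    over = {}
    for claim_type, perm in REQUIRED_PERMISSION.items():
        holders = sorted(u for u, perms in permissions.items() if perm in perms)
        if len(holders) > MAX_STAFF_PER_TYPE[claim_type]:
            over[claim_type] = holders
    return over


# Constructed processing records: date,user,claim_type,claim_id
SAMPLE_LOG = """\
2024-03-01,alice,international_travel,T-1001
2024-03-01,dave,high_value_claim,H-2001
2024-03-02,bob,high_value_claim,H-2002
2024-03-02,carol,vendor_create,V-3001
2024-03-03,dave,vendor_create,V-3002
2024-03-03,erin,high_value_claim,H-2003
"""


def audit_log(log_text, permissions=STAFF_PERMISSIONS):
    """Detective review: list who processed each claim type and flag records where the
    processor lacked the required permission (e.g. a legacy path that bypassed the gate)."""
    violations = []
    processors = defaultdict(set)
    for line in log_text.strip().splitlines():
        date, user, claim_type, claim_id = line.split(",")
        processors[claim_type].add(user)
        if not can_process(user, claim_type, permissions):
            violations.append((date, user, claim_type, claim_id))
    return violations, {k: sorted(v) for k, v in processors.items()}


if __name__ == "__main__":
    print(process_claim("bob", "high_value_claim", "H-2099"))
    print("Over cap:", staff_over_cap())
    violations, processors = audit_log(SAMPLE_LOG)
    print("Processors by claim type:", processors)
    for v in violations:
        print("VIOLATION:", v)
```

With the constructed data, the allocation check reports that three staff hold vendor_admin against a cap of two, and the audit flags dave's two records because he holds only general_processor. A real review would run the audit over the system's processing report on a schedule and treat any violation as evidence that the gate is not being enforced.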
This type of countermeasure is supported by: