Properly dispose of old or unnecessary systems, records and assets
Have processes in place to properly archive or dispose of old or unnecessary:
- ICT systems
- staff position numbers and access controls
- client accounts
Why this countermeasure matters
Keeping old or unnecessary ICT systems, staff position numbers and access controls, client accounts, assets or records may allow fraudsters to:
- use old HR position numbers to make fraudulent payroll payments
- receive payments for deceased customers
- impersonate government officials
- steal surplus assets
- access and release information held in old or unused systems or hardware
- use stolen records to make fraudulent requests or claims.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- archiving information or ceasing a client identity
- disposing of documents in accordance with the relevant records authority
- making sure expired building passes are surrendered to the issuing authority
- regularly reviewing vacant HR position numbers and removing them if no longer required
- appropriately handling and destroying returned unclaimed mail
- effectively disposing of redundant ICT stock
- withdrawing access to ICT systems and resources upon separation of personnel
- withdrawing privileged access to ICT systems when no longer required
- protecting deceased client records from misuse, such as by making them read-only
- protecting redundant provider/supplier accounts from misuse, such as by making them read-only.
How do I know if my countermeasures are effective?
Measure the effectiveness of this countermeasure by using the following methods:
- Review policies and processes to confirm that clear and consistent processes exist.
- Consult subject matter experts on processes and systems to evaluate their understanding and thoughts about fraud control policies.
- Conduct a process walkthrough by having staff show you the archive or disposal process.
- Review who has access to perform archive or disposal processes.
- Confirm that archived records cannot be manipulated and test this if required.
- Analyse data or reports to confirm old or unnecessary systems, staff positions and accesses, client accounts, assets or records are being properly archived or disposed of.
- Review a sample of documentation to confirm compliance with policies and processes.
- Check if and how archive or disposal processes are reported.