Protect your data from being lost or stolen
Summary
Make sure sensitive or official information cannot leave your entity's network without authority or detection.
The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information. Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale of a potential breach.
Why this countermeasure matters
Allowing data to leave your entity's network without authority or detection can lead to staff or contractors:
- publicly releasing official, sensitive or classified information
- providing sensitive or classified information to others for dishonest gain, such as helping a company win a government contract
- selling sensitive or classified information to criminals and scammers
- using sensitive or classified information to commit fraud themselves.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- scanning emails sent to or from external email addresses and setting aside any that contain sensitive information for further checks
- limiting access to collaboration websites that enable documents to be uploaded
- controlling access to supporting ICT systems, networks (including remote access), infrastructure and applications
- controlling the use of removable storage media and unapproved connected devices
- applying network management practices and procedures to identify and address network structure or configuration vulnerabilities
- using encryption, particularly when transferring information
- adhering to the requirements under the Protective Security Policy Framework
- referring to guidelines in the Australian Government Information Security Manual and the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents.
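The first item above, scanning outbound email and setting aside anything that carries sensitive information, can be illustrated with a small outbound-mail check. The code below is an added example written for this page, not a tool from the Protective Security Policy Framework or any entity's own system. It assumes a hypothetical internal mail domain (`example.gov.au`), that sensitive content is identifiable by the PSPF protective markings appearing in the subject, body text or attachment names, and that a message addressed to any external domain while carrying a marking should be quarantined for review rather than delivered. The sample messages are constructed, not real traffic.

```python
"""Outbound email check: quarantine messages that leave the entity's domain
while carrying a protective marking. Added example; assumptions noted inline."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumption: the entity's own mail domain (hypothetical).
INTERNAL_DOMAINS = {"example.gov.au"}

# PSPF protective markings, listed highest first so "TOP SECRET" is reported
# rather than the inner "SECRET". Matching is case-sensitive because markings
# are applied in upper case; this avoids flagging casual words such as "secret".
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|PROTECTED|OFFICIAL:\s*Sensitive)\b")


@dataclass
class Verdict:
    external: list[str] = field(default_factory=list)  # recipients outside our domains
    markings: list[str] = field(default_factory=list)  # distinct markings found
    action: str = "deliver"                            # "deliver" or "quarantine"


def external_recipients(msg: Message) -> list[str]:
    """Return every To/Cc/Bcc address whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    out = []
    for _, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def text_parts(msg: Message):
    """Yield the subject, every text body and every attachment filename."""
    yield msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            yield filename
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def scan(raw: str) -> Verdict:
    """Parse one raw RFC 822 message and decide whether it may leave the network."""
    msg = message_from_string(raw)
    verdict = Verdict(external=external_recipients(msg))
    for text in text_parts(msg):
        for match in MARKING_RE.finditer(text):
            label = re.sub(r"\s+", " ", match.group(1))
            if label not in verdict.markings:
                verdict.markings.append(label)
    # Internal-only mail may carry markings; marked mail to any outside
    # address is set aside for a human check instead of being delivered.
    if verdict.external and verdict.markings:
        verdict.action = "quarantine"
    return verdict


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = (
    "From: alice@example.gov.au\r\nTo: bob@example.gov.au\r\n"
    "Subject: PROTECTED - draft brief\r\n\r\nAttached is the PROTECTED draft.\r\n"
)
SAMPLE_LEAK = (
    "From: alice@example.gov.au\r\n"
    "To: Bob <bob@example.gov.au>, contact@external-mail.example\r\n"
    "Subject: tender notes\r\n\r\n"
    "OFFICIAL: Sensitive\r\nPricing schedule for the tender is below.\r\n"
)
SAMPLE_CLEAN = (
    "From: alice@example.gov.au\r\nTo: friend@external-mail.example\r\n"
    "Subject: lunch\r\n\r\nKeep it secret, it is a surprise party.\r\n"
)
SAMPLE_ATTACH = (
    "From: alice@example.gov.au\r\nTo: contact@external-mail.example\r\n"
    "Subject: files\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    '--b1\r\nContent-Type: application/pdf; name="SECRET-roadmap.pdf"\r\n'
    'Content-Disposition: attachment; filename="SECRET-roadmap.pdf"\r\n\r\n'
    "%PDF-1.4 placeholder\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for name, raw in [("internal", SAMPLE_INTERNAL), ("leak", SAMPLE_LEAK),
                      ("clean", SAMPLE_CLEAN), ("attachment", SAMPLE_ATTACH)]:
        print(f"{name:10s} -> {scan(raw)}")
```

The check deliberately treats the attachment filename as evidence, since a marked document is often sent with the marking only in its name; a production gateway would also extract text from the attachment itself, which is beyond this example. Quarantining rather than silently dropping keeps the human review step that the countermeasure describes.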
How do I know if my countermeasures are effective?
Measure the effectiveness of this countermeasure by using the following methods:
- Conduct pressure testing to check whether fraudulent activity would be prevented or detected.
- Consult subject matter experts about data loss protection controls.
- Confirm that information security requirements comply with requirements of the Protective Security Policy Framework and other national frameworks and guidelines, including the Australian Government Information Security Manual and Strategies to Mitigate Cyber Security Incidents.
- Conduct a process walk-through by sitting with a staff member while they show you how the controls work.
- Review the controls to determine whether they would prevent or detect different methods of information disclosure.
- Confirm controls are always on and automatically applied.
- Confirm that detection tolerances or parameters are appropriate.
- Confirm that detection parameters or thresholds are not widely known.
- Arrange or review the results of technical testing to confirm controls are working to specification.
- Confirm that the systems/processes underlying the data loss protection controls are adequate and reliable.
- Confirm that data/information breaches go to the most appropriate staff/team for review.
- Review a sample of detected incidents.
- Analyse reports related to the data loss protection controls such as how many breaches are reported and how often.
- Review who has access to change the controls.
- Confirm that someone cannot manipulate the data loss protection controls and test this if required.
- Check what other reporting occurs such as if executives review data/information disclosure reports during committee meetings.
Related countermeasures
Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increases transparency and reduces the opportunity for fraud.
Assess the integrity of new employees, contractors or third parties such as by having entry level checks, probationary periods, suitability assessments or security vetting.
Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.
Require and support staff and third parties to self-disclose gifts, benefits, incidents, mistakes and real or perceived conflicts of interest.
Make sure a manager, independent person or expert oversees actions and decisions. Involving multiple people in actions and decisions increases transparency and reduces the opportunity for fraud.
Provide staff with adequate training to increase the likelihood that correct and consistent processes and decisions will be applied.
Make sure requests or claims use a specific form, process or system for consistency.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Limit access to sensitive information and records.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Put protections in place to prevent data from being manipulated or misused.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.
Prepare summary reports on activities for clients, managers or responsible staff.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.
Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.