Protect your data from manipulation
Make sure sensitive or official information cannot leave your entity's network without authority or detection.
The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information. Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale of a potential breach.
Why this countermeasure matters
Allowing data within systems or prefilled forms to be manipulated by clients, staff or third parties may allow fraudsters to:
- submit false claims using manipulated information or evidence
- conceal or erase information or evidence
- facilitate fraudulent payments
- update information without authority
- improperly influence decisions using false and manipulated information.
How you might apply this countermeasure
Some ways to implement this countermeasure include making sure:
- a system's source code and audit logs cannot be altered in production environments
- pre-fill data cannot be changed on forms
- reports are 'read only' to prevent manipulation
- data is coded directly into systems and cannot be manually altered
- updates to production data are restricted by system parameters
- a system's source code is not altered outside a prescribed change management process
- original records or data are stored in a separate file or location
- controls adhere to the requirements under the Protective Security Policy Framework.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- review procedures or guidance to confirm they clearly specify how data should be protected from manipulation or misuse
- review controls and policies to see if they conform to the Protective Security Policy Framework
- confirm protections are in place to prevent data being manipulated or misused
- confirm protections are always applied
- review a sample of completed data requests to confirm appropriate protections and classifications were applied
- undertake quantitative analysis, such as reconciling audit logs against the original records, to check data has not been manipulated
- review a sample to confirm data has not been manipulated
- ask staff about data protections to make sure they have a consistent and correct understanding
- undertake pressure testing or a process walk-through to confirm that data cannot be manipulated or misused
- confirm that someone cannot override or bypass protections even when pressure or coercion is applied
- check if reporting, reconciliation or change management processes exist for changes to data.
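Two of the measures above, keeping audit logs unalterable and retaining the original records in a separate location, combine with the check of reconciling those logs against the data. The following is an added example, not part of this page or of any agency system, showing one way to make those measures testable: each update is written to an append-only log in which every entry carries a hash of its contents and of the previous entry, the originals are kept as received, and a reconciliation step replays the log over the originals and compares the result with the live data. The record layout (claim identifiers, a bank account field), the actor names and the sample values are constructed for illustration; the separate "out-of-band head" is an assumed write-protected location holding the hash of the latest log entry.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # value the first log entry chains to


def entry_hash(entry):
    """SHA-256 over every field of the entry except its own hash (the 'prev' field
    binds it to the preceding entry, so editing any earlier entry breaks the chain)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditedStore:
    """Retains the original records untouched, applies updates to a working copy,
    and records every change in a hash-chained, append-only log."""

    def __init__(self, originals):
        self.originals = copy.deepcopy(originals)  # stored separately, never modified
        self.current = copy.deepcopy(originals)
        self.log = []

    def head(self):
        return self.log[-1]["hash"] if self.log else GENESIS

    def update(self, record_id, field, new_value, actor):
        entry = {
            "seq": len(self.log),
            "prev": self.head(),
            "record_id": record_id,
            "field": field,
            "old": self.current[record_id][field],
            "new": new_value,
            "actor": actor,
        }
        entry["hash"] = entry_hash(entry)
        self.log.append(entry)
        self.current[record_id][field] = new_value
        return entry["hash"]


def verify_chain(log, expected_head=None):
    """Returns (ok, index): ok is False at the first entry whose contents or linkage
    were altered. expected_head is the latest hash kept out-of-band; without it a log
    whose tail was silently dropped still verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if entry_hash(entry) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, len(log)


def reconcile(originals, log, current):
    """Replays the log over the retained originals and returns every
    (record_id, field, replayed, actual) where the live data disagrees, i.e. an edit
    that did not go through the audited update path."""
    replayed = copy.deepcopy(originals)
    for entry in log:
        rec = replayed[entry["record_id"]]
        if rec[entry["field"]] != entry["old"]:
            raise ValueError(f"log entry {entry['seq']} does not follow from prior state")
        rec[entry["field"]] = entry["new"]
    diffs = []
    for record_id, rec in current.items():
        for field, value in rec.items():
            expected = replayed.get(record_id, {}).get(field)
            if expected != value:
                diffs.append((record_id, field, expected, value))
    return diffs


# Constructed sample data: two claim records, each with a payment account field.
SAMPLE_CLAIMS = {
    "CLM-1001": {"claimant": "A. Example", "amount": 1200, "bsb_account": "000000-11111111"},
    "CLM-1002": {"claimant": "B. Example", "amount": 800, "bsb_account": "000000-22222222"},
}


def demo():
    store = AuditedStore(SAMPLE_CLAIMS)
    store.update("CLM-1001", "amount", 1500, actor="assessor.one")
    store.update("CLM-1002", "bsb_account", "000000-33333333", actor="assessor.two")
    head = store.head()  # assumed to be copied to the separate, write-protected location

    tampered = copy.deepcopy(store.log)  # 1. a log entry edited after the fact
    tampered[0]["new"] = 15000
    shortened = copy.deepcopy(store.log)  # 2. an entry removed from the middle
    del shortened[0]
    truncated = store.log[:-1]  # 3. the tail dropped; only the stored head exposes it
    live = copy.deepcopy(store.current)  # 4. live data changed directly, bypassing the log
    live["CLM-1001"]["bsb_account"] = "000000-99999999"

    return {
        "intact": verify_chain(store.log, head),
        "edited_entry": verify_chain(tampered, head),
        "removed_entry": verify_chain(shortened, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
        "bypassed_updates": reconcile(store.originals, store.log, live),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The chain detects edits to and removals from the log body; dropping the newest entries is only caught because the latest hash is compared with a copy held outside the log, which is why the original records and that head value belong in a location the production system cannot write to. Reconciliation is what catches the case this page is most concerned with: a change made directly to the data without passing through the controlled update path.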