Protect your data from manipulation
Make sure sensitive or official information cannot leave your entity's network without authority or detection.
The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information. Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale of a potential breach.
Why this countermeasure matters
Allowing data within systems or prefilled forms to be manipulated by clients, staff or third parties may allow fraudsters to:
- submit false claims using manipulated information or evidence
- conceal or erase information or evidence
- facilitate fraudulent payments
- update information without authority
- improperly influence decisions using false and manipulated information.
How you might apply this countermeasure
Some ways to implement this countermeasure include making sure:
- a system's source code or audit logs cannot be altered in production environments
- pre-fill data cannot be changed on forms
- reports are 'read only' to prevent manipulation
- data is coded directly into systems and cannot be manually altered
- updates to production data is restricted by system parameters
- not allowing a system's source code to be altered outside a prescribed change management process
- original records or data being stored in a separate file or location
- adhering to the requirements under the Protective Security Policy Framework.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- review procedures or guidance to confirm it clearly specifies how data should be protected from manipulation or misuse
- review controls and policies to see if they conform to the Protective Security Policy Framework
- confirm protections are in place to prevent data being manipulated or misused
- confirm protections are always applied
- review a sample of completed data requests to confirm appropriate protections and classifications were applied
- undertake quantitative analysis to check data has not been manipulated such as reconciling audit logs
- review a sample to confirm data has not been manipulated
- ask staff about data protections to make sure they have a consistent and correct understanding
- undertake pressure testing or a process walk-through to confirm that data cannot be manipulated or misused
- confirm that someone cannot override or bypass protections even when pressure or coercion is applied
- check if reporting, reconciliation or change management processes exist for changes to data.
Match data with the authoritative source and verify relevant details or supporting evidence. Services such as the Identity Matching Service can be used to verify identity credentials back to the authoritative source when the information is an Australian or state and territory government issued identity credential. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Limit access to systems, data, information, physical documents, offices and assets.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Audit logging is system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.