Protect your data from manipulation or misuse

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Put protections in place to prevent data from being manipulated or misused.

Why this countermeasure matters

Allowing data within systems or prefilled forms to be manipulated by clients, staff or third parties may allow fraudsters to:

submit false claims using manipulated information or evidence
conceal or erase information or evidence
facilitate fraudulent payments
update information without authority
improperly influence decisions using false and manipulated information.

How to put this countermeasure in place

Some ways to implement this countermeasure include making sure:

a system's source code or audit logs cannot be altered in production environments
pre-fill data cannot be changed on forms
reports are 'read only' to prevent manipulation
data is coded directly into systems and cannot be manually altered
updates to production data is restricted by system parameters
a system's source code cannot be altered outside a prescribed change management process
audit logs cannot be altered
the requirements under the Protective Security Policy Framework are adhered to.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

Review procedures or guidance to confirm it clearly specifies how data should be protected from manipulation or misuse.
Review controls and policies to see if they conform to the Protective Security Policy Framework.
Confirm protections are in place to prevent data being manipulated or misused.
Confirm protections are always applied.
Review a sample of completed data requests to confirm appropriate protections and classifications were applied.
Undertake quantitative analysis to check data has not been manipulated such as reconciling audit logs.
Review a sample to confirm data has not been manipulated.
Ask staff about data protections to make sure they have a consistent and correct understanding.
Undertake pressure testing or a process walk-through to confirm that data cannot be manipulated or misused.
Confirm that someone cannot override or bypass protections even when pressure or coercion is applied.
Check if reporting, reconciliation or change management processes exist for changes to data.

Related countermeasures

Make sure there is managerial, independent or expert oversight

Make sure a manager, independent person or expert oversees actions and decisions. Involving multiple people in actions and decisions increases transparency and reduces the opportunity for fraud.

Require a specific form, process or system to be used

Make sure requests or claims use a specific form, process or system for consistency.

Use system or physical access controls to limit access

Limit access to systems, data, information, physical documents, offices and assets.

Set up user permissions

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Set up controls for sensitive information

Limit access to sensitive information and records.

Match data against similar data points

Automatically match data with another internal or external source to obtain or verify relevant details or supporting evidence. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.

Set up privileged access restrictions and monitoring

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Set up change management processes

Change management processes make sure that changes do not create risks or weaken existing countermeasures.

Conduct system testing

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Conduct quality assurance checks

Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.

Reconcile records

Reconcile records to make sure that 2 sets of records (usually the balances of 2 accounts) match. Reconciling records and accounts can detect if something is different from what is standard, normal, or expected, which may indicate fraud.

Conduct internal or external audits or reviews

Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Apply fraud detection software programs and processes

Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.

Audit logging

Audit logging is system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.