Protect your data from manipulation or misuse
Put protections in place to prevent data from being manipulated or misused.
Why this countermeasure matters
Allowing data within systems or prefilled forms to be manipulated by clients, staff or third parties may allow fraudsters to:
- submit false claims using manipulated information or evidence
- conceal or erase information or evidence
- facilitate fraudulent payments
- update information without authority
- improperly influence decisions using false and manipulated information.
How to put this countermeasure in place
Some ways to implement this countermeasure include making sure:
- a system's source code or audit logs cannot be altered in production environments
- pre-fill data cannot be changed on forms
- reports are 'read only' to prevent manipulation
- data is coded directly into systems and cannot be manually altered
- updates to production data is restricted by system parameters
- a system's source code cannot be altered outside a prescribed change management process
- audit logs cannot be altered
- the requirements under the Protective Security Policy Framework are adhered to.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Review procedures or guidance to confirm it clearly specifies how data should be protected from manipulation or misuse.
- Review controls and policies to see if they conform to the Protective Security Policy Framework.
- Confirm protections are in place to prevent data being manipulated or misused.
- Confirm protections are always applied.
- Review a sample of completed data requests to confirm appropriate protections and classifications were applied.
- Undertake quantitative analysis to check data has not been manipulated such as reconciling audit logs.
- Review a sample to confirm data has not been manipulated.
- Ask staff about data protections to make sure they have a consistent and correct understanding.
- Undertake pressure testing or a process walk-through to confirm that data cannot be manipulated or misused.
- Confirm that someone cannot override or bypass protections even when pressure or coercion is applied.
- Check if reporting, reconciliation or change management processes exist for changes to data.