Requests or claims are randomly allocated for processing
Randomly allocate requests or claims to staff for processing. This removes the option for staff to select which claims to process.
Why this countermeasure matters
Allowing staff to 'cherry-pick' which requests or claims to process themselves increases the risk of:
- staff deliberately processing fraudulent requests or claims
- staff being coerced to process fraudulent requests or claims by others.
How to put this countermeasure in place
One way to implement this countermeasure includes making sure systems or processes randomly allocate work to processing staff.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Confirm random allocation processes are always applied.
- Review workload management specifications and system requirements.
- Review reports of work allocation, such as by location and staff user ID.
- Undertake pressure testing or a process walk-through to confirm that allocation processes cannot be ignored even when pressure or coercion is applied.
- Review approvals process and make sure there is a separation of duties.
- Confirm monitoring and reporting processes exist for allocation, and confirm this would identify abnormal processing patterns.
This type of countermeasure is supported by:
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Make sure requests or claims use a specific form, process or system for consistency.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.