Set up automatic prompts and alerts
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
Why this countermeasure matters
A lack of automatic prompts and alerts can lead to:
- fraudsters feeling more confident their actions will not be detected
- individuals deliberately or accidently not disclosing information that would affect entitlements
- individuals deliberately or accidently providing false information or evidence to support a request or claim
- insiders deliberately or accidently accessing information or systems they should not be accessing.
How to put this countermeasure in place
Some ways to implement this countermeasure include setting up prompts and alerts like:
- informing users or claimants up front about their obligations
- alerting the user when the cheapest available fare is not selected
- prompting the applicant to provide the correct information
- warning staff if inconsistent or erroneous information is recorded.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure by using the following methods:
- Confirm the existence of prompts and alerts.
- Review the type of prompts and alerts that exist.
- Confirm that prompts and alerts are consistently applied.
- Undertake pressure testing or a process walk-through to confirm that prompts and alerts exist.
- Review reports to identify the number of incorrect actions completed despite prompts and alerts.
- Analyse behavioural changes caused by prompts and alerts, such as claims or requests abandoned following the prompt or alert.
- Review historical data to measure if the introduction of prompts and alerts improved compliance.
- Consult system users about the prompts or alerts to discover if they notice them.
- Consult behavioural insights experts on the prompts and alerts to find out if they influence behaviour and deter fraud.
This type of countermeasure is supported by:
Make sure requests or claims use a specific form, process or system for consistency.
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Have clear and specific eligibility requirements and only approve requests or claims that meet the criteria. This can include internal requests for staff access to systems or information.
Make sure forms or system controls require mandatory information to support claims or requests.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Automatically match data with another internal or external source to obtain or verify relevant details or supporting evidence. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Create lists to quickly compare information to automate or require further actions.
Separate duties by allocating tasks and associated privileges for a business process to multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Systems help to enforce the strong separation of duties. This is also known as segregation of duties.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Put protections in place to prevent data from being manipulated or misused.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.