Set up change management processes
Summary
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Why this countermeasure matters
Changes to systems outside a transparent change management process can lead to:
- new or increased fraud and corruption risks
- unintended removal of existing countermeasures
- vulnerabilities in existing countermeasures
- fraudsters hiding changes in systems to create loopholes (defects) for:
  - facilitating fraudulent payments
  - accessing, manipulating or releasing sensitive information
  - erasing records of their activities.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- undertaking and updating fraud risk assessments when there is a substantial change in the structure, functions or activities of the entity or program
- making sure changes must go through a rigorous and transparent change management process
- consulting fraud control teams about program and system changes
- undertaking a change impact assessment when major changes occur, to consider the potential impacts on existing fraud controls
- logging all system changes through a change management system
- controlling all updates to access controls and source code through layered environments
- adhering to the requirements under the Protective Security Policy Framework for any system changes
- referring to the Australian Government Information Security Manual for guidelines on system and change management.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this type of countermeasure by using the following methods:
- Undertake a desktop review of change management policies and processes to confirm that clear and consistent processes exist.
- Confirm that change management processes align with existing policies.
- Confirm that change impact assessments and risk plans are completed, and review the documentation.
- Confirm that risk plans are actually used and updated.
- Consult subject matter experts on change processes to evaluate their understanding and thoughts about fraud risk.
- Confirm that change processes would effectively identify and manage fraud risks.
- Confirm that fraud control teams are engaged as a stakeholder during change processes.
- Confirm that risks are properly treated.
- Review how changes are reported, such as asking if change management plans are reviewed and signed off by a project board.
- Confirm that post-implementation reviews occur.
- Undertake a staff census and include questions relevant to change management.
- Review APSC Census results if you are a Commonwealth entity.
Related countermeasures
Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increases transparency and reduces the opportunity for fraud.
Provide staff with adequate training to increase the likelihood that correct and consistent processes and decisions will be applied.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Make sure requests or claims use a specific form, process or system for consistency.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision-maker.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Put protections in place to prevent data from being manipulated or misused.
Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard.
Reconcile records to make sure that 2 sets of records (usually the balances of 2 accounts) match. Reconciling records and accounts can detect if something is different from what is standard, normal, or expected, which may indicate fraud.
Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.
Audit logging produces system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.