Set up change management processes
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Why this countermeasure matters
Changes to systems outside a transparent change management process can lead to:
- new or increased fraud and corruption risks
- unintended removal of existing countermeasures
- vulnerabilities in existing countermeasures
- fraudsters hiding changes in systems to create loopholes (defects) for:
- facilitating fraudulent payments
- accessing, manipulating or releasing sensitive information
- erasing records of their activities.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- undertaking and updating fraud risk assessments when there is a substantial change in the structure, functions or activities of the entity or program
- making sure changes must go through a rigorous and transparent change management process
- consulting fraud control teams about program and system changes
- undergoing a change impact assessment when major changes occur to consider the potential impacts on existing fraud controls
- logging all system changes through a change management system
- controlling all updates to access controls and source code through layered environments
- adhering to the requirements under the Protective Security Policy Framework for any system changes
- referring to the Australian Government Information Security Manual for guidelines on system and change management.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this type of countermeasure by using the following methods:
- Undertake a desktop review of change management policies and processes to confirm that clear and consistent processes exists.
- Confirm that change management processes align with existing policies.
- Confirm that change impact assessments and risk plans are completed, and review the documentation.
- Confirm that risk plans are actually used and updated.
- Consult subject matter experts on change processes to evaluate their understanding and thoughts about fraud risk.
- Confirm that change processes would effectively identify and manage fraud risks.
- Confirm that fraud control teams are engaged as a stakeholder during change processes.
- Confirm that risks are properly treated.
- Review how changes are reported, such as asking if change management plans are reviewed and signed-off by a project board.
- Confirm that post-implementation reviews occur.
- Undertake a staff census and include questions relevant to change management.
- Review APSC Census Results if you are Commonwealth entity.