Set up controls for sensitive information

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Limit access to sensitive information and records. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Why this countermeasure matters

Not controlling access to sensitive information and records can lead to individuals:

accessing, manipulating or releasing sensitive information without authority
using sensitive information to improperly influence decisions
using sensitive information to coerce others to act in an involuntary manner
stealing physical records.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

restricting and monitoring access to the records of high profile individuals
restricting and monitoring access to sensitive information
storing protected information in secure environments.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure using the following methods:

Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
- sensitive and classified information
- access to information
- safeguarding information from cyber threats
- robust ICT systems
- physical security for entity resources
- entity facilities.
Confirm the existence of additional controls for more sensitive information.
Review procedures or guidance to confirm it clearly specifies what constitutes sensitive information.
Obtain and review requirements for who can access sensitive information.
Confirm the existence of a request and approvals process for accessing sensitive information.
Confirm request and approvals processes are consistently applied.
Review procedures for requesting access to sensitive information, confirm the processes are robust and actively test them if required.
Review the need for Security Clearances for accessing sensitive information and confirm staff have the minimum level of clearance.
Undertake testing or a process walk-through to confirm that someone cannot get around access processes.
Undertake checks to confirm compliance with clear desk policies.
Confirm access to sensitive information is regularly reviewed and reconciled.

Related countermeasures

This type of countermeasure is supported by:

Create procedural instructions or guidance

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Require the completion of declarations or acknowledgements

Use declarations or acknowledgments to both communicate and confirm that a person understands their obligations and the consequences for non-compliance. The declaration could be written or verbal, and should encourage compliance and deter fraud.

Set up self-disclosure and reporting processes

Require and support staff and third parties to self-disclose gifts, benefits, incidents, mistakes and real or perceived conflicts of interest.

Rotate staff and contractors

Rotate staff and contractors in and out of roles to avoid familiarity. Staff and contractors can become too familiar with processes, customers or vendors, which can lead to insider threats.

Require a specific form, process or system to be used

Make sure requests or claims use a specific form, process or system for consistency.

Use system or physical access controls to limit access

Limit access to systems, data, information, physical documents, offices and assets.

Set up user permissions

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Authenticate identity during each interaction

Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.

Protect your data from manipulation or misuse

Put protections in place to prevent data from being manipulated or misused.

Limit the number of staff who process requests or claims

Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.

Enforce ongoing compliance, performance and contract reviews

Require clients, staff and third parties to have ongoing compliance, performance and contract reviews.

Create and use blacklists, whitelists and greylists

Create lists to quickly compare information to automate or require further actions.

Set up automatic prompts and alerts

Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.

Set up privileged access restrictions and monitoring

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Set up change management processes

Change management processes make sure that changes do not create risks or weaken existing countermeasures.

Conduct system testing

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Protect your data from being lost or stolen

Make sure sensitive or official information cannot leave your entity's network without authority or detection.

Train and support staff to identify and report fraud and corruption

Train and support staff to identify red flags to detect fraud, know what to do if they suspect fraud and know how to report it. Fraudsters can take advantage if staff and contractors are not aware of what constitutes fraud and corruption.

Set up automatic notifications of high-risk events and transactions

Automatically notify clients or staff about high-risk events or transactions. This can alert them to potential fraud and avoid delays in investigating and responding to fraud.

Create processes to receive and review complaints

Allow clients, staff and third parties to lodge complaints about actions or decisions they disagree with. This may help identify fraud or corruption, such as failure to receive an expected payment.

Report on activities

Prepare summary reports on activities for clients, managers or responsible staff.

Report incidents or breaches for further investigation

Report on incidents or breaches to help identify if further investigation is required. Clients, public officials or contractors can take advantage of a lack of reporting and transparency to commit fraud, act corruptly and avoid exposure.

Conduct internal or external audits or reviews

Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Apply fraud detection software programs and processes

Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.

Set up video or electronic surveillance

Capture video or other electronic evidence of activities to support a fraud investigation and prosecution.