Set up internal escalation procedures
Escalate non-standard requests or claims for further review or scrutiny before they are approved or paid. Non-standard requests or claims might include those that are lodged late, do not meet the normal conditions, rely on evidence that is difficult to verify (such as evidence from overseas), or are for amounts that are higher than normal.
Why this countermeasure matters
A lack of internal processes to escalate non-standard requests or claims can lead to:
- disorganised or inconsistent practices and decision-making
- fraudsters using confusion and deception to exploit processes
- fraudsters receiving payments or services they are not entitled to
- fraudsters accessing information or systems without a business need
- fraudsters providing false or misleading information or evidence to support a request or claim
- fraudsters concealing information that would affect their entitlement.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- having an escalation point, such as a policy team or ICT helpdesk, for more complex requests or claims
- escalating claims that exceed a certain monetary threshold for further scrutiny
- having a separate policy team review and action complex, uncommon or late claims.
How do I know if my countermeasures are effective?
Measure the effectiveness of this countermeasure by using the following methods:
- Review the policies and procedures for escalating requests or claims.
- Confirm non-standard requests and claims are escalated to someone with sufficient delegation, independence or expertise.
- Confirm escalation processes are consistently applied.
- Analyse statistics of non-standard requests or claims to discover what percentage of all claims fall in this category, and check whether that number matches the number of escalations actually recorded. A gap between the two indicates claims that should have been escalated but were not.
- Review a sample of non-standard requests or claims to confirm correct escalation processes were followed.
- Ask staff about internal escalation processes to make sure they have a consistent and correct understanding.
- Identify how escalation requirements are communicated to staff.
- Confirm that staff cannot bypass escalation processes or systems, including when a claimant or colleague pressures or coerces them to approve a request or claim directly.
- Review the training staff receive to make sure it includes information about escalation procedures.
This type of countermeasure is supported by:
- Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes, and guidance to help staff make correct and ethical decisions.
- Provide staff with adequate training to increase the likelihood that correct and consistent processes and decisions will be applied.
- Make sure requests or claims use a specific form, process or system for consistency.
- Set up system prompts and alerts to warn users when information is inconsistent or irregular, and either require the user to acknowledge the warning or block further action.
- Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.
- Limit access to systems, data, information, physical documents, offices and assets.
- Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as limiting high-risk functions to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
- Limit and monitor privileged system access (access that allows staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including restricting administrative privileges.