Set up privileged access restrictions and monitoring

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing both the likelihood and the consequences of fraud.

Summary

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls).

The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including the requirement to restrict administrative privileges.

Why this countermeasure matters

User accounts with administrative privileges are an attractive target because they have a high level of access to an entity’s systems. Restricting administrative privileges is an effective way to safeguard information that ICT systems process, store or communicate. Lack of tightly restricted and monitored access can lead to:

  • fraudsters gaining access and then extending their reach or concealing their presence in systems
  • uncertainty around how staff are using administrative privileges
  • poor management of decision-making and risk related to administrative privileges
  • staff or contractors abusing their position of trust to process fraudulent requests or claims for themselves or another person
  • staff or contractors abusing their position of trust to access and disclose official information without authority
  • staff or contractors being coerced by others to use their administrative privileges for dishonest purposes
  • staff or contractors using privileged access to make unauthorised changes to systems or databases to:
    • bypass approvals
    • access, manipulate or release sensitive information, or
    • erase records of their activities.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure by using the following methods:

  • Confirm controls comply with the Protective Security Policy Framework including security requirements for:
    • sensitive and classified information
    • access to information
    • safeguarding information from cyber threats
    • robust ICT systems.
  • Confirm the use of privileged accounts is controlled and auditable.
  • Obtain and review requirements for who should have access to privileged accounts.
  • Confirm the existence of a request and approvals process for obtaining privileged accounts.
  • Confirm that someone cannot bypass standard process requirements even when subject to pressure or coercion.
  • Confirm that privileged accounts are subject to separation of duties requirements.
  • Review the need for security clearances for privileged accounts.
  • Review a sample of circumstances where privileged accounts were used.
  • Review reports to confirm privileged accounts are only assigned to staff who require them.
  • Undertake testing or a process walk-through to confirm that the limits and monitoring of privileged accounts work correctly and cannot be circumvented.
  • Confirm that the use of privileged accounts is reviewed and reconciled, and check the resulting reports.
  • Review any past breaches or fraud related to the use of privileged accounts and identify how this was allowed to occur.
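The reconciliation and usage review described in the list above can be automated. The following is an added example, not part of this page or of any government system: it reconciles a constructed export of a privileged group's members against a constructed approvals register, then reviews constructed audit-log lines and raises exceptions for actions with no current approval, no change ticket cited, or an action type (such as disabling logging or approving a claim) that should always be examined. Account names, the log format, the field names and the list of sensitive actions are all assumptions made for illustration.

```python
"""Reconcile privileged account membership and usage against an approvals register.

Added example with constructed data; the accounts, log format and action names
are hypothetical and not taken from any real entity or product.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Approval:
    account: str
    approver: str
    expires: date               # access must be re-approved after this date
    requires_ticket: bool = True  # every use must cite a change or incident ticket


# Constructed approvals register (hypothetical accounts).
APPROVALS = {
    "adm-jdoe": Approval("adm-jdoe", "cio", date(2025, 12, 31)),
    "adm-asmith": Approval("adm-asmith", "cio", date(2024, 1, 31)),  # lapsed
    "svc-backup": Approval("svc-backup", "ops-mgr", date(2025, 6, 30),
                           requires_ticket=False),
}

# Constructed export of the current privileged group's membership.
CURRENT_MEMBERS = ["adm-jdoe", "adm-asmith", "adm-orphan", "svc-backup"]

# Constructed audit-log lines in an assumed key=value format; "-" means no ticket.
AUDIT_LOG = """\
2024-03-04T09:12:44Z account=adm-jdoe action=reset_password target=user17 ticket=CHG-4411
2024-03-04T09:40:02Z account=adm-jdoe action=disable_logging target=payments-db ticket=-
2024-03-04T11:05:19Z account=adm-orphan action=approve_claim target=claim-88213 ticket=-
2024-03-05T02:00:00Z account=svc-backup action=read_backup target=payments-db ticket=-
2024-03-05T03:11:00Z garbage record with missing fields
"""

# Actions that bypass approvals or erase evidence: always an exception (assumed list).
SENSITIVE_ACTIONS = {"disable_logging", "purge_audit", "approve_claim"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) ticket=(?P<ticket>\S+)$"
)


def reconcile_membership(members, approvals, as_of):
    """Return (account, reason) pairs where membership and approvals disagree.

    as_of is an ISO date string; approvals that expired before it are lapsed.
    """
    cutoff = date.fromisoformat(as_of)
    exceptions = []
    for account in members:
        approval = approvals.get(account)
        if approval is None:
            exceptions.append((account, "no approval on register"))
        elif approval.expires < cutoff:
            exceptions.append((account, f"approval lapsed {approval.expires.isoformat()}"))
    # Approved accounts that are no longer members indicate a stale register entry.
    for account in approvals:
        if account not in members:
            exceptions.append((account, "approved but not a member (stale approval)"))
    return exceptions


def review_usage(log_text, approvals):
    """Return (account, reason) pairs for privileged actions needing investigation."""
    exceptions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # A record the reviewer cannot read is itself an exception, not noise.
            exceptions.append((line, "unparseable audit record"))
            continue
        acct, action, ticket = m["account"], m["action"], m["ticket"]
        reasons = []
        approval = approvals.get(acct)
        if approval is None:
            reasons.append("account has no approval on register")
        elif approval.requires_ticket and ticket == "-":
            reasons.append("no ticket cited")
        if action in SENSITIVE_ACTIONS:
            reasons.append("sensitive action, review regardless of ticket")
        if reasons:
            exceptions.append((acct, f"{action}: " + "; ".join(reasons)))
    return exceptions


if __name__ == "__main__":
    for item in reconcile_membership(CURRENT_MEMBERS, APPROVALS, "2024-03-06"):
        print("MEMBERSHIP", *item)
    for item in review_usage(AUDIT_LOG, APPROVALS):
        print("USAGE", *item)
```

Run against real exports, the membership report answers "are privileged accounts only assigned to staff who require them" and the usage report is the exception report for the sample review; an account such as adm-orphan appearing in both is the case to investigate first.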

Related countermeasures

Establish governance, accountability and oversight of processes by using delegations and requiring committees and project boards to oversee critical decisions and risk. Good governance, accountability and oversight increase transparency and reduce the opportunity for fraud.

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as limiting high-risk functions to specialised users.

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Reconcile records to make sure that two sets of records (usually the balances of two accounts) match. Reconciling records and accounts can detect if something is different from what is standard, normal, or expected, which may indicate fraud.

Prepare summary reports on activities for clients, managers or responsible staff.

Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.

Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Audit logs are system-generated audit trails of staff, client or third-party interactions that help with fraud investigations.
