Set up user permissions
Summary
Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Why this countermeasure matters
Not controlling system functionality with user permissions can lead to:
- staff facilitating fraudulent payments
- staff accessing, manipulating and disclosing information without a business need
- staff processing fraudulent requests or claims for themselves or another person
- criminals coercing staff into providing information.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- limiting access to functionality within systems to specific permissions
- requiring a business case and approval to obtain specific permissions
- making sure only certain teams have access to certain functions, such as only payroll staff having access to payroll functions and information
- blocking staff from accessing their own records
- making sure only authorised representatives can perform functions on a client’s record.
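The rules in the list above can be enforced in code rather than left to procedure. The following is an added illustration, not code from this page or from the Protective Security Policy Framework; the user identifiers, team names, permission strings and the "authorised representative" list are constructed assumptions. It shows an explicit-deny-by-default check where functions are gated by named permissions, payroll functions are limited to the payroll team, staff are blocked from touching their own record, and functions on a client's record are only allowed for that client's recorded representatives.

```python
"""Added example: a small permission check modelled on the implementation list.
All identifiers, teams and permission names below are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed mapping: each system function is gated by one named permission.
FUNCTION_PERMISSIONS = {
    "view_payroll": "payroll.view",
    "run_payroll": "payroll.run",
    "view_client_record": "client.view",
    "update_client_record": "client.update",
}

# Assumed team restriction: any permission with this prefix belongs to one team only.
TEAM_ONLY_PREFIXES = {"payroll.": "payroll"}


@dataclass
class User:
    user_id: str
    team: str
    permissions: set[str] = field(default_factory=set)
    # Client records this user is recorded as an authorised representative for (assumption).
    authorised_for: set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_access(user: User, function: str, record_owner: str | None = None) -> Decision:
    """Decide whether `user` may run `function`, optionally on the record owned by `record_owner`.

    Nothing is allowed by default: the user must hold the permission, belong to the
    team that owns it, not be acting on their own record, and be an authorised
    representative when the function touches a client's record.
    """
    needed = FUNCTION_PERMISSIONS.get(function)
    if needed is None:
        return Decision(False, f"unknown function {function!r}")
    if needed not in user.permissions:
        return Decision(False, f"missing permission {needed}")
    for prefix, team in TEAM_ONLY_PREFIXES.items():
        if needed.startswith(prefix) and user.team != team:
            return Decision(False, f"{needed} is restricted to the {team} team")
    if record_owner is not None:
        # Staff are blocked from accessing their own records.
        if record_owner == user.user_id:
            return Decision(False, "staff may not access their own record")
        # Client-record functions require a recorded authorisation for that client.
        if needed.startswith("client.") and record_owner not in user.authorised_for:
            return Decision(False, f"not an authorised representative for {record_owner}")
    return Decision(True, "ok")


if __name__ == "__main__":
    alice = User("u-alice", "payroll", {"payroll.view", "payroll.run"})
    bob = User("u-bob", "finance", {"payroll.view", "client.view"}, {"c-100"})
    for user, function, owner in [
        (alice, "run_payroll", None),
        (bob, "view_payroll", None),
        (bob, "view_client_record", "u-bob"),
        (bob, "view_client_record", "c-100"),
        (bob, "view_client_record", "c-200"),
    ]:
        d = check_access(user, function, owner)
        print(f"{user.user_id} {function} on {owner}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Every denial carries a reason string so that refused attempts can be logged and later reviewed, which is what the measurement section below relies on; the reason is for the audit trail, not necessarily for display to the requesting user.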
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure using the following methods:
- Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
  - sensitive and classified information
  - access to information
  - safeguarding information from cyber threats
  - robust ICT systems.
- Confirm the existence of permissions and limits within the system.
- Review procedures or guidance to confirm they clearly specify where permissions should be limited.
- Obtain and review requirements for who should have certain user permissions.
- Confirm the existence of a request and approvals process for obtaining specific permissions.
- Confirm request and approvals processes are consistently applied.
- Review procedures for requesting user permissions, confirm the request processes are robust, and actively test them if required.
- Confirm that someone cannot get around standard process requirements even when subject to pressure or coercion.
- Confirm that user permissions consider separation of duties requirements.
- Review the need for Security Clearances for some permissions.
- Review reports of user permissions to confirm only those who require permissions have the permissions.
- Undertake testing or a process walk-through to confirm that permissions within systems work correctly and cannot be bypassed.
- Confirm the existence of a review and reconciliation process and review the reports.
- Review any past access breaches to identify how they were allowed to occur.
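Several of the checks above (reviewing permission reports against who should hold them, confirming the approvals process is applied consistently, checking separation of duties, and running a reconciliation) can be automated over a permission export. The following is an added example, not a tool from this page or from any government entity; the report format, the approvals register, the team restriction and the separation-of-duties pair are all constructed assumptions. It produces one finding per exception so the output can be worked through as a review report.

```python
"""Added example: reconciling a user-permission report against approved requests,
team restrictions and separation-of-duties rules. All data is constructed."""
from __future__ import annotations

import csv
import io

# Constructed permission report, in the shape a system export might take.
PERMISSION_REPORT = """user_id,team,permission
u-alice,payroll,payroll.run
u-alice,payroll,payroll.view
u-bob,finance,payment.create
u-bob,finance,payment.approve
u-carol,hr,payroll.view
u-dave,finance,payment.create
"""

# Constructed approvals register: (user, permission) pairs with an approved request.
APPROVED = {
    ("u-alice", "payroll.run"),
    ("u-alice", "payroll.view"),
    ("u-bob", "payment.create"),
    ("u-bob", "payment.approve"),
    ("u-dave", "payment.create"),
    ("u-erin", "client.view"),  # approved but never granted: a stale approval
}

# Assumed team restriction: permission prefix -> the only team allowed to hold it.
TEAM_RESTRICTIONS = {"payroll.": "payroll"}

# Assumed separation-of-duties rule: no single user may hold both of these.
SOD_CONFLICTS = [("payment.create", "payment.approve")]


def load_report(text: str) -> dict[str, dict]:
    """Parse the CSV report into {user_id: {"team": str, "permissions": set[str]}}."""
    users: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = users.setdefault(row["user_id"], {"team": row["team"], "permissions": set()})
        entry["permissions"].add(row["permission"])
    return users


def reconcile(users: dict[str, dict], approved: set[tuple[str, str]],
              team_restrictions: dict[str, str],
              sod_conflicts: list[tuple[str, str]]) -> list[str]:
    """Return one human-readable finding per exception in the permission report."""
    findings: list[str] = []
    for user_id, entry in sorted(users.items()):
        perms = entry["permissions"]
        for perm in sorted(perms):
            # Every granted permission should trace back to an approved request.
            if (user_id, perm) not in approved:
                findings.append(f"{user_id}: {perm} held without an approved request")
            # Team-limited functions should only be held by that team.
            for prefix, team in team_restrictions.items():
                if perm.startswith(prefix) and entry["team"] != team:
                    findings.append(f"{user_id}: {perm} held outside the {team} team")
        # Separation of duties: conflicting permissions on one account.
        for a, b in sod_conflicts:
            if a in perms and b in perms:
                findings.append(f"{user_id}: separation-of-duties conflict {a} + {b}")
    # Reconcile the other way: approvals that no longer match a live permission.
    granted = {(u, p) for u, e in users.items() for p in e["permissions"]}
    for user_id, perm in sorted(approved - granted):
        findings.append(f"{user_id}: approval for {perm} has no matching permission (stale approval)")
    return findings


if __name__ == "__main__":
    for line in reconcile(load_report(PERMISSION_REPORT), APPROVED, TEAM_RESTRICTIONS, SOD_CONFLICTS):
        print(line)
```

Running the reconciliation on a schedule, and keeping each run's findings, gives the evidence the "review and reconciliation process" check asks for; an empty findings list is the expected result on a clean report, and any finding is something for the permission owner to either revoke or formally approve.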
Related countermeasures
This type of countermeasure is supported by:
Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.
Use declarations or acknowledgments to both communicate and confirm that a person understands their obligations and the consequences for non-compliance. The declaration could be written or verbal, and should encourage compliance and deter fraud.
Make sure requests or claims use a specific form, process or system for consistency.
Limit access to systems, data, information, physical documents, offices and assets.
Limit access to sensitive information and records.
Authenticate client or third party identities during each interaction to confirm the person owns the record they are trying to access.
Have clear and specific eligibility requirements and only approve requests or claims that meet the criteria. This can include internal requests for staff access to systems or information.
Make sure forms or system controls require mandatory information to support claims or requests.
Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
Put protections in place to prevent data from being manipulated or misused.
Only allow certain types of claims to be processed by staff with a specific type of user permission or skillset.
Verify any requests or claim information you receive with an independent and credible source.
Require clients, staff and third parties to have ongoing compliance, performance and contract reviews.
Create lists to quickly compare information to automate or require further actions.
Separate duties by allocating tasks and associated privileges for a business process to multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. System controls help to enforce strong separation of duties. This is also known as segregation of duties.
Use system workflows to make sure all requests, claims or activities are approved only by the appropriate decision-maker.
Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.
Change management processes make sure that changes do not create risks or weaken existing countermeasures.
Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.
Have processes in place to properly archive or dispose of old or unnecessary systems, assets, staff positions and accesses, client accounts and records.
Prepare summary reports on activities for clients, managers or responsible staff.
Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Fraud detection software programs automatically analyse data to detect what is different from what is standard, normal or expected and may indicate fraud or corruption.