System or physical access controls
Limit access to systems, data, information, physical documents, offices and assets. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Why this countermeasure matters
Not controlling access to systems, data, information, physical documents, offices and assets can lead to fraudsters:
- accessing or manipulating systems without authority
- facilitating fraudulent payments
- processing fraudulent requests or claims for themselves or another person
- accessing, manipulating or disclosing official information without authority
- stealing money or physical assets.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- requiring a log-on ID and password to access systems
- requiring staff to provide an approved business case to receive access to internal systems
- requiring two-factor authentication to access an online account
- restricting access to different parts of a building
- providing access to an online provider system only to registered providers
- stopping staff from accessing online email servers on work computers
- storing classified documents in secure cabinets.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
  - sensitive and classified information
  - access to information
  - safeguarding information from cyber threats
  - robust ICT systems
  - physical security for entity resources
  - entity facilities
- obtain and review requirements for who can access systems, data, information, documents or offices
- review procedures for requesting access, confirm the request processes are strong and actively test them if required
- review accesses to confirm only those who require access have the access
- confirm accesses are regularly reported on and reconciled and confirm that this process would identify and remove unneeded access
- undertake testing or a process walk-through to confirm that access controls cannot be avoided
- confirm access controls are consistently applied
- identify how access request and reconciliation processes are communicated
- confirm that someone cannot get past standard process requirements even when subject to pressure or coercion
- confirm the existence of a blacklist/whitelist and that this is regularly reviewed and reconciled
- review any past access breaches to identify how they were allowed to occur
- perform or review the results of technical tests of access controls.
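The access review and reconciliation checks above can be partly automated. As an added illustration (not from this page or the Protective Security Policy Framework), this Python script reconciles a constructed export of system accounts against a constructed register of approved business cases and flags access with no current approval, an expired approval, or no recent use; the user, role and approver names are hypothetical.

```python
# Added example: periodic access reconciliation for an internal system.
# Inputs are constructed samples, not real data.
from datetime import date

# Constructed sample: accounts exported from the system being reviewed.
ACCOUNTS = [
    {"user": "asmith",  "role": "payments_approver", "last_login": "2024-05-02"},
    {"user": "bjones",  "role": "claims_processor",  "last_login": "2023-11-20"},
    {"user": "cwu",     "role": "claims_processor",  "last_login": "2024-05-10"},
    {"user": "svc_old", "role": "payments_approver", "last_login": "2023-01-15"},
]

# Constructed sample: register of approved business cases, keyed by (user, role).
APPROVALS = {
    ("asmith", "payments_approver"): {"approved_by": "fin_director", "expires": "2024-12-31"},
    ("bjones", "claims_processor"):  {"approved_by": "ops_manager",  "expires": "2024-03-31"},
    ("cwu", "claims_processor"):     {"approved_by": "ops_manager",  "expires": "2024-12-31"},
}

DORMANT_DAYS = 90  # hypothetical threshold for unused access


def reconcile_access(accounts, approvals, today, dormant_days=DORMANT_DAYS):
    """Return findings as (user, role, reason) tuples for access that is not
    supported by a current approved business case or has not been used."""
    findings = []
    for acct in accounts:
        key = (acct["user"], acct["role"])
        approval = approvals.get(key)
        if approval is None:
            # Access exists but no business case approved it.
            findings.append((*key, "no approved business case"))
        elif date.fromisoformat(approval["expires"]) < today:
            # Business case approved once, but the approval has lapsed.
            findings.append((*key, "approval expired on " + approval["expires"]))
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_days:
            # Unused access is still exploitable access; flag it for removal.
            findings.append((*key, f"dormant for {idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, role, reason in reconcile_access(ACCOUNTS, APPROVALS, date(2024, 5, 15)):
        print(f"REVIEW {user:<8} {role:<18} {reason}")
```

Each finding should go back to the business owner for removal or re-approval; the script only reports, it never changes access itself.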
This type of countermeasure is supported by:
- Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained. Make sure sensitive or official information cannot leave your entity's network without authority or detection.
- Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
- Authenticate customer or third-party identities during each interaction to confirm the person owns the identity record they are trying to access.
- Clear eligibility requirements and only approve requests or claims that meet the criteria. This can include internal requests for staff access to systems or information.
- Make sure forms or system controls require mandatory information to support claims or requests.
- Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.
- Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.
- Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.
- Make sure sensitive or official information cannot leave your entity's network without authority or detection. The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information. Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale of a potential breach.
- Capture video or other electronic evidence of activities to support a fraud investigation and prosecution.