Conduct system testing to identify vulnerabilities prior to release. Untested systems can carry vulnerabilities into production when the system goes live.
Why this countermeasure matters
Fraudsters could take advantage of untested systems to create loopholes (defects) for:
- facilitating fraudulent payments
- accessing, manipulating or releasing sensitive information
- erasing records of their activities to avoid detection.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- testing all new systems or system updates as part of the ICT systems lifecycle or change management process
- conducting user acceptance testing to test for fraud risks or control vulnerabilities
- adhering to the requirements under the Protective Security Policy Framework
- referring to the Australian Government Information Security Manual for guidelines on system and change management
- performing vulnerability assessments and penetration testing on systems.
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- undertake a desktop review of testing policies and processes to confirm that clear and consistent processes exist
- confirm that testing processes meet accepted policies and standards
- confirm that the results of system testing are documented and review the documentation
- consult subject matter experts on testing processes and systems to evaluate their understanding and thoughts about fraud control
- confirm that testing processes would identify specific types of vulnerabilities such as malicious code
- conduct a system walkthrough by having staff show you the process
- review who has access to perform testing
- review the system permissions needed to perform testing
- confirm that testing environments accurately replicate production environments
- review how the results of system testing are reported
- confirm that defects or other issues are adequately resolved
- confirm that post-production testing also occurs.
Adequately resourced prevention and compliance areas enable entities to perform effective countermeasures.
Match data with the authoritative source and verify relevant details or supporting evidence. Services such as the Identity Matching Service can be used to verify identity credentials back to the authoritative source when the information is an Australian or state and territory government-issued identity credential. This countermeasure is supported by the Office of the Australian Information Commissioner's Guidelines on data matching in Australian government administration.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Internal or external audits or reviews evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.
Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained. Make sure sensitive or official information cannot leave your entity's network without authority or detection.
Conduct quality assurance activities to confirm that processes are being followed correctly and to a high standard and/or that material or goods are what they are claimed to be. Quality assurance checks not only improve processing standards, they can also detect potentially fraudulent activity and are a significant deterrent to fraud.