Use system or physical access controls to limit access
Limit access to systems, data, information, physical documents, offices and assets. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.
Why this countermeasure matters
Not controlling access to systems, data, information, physical documents, offices and assets can lead to fraudsters:
- accessing or manipulating systems without authority
- facilitating fraudulent payments
- processing fraudulent requests or claims for themselves or another person
- accessing, manipulating or disclosing official information without authority
- stealing money or physical assets.
How to put this countermeasure in place
Some ways to implement this countermeasure include:
- requiring a log-on ID and password to access systems
- requiring staff to provide an approved business case to receive access to internal systems
- requiring two-factor authentication to access an online account
- restricting access to different parts of a building
- providing access to an online provider system only to registered providers
- stopping staff from accessing online email servers on work computers
- storing classified documents in secure cabinets.
How to measure this countermeasure's effectiveness
Measure the effectiveness of this countermeasure using the following methods:
- Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
  - sensitive and classified information
  - access to information
  - safeguarding information from cyber threats
  - robust ICT systems
  - physical security for entity resources
  - entity facilities.
- Obtain and review requirements for who can access systems, data, information, documents or offices.
- Review procedures for requesting access, confirm that the request processes are strong, and actively test them if required.
- Review accesses to confirm only those who require access have the access.
- Confirm accesses are regularly reported on and reconciled and confirm that this process would identify and remove unneeded access.
- Undertake testing or a process walk-through to confirm that access controls cannot be avoided.
- Confirm access controls are consistently applied.
- Identify how access request and reconciliation processes are communicated.
- Confirm that someone cannot get past standard process requirements even when subject to pressure or coercion.
- Confirm the existence of a blacklist/whitelist and that this is regularly reviewed and reconciled.
- Review any past access breaches to identify how they were allowed to occur.
- Perform or review the results of technical tests of access controls.
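The review steps above (confirming that only those who require access have it, and that access is regularly reported on and reconciled so unneeded access is identified and removed) are usually carried out by comparing what a system actually grants against the approved business cases and the HR record. The script below is an added illustration of that reconciliation and is not from the Protective Security Policy Framework or from this page; the user IDs, system names, business case numbers, dates and the roster are constructed sample data, and the field layout of the three inputs is an assumption. It flags three kinds of access a reviewer would want removed or re-justified: access with no approved business case for that role, access whose approval has lapsed, and access still held by someone HR records as departed.

```python
"""Access reconciliation: compare the access a system actually grants against
the approved-access register and the HR roster, and flag access that should
not exist. Added illustration, not code from the page; all records below are
constructed sample data and the record layouts are assumptions."""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2024, 7, 1)  # constructed: the day the reconciliation runs


@dataclass(frozen=True)
class Entitlement:
    """One role a system currently grants to one user (as exported from the system)."""
    user_id: str
    system: str
    role: str


@dataclass(frozen=True)
class Approval:
    """One approved business case granting a role on a system until an expiry date."""
    user_id: str
    system: str
    role: str
    business_case: str
    expires: date


# Constructed sample export of what the systems actually grant today.
ACTUAL_ACCESS = [
    Entitlement("u101", "payments", "approver"),
    Entitlement("u102", "payments", "preparer"),
    Entitlement("u102", "payments", "approver"),   # approval only covers preparer
    Entitlement("u103", "claims", "assessor"),     # u103 has left the entity
    Entitlement("u104", "claims", "assessor"),     # approval has expired
    Entitlement("u105", "payments", "preparer"),   # no approval at all
]

# Constructed sample register of approved business cases.
APPROVALS = [
    Approval("u101", "payments", "approver", "BC-0042", date(2025, 1, 1)),
    Approval("u102", "payments", "preparer", "BC-0043", date(2025, 1, 1)),
    Approval("u103", "claims", "assessor", "BC-0044", date(2025, 1, 1)),
    Approval("u104", "claims", "assessor", "BC-0045", date(2024, 3, 31)),
]

# Constructed sample HR roster: user_id -> employment status on REVIEW_DATE.
HR_ROSTER = {
    "u101": "active", "u102": "active", "u103": "departed",
    "u104": "active", "u105": "active",
}


def reconcile(actual, approvals, roster, today):
    """Return (entitlement, reason) pairs the review should remove or re-justify.

    One entitlement can appear more than once if several reasons apply."""
    approved = {(a.user_id, a.system, a.role): a for a in approvals}
    findings = []
    for ent in actual:
        # Holder must be a current staff member according to HR.
        status = roster.get(ent.user_id)
        if status != "active":
            findings.append((ent, f"holder is {status or 'unknown to HR'}"))
        # The exact (user, system, role) must be covered by a live business case;
        # an approval for a lesser role on the same system does not count.
        approval = approved.get((ent.user_id, ent.system, ent.role))
        if approval is None:
            findings.append((ent, "no approved business case for this role"))
        elif approval.expires < today:
            findings.append((ent, f"approval {approval.business_case} expired {approval.expires}"))
    return findings


def revocation_list(findings):
    """Distinct entitlements to revoke, however many reasons matched each one."""
    return sorted({ent for ent, _ in findings},
                  key=lambda e: (e.user_id, e.system, e.role))


if __name__ == "__main__":
    found = reconcile(ACTUAL_ACCESS, APPROVALS, HR_ROSTER, REVIEW_DATE)
    for ent, reason in found:
        print(f"{ent.user_id} {ent.system}/{ent.role}: {reason}")
    print("to revoke:", [(e.user_id, e.system, e.role) for e in revocation_list(found)])
```

Run against real exports, the same three inputs come from the system's entitlement report, the access request register and the HR feed; a reconciliation that runs on a schedule and produces an empty revocation list is the evidence that the "regularly reported on and reconciled" step in the list above is actually working, while a non-empty list is the backlog the review should follow up.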
This type of countermeasure is supported by: