Skip to main content

Use system or physical access controls to limit access

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

Summary

Limit access to systems, data, information, physical documents, offices and assets. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Why this countermeasure matters

Not controlling access to systems, data, information, physical documents, offices and assets can lead to fraudsters:

  • accessing or manipulating systems without authority
  • facilitating fraudulent payments
  • processing fraudulent requests or claims for themselves or another person
  • accessing, manipulating or disclosing official information without authority
  • stealing money or physical assets.

How to put this countermeasure in place

Some ways to implement this countermeasure include:

  • requiring a log-on ID and password to access systems
  • requiring staff to provide an approved business case to receive access to internal systems
  • requiring two-factor authentication to access an online account
  • restricting access to different parts of a building
  • providing access to an online provider system only to registered providers
  • stopping staff from accessing online email servers on work computers
  • storing classified documents in secure cabinets.

How to measure this countermeasure's effectiveness

Measure the effectiveness of this countermeasure using the following methods:

  • Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • sensitive and classified information
    • access to information
    • safeguarding information from cyber threats
    • robust ICT systems
    • physical security for entity resources
    • entity facilities.
  • Obtain and review requirements for who can access systems, data, information, documents or offices.
  • Review procedures for requesting access, confirm the request processes are strong and actively test them if required.
  • Review accesses to confirm only those who require access have the access.
  • Confirm accesses are regularly reported on and reconciled and confirm that this process would identify and remove unneeded access.
  • Undertake testing or a process walk-through to confirm that access controls cannot be avoided.
  • Confirm access controls are consistently applied.
  • Identify how access request and reconciliation processes are communicated.
  • Confirm that someone cannot get past standard process requirements even when subject to pressure or coercion.
  • Confirm the existence of a blacklist/whitelist and that this is regularly reviewed and reconciled.
  • Review any past access breaches to identify how they were allowed to occur.
  • Perform or review the results of technical tests of access controls.

Related countermeasures

This type of countermeasure is supported by:

Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.

Clearly document decision-makers using delegations, authorisations and instructions. Clearly defined decision-making powers increase transparency and reduce the opportunity for fraud and corruption.

Use declarations or acknowledgments to both communicate and confirm that a person understands their obligations and the consequences for non-compliance. The declaration could be written or verbal, and should encourage compliance and deter fraud.

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs such as making high-risk functions limited to specialised users.

Make sure to confirm the identity (an attribute or set of attributes that uniquely describe a subject within a given context) of the person making the request or claim using evidence.

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.

Separate duties by spreading tasks and associated privileges for a business process among multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Strong separation of duties controls are enforced by systems. It is also known as segregation of duties.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Conduct system testing to identify vulnerabilities prior to release. Untested systems can allow vulnerabilities to be released into production environments.

Prepare summary reports on activities for clients, managers or responsible staff.

Establish exception reports to identify activities that are different from the standard, normal, or expected process and should be further investigated.

Conduct internal or external audits or reviews to evaluate the process, purpose and outcome of activities. Clients, public officials or contractors can take advantage of weaknesses in government programs and systems to commit fraud, act corruptly, and avoid exposure.

Related Fraudster Personas

Was this page helpful?