System or physical access controls

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

decorative prevention countermeasures

Summary

Limit access to systems, data, information, physical documents, offices and assets. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Why this countermeasure matters

Not controlling access to systems, data, information, physical documents, offices and assets can lead to fraudsters:

  • accessing or manipulating systems without authority
  • facilitating fraudulent payments
  • processing fraudulent requests or claims for themselves or another person
  • accessing, manipulating or disclosing official information without authority
  • stealing money or physical assets.

How you might apply this countermeasure

Some ways to implement this countermeasure include:

  • requiring a log-on ID and password to access systems
  • requiring staff to provide an approved business case to receive access to internal systems
  • requiring two-factor authentication to access an online account
  • restricting access to different parts of a building
  • providing access to an online provider system only to registered providers
  • stopping staff from accessing online email servers on work computers
  • storing classified documents in secure cabinets.

How to check if your countermeasures are effective

Here are some ways to measure the effectiveness of this type of countermeasure:

  • confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • sensitive and classified information
    • access to information
    • safeguarding information from cyber threats
    • robust ICT systems
    • physical security for entity resources
    • entity facilities
  • obtain and review requirements for who can access systems, data, information, documents or offices
  • review procedures for requesting access, confirm the request processes are strong and actively test them if required
  • review accesses to confirm only those who require access have the access
  • confirm accesses are regularly reported on and reconciled and confirm that this process would identify and remove unneeded access
  • undertake testing or a process walk-through to confirm that access controls cannot be avoided
  • confirm access controls are consistently applied
  • identify how access request and reconciliation processes are communicated
  • confirm that someone cannot get past standard process requirements even when subject to pressure or coercion
  • confirm the existence of a blacklist/whitelist and that this is regularly reviewed and reconciled
  • review any past access breaches to identify how they were allowed to occur
  • perform or review the results of technical tests of access controls.

Related countermeasures

This type of countermeasure is supported by:

Protect data from loss

Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained. Make sure sensitive or official information cannot leave your entity's network without authority or detection.

User permissions in systems

Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Authenticate identity

Authenticate customer or third-party identities during each interaction to confirm the person owns the identity record they are trying to access.

Clear and specific eligibility requirements

Clear eligibility requirements and only approve requests or claims that meet the criteria. This can include internal requests for staff access to systems or information.

Internal escalation procedures

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Parameters and limits

Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.

Prompts and alerts

Set up system prompts and alerts to warn users when information is inconsistent or irregular, which either requires acceptance or denies further actions.

Related Fraudster Personas

This countermeasure helps prevent, detect or respond to the following Fraudster Personas:

The Exploiter

The Exploiter uses something for a wrongful purpose to dishonestly gain personal benefits.

The Coercer

The Coercer influences, manipulates or bribes another person to act in a desired way to dishonestly gain personal benefits.

The Impersonator

The Impersonator pretends they are another person or entity to dishonestly gain personal benefits.

Was this page helpful?