
User permissions


Summary

Functionality within systems is limited/controlled by user permissions, which are assigned to users based on specific business needs; for example, high-risk functions are limited to specialised users.

The Protective Security Policy Framework articulates the government protective security policies that underpin this control.

Examples

Some examples of this type of countermeasure include:

  • Access to functionality within systems is limited to specific permissions.
  • Specific permissions require a business case and approval to obtain.
  • Only centralised areas have access to certain functions, e.g. only payroll staff have access to payroll functions and information.
  • Staff are blocked from accessing their own programme record.
  • Authorised representatives can only perform limited functions on a customer's record.

Purpose of this countermeasure

Staff or contractors can abuse their position of trust to:

  • process fraudulent requests or claims for themselves or another person, and
  • access, manipulate or disclose official information without authority.

Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity; e.g. coerced to provide information or pay a claim.

Abuse of public office, acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Failing to control a system user's ability to access information or complete transactions can lead to fraudsters exploiting weaknesses to:

  • facilitate fraudulent payments, or
  • access, manipulate and disclose information without a business need.

Dependencies

This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • Sensitive and classified information
    • Access to information
    • Safeguarding information from cyber threats
    • Robust ICT systems
  • Confirm the existence of permissions and limits within the system.
  • Review procedures or guidance to confirm they clearly specify where permissions should be limited.
  • Obtain and review requirements for who should have certain user permissions.
  • Confirm the existence of a request and approvals process for obtaining specific permissions.
  • Confirm request and approvals processes are consistently applied.
  • Review procedures for requesting user permissions. Confirm the request processes are robust. Actively test them if required.
  • Confirm that someone cannot bypass standard process requirements even when subject to pressure or coercion.
  • Confirm that user permissions consider segregation of duties requirements.
  • Review the need for Security Clearances for some permissions, if applicable.
  • Undertake quantitative and qualitative analysis of user permissions to confirm only those who require permissions have the permissions.
  • Undertake testing or a process walk-through to confirm that permissions within systems work correctly and cannot be circumvented.
  • Confirm the existence of a review and reconciliation process. Review the reports.
  • Review any past access breaches to identify how they were allowed to occur.
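The permission analysis, approval check, segregation-of-duties check and own-record check listed above can be partly automated. The script below is an added illustration, not part of the Department's page: the business areas, permission names, approval references and audit events are constructed sample data, and the approved-entitlement matrix and conflict pairs are assumptions an agency would replace with its own.

```python
"""Access-review reconciliation over constructed sample data (assumed format).
Flags permissions outside a user's approved business area, permissions without
an approval reference, segregation-of-duties conflicts, and own-record access."""
from collections import defaultdict

# Approved entitlements: which permissions each business area may hold (assumed).
APPROVED = {
    "payroll": {"payroll.view", "payroll.pay"},
    "claims": {"claims.view", "claims.assess"},
    "service": {"claims.view"},
}
# Permission pairs a single user must never hold together (assumed SoD rule).
SOD_CONFLICTS = [("claims.assess", "claims.approve")]

# Constructed sample of granted permissions: (user, area, permission, approval ref).
GRANTS = [
    ("alice", "payroll", "payroll.view", "REQ-1"),
    ("alice", "payroll", "payroll.pay", "REQ-1"),
    ("bob", "claims", "claims.assess", "REQ-2"),
    ("bob", "claims", "claims.approve", None),  # unapproved and conflicts with assess
    ("carol", "service", "payroll.view", None),  # outside carol's business area
]

# Constructed audit events (user, record id, action) and each user's own record.
AUDIT = [("alice", "P-1001", "view"), ("bob", "P-2002", "view"), ("bob", "P-2002", "update")]
OWN_RECORD = {"alice": "P-1001", "bob": "P-3003"}


def reconcile(grants, approved, sod_conflicts):
    """Return (user, permission, issue) findings from the granted permissions."""
    findings = []
    perms_by_user = defaultdict(set)
    for user, area, perm, ref in grants:
        perms_by_user[user].add(perm)
        if perm not in approved.get(area, set()):
            findings.append((user, perm, "not approved for business area"))
        if ref is None:
            findings.append((user, perm, "no approval reference"))
    for user, perms in perms_by_user.items():
        for first, second in sod_conflicts:
            if first in perms and second in perms:
                findings.append((user, f"{first}+{second}", "segregation of duties conflict"))
    return findings


def own_record_access(events, own_record):
    """Return audit events where a user touched their own programme record."""
    return [(u, r, a) for u, r, a in events if own_record.get(u) == r]


if __name__ == "__main__":
    for finding in reconcile(GRANTS, APPROVED, SOD_CONFLICTS) + own_record_access(AUDIT, OWN_RECORD):
        print(finding)
```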
