Data loss protections
Official information, such as aggregated data, cannot leave your organisation's network without authority or detection
NB: This may also be a detection countermeasure.
The Protective Security Policy Framework articulates the government protective security policies that underpin this control.
Some examples of this type of countermeasure include:
- Scanning and quarantining suspect emails sent to an external destination.
- Limiting access to collaboration websites that enable documents to be uploaded.
- Controlling access to supporting ICT systems, networks (including remote access), infrastructure and applications.
- Controlling the use of portable storage devices such as USB flash drives.
- Network management practices and procedures to identify and address network structure or configuration vulnerabilities.
- Using encryption, particularly when transferring information.
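The first example above, scanning and quarantining suspect outbound email, can be illustrated with a small checker. The following is an added example, not code from this page or from any government system: it treats a message as suspect when it goes to a recipient outside an assumed internal domain and either carries a protective marking or contains enough personal records to count as aggregated data. The internal domain, the marking strings scanned for, the date-of-birth pattern used as a stand-in for personal records, the threshold and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Domains treated as inside the organisation's network (assumption for this example).
INTERNAL_DOMAINS = {"agency.example.gov.au"}

# Protective marking strings to look for. The exact set an agency scans for is assumed;
# word boundaries stop "UNPROTECTED" from matching "PROTECTED".
MARKING_RE = re.compile(r"\b(OFFICIAL: Sensitive|PROTECTED)\b")

# A crude proxy for "aggregated personal data": occurrences of a dd/mm/yyyy date of birth.
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")
AGGREGATION_THRESHOLD = 10  # records per message before it counts as bulk data (assumed)


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


def external_recipients(msg: OutboundMessage) -> list[str]:
    """Recipients whose domain is not on the internal allow-list."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def find_markings(text: str) -> list[str]:
    """Distinct protective markings found anywhere in the text."""
    return sorted(set(MARKING_RE.findall(text)))


def count_records(text: str) -> int:
    """Number of date-of-birth-like fields, used as a record count."""
    return len(DOB_RE.findall(text))


def assess(msg: OutboundMessage) -> dict:
    """Return an action ('allow' or 'quarantine') and the reasons behind it.

    Only mail leaving the organisation is inspected; internal mail with a
    marking is allowed, because the control is about data leaving the network.
    """
    external = external_recipients(msg)
    if not external:
        return {"action": "allow", "reasons": [], "external": []}

    texts = [msg.subject, msg.body, *msg.attachments.values()]
    reasons = []
    markings = find_markings("\n".join(texts))
    if markings:
        reasons.append(f"protective marking present: {', '.join(markings)}")
    records = sum(count_records(t) for t in texts)
    if records >= AGGREGATION_THRESHOLD:
        reasons.append(f"bulk personal records detected: {records} >= {AGGREGATION_THRESHOLD}")

    action = "quarantine" if reasons else "allow"
    return {"action": action, "reasons": reasons, "external": external}


def _bulk_attachment(n: int) -> str:
    """Constructed attachment text: n rows of 'name,date of birth'."""
    return "\n".join(f"Person {i},01/0{(i % 9) + 1}/1990" for i in range(n))


# Constructed sample traffic: internal marked mail, external marked mail,
# external bulk export, and harmless external mail.
SAMPLE_MESSAGES = [
    OutboundMessage("a@agency.example.gov.au", ["b@agency.example.gov.au"],
                    "Briefing", "OFFICIAL: Sensitive briefing attached for review."),
    OutboundMessage("a@agency.example.gov.au", ["friend@mail.example.com"],
                    "Fwd: OFFICIAL: Sensitive briefing", "Thought you might like this."),
    OutboundMessage("a@agency.example.gov.au", ["home@mail.example.com"],
                    "Client list", "See attached.", {"clients.csv": _bulk_attachment(12)}),
    OutboundMessage("a@agency.example.gov.au", ["friend@mail.example.com"],
                    "Lunch", "Friday at 12?"),
]


def run_sample() -> list[tuple[str, str]]:
    """Assess every sample message and return (subject, action) pairs."""
    return [(m.subject, assess(m)["action"]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, action in run_sample():
        print(f"{action:10} {subject}")
```

In a real deployment the attachment text would come from a content extractor and the verdict would feed a quarantine queue for review; the point of the example is that the decision combines a destination check with a content check, and that the threshold for "aggregated" data is a parameter that should be reviewed rather than left at a default.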
Purpose of this countermeasure
Staff or contractors can abuse their position of trust to access, manipulate or disclose official information without authority.
Staff and contractors can also be coerced to disclose official information.
Abuse of public office, acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Allowing staff or contractors to release data without authority and appropriate control can lead to fraudsters:
- publicly releasing sensitive information,
- selling information,
- using the information to improperly influence decisions, and
- using the information to coerce others to act in an involuntary manner.
The way data is aggregated and stored together increases the scale of a potential breach.
Personal and Government information is highly sought after by several different types of perpetrators, including organised criminals.
This type of control is supported by:
- Governance, accountability and oversight
- Integrity checks and performance reviews
- Legislation and Policy
- Self-disclosure and reporting mechanisms
- Managerial, independent or expert oversight
- Staff are trained to apply correct processes and decisions
- A specific form, process or system must be used
- System or physical access controls
- User permissions
- Sensitive information controls
- Privileged access restrictions and monitoring
- Data protected from manipulation or misuse
- Change management processes
- System testing
- Staff are trained and supported to identify and report fraud and corruption
- Quality assurance checks
- Activity reporting
- Exception reporting
- Internal or external audits or reviews
- Automatic notification of high-risk activities and transactions
- Fraud detection programs
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Conduct vulnerability testing – test if fraudulent activity would be prevented or detected.
- Consult subject matter experts about the data loss protection controls.
- Confirm that the data loss protection controls comply with requirements of the Protective Security Policy Framework.
- Process walk-through - sit with a staff member while they show you how the controls work.
- Review the controls to determine if they would prevent or detect different methods of information disclosure.
- Confirm controls are 'always on' and automatically applied.
- Confirm that detection tolerances or parameters are appropriate.
- Confirm that detection parameters or thresholds are not widely known.
- Arrange or review results of technical testing to confirm controls are working to specifications.
- Confirm that the systems/processes underlying the data loss protection controls are adequate and reliable.
- Confirm that data/information breaches go to the most appropriate staff/team for review.
- Review a sample of detected incidents.
- Undertake analysis of data related to the data loss protection controls; e.g. how many breaches are reported? How often?
- Review who has access to the controls.
- Confirm that someone cannot manipulate the data loss protection controls. Test this if required.
- Check what other reporting occurs, e.g. do executives review data/information disclosure reports during committee meetings?