Data protected from manipulation or misuse
Protections are in place to prevent data being manipulated or misused. For example, a system's source code or audit logs cannot be altered in production environments.
Some examples of this type of countermeasure include:
- Pre-fill data cannot be changed on forms.
- Reports are 'read only' to prevent manipulation.
- Data is coded directly into systems and cannot be manually altered. privileged
- Updates to production data is restricted by system parameters.
- A system's source code cannot be altered outside a prescribed change management process.
- Audit logs cannot be altered.
Purpose of this countermeasure
Someone can provide false information to support a request or claim, or fail to disclose changes or information that would affect their entitlement.
Staff or contractors can also abuse their position of trust to access and manipulate information without authority.
Acting dishonestly and providing false or misleading information or forged documents to commit fraud are offences under the Criminal Code Act 1995.
Allowing customers, staff or third parties to manipulate data with impunity within systems or on forms can lead to fraudsters:
- facilitating fraudulent payments,
- manipulating information without authority
- improperly influencing decisions.
This type of control is supported by:
- Managerial, independent or expert oversight
- A specific form, process or system must be used
- System or physical access controls
- User permissions
- Sensitive information controls
- Data matching
- Privileged access restrictions and monitoring
- Change management processes
- System testing
- Quality assurance checks
- Internal or external audits or reviews
- Fraud detection programs
- Audit logging
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Review procedures or guidance to confirm it clearly specifies how data should be protected from manipulation or misuse.
- Confirm protections are in place to prevent data being manipulated or misused.
- Confirm protections are always applied.
- Review a sample of completed data requests to confirm appropriate protections and classifications were applied.
- Undertake quantitative analysis, such as reconciling audit logs, to check data has not been manipulated.
- Review a sample to confirm data has not been manipulated.
- Ask staff about data protections to ensure they have a consistent and correct understanding.
- Undertake vulnerability testing or a process walk-through to confirm that data cannot be manipulated or misused.
- Confirm that someone cannot override or bypass protections, even when pressure or coercion is applied.
- Check if reporting, reconciliation or change management processes exist for changes to data.