End of life processes
Processes undertaken to dispose of archaic or surplus systems, HR positions, assets or information to prevent misappropriation.
NB: This may include archiving information or ceasing a customer identity.
This control is underpinned by:
- The National Archives of Australia's Information Management Standards; and
- the Protective Security Policy Framework.
Some examples of this type of countermeasure include:
- Documents are disposed of in accordance with the relevant Records Authority.
- Expired building passes must be surrendered to the issuing authority.
- Vacant HR positions are regularly reviewed and removed if no longer required.
- Returned unclaimed mail is handled and destroyed appropriately.
- Redundant ICT stock is effectively sanitised and disposed of.
- Deceased customer records are protected from misuse, e.g. made read-only.
- Redundant provider/supplier accounts are protected from misuse, e.g. made read-only.
Purpose of this countermeasure
Staff or contractors can abuse their position of trust to:
- process fraudulent requests or claims for themselves or another person,
- access, manipulate or disclose official information without authority, and
- steal physical assets.
Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity, e.g. coerced to provide information.
Abuse of public office, obtaining property by deception or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Failing to effectively dispose of surplus systems, HR positions, assets or information leaves them vulnerable to misappropriation. For example, a fraudster could:
- use old HR positions to make fraudulent payroll payments,
- continue to receive payments for a deceased customer,
- steal surplus assets, or
- release information held in legacy systems.
This type of control is supported by:
- Governance, accountability and oversight
- Managerial, independent or expert oversight
- Procedural instructions or guidance
- Staff are trained to apply correct processes and decisions
- A specific form, process or system must be used
- System or physical access controls
- User permissions
- Change management processes
- Internal or external audits or reviews
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Review policies and processes. Confirm that a clear and consistent process exists.
- Consult subject matter experts on processes and systems. Evaluate their understanding and thoughts about fraud control policies.
- Conduct a system or process walkthrough. Have staff show you the process.
- Review who has access to perform end of life processes.
- Confirm that records cannot be manipulated. Test this if required.
- Analyse data to confirm archaic or surplus systems, HR positions, assets or information are being properly disposed of.
- Review a sample of documentation to confirm compliance with policies and processes.
- Check if and how end of life processes are reported.