Privileged access restrictions and monitoring
Access to privileged roles is tightly restricted and monitored.
The Protective Security Policy Framework articulates the government protective security policies that underpin this control. In particular:
Entities must restrict administrative privileges to operating systems and applications based on user duties by ensuring that:
- the use of privileged accounts is controlled and auditable
- controls are in place to prevent privileged accounts from being used to read emails, browse the web or obtain files via internet sources.
Some examples of this type of countermeasure include:
- Staff must have an appropriate security clearance to access privileged roles/accounts.
- Privileged system access is only granted on a temporary, as-needed basis.
- Access to privileged roles and accounts is regularly reviewed.
- Staff with privileged system access, such as Admin access, are subject to increased monitoring.
- The use of privileged accounts is audit logged and regularly reported.
Purpose of this countermeasure
Staff or contractors can abuse their position of trust to process fraudulent requests or claims for themselves or another person. Staff and contractors can also be coerced to process fraudulent requests or claims for another person or entity, e.g. pressured to pay a fraudulent invoice.
Staff or contractors can also abuse their position of trust to access and disclose official information without authority.
Acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.
Restricting administrative privileges is one of the most effective ways to safeguard ICT systems. Failing to tightly restrict and monitor access to privileged access roles can lead to:
- dysfunctional and obscure processes, and
- poor management of decision-making and risk.
Fraudsters could use privileged access to make unauthorised changes in systems to:
- facilitate fraudulent payments,
- access, manipulate or release sensitive information, and
- erase records of their activities.
This type of control is supported by:
- Governance, accountability and oversight
- Integrity checks and suitability reviews
- Staff are trained to apply correct processes and decisions
- Procedural instructions or guidance
- Managerial, independent or expert oversight
- A specific form, process or system must be used
- System or physical access controls
- User permissions
- Sensitive information controls
- Change management processes
- System testing
- Staff are trained and supported to identify and report fraud and corruption
- Quality assurance checks
- Activity reporting
- Exception reporting
- Internal or external audits or reviews
- Automatic notification of high-risk activities and transactions
- Fraud detection programs
- Audit logging
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
  - Sensitive and classified information
  - Access to information
  - Safeguarding information from cyber threats
  - Robust ICT systems
- Confirm the use of privileged accounts is controlled and auditable.
- Review procedures or guidance to confirm they clearly specify how privileged accounts are limited and monitored.
- Obtain and review requirements for who should have access to privileged accounts.
- Confirm the existence of a request and approvals process for obtaining privileged accounts. Confirm processes are consistently applied.
- Review procedures for requesting privileged accounts. Confirm the request processes are robust. Actively test them if required.
- Confirm that someone cannot bypass standard process requirements even when subject to pressure or coercion.
- Confirm that privileged accounts are subject to segregation of duties requirements.
- Review the need for security clearances for privileged accounts.
- Review a sample of circumstances where privileged accounts were used.
- Undertake analysis to confirm only those who require privileged accounts have them.
- Undertake testing or a process walk-through to confirm that the limits and monitoring of privileged accounts work correctly and cannot be circumvented.
- Confirm the existence of a review and reconciliation process. Review the reports.
- Review any past breaches or fraud related to the use of privileged accounts. Identify how these were allowed to occur.
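Several of the checks above (only those who need privileged accounts have them, grants are temporary, use is audit logged, a review and reconciliation process exists, segregation of duties applies, and privileged accounts are not used to read email or browse the web) can be carried out as one reconciliation run. The script below is an added example and is not part of the Commonwealth Fraud Prevention Centre guidance or the PSPF; the group names, user names, approvers, register entries and audit log lines are all constructed sample data, and the log line format is an assumption.

```python
"""Reconcile privileged group membership against an approved-access register
and flag audit log activity that no current approval covers.

Added example, not part of the Commonwealth Fraud Prevention Centre guidance
or the PSPF. All group names, user names, approvers, register entries and
log lines are constructed sample data; the log format is assumed.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Grant:
    """One approved, time-limited privileged access grant from the register."""
    user: str
    group: str
    approver: str
    expires: date


# Constructed: who the directory currently lists in each privileged group.
PRIVILEGED_MEMBERS = {
    "DomainAdmins": {"alice", "bob", "svc_backup"},
    "PaymentsAdmins": {"carol", "dave"},
}

# Constructed: the access register of approved, as-needed grants.
ACCESS_REGISTER = [
    Grant("alice", "DomainAdmins", "cio", date(2025, 12, 31)),
    Grant("bob", "DomainAdmins", "cio", date(2024, 6, 30)),      # lapsed, still a member
    Grant("carol", "PaymentsAdmins", "cfo", date(2025, 9, 30)),
    Grant("dave", "PaymentsAdmins", "dave", date(2025, 9, 30)),  # approved his own access
    Grant("erin", "PaymentsAdmins", "cfo", date(2025, 9, 30)),   # approved but not a member
]

# Constructed audit log, assumed format: "timestamp group user action target".
AUDIT_LOG = """\
2025-03-02T10:15:00 PaymentsAdmins carol approve_payment INV-1001
2025-03-02T10:20:00 PaymentsAdmins dave approve_payment INV-1002
2025-03-03T08:05:00 DomainAdmins bob reset_password carol
2025-03-03T09:40:00 DomainAdmins svc_backup read_mailbox alice
"""

# Actions a privileged account should never perform (PSPF: no email, web or
# internet file access from privileged accounts).
DISALLOWED_ACTIONS = {"read_mailbox", "browse_web", "download_internet_file"}


def reconcile(members, register, today):
    """Compare group membership with the register and return exception lists."""
    by_key = {(g.user, g.group): g for g in register}
    findings = {"unapproved": [], "expired": [], "stale_grant": [], "self_approved": []}
    for group, users in members.items():
        for user in sorted(users):
            grant = by_key.get((user, group))
            if grant is None:                      # member with no approval at all
                findings["unapproved"].append((user, group))
            elif grant.expires < today:            # approval lapsed, access never removed
                findings["expired"].append((user, group, grant.expires.isoformat()))
    for g in register:
        if g.user not in members.get(g.group, set()):  # register entry nobody holds
            findings["stale_grant"].append((g.user, g.group))
        if g.approver == g.user:                       # segregation of duties breach
            findings["self_approved"].append((g.user, g.group))
    return findings


def uncovered_activity(log_text, register):
    """Return audit log events performed without a grant valid on that day."""
    by_key = {(g.user, g.group): g for g in register}
    events = []
    for line in log_text.splitlines():
        ts, group, user, action, target = line.split()
        day = datetime.fromisoformat(ts).date()
        grant = by_key.get((user, group))
        if grant is None or grant.expires < day:
            events.append((ts, group, user, action, target))
    return events


def disallowed_use(log_text):
    """Return audit log events where a privileged account did something it must not."""
    return [tuple(line.split()) for line in log_text.splitlines()
            if line.split()[3] in DISALLOWED_ACTIONS]


def run_review(today=date(2025, 3, 5)):
    """Run every check over the sample data; the review date is constructed."""
    return {
        "membership": reconcile(PRIVILEGED_MEMBERS, ACCESS_REGISTER, today),
        "uncovered_activity": uncovered_activity(AUDIT_LOG, ACCESS_REGISTER),
        "disallowed_use": disallowed_use(AUDIT_LOG),
    }


if __name__ == "__main__":
    for section, result in run_review().items():
        print(section, result)
```

Each finding maps to one of the review questions: `unapproved` and `stale_grant` answer whether only those who require privileged accounts have them, `expired` tests the temporary, as-needed requirement, `self_approved` tests segregation of duties, `uncovered_activity` is the sample of privileged account use reconciled against approvals, and `disallowed_use` checks the PSPF restriction on email, web and internet file access.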