Privileged system access
Limit and monitor privileged system access that allows employees, contractors and providers to perform special functions or override system and application controls.
This control targets internal fraud risks.
Examples
Examples of this control include:
- only assigning privileged roles or accounts to employees who have an appropriate level of authority or security clearance
- only granting privileged system access on a temporary or as-needed basis
- regularly reviewing access to privileged roles and accounts
- increasing monitoring of employees with privileged system access, e.g. administrative access
- audit logging and regularly reporting on the use of privileged accounts
- adhering to requirements under the:
- Protective Security Requirements
- New Zealand Information Security Manual
- Minimum Cyber Security Standards
- NCSC Cyber Security Framework.
Risks from control gap
A lack of tightly restricted and monitored access can lead to:
- fraudsters gaining access and using it to conceal their activities or expand their access across systems
- uncertainty around how employees are using administrative privileges
- poor management of decision making and risk related to administrative privileges
- employees or contractors abusing their position of trust to process fraudulent requests or claims for themselves or another person
- employees or contractors abusing their position of trust to access and disclose official information without authority
- employees or contractors being coerced by others to use their administrative privileges for dishonest purposes
- employees or contractors using privileged access to make unauthorised changes to systems or databases to:
- bypass approvals
- access, manipulate or release sensitive information
- erase records of their activities.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- confirming controls comply with the Protective Security Requirements
- confirming the use of privileged accounts is controlled and auditable
- obtaining and reviewing requirements for who should have access to privileged accounts
- confirming the existence of a request and approvals process for obtaining privileged accounts
- confirming that someone cannot bypass standard process requirements, even when subject to pressure or coercion
- confirming that privileged accounts are subject to segregation of duties requirements
- reviewing the need for security clearances for privileged accounts
- reviewing a sample of circumstances where privileged accounts were used
- reviewing reports to confirm privileged accounts are only assigned to employees that require them
- undertaking testing or a process walkthrough to confirm that the limits and monitoring of privileged accounts work correctly and cannot be circumvented
- confirming that the use of accounts are reviewed and reconciled and checking the reports
- reviewing any past breaches or fraud related to the use of privileged accounts and identifying how they occurred.
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
The corrupt
|
The enabler
|
The exploiter
|
Download the complete fraud control catalogue
Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.
More information
- Learn how employees, contractors, vendors or business partners can harm an organisation from within
- Find out more about the real impacts of public sector fraud, beyond just financial
- See how a robust pre-employment screening process is one of the most effective ways to reduce the risk of employee fraud and corruption in your organisation
- Learn how to reduce the risk of fraud and corruption in procurement