Sensitive information access

This control targets internal fraud risks.

Examples

Examples of this control include:

restricting and monitoring access to records of high-profile individuals
restricting and monitoring access to sensitive information, e.g. commercial in-confidence information
security classified information being stored in secure environments.

Allowing customers, employees or third parties to access sensitive information and records without authority or a business need can lead to:

the public release of sensitive information
fraudsters using the information to improperly influence decisions
fraudsters using the information to coerce others to act, e.g. blackmail
employees or contractors accessing, manipulating or disclosing sensitive information without authority
employees or contractors stealing physical documents or records.

Methods to evaluate the effectiveness of this control include:

confirming that employees understand what sensitive information is
confirming that processes comply with the Protective Security Requirements
confirming that there is a process for requesting and approving access to sensitive information
confirming that employees are aware of the processes to limit access to sensitive information
confirming procedures for requesting access to sensitive information are robust and actively testing them
confirming that employees have the right level of security clearance to access sensitive information, if applicable
confirming through testing or a process walkthrough that access controls or processes cannot be circumvented.

Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:

Types of behaviour this control is designed to mitigate:

Explore a range of controls that can be put in place to reduce the risk of fraud happening in your organisation.