Sensitive information control
Control sensitive or official information to ensure it cannot leave your organisation's network without authority or detection.
This control targets internal fraud risks.
Examples
Examples of this control include:
- scanning and quarantining suspect emails sent to an external destination
- limiting access to collaboration websites that enable documents to be uploaded
- controlling access to supporting ICT systems, networks (including remote access), infrastructure and applications
- controlling the use of removable and portable storage media and unapproved connected devices, e.g. USB flash drives
- network management practices and procedures to identify and address network structure or configuration vulnerabilities
- using encryption, particularly when transferring information.
Risks from control gap
Allowing information to leave your organisation's network without authority or detection can lead to employees or contractors:
- publicly releasing official, sensitive or classified information
- providing sensitive or classified information to others for dishonest gain, e.g. helping a company win a government contract
- selling sensitive or classified information to criminals and scammers
- using sensitive or classified information to commit fraud themselves.
Assessing effectiveness
Methods to evaluate the effectiveness of this control include:
- conducting pressure testing to assess if sensitive information release would be prevented or detected by current controls
- consulting subject matter experts about information loss protection controls
- conducting a process walkthrough by sitting with an employee while they show you how the controls work
- reviewing the controls to determine if they would prevent or detect different methods of information disclosure
- validating that information protection controls meet the Protective Security Requirements expectations
- confirming controls are always on and automatically applied
- confirming that detection tolerances or parameters are appropriate
- confirming that detection parameters or thresholds are not widely known
- arranging or reviewing results of technical testing to confirm controls are working to specifications
- confirming that the systems or processes underlying the information loss protection controls are adequate and reliable
- confirming that information or data breaches go to the most appropriate employees or team for review
- reviewing a sample of detected incidents
- analysing reports related to information loss protection controls, e.g. how many breaches are reported and how often
- reviewing who has access to change the controls
- confirming that someone cannot manipulate the information loss protection controls and testing this if required
- checking what other reporting occurs, e.g. whether executives review information or data disclosure reports during committee meetings.
Complementary controls
Other capability, prevention, detection and response controls that can enhance this control’s effectiveness:
Related fraudster personas
Types of behaviour this control is designed to mitigate:
- The corrupt
- The enabler
- The exploiter
- The organised