Jun 18, 2009, By Alyssa G. Martin
A water department cashier extracts residents' personal information from a database and then sells that data. A municipal court employee improperly accesses the system to alter values for citations issued.
Everyday reliance on technology makes many such fraudulent schemes possible. The Computer Security Institute (CSI), an educational organization for information security professionals, conducted its 13th Annual Computer Crime and Security Survey in 2008. The survey found that financial fraud ranked as the costliest type of IT incident, with an average reported cost of $500,000 per incident.
In its 2008 Report to the Nation on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE), a national society of fraud investigation professionals, reported that government organizations were the victims in 18 percent of 959 fraud cases its members investigated between February 2006 and January 2008.
Technology presents many opportunities for fraud. Fortunately, it also offers many capabilities for combating it. In a preventive role, technology enforces defined segregations of duties: it restricts IT access and limits the functions individuals may perform.
Technology also helps officials detect and respond to potential incidents more promptly. The ACFE reports that a typical fraud scheme goes undetected for two years. Much is lost in that time and never recovered. Continuous monitoring technology, however, alerts managers whenever any suspicious IT-related activity occurs, thereby limiting the ensuing damage.
Public-sector entities vary immensely in the specific IT systems they deploy, but the following universal concepts aid in addressing and combating technology-related fraud.
By continually emphasizing the importance of ethical behavior, public officials create an internal culture that values maintaining trust and safeguarding public assets. That culture sustains all fraud prevention concepts and controls. Public CIOs can control and prevent IT fraud in the following ways:
How easily can an individual gain unauthorized IT access to manipulate or extract data? Logical security measures address that concern.
Firewalls and software for blocking spyware and viruses provide network perimeter security against common external attacks. Virtual private networks (VPNs) and various whitelist approaches that allow only authorized applications to run on any hardware provide additional malware defense.
Within the network, authorization and authentication policies that go beyond standard login/password practices provide greater security for crucial files and applications.
Passwords and logins should require regularly updated alphanumeric and special character combinations that cannot be easily guessed.
Personal authentication practices provide an additional layer of protection. Authentication measures include challenge questions, smart cards or portable electronic tokens that store a PIN, digital signature, fingerprint or other form of unique identification information. That information is transmitted to a desktop PC, laptop or mobile device via a card reader, RFID, USB port or Bluetooth wireless technology.
User provisions define what IT access rights individuals need to perform work-related duties. Those user provisions encompass specific application functions and modules, and enable organizations to enforce defined segregations of duties as they relate to IT needs.
IT directories maintain employee groupings and IT access levels granted to each individual, based on assigned user provisions. Microsoft's Active Directory manages and monitors provisioning within Windows server systems. AS/400, IBM and other server platforms incorporate similar oversight through the distribution of access.
When someone attempts to sign on for any IT function, access is granted or denied, based on the login, password and the IT directory user provision information.
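The provisioning model described above can be audited for segregation-of-duties conflicts before anyone exploits one. The following is an added example, not part of the original article: the group names, user names, function names and conflict rules are all hypothetical, and authentication (login and password) is assumed to have already succeeded.

```python
# Constructed sample directory: every group, user and function name is hypothetical.
GROUP_PERMISSIONS = {
    "water-cashiers": {"payment.post", "customer.view"},
    "water-billing-admins": {"customer.view", "customer.export", "payment.adjust"},
    "court-clerks": {"citation.view", "citation.record_payment"},
    "court-supervisors": {"citation.view", "citation.alter_amount"},
}
USER_GROUPS = {
    "jdoe": {"water-cashiers"},
    "asmith": {"water-cashiers", "water-billing-admins"},  # over-provisioned
    "blee": {"court-clerks", "court-supervisors"},          # over-provisioned
    "cwong": {"court-supervisors"},
}
# Pairs of functions that one person should never hold together.
SOD_RULES = [
    ("payment.post", "payment.adjust"),
    ("payment.post", "customer.export"),
    ("citation.record_payment", "citation.alter_amount"),
]

def effective_permissions(user):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in USER_GROUPS.get(user, ()):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def is_allowed(user, function):
    """Default deny: unknown users and unprovisioned functions are refused."""
    return function in effective_permissions(user)

def sod_conflicts():
    """Return (user, function_a, function_b) for every rule a user violates."""
    findings = []
    for user in sorted(USER_GROUPS):
        perms = effective_permissions(user)
        for a, b in SOD_RULES:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings

if __name__ == "__main__":
    for user, a, b in sod_conflicts():
        print(f"SoD conflict: {user} holds both {a} and {b}")
    print("jdoe may export customers:", is_allowed("jdoe", "customer.export"))
```

Conflicts usually arise from overlapping group memberships rather than from any single grant, which is why the check runs on each user's combined permissions.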
To commit fraud, someone may install unauthorized software or make unapproved changes to an existing network component, thereby compromising or disabling security settings.
Sound change management policies must direct any IT installations or modifications.