Tackling Public-Sector IT Fraud

Five ways CIOs can prevent and control government IT fraud.

by Alyssa G. Martin / February 9, 2010

A water department cashier extracts residents' personal information from a database and then sells that data. A municipal court employee improperly accesses the system to alter values for citations issued.

Everyday reliance on technology makes many fraudulent schemes possible. The Computer Security Institute (CSI), an educational organization for information security professionals, conducted its 13th Annual Computer Crime and Security Survey in 2008. The survey found that financial fraud ranked as the costliest type of IT incident, with an average reported cost of $500,000 per incident.

In its 2008 Report to the Nation on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE), a national society of fraud investigation professionals, reported that government organizations were the victims in 18 percent of 959 fraud cases its members investigated between February 2006 and January 2008.

Technology presents many opportunities for fraud to occur. Fortunately, it also offers many capabilities for combating fraud. In a preventive role, technology enforces defined segregations of duties, restricts IT access and limits the functions individuals may perform.

Technology also helps officials detect and respond to potential incidents more promptly. The ACFE reports that a typical fraud scheme goes undetected for two years. Much is lost in that time and never recovered. Continuous monitoring technology, however, alerts managers whenever any suspicious IT-related activity occurs, thereby limiting the ensuing damage.

Public-sector entities vary immensely in the specific IT systems they deploy, but the following universal concepts aid in addressing and combating technology-related fraud.

General Fraud Prevention IT Controls

By continually emphasizing the importance of ethical behavior, public officials create an internal culture that values maintaining trust and safeguarding public assets. That culture sustains all fraud prevention concepts and controls. Public CIOs can control and prevent IT fraud in the following ways:

1. Logical Security

How easily can an individual gain unauthorized IT access to manipulate or extract data? Logical security measures address that concern.

Firewalls and software for blocking spyware and viruses provide network perimeter security against common external attacks. Virtual private networks (VPN) and various white list approaches that allow only authorized applications to run on any hardware provide additional malware defense.

Within the network, authorization and authentication policies that go beyond standard login/password practices provide greater security for crucial files and applications.

Passwords and logins should require regularly updated alphanumeric and special character combinations that cannot be easily guessed.

Personal authentication practices provide an additional layer of protection. Authentication measures include challenge questions, smart cards or portable electronic tokens that store a PIN, digital signature, fingerprint or other form of unique identification information. That information transmits to a desktop PC, laptop or mobile device via a card reader, RFID, USB port or Bluetooth wireless technology.

User provisions define what IT access rights individuals need to perform work-related duties. Those user provisions encompass specific application functions and modules, and enable organizations to enforce defined segregations of duties as they relate to IT needs.

IT directories maintain employee groupings and the IT access levels granted to each individual, based on assigned user provisions. Microsoft's Active Directory manages and monitors provisioning within Windows server systems. AS/400, IBM and other server platforms incorporate similar oversight of how access is distributed.

When someone attempts to sign on for any IT function, access is granted or denied, based on the login, password and the IT directory user provision information.

2. Change Management

To commit fraud, someone may install unauthorized software or make unapproved changes to an existing network component, thereby compromising or disabling security settings.

Sound change management policies must direct any IT installations or modifications. File integrity agents detect all file changes, and not just the most recent modification. Regularly comparing those findings to an authorized change log helps administrators more easily detect improper alterations.
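The comparison described above can be sketched in a few lines. This is an added Python example, not from the original article: it hashes a directory before and after a change window and flags every change whose resulting content has no approved entry in the change log. The file names, ticket id and log layout (path plus approved SHA-256) are constructed assumptions, and comparing two snapshots shows only the net change, whereas an agent that records every intermediate modification sees more.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                digests[os.path.relpath(path, root)] = hashlib.sha256(handle.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Return (path, kind) for every file added, removed or modified."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if before.get(path) != after.get(path):
            kind = ("added" if path not in before
                    else "removed" if path not in after else "modified")
            changes.append((path, kind))
    return changes

def unauthorized(changes, after, change_log):
    """Keep changes whose resulting content was not approved in the log."""
    approved = {(entry["path"], entry["sha256"]) for entry in change_log}
    return [(p, kind) for p, kind in changes if (p, after.get(p)) not in approved]

def write(root, name, body):
    with open(os.path.join(root, name), "w") as handle:
        handle.write(body)

def demo():
    """Constructed scenario: one approved edit, two unapproved changes."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "billing.cfg", "rate=1.0")
        write(root, "firewall.rules", "deny all")
        baseline = snapshot(root)
        write(root, "billing.cfg", "rate=1.1")      # approved below
        write(root, "firewall.rules", "allow all")  # no change ticket
        write(root, "helper.exe", "unknown")        # unapproved install
        current = snapshot(root)
        log = [{"ticket": "CHG-EXAMPLE-1", "path": "billing.cfg",
                "sha256": hashlib.sha256(b"rate=1.1").hexdigest()}]
        return unauthorized(diff_snapshots(baseline, current), current, log)

if __name__ == "__main__":
    print(demo())
```

Recording the approved hash, not just the approved path, means an authorized ticket cannot be used as cover for different content in the same file.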

3. Database Administration

Databases house crucial information that can lead to immense losses when altered or stolen. Database administration controls define and enforce individual action, object and constraint rights.

An action includes insert, read, modify or delete responsibilities. Granting authorization only for work-required actions could deter a state transportation department's regional supervisor from inserting a record for a nonexistent vendor.

Object limitations restrict the types of database records someone can access. With object restrictions, a public hospital administrator, for example, could not access individual patients' records.

Constraint restrictions assign limitations for authorized actions. Based on assigned constraints, a public utility employee would face dollar restrictions in crediting a resident's account.

4. Data Storage

Where does critical data reside? Is it on a workstation or laptop hard drive, a secure or unprotected server, within a data warehouse, or in an offsite repository?

Data storage considerations need to reflect the data's nature, with more crucial information requiring more secure storage and tighter access restrictions. Police 911 calls and ambulance response reports need to reside on a secure file server in a searchable directory.

A register of deeds office may hold thousands of building permit files. A secure data warehouse may be the best location for those records. Data that needs to be archived, such as death certificates from past decades, should reside in an offsite storage repository. Nonpublic information not needed for future purposes should be properly disposed of to alleviate data security concerns.

5. Data Encryption

Various methods of data encryption assure that crucial information remains in an unusable format if access controls fail. For online transmissions, secure sockets layer (SSL) encryption is commonly used to keep intercepted data from being read.

Within the network, data encryption technologies enable managers to protect vital information while retaining common file management practices. Data encryption, for example, secures driver's license numbers while maintaining the metadata and existing file system view.

Such general IT controls provide a first line of defense against fraud and are supplemented by automated detective systems that immediately call out or suspend questionable IT-related activities.

The Power of Segregation

Segregation of duties is a crucial fraud prevention concept. A CIO or CISO must align IT access restrictions with segregated work roles and responsibilities. This enables managers to deploy application controls and other automated, preventive measures in the most effective manner.

User provisions provide the foundation for establishing and enforcing segregation of duties within IT systems. The user provision incorporates the least privilege concept, which restricts a person's IT access rights to components required for defined, segregated duties.

IT directories maintain employee groupings and IT access levels granted to each individual. When someone logs on to any IT element, access is granted or denied, based on login, password and user provision information.

In conjunction with the IT directories, user provisions automatically ensure that segregation of duties remains in place for all processes requiring IT access.

DAM Good Detection

Even with the best preventive measures, individuals may still find ways to commit fraud. Preventive IT controls cannot fully protect against collusion. Someone may misuse granted authorization or share access information, while another individual may devise means to circumvent preventive controls.

Various methods of detecting inappropriate or unexpected activity exist. Exception reports identify data anomalies or changes to protected data. Data analysis compares data sets to identify transactions that, based on rules, indicate incongruent or inappropriate activity.

Newer technologies also incorporate instant detection and notification capabilities. Database activity monitors (DAM), for example, continuously oversee all database activity and issue alerts whenever uncommon or improper activity occurs.

Security information and event management (SIEM) systems also automatically send notifications whenever unusual transactions, security infractions or other suspicious activities happen. That SIEM oversight may cover a lone application or numerous programs, as well as other IT components.

Administrator-defined business rules and standards of normal IT activity determine when DAM or SIEM systems provide alerts. An alert may occur when someone spends too much time viewing a read-only file containing students' Social Security numbers. Managers may also get alerts when the monthly volume of closed traffic citations exceeds normal averages, or when a public safety officer's work shift hours exceed the legally allowed limit.
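Two of the rules mentioned above, written as detection logic over audit records. This is an added Python example, not from the original article or from any DAM or SIEM product. The record layout, user names, six-month history, the 600-second viewing limit and the three-standard-deviation threshold are all constructed assumptions an administrator would replace with local values.

```python
from statistics import mean, stdev

# Constructed database audit records: (user, action, object, seconds_open)
EVENTS = (
    [("clerk7", "close", "citations", 0)] * 61
    + [("clerk2", "read", "student_ssn", 45),
       ("aide4", "read", "student_ssn", 1900),
       ("clerk2", "read", "citations", 2400)]
)
# Constructed closed-citation counts for the six previous months.
HISTORY = [40, 44, 38, 42, 41, 39]

# Administrator-defined rule settings (assumed values for this example).
SENSITIVE_OBJECTS = {"student_ssn"}
MAX_VIEW_SECONDS = 600
SIGMA = 3

def volume_alert(events, history, sigma=SIGMA):
    """Alert when this month's closed citations exceed mean + sigma * stdev."""
    closed = sum(1 for _user, action, obj, _secs in events
                 if action == "close" and obj == "citations")
    limit = mean(history) + sigma * stdev(history)
    if closed > limit:
        return [("citation_volume", closed, round(limit, 1))]
    return []

def dwell_alerts(events, max_seconds=MAX_VIEW_SECONDS):
    """Alert on reads of sensitive objects held open longer than allowed."""
    return [("long_sensitive_read", user, obj, secs)
            for user, action, obj, secs in events
            if action == "read" and obj in SENSITIVE_OBJECTS and secs > max_seconds]

def evaluate(events, history):
    """Run every rule and return the combined alert list."""
    return volume_alert(events, history) + dwell_alerts(events)

if __name__ == "__main__":
    for alert in evaluate(EVENTS, HISTORY):
        print(alert)
```

The long read of the citations table raises no alert because only objects listed as sensitive are subject to the viewing-time rule.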

Screen shot files and audit trail features document activity sequences. Some systems also immediately suspend user activity whenever suspicious actions unfold. Such immediate detection eliminates the costly time lags and other potential difficulties associated with manually evaluating IT logs to detect anomalies or exceptions.

Maintaining Continual Vigilance

The public sector faces constant internal change in personnel, processes and the IT systems they use. Keeping pace with such change and providing optimal fraud protection requires continual vigilance.

Sustaining that vigilance takes money and time, but those cumulative costs are generally less than the expenses associated with just one incident of fraud discovery. The resources committed to preventing and detecting fraud function as a form of insurance that saves considerable potential taxpayer expense and provides immediate peace of mind.

Alyssa G. Martin Contributing Writer
Alyssa G. Martin, CPA, MBA, is the Dallas executive partner and the firmwide partner in charge of the Risk Advisory Services group at Weaver and Tidwell LLP, an independent certified public accounting firm in the Southwest. Martin can be contacted at (817) 332-7905 or (972) 448-6975.