T 2.7 Unauthorised use of rights
Rights such as physical, system, and data access authorisations are used as organisational safeguards to ensure that information, business processes, and IT systems are protected against unauthorised access. If such rights are granted to the wrong person, or a right is exercised without authorisation, a number of threats arise that place the confidentiality and integrity of data or the availability of computing power at risk.
Examples:
- While the archive manager was absent, a work planner who was not authorised to have access to the data media archives removed some magnetic tapes from the archive to restore data from the backup copies on the tapes. Due to the uncontrolled removal of the media from the archive, the inventory list of the data media archive was not updated and the tapes could not be located during this time.
- An employee became ill. A colleague working in the same room knew from past observation where the employee kept the note with his password written on it, and used it to gain access to the other employee's computer. Since he had recently overheard in a telephone conversation that the employee still needed to hand in an expert opinion report, he took over this task in the name of the other employee without authorisation, even though he was not up to date on the subject matter of the report. The requirements specification for a tender document, created in the administration department on the basis of this report, then contained requirements for hardware components that were obsolete, because the employees in the administration department unconditionally trusted the expert opinion of the more experienced colleague.