g and is outputted from an application. For instance, if a loan processor is entering information for a customer’s loan of $100,000, but instead enters $150,000 and
then moves the extra approved money somewhere else, this would be a case of data
diddling. Another example is if a cashier enters an amount of $40 into the cash register,
but really charges the customer $60 and keeps the extra $20.
There are many reasons to enter false information into a system or application, but
the usual reason is to overstate revenue and assets and understate expenses and liabilities. Sometimes managers do this to deceive shareholders, creditors, superiors, and
This type of crime is common and one of the easiest to prevent by using access and
accounting controls, supervision, auditing, separation of duties, and authorization limits. This is just one example of how insiders can be more dangerous than outsiders.

Excessive Privileges
Excessive privileges is a common security issue that is extremely hard to control in vast
and complex environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks she needs to fulfill. If a user
only needs to be able to read and print materials on the file server, she should not be
granted full control. A common example of this is when a manager in accounting is
granted full control of all files on a specific server, including payroll information. When
this person is moved from accounting to the research department, his rights should be
revoked or at least reduced, but most companies do not have procedures in place to
make sure this happens. (This is referred to as authorization creep.) Now he has full
control over the account records and the research records, and thus has excessive privileges. If he ever becomes disgruntled with the company for one reason or...

All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 (pp. 903-904)
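One way to put the periodic access review the text calls for into practice, as an added example that is not from the book: each department's least-privilege baseline is compared against what a user actually holds, so the accounting manager's leftover grants after a transfer to research surface as authorization creep. The role names, file-server paths and rights are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Role baselines: the least privilege each department needs on each resource.
# Constructed example values; the book names no specific roles or servers.
ROLE_BASELINE = {
    "accounting": {"fileserver:/accounts": {"read", "write"},
                   "fileserver:/payroll": {"read"}},
    "research":   {"fileserver:/research": {"read", "write"}},
}

@dataclass
class User:
    name: str
    department: str
    # Effective permissions actually granted: resource -> set of rights
    grants: dict = field(default_factory=dict)

def excess_privileges(user: User) -> dict:
    """Return the grants that exceed the user's current role baseline.

    Any right on a resource the role does not need at all, or any right beyond
    what the role needs, is excess. After a transfer, the old department's
    grants show up here as authorization creep.
    """
    baseline = ROLE_BASELINE.get(user.department, {})
    excess = {}
    for resource, rights in user.grants.items():
        extra = set(rights) - baseline.get(resource, set())
        if extra:
            excess[resource] = sorted(extra)
    return excess

def review(users):
    """Run the access review; returns {user: excess} for users with findings only."""
    return {u.name: ex for u in users if (ex := excess_privileges(u))}

# Constructed scenario from the text: an accounting manager with full control over
# account and payroll files is moved to research, but nothing was revoked.
FULL = {"read", "write", "delete", "change_permissions"}
manager = User("manager", "research", {
    "fileserver:/accounts": set(FULL),
    "fileserver:/payroll": set(FULL),
    "fileserver:/research": {"read", "write"},
})
clerk = User("clerk", "accounting", {"fileserver:/accounts": {"read", "write"}})

if __name__ == "__main__":
    for name, excess in review([manager, clerk]).items():
        for resource, rights in excess.items():
            print(f"{name}: excess on {resource}: {', '.join(rights)}")
```

Fed from real ACL exports and an HR roster, the same comparison gives the revocation list that the transfer procedure should have produced.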