The most important things in a nutshell
1. What is the Need-to-Know Principle?
The need-to-know principle states that a user should have access only to the information that his or her job function requires.
Fully implemented, with need-to-know evaluated in real time, this access principle even meets intelligence and military requirements.
In companies and in most public offices, one usually suffices with a
In practice, this is sufficient to ensure that users can only access data that is absolutely necessary for legitimate reasons.
2. Need to Know vs. principle of minimal rights
The difference between need to know and the principle of minimal rights (least privilege) lies in the scope of application: the need-to-know principle is about which persons are allowed to see certain confidential or secret information. The principle of minimal rights refers to the privileged access rights of users and technical accounts.
3. Need to Know in use (selection)
ISO/IEC 27001/27002: In the Code of Practice of ISO/IEC 27002, the implementation of the need-to-know principle is required in section 9.1.1 Access control policy.
4. Why is the Need-to-Know Principle important?
Consistent implementation of the need-to-know principle or the principle of minimal rights significantly improves the resilience of the IT environment against internal and external attackers.
Reduction of damage in the event of ransomware incidents: the damage in a ransomware attack arises from the encryption or destruction of the accessible data, combined with the exfiltration of that data to the Internet. With a consistent implementation of the need-to-know principle, the amount of data an attacker can reach, and therefore this damage, is minimised in the event of an incident.
5. Implementation of the Need-to-Know Principle in the Company
In order to implement the need-to-know principle effectively in the company, a series of measures is required, primarily concerning the control of user access rights and the management of administrative accounts.
Ensure the allocation of minimal access rights to data.
Ensure that minimal access rights are granted to sensitive areas of the building.
Minimum assignment of rights for accounts.
In addition, sufficiently strong authentication and authorisation concepts should be implemented.
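To make the distinction in sections 2 and 5 concrete, the following added example (not code from the original article) models a need-to-know check separately from a least-privilege check: a document carries a classification and a set of need-to-know compartments, an account carries a clearance, the compartments its job function requires, and its technical privileges. The sample documents, accounts and compartment names are constructed for the demonstration; the `reachable` function shows how narrowly scoped accounts shrink the data an incident under that account could affect.

```python
from dataclasses import dataclass

# Classification levels; need-to-know is checked separately from clearance.
PUBLIC, INTERNAL, CONFIDENTIAL, SECRET = range(4)


@dataclass(frozen=True)
class Document:
    name: str
    classification: int
    compartments: frozenset  # need-to-know categories a reader must hold


@dataclass(frozen=True)
class Account:
    name: str
    clearance: int
    need_to_know: frozenset  # compartments the job function actually requires
    privileges: frozenset    # technical rights on the account (least privilege)


def check_need_to_know(acct: Account, doc: Document) -> tuple[bool, str]:
    """Need-to-know: clearance alone is not enough; every compartment on the
    document must be required by the reader's job function."""
    if acct.clearance < doc.classification:
        return False, "clearance below classification"
    missing = doc.compartments - acct.need_to_know
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    return True, "read permitted"


def check_privilege(acct: Account, action: str, doc: Document) -> bool:
    """Least privilege: the technical right to act on data is granted per
    account and does not follow from being allowed to read it."""
    return check_need_to_know(acct, doc)[0] and action in acct.privileges


def reachable(acct: Account, docs: list) -> set:
    """Documents an account (or malware running under it) could read: the
    blast radius a ransomware incident under this account would have."""
    return {d.name for d in docs if check_need_to_know(acct, d)[0]}


# Constructed sample data (hypothetical, not from the original article).
DOCS = [
    Document("salary-list.xlsx", CONFIDENTIAL, frozenset({"HR"})),
    Document("merger-plan.docx", SECRET, frozenset({"M&A", "BOARD"})),
    Document("canteen-menu.pdf", PUBLIC, frozenset()),
]
HR_CLERK = Account("hr.clerk", CONFIDENTIAL, frozenset({"HR"}), frozenset({"read"}))
AUDITOR = Account("auditor", SECRET, frozenset({"HR"}), frozenset({"read"}))
CFO = Account("cfo", SECRET, frozenset({"M&A", "BOARD", "HR"}), frozenset({"read", "write"}))
# Over-broad technical account: holds every compartment, so one compromise reaches everything.
BACKUP_SVC = Account("svc-backup", SECRET, frozenset({"HR", "M&A", "BOARD"}), frozenset({"read"}))

if __name__ == "__main__":
    for acct in (HR_CLERK, AUDITOR, CFO, BACKUP_SVC):
        print(acct.name, sorted(reachable(acct, DOCS)))
```

Note that the auditor is denied the merger plan despite holding a SECRET clearance: clearance answers "may this person see this level", need-to-know answers "does this person's job require this particular information".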
Have we sparked your interest?
Just give us a call or write us a message!