Need to Know is a principle applied to sensitive, and often classified, information. It originated with government agencies and defense contractors that handle such information. Under “Need to Know” restrictions, holding the required official approval (a security clearance, administrative credentials) is necessary but not sufficient: a person is given knowledge of, possession of, or access to the information only when they require it to carry out their duties. No one is granted access to “Need to Know” information based solely upon their position, clearance level, or the office they represent.
While it may seem that “Need to Know” applies only to government entities, SMBs can use the same principle to protect their data. When setting up file permissions on your Human Resources directory, apply “Need to Know” permissions: grant access only to the individuals in HR who need it for their work, and to no one else, rather than to everyone of a given rank or department.
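The two-part rule above (approval is necessary, need is the deciding factor) is easy to get wrong in an access-control implementation. The following is an added example, not code from the original page: it models a Need to Know decision in Python and contrasts it with a clearance-only check. The HR directory path, the clearance levels, the compartment names and the people are all constructed for illustration.

```python
"""Need to Know access decision: clearance alone is never sufficient.

Added example (not from the original page). Levels, compartments,
paths and people below are hypothetical, constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical ordered clearance / classification levels (assumption).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    # Compartments that describe who has a legitimate need, e.g. {"HR"}.
    compartments: frozenset


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    # Compartments explicitly granted to this person for their duties.
    need_to_know: frozenset
    is_admin: bool = False


def clearance_only_allowed(subject, resource):
    """The weak rule: position or clearance decides.

    Anyone whose clearance dominates the classification, or who is an
    administrator, gets in. This is what the page warns against.
    """
    if subject.is_admin:
        return True
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def need_to_know_allowed(subject, resource):
    """The Need to Know rule: deny by default, both checks must pass.

    1. The subject's clearance dominates the resource's classification
       (official approval is necessary).
    2. Every compartment on the resource has been explicitly granted to
       the subject (need decides). Being an admin, senior, or highly
       cleared does not bypass check 2; is_admin is deliberately ignored.
    """
    if subject.clearance not in LEVELS or resource.classification not in LEVELS:
        return False
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False
    return resource.compartments <= subject.need_to_know


def hr_directory_demo():
    """Evaluate a constructed HR directory against constructed users.

    Returns {name: (clearance_only, need_to_know)} so the two rules can
    be compared side by side.
    """
    hr_dir = Resource(r"\\fileserver\HR", "CONFIDENTIAL", frozenset({"HR"}))
    people = [
        Subject("hr_analyst", "CONFIDENTIAL", frozenset({"HR"})),
        Subject("ceo", "TOP SECRET", frozenset({"FINANCE"})),
        Subject("domain_admin", "TOP SECRET", frozenset(), is_admin=True),
        Subject("hr_intern", "UNCLASSIFIED", frozenset({"HR"})),
    ]
    return {
        p.name: (clearance_only_allowed(p, hr_dir), need_to_know_allowed(p, hr_dir))
        for p in people
    }


if __name__ == "__main__":
    for name, (weak, strict) in hr_directory_demo().items():
        print(f"{name:13} clearance-only={weak!s:5} need-to-know={strict!s:5}")
```

The interesting rows are the CEO and the domain administrator: both pass the clearance-only rule and both are denied by the Need to Know rule, because neither has been granted the HR compartment. The intern is denied by both, since need alone does not substitute for approval. Mapping this onto a file server means granting the HR directory to a group that contains exactly the HR staff who work with it, and keeping broad groups such as “all managers” off its ACL.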
Train your employees on the principle of Need to Know and on insider threats. Vigilant employees may be able to spot someone in your company behaving suspiciously who ultimately turns out to be a malicious insider.
When having cell phone conversations, consider the topic you are discussing and where you are taking the call. Ask yourself: do the people on this train, in line at this coffee shop, or at the local Walmart need to know what I am talking about? Discretion may be appropriate.
Related Terms: Availability, Confidentiality, Integrity, Least Privilege
Source: Feynman, Richard (1997)