
19) Does your organisation restrict employee access to business information based upon the principle of least privilege?

August 31, 2022 Security Governance Least Privilege

Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).

What is it?

Quite simply, not everyone needs access to all information. The more people who have access to a piece of information, the more exposed it is, and the higher the risk of it being shared, lost, or compromised, whether inadvertently or maliciously.

Just as it is important to limit access to your systems and data to authorised individuals and to have auditability of their actions, it is equally important to limit that access in a more granular fashion, so that staff, contractors, suppliers, partners, clients, and others only have access to the information needed for their specific role.

Why should I have it?

The more granularly access can be defined, and therefore limited, the safer information and systems are. This applies to both data and systems, and helps provide assurance (to yourself and to potential customers) that data is only exposed to, and the ability to copy or modify it is only available to, those with a business need.

How to implement the control:

Implementing granular access controls first requires understanding how information is processed and stored in your organisation, and what access each individual or role needs: both which information and systems they need access to, and what kind of privileges are required (such as read-only, write, administrative, etc.).

Only once these are understood can accounts with the right levels of access and privilege be provisioned. Access should be defined by role and then granted, modified, and terminated as part of the joiners, movers, and leavers processes respectively, in collaboration with HR.

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
