19) Does your organisation restrict employee access to business information based upon the principle of least privilege?

August 30, 2022
Security Governance
Least Privilege
Small Framework

Answer yes if you only give each employee access to the business information that they require to complete their job role (this is known as the principle of least privilege).

What is it?

Quite simply, not everyone needs access to all information. The more people who have access to a piece of information, the more exposed it is, and the higher the risk of it being shared, lost, or compromised in an inadvertent or malicious incident.

Just as it’s important to limit access to your systems and data to authorised individuals and to have auditability for their actions, it’s equally important to limit that access in a more granular fashion, so that staff, contractors, suppliers, partners, clients, and others only have access to the information needed for their specific role.

Why should I have it?

The more granularly access can be defined, and therefore limited, the safer your information and systems are. This applies to both data and systems, and it provides assurance (both to yourself and to potential customers) that data is only exposed to, and the ability to copy or modify it is only available to, those with a business need.

How to implement the control

Implementing granular access controls first requires understanding how information is processed and stored in your organisation, and what access each individual or role needs: both access to what, and what kind of privileges are required (such as read-only, write, or administrative).

Only once these are understood can accounts with the right levels of access and privilege be provisioned. These should be defined by role and provisioned as part of the joiners, movers, and leavers processes in terms of being granted, modified, and terminated, respectively, in collaboration with HR.
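The following is an added illustration of the role-based provisioning and joiners/movers/leavers process described above; it is not Risk Ledger's own tooling, and the roles, resources and employee records are constructed sample data. It models each role as the exact set of entitlements that role needs, provisions accounts only from those roles, and then audits the directory for the three ways least privilege typically erodes in practice: ad hoc grants with no business need, privilege levels above what the role requires, and leavers whose access was never revoked.

```python
"""Least-privilege access model with joiner/mover/leaver handling.

Added illustration, not Risk Ledger's code. All role names, resources and
people below are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Privilege(IntEnum):
    # Ordered so that a higher level is "more" than a lower one.
    READ = 1
    WRITE = 2
    ADMIN = 3


# Each role lists only the access that job needs, and nothing more.
# Constructed sample roles for the example.
ROLES: dict[str, dict[str, Privilege]] = {
    "sales": {"crm": Privilege.WRITE, "finance-ledger": Privilege.READ},
    "finance": {"finance-ledger": Privilege.WRITE, "payroll": Privilege.WRITE},
    "it-admin": {
        "crm": Privilege.ADMIN,
        "finance-ledger": Privilege.ADMIN,
        "payroll": Privilege.ADMIN,
        "hr-records": Privilege.ADMIN,
    },
    "contractor-dev": {"crm": Privilege.READ},
}


@dataclass
class Account:
    user: str
    role: str | None                          # None once the person has left
    grants: dict[str, Privilege] = field(default_factory=dict)
    active: bool = True


@dataclass
class Directory:
    accounts: dict[str, Account] = field(default_factory=dict)

    def joiner(self, user: str, role: str) -> None:
        # Provision exactly the role's entitlements, nothing extra.
        self.accounts[user] = Account(user, role, dict(ROLES[role]))

    def mover(self, user: str, new_role: str) -> None:
        # Replace rather than accumulate: the old role's grants are dropped.
        acct = self.accounts[user]
        acct.role = new_role
        acct.grants = dict(ROLES[new_role])

    def leaver(self, user: str) -> None:
        # Deactivate the account and revoke every grant.
        acct = self.accounts[user]
        acct.active = False
        acct.role = None
        acct.grants = {}

    def audit(self) -> list[str]:
        """Return one finding per entitlement that exceeds the role model."""
        findings: list[str] = []
        for acct in self.accounts.values():
            if not acct.active:
                if acct.grants:
                    findings.append(
                        f"{acct.user}: leaver still holds {sorted(acct.grants)}")
                continue
            expected = ROLES.get(acct.role or "", {})
            for resource, priv in acct.grants.items():
                allowed = expected.get(resource)
                if allowed is None:
                    findings.append(
                        f"{acct.user}: no business need for {resource} ({priv.name})")
                elif priv > allowed:
                    findings.append(
                        f"{acct.user}: {priv.name} on {resource} exceeds role "
                        f"{acct.role} ({allowed.name})")
        return findings


def demo() -> list[str]:
    """Build a small constructed directory and return its audit findings."""
    d = Directory()
    d.joiner("alice", "sales")
    d.joiner("bob", "finance")
    d.mover("bob", "it-admin")              # handled through the mover process
    d.joiner("carol", "contractor-dev")
    # Ad hoc grant made outside the role model.
    d.accounts["carol"].grants["payroll"] = Privilege.WRITE
    # Privilege raised above what the sales role requires.
    d.accounts["alice"].grants["crm"] = Privilege.ADMIN
    # Deactivated by HR, but the grants were never revoked.
    d.accounts["dave"] = Account(
        "dave", None, {"finance-ledger": Privilege.WRITE}, active=False)
    return d.audit()


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the demo reports three findings (alice, carol and dave) and none for bob, because his move was done through the mover process, which replaces the old role's grants instead of adding to them. In a real environment the `ROLES` table would be the agreed role definitions, and `grants` would be populated from the systems' actual entitlements so the audit compares what people have against what their role needs.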

There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.