CISSP Insights - Need to Know and Least Privilege

Date: 21 May 2016

Featured Image
Let us learn today what is key difference between Least Privilege and Need to Know access principles.
 
 
Need to Know - Example
 
  
A mathematics teacher could be authorised to access Maths Exam previous years' question papers for all classes in the school. This is what he wants to know and no harm in giving him access to old exam question papers. This is decided on the basis of "Need to Know".  In terms of IT, the example would be say you work in HR, you will have access to all general HR-related files and data. 
 
New call-to-action
  
 
Least Privilege  - Example
 
A mathematics teachers on the basis of "Need to Know" was authorised to access Maths Exam previous years' question papers for all classes in the school. But, his "least privilege" principle says that he can only write new Maths Exam questions papers for the classes he teaches. Another example, his "Least Privilege" principle restricts his "Need to Know" principle allowing him to check/mark the exam sheets only for the classes he teaches. In terms of IT, the example would be say you work in HR, "Need to Know" authorises you with general HR-related data, but "Least Privilege" will control access to update only specific HR-related files, for which you are the data owner. 
 
 
Conclusion - 
 
Need to Know is more fundamental authorisation whereas Least Privilege is more granular. You could have a "view" access at the "Need to Know" principle level but then the "Least Privilege" principle mainly governs with "Write" and "Execute" bits. 
 
New call-to-action
  

Author –

The author is a professional CISSP trainer trainer within CMA training pool. He is CMA’s CISSP/CISA/ISO 27001/SOX/Information Risk Management/SAP Cyber Security trainer.

CISSP Online Training Session - Every Saturday UK 10.30am, Dubai 1.30pm and India 3.00pm Click here to register

You can also follow us on twitter – https://twitter.com/cm_alliance

And connect with us on linkedin – https://uk.linkedin.com/in/cyber-management-alliance-9922b411b

And subscribe to our Cyber video series at https://www.brighttalk.com/channel/14185

Visit our CISSP Mentorship Page Click Here

 VISIT OUR CISSP FAQS PAGE CLICK HERE

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422