Need-to-know is one of the most fundamental security principles. The practice of need-to-know limits the damage that can be done by a trusted insider who betrays our trust. Failures in implementing the need-to-know principle can cause serious damage to our organization.

Need-to-know imposes a dual responsibility on you and all other authorized holders of protected information:
- When doing your job, you are expected to limit your requests for information to that which you have a need-to-know. Under some circumstances, you may be expected to explain and justify your need-to-know when asking others for information.
- Conversely, you are expected to ensure that anyone to whom you give protected information has a legitimate need to know that information. In some cases you may need to ask the other person for sufficient information to enable you to make an informed decision about their need-to-know. Buying me a beer does not give you a need to know.
- You are expected to refrain from discussing protected information in hallways, cafeterias, elevators, restrooms or smoking areas where the discussion may be overheard by persons who do not have a need-to-know the subject of conversation.
You should report to your security office any co-worker who repeatedly violates the need-to-know principle.

Need-to-know is difficult to implement as it conflicts with our natural desire to be friendly and helpful. It also requires a level of personal responsibility that many of us find difficult to accept. The importance of limiting sensitive information to those who have a need to know is underscored, however, every time a trusted insider is found to have betrayed that trust.

Here are some specific circumstances when you need to be particularly careful:
- Difficult situations sometimes arise when talking with friends who used to work with the same protected information that you are now working with. The friend does not have a "need" to keep up to date on sensitive developments after moving to a different assignment.
- The need-to-know principle also applies to placing protected information on an internal computer network as well as to sending it via the Internet. Before doing so, make sure it is appropriate for this information to be seen by all persons with access to the system. Although every individual with access to a particular computer network is approved for that system, they may not have a need to know all of the information coming across the system.
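The last point, that being approved for a system is not the same as having a need to know everything on it, is exactly what a compartmented access check enforces. The following is an added example, not part of the original text: it models "approved for the system" as a clearance level and "need-to-know" as membership in named compartments, denies a read unless both hold, and then scans the resulting access log for users who are repeatedly denied on need-to-know grounds, which is the kind of pattern a security office would want reported. The level names, compartment names, users and items are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ordered classification levels (constructed for this example).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Marking on a stored item: its level plus the compartments it belongs to."""
    level: str
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Subject:
    """A user: cleared to a level for the system, with a separate need-to-know set.
    Clearance alone says nothing about which compartments the user may see."""
    name: str
    clearance: str
    need_to_know: FrozenSet[str] = frozenset()


def can_read(subject: Subject, label: Label) -> Tuple[bool, str]:
    """Grant a read only if the clearance dominates the item's level AND the
    subject holds need-to-know for every compartment on the item."""
    if LEVELS[subject.clearance] < LEVELS[label.level]:
        return False, f"clearance {subject.clearance} is below {label.level}"
    missing = label.compartments - subject.need_to_know
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    return True, "allowed"


def check_and_log(subject: Subject, label: Label, item: str, log: List[dict]) -> bool:
    """Make the access decision and record it; every decision, allowed or not,
    is logged so repeated probing for compartmented material is visible later."""
    allowed, reason = can_read(subject, label)
    log.append({"user": subject.name, "item": item, "allowed": allowed, "reason": reason})
    return allowed


def repeat_ntk_offenders(log: List[dict], threshold: int = 3) -> List[str]:
    """Users denied on need-to-know grounds at least `threshold` times.
    Level-based denials are excluded: those are clearance problems, not
    need-to-know violations."""
    counts = Counter(
        e["user"] for e in log
        if not e["allowed"] and e["reason"].startswith("no need-to-know")
    )
    return sorted(user for user, n in counts.items() if n >= threshold)


def demo() -> List[dict]:
    """Walk through the scenario from the text: a user approved for the whole
    system still has no need to know a particular compartment's material."""
    alice = Subject("alice", "SECRET", frozenset({"PROJECT-A"}))
    bob = Subject("bob", "TOP SECRET")  # cleared for everything on the system, no compartments
    items = {
        "plan-a": Label("SECRET", frozenset({"PROJECT-A"})),
        "plan-b": Label("SECRET", frozenset({"PROJECT-B"})),
        "budget": Label("CONFIDENTIAL"),
    }
    log: List[dict] = []
    for name, label in items.items():
        check_and_log(alice, label, name, log)
    # bob keeps asking for PROJECT-A material he has no need to know.
    for _ in range(3):
        check_and_log(bob, items["plan-a"], "plan-a", log)
    return log


if __name__ == "__main__":
    events = demo()
    for e in events:
        print(f'{e["user"]:6} {e["item"]:7} {"ALLOW" if e["allowed"] else "DENY "} {e["reason"]}')
    print("repeat need-to-know offenders:", repeat_ntk_offenders(events))
```

Note that `bob`, cleared higher than `alice`, is still denied `plan-a`: the compartment check is independent of the level check, which is the property the text is describing. The threshold in `repeat_ntk_offenders` is a constructed value; a real deployment would tune it and would also look at the time window over which denials accumulate.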