Need-to-know is one of the most fundamental security principles. The practice of need-to-know limits the damage that can be done by a trusted insider who betrays our trust. Failures in implementing the need-to-know principle can cause serious damage to our organization.

Need-to-know imposes a dual responsibility on you and all other authorized holders of protected information:

  • When doing your job, you are expected to limit your requests for information to that which you have a need-to-know. Under some circumstances, you may be expected to explain and justify your need-to-know when asking others for information.
  • Conversely, you are expected to ensure that anyone to whom you give protected information has a legitimate need to know that information. In some cases you may need to ask the other person for sufficient information to enable you to make an informed decision about their need-to-know.

Buying me a beer does not give you a need to know.

  • You are expected to refrain from discussing protected information in hallways, cafeterias, elevators, restrooms or smoking areas, where the discussion may be overheard by persons who do not have a need to know the subject of conversation.

You should report to your security office any co-worker who repeatedly violates the need-to-know principle.

Need-to-know is difficult to implement as it conflicts with our natural desire to be friendly and helpful. It also requires a level of personal responsibility that many of us find difficult to accept. The importance of limiting sensitive information to those who have a need to know is underscored, however, every time a trusted insider is found to have betrayed that trust.

Here are some specific circumstances when you need to be particularly careful:

  • Difficult situations sometimes arise when talking with friends who used to work with the same protected information that you are now working with. The friend does not have a "need" to keep up to date on sensitive developments after moving to a different assignment.
  • The need-to-know principle also applies to placing protected information on an internal computer network as well as to sending it via the Internet. Before doing so, make sure it is appropriate for this information to be seen by all persons with access to the system. Although every individual with access to a particular computer network is approved for that system, they may not have a need to know all of the information coming across the system.




The Chroma Group, Ltd.