360 Degree Cyber Security, LLC

Protecting Grandma’s Secret Recipe

Need-to-know is part of a larger program of identifying (or classifying) information as confidential or sensitive and determining who has access to that data within your business.  Why is this important?

Look at it this way.  A business generates a lot of information: banking details, clients, vendors, income, expenses, information technology, and so on.  Each of these items should be afforded some form of protection from people who do not require access to it to perform their job.  How do you protect it?
Classify the information.  Look at the information you have and determine its value to your business.  The following example is roughly based on the construct the government uses to classify information.  Take a look at your information in this manner.
1. Sensitive – Information (client credit card information, data covered by HIPAA, etc.) or proprietary information that, if released to the public or competitors, would likely force you to shut your doors and go out of business. $$$$
2. Private – Information that, if released, could cause your business to lose some customers, provide insight into the business’ finances, or potentially cause the business some embarrassment. $$
3. Public – Information releasable to the general public.
Now that you have classified the information, you need to determine who has the need-to-know for that information.  For example, you run a chocolate shop and make your own chocolates.  You have a secret recipe handed down from grandma that you have classified (using the previous guide) as sensitive.  It would be inappropriate for the recipe to be known by the cashier, the delivery driver, the accountant, or your customers.  So who has the need to know?  The employees in whom you have placed a special trust and who make the chocolate using that recipe.  Because those employees make the chocolate, they “need-to-know” the recipe; without it they cannot make it.
Special trust is similar to the clearance system the government uses to determine whether a person is trusted by the government to a certain level of information.  In the example above, you may place a special trust in your accountant.  However, it is the need-to-know that prevents the accountant from knowing the secret chocolate recipe: trust alone is not sufficient, and both conditions must be met before access is granted.
As part of the need-to-know process, you have the employees who are granted access sign a non-disclosure agreement to ensure the secret recipe remains a secret.  This provides you legal recourse should the secret recipe be released to your competitors or the public.
So as you can see, not everything in Information Security is directly tied to a computer.  However, because this information may be processed on an Information Technology device (for example, a recipe typed into a spreadsheet on the shop laptop), you need to protect those systems according to how you classified the information: a system holding sensitive data needs stronger access controls than one holding only public information.
Our next article will discuss how to protect the secret recipe from intruders coming from the Internet.

About the Author

Chris Wolski is the founder and principal consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by the International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and with various individuals seeking to be mentored in cybersecurity. He frequently researches industrial devices to discover weaknesses that would present a problem for users of those devices. Chris got his start in cyber security in the U.S. Navy, where he served in various information security and signals intelligence roles over his 20 year career. He left government service after serving in a position developing cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master of Business Administration, also at the University of Maryland University College.