Need-to-know is part of a larger program of identifying (or classifying) information as confidential or sensitive and determining who has access to that data within your business. Why is this important?
Look at it this way. A business generates a lot of information: banking details, client and vendor records, income, expenses, information technology configuration, and so on. Each of these items should be afforded some form of protection from people who do not require access to it to perform their job. How do you protect it?
Classify the information. Look at the information you have and determine its value to your business. The following scheme is roughly based on the construct the government uses to classify information. Take a look at your information in this manner.
1. Sensitive – Regulated data (client credit card information, health information covered by HIPAA, etc.) or proprietary information that, if released to the public or to competitors, would likely cause you to shut your doors and go out of business. $$$$
2. Private – Information that, if released, could cause your business to lose some customers, provide insight into the business' finances, or cause the business some embarrassment. $$
3. Public – Information releasable to the general public.
Now that you have classified the information, you need to determine who has the need-to-know for that information. For example, you run a chocolate shop and make your own chocolates. You have a secret recipe handed down from grandma that you have classified (using the previous guide) as sensitive. It would be inappropriate for the recipe to be known by the cashier, the delivery driver, the accountant, or your customers. So who has the need-to-know? The employees in whom you have placed a special trust and who make the chocolate using that recipe. Because those employees make the chocolate, they "need-to-know" the recipe; without it they cannot make it.
Special trust is similar to the clearance system the government uses to determine whether a person has earned its trust for information up to a certain level. In the example above, you may place a special trust in your accountant at the sensitive level for financial records. However, it is need-to-know, not clearance, that prevents the accountant from learning the secret chocolate recipe: both conditions must hold before access is granted.
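The two-part rule above (a person's clearance must reach the item's classification, and the person must also have a need-to-know for that specific item) is the same check a mandatory access control system performs. The following is an added illustration, not code from the original article: it models the chocolate shop with the three classification levels defined earlier and a "recipe" and "finance" need-to-know group. The employees, assets, and group names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Classification levels from the article, ordered so comparisons work."""
    PUBLIC = 0
    PRIVATE = 1
    SENSITIVE = 2


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    # Need-to-know groups a reader must hold to see this asset.
    # An empty set means classification level alone decides.
    compartments: frozenset


@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Level          # the "special trust" placed in the person
    compartments: frozenset   # the need-to-know groups the person belongs to


def may_read(employee: Employee, asset: Asset) -> tuple:
    """Return (allowed, reason). Both checks must pass: clearance first,
    then need-to-know. The reason names the check that denied access."""
    if employee.clearance < asset.level:
        return False, "clearance"
    if not asset.compartments <= employee.compartments:
        return False, "need-to-know"
    return True, "ok"


# Constructed sample data for the chocolate shop (hypothetical names).
ASSETS = {
    "recipe": Asset("grandma's recipe", Level.SENSITIVE, frozenset({"recipe"})),
    "ledger": Asset("general ledger", Level.PRIVATE, frozenset({"finance"})),
    "menu": Asset("store menu", Level.PUBLIC, frozenset()),
}

EMPLOYEES = {
    "chocolatier": Employee("chocolatier", Level.SENSITIVE, frozenset({"recipe"})),
    # Trusted at the sensitive level, but only for financial matters.
    "accountant": Employee("accountant", Level.SENSITIVE, frozenset({"finance"})),
    "cashier": Employee("cashier", Level.PUBLIC, frozenset()),
}


def access_matrix() -> dict:
    """Decide every employee/asset pair; useful as an audit of who can see what."""
    return {
        (emp, asset): may_read(EMPLOYEES[emp], ASSETS[asset])
        for emp in EMPLOYEES
        for asset in ASSETS
    }


if __name__ == "__main__":
    for (emp, asset), (allowed, reason) in sorted(access_matrix().items()):
        verdict = "ALLOW" if allowed else f"DENY ({reason})"
        print(f"{emp:12} -> {asset:8} {verdict}")
```

The accountant case is the instructive one: the clearance check passes because the accountant is trusted at the sensitive level, and access is still denied because the "recipe" group is not among the accountant's compartments. The cashier is stopped one step earlier, at the clearance check. Keeping the two checks separate, and reporting which one denied access, makes an access review read the same way the article's reasoning does.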
As part of the need-to-know process, have the employees who are granted access sign a non-disclosure agreement so the secret recipe remains a secret. This gives you legal recourse should the recipe be released to your competitors or the public.
So, as you can see, not everything in information security is directly tied to a computer. However, because this information will likely be processed on an information technology device, you need to protect those systems according to the classification of the information they handle.
Our next article will discuss how to protect the secret recipe from intruders coming from the Internet.