Need-to-know

Need-to-know principles apply to access to sensitive documents and information. In a business environment, data should always be treated as a business secret. As a consequence, need-to-know restrictions should be applied in every serious venture.

Under need-to-know principles, each member of a team or organization receives knowledge of, possession of, or access to the information he/she needs, in sufficient time and in sufficient quantity. This has to be ensured by organizational and structural means.

However, need-to-know is also one of the most fundamental security principles. Under such restrictions, knowledge, possession of, or access to classified information shall not be afforded to any individual solely by virtue of the individual’s office, position, or security clearance. In other words, the authorized holder of information shares this information under two conditions:

  1. The requester is authorized to get such information, and (in addition)
  2. the requester has the need to know.

Determining “need-to-know” is the responsibility of the individual who possesses the classified information. Knowledge of, possession of, or access to such data or documents is to be provided only

  • as far as there is a need to know,
  • at the time when there is a need to know, and
  • as long as there is a need to know.

#PUGASSIST strictly applies need-to-know principles to all information, data, and documents.