Difference between revisions of "Need-to-know basis"

From Nordan Symposia
(Created page with 'File:lighterstill.jpgright|frame The term "'''need to know'''", when used by government and other organizations (particularly those relate...')
 
m (Text replacement - "http://" to "https://")
 
Line 5: Line 5:
 
As with most [[security]] [[mechanisms]], the aim is to make it [[difficult]] for unauthorized access to occur, without inconveniencing legitimate access. Need-to-know also aims to discourage "browsing" of [[sensitive]] [[material]] by [[limiting]] access to the smallest possible [[number]] of people.
 
As with most [[security]] [[mechanisms]], the aim is to make it [[difficult]] for unauthorized access to occur, without inconveniencing legitimate access. Need-to-know also aims to discourage "browsing" of [[sensitive]] [[material]] by [[limiting]] access to the smallest possible [[number]] of people.
  
The [http://en.wikipedia.org/wiki/Operation_Overlord Battle of Normandy] in 1944 is an example of a need-to-know restriction. Though thousands of military personnel were involved in planning the invasion, only a small [[number]] of them knew the entire scope of the operation; the rest were only informed of data needed to complete a small part of the plan.
+
The [https://en.wikipedia.org/wiki/Operation_Overlord Battle of Normandy] in 1944 is an example of a need-to-know restriction. Though thousands of military personnel were involved in planning the invasion, only a small [[number]] of them knew the entire scope of the operation; the rest were only informed of data needed to complete a small part of the plan.
 
==Problems and criticism==
 
==Problems and criticism==
 
It has been alleged that need-to-know (like other [[security]] measures) can be misused by some personnel who wish to refuse others [[access]] to information they hold in an attempt to increase their [[personal]] [[power]], or to prevent unwelcome review of their [[work]].
 
It has been alleged that need-to-know (like other [[security]] measures) can be misused by some personnel who wish to refuse others [[access]] to information they hold in an attempt to increase their [[personal]] [[power]], or to prevent unwelcome review of their [[work]].
Line 11: Line 11:
 
The need to know principle is at odds with most [[purposes]] of [[intelligence]] and [[research]]. While one part of an [[institution]] may have [[knowledge]] of some [[data]], the rest of this institution as well as other institutions remain ignorant. Since [[experience]] shows that data shows its most valuable [[information]] only when freely [[connected], the need to know is in [[fact]] putting a limit on [[information]] that [[intelligence]] agencies can gather (even if there are no limits to the amount of data).
 
The need to know principle is at odds with most [[purposes]] of [[intelligence]] and [[research]]. While one part of an [[institution]] may have [[knowledge]] of some [[data]], the rest of this institution as well as other institutions remain ignorant. Since [[experience]] shows that data shows its most valuable [[information]] only when freely [[connected], the need to know is in [[fact]] putting a limit on [[information]] that [[intelligence]] agencies can gather (even if there are no limits to the amount of data).
 
==In computer technology==
 
==In computer technology==
The discretionary [[access]] [[control]] [[mechanisms]] of some [http://en.wikipedia.org/wiki/Operating_system operating systems] can be used to enforce need to know. In this case, the owner of a file determines whether another [[person]] should have access. Need to know is often concurrently applied with mandatory access control schemes, in which the lack of an official approval (such as a clearance) may [[absolutely]] prohibit a [[person]] from accessing the [[information]]. This is because need to know can be a [[subjective]] assessment. Mandatory access control schemes can also audit accesses, in order to determine if need to know has been violated.
+
The discretionary [[access]] [[control]] [[mechanisms]] of some [https://en.wikipedia.org/wiki/Operating_system operating systems] can be used to enforce need to know. In this case, the owner of a file determines whether another [[person]] should have access. Need to know is often concurrently applied with mandatory access control schemes, in which the lack of an official approval (such as a clearance) may [[absolutely]] prohibit a [[person]] from accessing the [[information]]. This is because need to know can be a [[subjective]] assessment. Mandatory access control schemes can also audit accesses, in order to determine if need to know has been violated.
  
The term is also used in the [[concept]] of [http://en.wikipedia.org/wiki/Graphical_user_interface graphical user interface design] where computers are controlling [[complex]] equipment such as airplanes. In this usage, when many [[different]] pieces of data are [[dynamically]] [[competing]] for finite UI space, safety-related messages are given priority.
+
The term is also used in the [[concept]] of [https://en.wikipedia.org/wiki/Graphical_user_interface graphical user interface design] where computers are controlling [[complex]] equipment such as airplanes. In this usage, when many [[different]] pieces of data are [[dynamically]] [[competing]] for finite UI space, safety-related messages are given priority.
 
==See also==
 
==See also==
*[http://trinitize.blogspot.com/2007/03/revelation-evolution.html Revelation & Evolution]
+
*[https://trinitize.blogspot.com/2007/03/revelation-evolution.html Revelation & Evolution]
* [http://en.wikipedia.org/wiki/Principle_of_least_privilege Principle of least privilege]
+
* [https://en.wikipedia.org/wiki/Principle_of_least_privilege Principle of least privilege]
* [http://en.wikipedia.org/wiki/Security_through_obscurity Security through obscurity]
+
* [https://en.wikipedia.org/wiki/Security_through_obscurity Security through obscurity]
  
 
[[Category: Political Science]]
 
[[Category: Political Science]]
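Review bot: in the See also list, the blanket "http://" to "https://" replacement also rewrites the trinitize.blogspot.com link, a third-party host, alongside the en.wikipedia.org links; a bulk scheme rewrite should confirm that each external target actually serves the same page over HTTPS, otherwise the link is broken rather than upgraded. Separately, the unchanged paragraph at the top of this hunk still carries the unbalanced wikilink `[[connected]`, which this pass leaves in place and which should be closed as `[[connected]]`.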

Latest revision as of 01:22, 13 December 2020

The term "need to know", when used by government and other organizations (particularly those related to the military or espionage), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information, or read into a clandestine operation, unless one has a specific need to know; that is, access to the information must be necessary for the conduct of one's official duties.

As with most security mechanisms, the aim is to make it difficult for unauthorized access to occur, without inconveniencing legitimate access. Need-to-know also aims to discourage "browsing" of sensitive material by limiting access to the smallest possible number of people.

The Battle of Normandy in 1944 is an example of a need-to-know restriction. Though thousands of military personnel were involved in planning the invasion, only a small number of them knew the entire scope of the operation; the rest were only informed of data needed to complete a small part of the plan.

Problems and criticism

It has been alleged that need-to-know (like other security measures) can be misused by some personnel who wish to refuse others access to information they hold in an attempt to increase their personal power, or to prevent unwelcome review of their work.

The need-to-know principle is at odds with most purposes of intelligence and research. While one part of an institution may have knowledge of some data, the rest of that institution, as well as other institutions, remains ignorant of it. Since experience shows that data yields its most valuable information only when freely connected, need to know in fact puts a limit on the information that intelligence agencies can gather (even if there are no limits to the amount of data).

In computer technology

The discretionary access control mechanisms of some operating systems can be used to enforce need to know. In this case, the owner of a file determines whether another person should have access. Need to know is often concurrently applied with mandatory access control schemes, in which the lack of an official approval (such as a clearance) may absolutely prohibit a person from accessing the information. This is because need to know can be a subjective assessment. Mandatory access control schemes can also audit accesses, in order to determine if need to know has been violated.
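The combination described above, sketched as an added example (not taken from the original article or from any particular operating system): a mandatory clearance check, an owner-managed need-to-know list, and an audit log that can be reviewed afterwards. The class names, label ordering, users and document name are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed label ordering for the mandatory (clearance) check.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass
class Document:
    name: str
    level: str                                      # classification label (mandatory)
    owner: str
    need_to_know: set = field(default_factory=set)  # owner-managed list (discretionary)

@dataclass
class ReferenceMonitor:
    clearances: dict                                # user -> clearance label
    audit_log: list = field(default_factory=list)

    def grant(self, doc, granter, user):
        # Discretionary step: only the owner decides who needs to know.
        if granter != doc.owner:
            raise PermissionError("only the owner may grant need to know")
        doc.need_to_know.add(user)

    def read(self, doc, user):
        cleared = LEVELS[self.clearances.get(user, "UNCLASSIFIED")] >= LEVELS[doc.level]
        listed = user == doc.owner or user in doc.need_to_know
        if not cleared:
            reason = "no-clearance"      # mandatory check fails whatever the owner granted
        elif not listed:
            reason = "no-need-to-know"   # cleared, but not on the owner's list
        else:
            reason = "ok"
        self.audit_log.append((user, doc.name, reason))  # every attempt is recorded
        return reason == "ok"

    def browsing_attempts(self):
        # Audit review: cleared users who tried documents they were not listed for.
        return [(u, d) for u, d, r in self.audit_log if r == "no-need-to-know"]

def demo():
    # Constructed users and document, for illustration only.
    rm = ReferenceMonitor({"alice": "SECRET", "bob": "SECRET", "carol": "CONFIDENTIAL"})
    doc = Document("plan-part-3", "SECRET", owner="alice")
    first = rm.read(doc, "bob")          # cleared, but not yet granted need to know
    rm.grant(doc, "alice", "bob")
    rm.grant(doc, "alice", "carol")      # owner's grant cannot override missing clearance
    results = (first, rm.read(doc, "bob"), rm.read(doc, "carol"))
    return results, rm.browsing_attempts()
```

Logging denied attempts as well as successful reads is what lets the audit review separate "cleared but browsing" from ordinary clearance failures.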

The term is also used in graphical user interface design, where computers control complex equipment such as airplanes. In this usage, when many different pieces of data are dynamically competing for finite UI space, safety-related messages are given priority.

See also