Insight: The Principle of Least Privileged
What is the Principle of Least Privileged?
In plain English, the Principle of Least Privileged describes accessibility to data/information or more broadly resources where everyone starts with access to nothing and is given access on a need-to-know basis. This idea stems from the fields of information security and computer science and can be found today deeply embedded across health, finance and many other industries across the globe to enhance information system stability and security.
Why is this relevant to my business/organisation?
Whether you are a Chief Risk Officer of a multinational conglomerate with reach across multiple industries, a managing director of a medium sized regional recruitment agency or a small business owner running an online fishing equipment retail business, if your business involves collection, process, usage or storage of personal data, adequate and suitable application of the Least Privileged Principle can mitigate greatly the risk exposure of your business or organisation’s information systems.
To give some examples, here are a couple of descriptions of the Least Privileged Principle in some IT security standards and laws in existence today:
(1) The Hong Kong’s Office of Government Chief Information Officer (OGCIO) has published an IT security guidelines, namely, OGCIO-G3 IT Security Guidelines, and has recommended government bureaus and departments to follow the principle of least privilege when designing their access controls and management protocols:-
“[Bureaus or Departments] shall ensure that the least privilege principle is followed when assigning resources and privileges of information systems to users as well as technical support staff. This includes restricting a user’s access (e.g. to data files, to IT services and facilities, or to computer equipment) or type of access (e.g. read, write, execute, delete) to the minimum necessary to perform his or her duties.” (para. 11.1(a))
(2) Under the International Organisation for Standardization (ISO) information security standard, i.e. ISO-27001:2013, a global leading specification guidelines for information security management, the guidelines specifically recommend that as part of good ‘access control’ management, businesses should have a user access management policy which ensures authorised user access and to prevent unauthorised access to systems and services (A.9.2):-
“A.9.2.3 Management of privileged access rights Control: The allocation and use of privileged access rights shall be restricted and controlled.”
(3) Article 25(2) of the EU’s General Data Protection Regulation (GDPR) states that:-
“The [data controller] shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” (Emphasis added)
While it is true that the Personal Data (Privacy) Ordinance, Cap. 486 (PDPO) does not have express requirements for businesses to implement technical measures in line with the Principle of Least Privileged, the Data Protection Principles (DPPs) especially DPP4 (i.e. appropriate security measures to be applied to personal data) prescribed by the PDPO is relevant in the context of IT security.
Furthermore, as the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has indicated plans to develop a more robust framework to align with global expectations, businesses should adopt a higher IT security standard, such as, designing access control policy in line with the Principle of Least Privileged.
The current data governance and privacy regulation landscape is a minefield of legal and compliance requirements. This coupled with the continuously fast-paced evolutionary nature of the laws means businesses and organisations will have to invest strategically to keep up with the changes and requirements when it comes to data.
To ensure your business complies with the latest regulations and laws on data governance and privacy, businesses may engage with third party auditing firms to receive advice and feedback on their current processes and internal policies.
Bridging the gap between compliance and technology.
At Aurum, our mission is to mitigate the compliance and technological risks for businesses and communities of those undertaking the course of digital transformation. We are proud to have specialists from legal and compliance backgrounds, as well as technology specialists who has the technical knowhow to help businesses to not only mitigate their risk exposure, but to also execute technical implementation for success in the digital age.
If you would like to understand more about the Least Privileged Principle and how this can be implemented into your business or have questions about data governance and privacy regulations in general, please reach out to us today via firstname.lastname@example.org or Tel: +852 3725 4806.