
(ISC)2 Security Congress 2022

SC2277 - The Principle of Need to Have Available

Oct 11, 2022 2:45pm ‐ Oct 11, 2022 3:45pm


Of 101 major cyber incidents last year, 62% would have been prevented if organizations had followed one specific principle. The Principle of Need to Have Available describes surrendering permissions that are not required for the next set of defined tasks. We compare this with the Principle of Need to Know and show how more than half of recent major cyberattacks could have had their impact limited. This principle helps protect against ransomware and, for longer campaigns, requires attackers to work harder to get to all the data. Unfortunately, applying this principle is not just a case of updating your information security policy, because it has several disadvantages, for which we provide a critique. As an example of such a critique: given that not all work within the organization can be broken into premeditated tasks, the principle cannot be applied to all roles and ranks without prior impact evaluations. Still, to protect your organization, the Principle of Need to Have Available is an addition to your arsenal worth considering.

