Controlled Access Based on the Need to Know
CIS Control 14
The processes and tools used to track/control/prevent/correct secure access to critical assets (i.e., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
Why is this Critical?
Many organizations are not careful enough when it comes to restricting access levels to their most critical and sensitive data. In many cases, employees can access even the most sensitive information, including financial, operational, and personal data. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems are the result of poor data practices, a lack of effective policy architectures, and user error.
This CIS Control is intended to enforce controlled access based on the principle of giving employees access only to the information needed to perform their jobs. For organizations moving data to the cloud, it is important to understand the security controls applied to data in a multi-tenant cloud environment and to determine the best course of action for applying encryption controls and securing the keys. By implementing network segmentation, encrypted communications, and other types of access control, organizations can prevent attackers from easily accessing sensitive assets, performing malicious activities, and disrupting operations.
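The following is an added example, not part of the CIS Control text, showing one way to express the "need and right to access ... based on an approved classification" rule from the definition above as an enforceable decision: a subject must hold a clearance at or above the asset's classification level, and must also hold every need-to-know compartment tagged on the asset, so a high clearance alone is not enough. The classification levels, compartment names, subjects, and assets are constructed for illustration; a real deployment would load them from the organization's approved classification scheme and identity store. The review function at the end turns the same rule into a periodic audit over existing grants, which is where the over-broad access described above usually surfaces.

```python
"""Need-to-know access decisions (added example; labels and data are constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Ordered classification levels. Constructed scheme; replace with your own.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Subject:
    """A person, computer, or application with an approved clearance."""
    name: str
    clearance: str
    compartments: FrozenSet[str] = frozenset()  # approved need-to-know areas


@dataclass(frozen=True)
class Asset:
    """A classified resource; compartments express who needs to know about it."""
    name: str
    classification: str
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(subject: Subject, asset: Asset) -> Decision:
    """Allow only if clearance dominates classification AND need-to-know holds.

    Any label outside the approved scheme fails closed, so a mislabelled or
    unlabelled asset is never silently treated as public.
    """
    if asset.classification not in LEVELS or subject.clearance not in LEVELS:
        return Decision(False, "unknown classification or clearance label")
    if LEVELS[subject.clearance] < LEVELS[asset.classification]:
        return Decision(
            False,
            f"clearance '{subject.clearance}' is below '{asset.classification}'",
        )
    missing = asset.compartments - subject.compartments
    if missing:
        return Decision(False, f"no need-to-know for {sorted(missing)}")
    return Decision(True, "clearance and need-to-know satisfied")


def review_grants(grants: List[Tuple[Subject, Asset]]) -> List[str]:
    """Audit existing grants; return one line per grant the policy would deny.

    Run over an export of current permissions to find access that exists only
    because it was never removed, rather than because of a documented need.
    """
    findings = []
    for subject, asset in grants:
        d = decide(subject, asset)
        if not d.allowed:
            findings.append(f"{subject.name} -> {asset.name}: {d.reason}")
    return findings


# Constructed sample population for a stand-alone run.
ALICE = Subject("alice", "confidential", frozenset({"finance"}))
BOB = Subject("bob", "restricted", frozenset({"ops"}))          # high clearance, no HR need
SVC_BACKUP = Subject("svc-backup", "internal")                   # application account
LEDGER = Asset("ledger", "confidential", frozenset({"finance"}))
HR_RECORDS = Asset("hr-records", "restricted", frozenset({"hr"}))
WIKI = Asset("wiki", "internal")
UNLABELLED = Asset("legacy-share", "unknown")                    # label not in scheme

# Existing grants as they might be exported from a file server or IAM system.
CURRENT_GRANTS = [
    (ALICE, LEDGER),      # legitimate
    (ALICE, HR_RECORDS),  # over-broad: clearance too low
    (BOB, HR_RECORDS),    # over-broad: cleared, but no need-to-know
    (SVC_BACKUP, WIKI),   # legitimate
    (SVC_BACKUP, UNLABELLED),  # fails closed until the asset is classified
]

if __name__ == "__main__":
    for line in review_grants(CURRENT_GRANTS):
        print("DENY", line)
```

The two-part check is the important design choice: clearance level answers "may this subject see data this sensitive at all", while compartments answer "does this subject actually need this particular data". Treating an unknown label as a denial keeps legacy or unclassified assets from becoming the path of least resistance.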