Complete I.T. Blog

The Importance of Principle of Least Privilege

Jun 29, 2021 | GDPR

The Principle of Least Privilege (PoLP) is a concept in information security and data protection that states a user should be given the minimum amount of access required to do their job. This is important because:

  • Users should not have access to information they have no need to see;
  • If an account is compromised, the amount of information at risk is kept to a minimum.

Practically speaking, this does not always work, as it can restrict a user’s ability to do their work, so it is all about understanding the risk.

Using our helpdesk team as an example, the PoLP should mean that each helpdesk team can only see its own clients. This would be a major headache when the High Wycombe helpdesk team is in a meeting and other offices, such as Bristol, Manchester and Swindon, need to cover their calls. It is a risk to Complete I.T. that we do not lock down these permissions, but it is an acceptable risk because granting permissions to the different offices each time this happens would not be realistic.

One of the biggest challenges to ensuring PoLP is new starters, team members changing roles, and people leaving the business. Permissions and access rights are set or changed in all of these cases, so ensuring that each person ends up with the correct access is a critical task.

It is important that checks are completed and documented on a regular basis and cover all of the systems and permissions that the business has.

Using Complete I.T. as an example, we have identified 12 key systems which we check on a regular basis. Each system has a designated owner who is responsible for undertaking these checks. We then make a record of which systems we have reviewed, how we reviewed them and what actions were taken. These checks are not only for our own peace of mind but would be invaluable in the event of an information security incident as evidence that we have a well-maintained system that follows the PoLP.
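As an added example (not Complete I.T.'s own tooling or systems), the script below shows what one of these periodic checks can look like when done mechanically: the system owner pulls an access export, compares it against the HR roster and a role-to-entitlement matrix, and the script flags leavers who still have access, accounts HR does not know about, and entitlements beyond what the person's role allows, while separating out entitlements that have already been signed off as an accepted risk (the cross-office cover case from the post). It then produces the review record that serves as evidence later. All names, roles, systems and entitlements are constructed sample data.

```python
"""Periodic least-privilege access review over constructed sample data.

Added example, not Complete I.T.'s code. The HR roster, role matrix, accepted
risks and system export below are all constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# HR roster: who works here, their role, and whether they are still active.
ROSTER = {
    "alice": {"role": "helpdesk_wycombe", "status": "active"},
    "bob":   {"role": "helpdesk_bristol", "status": "active"},
    "carol": {"role": "finance",          "status": "active"},
    "dave":  {"role": "helpdesk_swindon", "status": "left"},   # leaver
}

# Role matrix: the entitlements each role is allowed on each system.
ROLE_MATRIX = {
    "helpdesk_wycombe": {"ticketing": {"clients:wycombe"}},
    "helpdesk_bristol": {"ticketing": {"clients:bristol"}},
    "helpdesk_swindon": {"ticketing": {"clients:swindon"}},
    "finance":          {"ticketing": set(), "accounts": {"ledger:write"}},
}

# Accepted risks signed off by the owner: (role, system, entitlement).
# Here: Bristol helpdesk may see Wycombe clients so they can cover calls.
ACCEPTED_RISKS = {
    ("helpdesk_bristol", "ticketing", "clients:wycombe"),
}

# Access export from one system, as its owner would pull it for the review.
TICKETING_EXPORT = {
    "alice":      {"clients:wycombe"},
    "bob":        {"clients:bristol", "clients:wycombe"},  # covering Wycombe
    "carol":      {"clients:wycombe"},                     # finance, no need
    "dave":       {"clients:swindon"},                     # leaver still present
    "svc_backup": {"clients:all"},                         # unknown to HR
}


@dataclass
class Finding:
    account: str
    kind: str                          # leaver | unknown_account | excess | accepted
    entitlement: Optional[str] = None


def review_system(system, export, roster, role_matrix, accepted):
    """Compare one system's access export against HR data and the role matrix."""
    findings = []
    for account, granted in sorted(export.items()):
        person = roster.get(account)
        if person is None:
            findings.append(Finding(account, "unknown_account"))
            continue
        if person["status"] != "active":
            # A leaver: every entitlement is excess, so report the account once.
            findings.append(Finding(account, "leaver"))
            continue
        allowed = role_matrix.get(person["role"], {}).get(system, set())
        for ent in sorted(granted - allowed):
            kind = "accepted" if (person["role"], system, ent) in accepted else "excess"
            findings.append(Finding(account, kind, ent))
    return findings


def actions_for(system, findings):
    """Turn findings into the concrete remediation actions the owner must take."""
    actions = []
    for f in findings:
        if f.kind == "leaver":
            actions.append(f"disable {f.account} and remove all {system} access")
        elif f.kind == "unknown_account":
            actions.append(f"identify an owner for {f.account} or disable it")
        elif f.kind == "excess":
            actions.append(f"remove {f.entitlement} from {f.account}")
        # "accepted" findings need no action; they are recorded as accepted risks.
    return actions


def make_record(system, owner, findings, reviewed_on=None):
    """Build the review record kept as evidence that the check was performed."""
    return {
        "system": system,
        "owner": owner,
        "reviewed_on": reviewed_on or date.today().isoformat(),
        "method": "compared access export against HR roster and role matrix",
        "findings": [(f.account, f.kind, f.entitlement) for f in findings],
        "accepted_risks": [(f.account, f.entitlement) for f in findings
                           if f.kind == "accepted"],
        "actions": actions_for(system, findings),
    }


if __name__ == "__main__":
    found = review_system("ticketing", TICKETING_EXPORT, ROSTER, ROLE_MATRIX, ACCEPTED_RISKS)
    record = make_record("ticketing", "helpdesk lead", found)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Running this against a real system means replacing the constructed export with that system's own user/permission listing and the roster with an HR feed; the useful property is that the accepted-risk list is explicit and reviewed alongside the findings, so a deliberate exception like cross-office cover stays visible rather than silently becoming the norm.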
