Once your network is configured, you and your employees will start using it in ways that leave sensitive information on servers and workstations. One of the best ways to protect this information is to enforce the principles of least privilege and need-to-know.
Least privilege dictates users should have only the rights and permissions necessary to do their jobs. For example, a network administrator will probably need full access to servers and network devices using an administrator-level account. However, business users are granted access to servers only at a level necessary to access shares or applications.
Need-to-know supports least privilege by ensuring that once users gain access to an application, for example, they see only the information related to their jobs. Protecting ePHI (electronic protected health information) is a good example of this. HIPAA requires that users may only see information on patients they directly work with. So a nurse working in a hospital, for instance, shouldn't see records for patients not under her care.
In another example, there is no reason for someone working in building services to have access to employee payroll information.
Both least privilege and need-to-know are implemented and managed via administrative, technical, and physical access controls. Each of these categories is further divided into preventive, detective, and corrective controls.
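The following is an added example, not part of the original article, showing how the two principles above become a two-stage technical control: a role check enforces least privilege (the nurse and the building-services role hold only the operations they need), and a relationship check enforces need-to-know (a nurse sees only patients assigned to her). Denied requests are written to an audit list, which is the detective side of the same control. The role table, user names, patient identifiers, and record contents are all constructed for the example.

```python
"""Least privilege + need-to-know as a two-stage access check (illustrative)."""
from dataclasses import dataclass

# Constructed role table: each role holds only the operations its job needs
# (least privilege). Nobody in building_services can read payroll or patient data.
ROLE_PERMISSIONS = {
    "network_admin": {"server:admin"},
    "nurse": {"patient_record:read", "patient_record:update"},
    "payroll_clerk": {"payroll:read"},
    "building_services": {"facility:read"},
}


@dataclass
class User:
    name: str
    role: str
    # Need-to-know relationship: the patients this user actually works with.
    assigned_patients: frozenset = frozenset()


@dataclass
class PatientRecord:
    patient_id: str
    notes: str


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


# Detective control: every denial is recorded so it can be reviewed later.
AUDIT_LOG: list[str] = []


def is_permitted(user: User, operation: str) -> bool:
    """Stage 1, least privilege: does the user's role grant this operation at all?"""
    return operation in ROLE_PERMISSIONS.get(user.role, set())


def check_patient_access(user: User, record: PatientRecord, operation: str) -> AccessDecision:
    """Stage 2, need-to-know: even with the right, only records the user works with."""
    if not is_permitted(user, operation):
        decision = AccessDecision(False, f"least privilege: role {user.role} lacks {operation}")
    elif record.patient_id not in user.assigned_patients:
        decision = AccessDecision(False, f"need-to-know: {user.name} not assigned to {record.patient_id}")
    else:
        decision = AccessDecision(True, "allowed")
    if not decision.allowed:
        AUDIT_LOG.append(f"DENY user={user.name} op={operation} patient={record.patient_id} ({decision.reason})")
    return decision


def visible_records(user: User, records: list[PatientRecord]) -> list[PatientRecord]:
    """Filter a record set down to what the user is entitled to see."""
    return [r for r in records if check_patient_access(user, r, "patient_record:read").allowed]


def demo() -> dict:
    """Constructed scenario: one nurse, two patients, one building-services user."""
    records = [PatientRecord("P-100", "constructed note A"), PatientRecord("P-200", "constructed note B")]
    nurse = User("alice", "nurse", frozenset({"P-100"}))
    facilities = User("bob", "building_services")
    return {
        "nurse_sees": [r.patient_id for r in visible_records(nurse, records)],
        "facilities_sees": [r.patient_id for r in visible_records(facilities, records)],
        "denials_logged": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the two checks matters: the role check runs first so that a user whose role never grants the operation is refused before any record-level lookup, and the audit entry names which principle produced the denial, which is what a reviewer needs when deciding whether a denial was a misconfiguration or an attempted overreach.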