Enforce Need-to-Know Access in Databases
Only authorised users can access database contents by using specific privileges, roles, and techniques to protect the data.
Plain language
This control ensures that only the right people can access the information in your databases. Just like you wouldn't want everyone reading your private diary, businesses need to protect sensitive data from being seen by those without a good reason. If it's not done, unauthorised access could lead to data leaks, hurting your business's reputation and potentially resulting in financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The need-to-know principle is enforced for database contents through the application of minimum privileges, database views, database roles and data tokenisation.
Why it matters
Without database need-to-know controls (least privilege, roles/views, tokenisation), users may access sensitive records outside their duties, increasing breach risk.
Operational notes
Review database roles and privileges, enforce access via least-privilege roles and views, and apply tokenisation to limit exposure of sensitive fields to authorised users.
Implementation tips
- The database administrator should identify which users genuinely need access to specific parts of the database. They can do this by meeting with each department to understand their data needs and then restricting access to just that required information.
- IT security staff should set up database views to limit what data users can see. This involves creating tailored, read-only windows that show only the necessary information for jobs, keeping other data hidden.
- The IT team should assign roles within the database software that match job responsibilities. They can do this by mapping organisational roles to database roles, ensuring each person only has the access they need to do their job.
- Database administrators should implement data tokenisation to protect sensitive information. They can replace sensitive data with tokens or placeholders and keep the actual data in a secure location, only revealing it to those with special access.
- Managers should regularly review and update access permissions. This involves scheduling regular check-ins with the IT team to ensure that access rights are current and that no one has access to more information than they need.
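The four techniques the control statement names (minimum privileges, views, roles, tokenisation) applied together to one table, as an added example in PostgreSQL syntax; it is not code from the ISM or this page, and the schema, column and role names (`hr.employees`, `vault.tfn_tokens`, `payroll_officer`, `alice`) are assumed for illustration.

```sql
-- Added example (PostgreSQL); names and schema are assumptions, not from the page.
-- Sensitive value (an employee's tax file number) is never stored in the HR table:
-- the table holds only an opaque token that maps to the real value in a vault schema.
CREATE SCHEMA hr;
CREATE SCHEMA vault;

-- 1. Tokenisation: the real value lives only here; token is an unguessable UUID.
CREATE TABLE vault.tfn_tokens (
    token uuid PRIMARY KEY DEFAULT gen_random_uuid(),   -- built in since PostgreSQL 13
    tfn   text NOT NULL UNIQUE
);

CREATE TABLE hr.employees (
    emp_id     integer PRIMARY KEY,
    full_name  text NOT NULL,
    department text NOT NULL,
    salary     numeric(10,2) NOT NULL,
    tfn_token  uuid NOT NULL REFERENCES vault.tfn_tokens(token)  -- token, never the TFN
);

-- 2. Views: each duty gets a read-only window over only the columns it needs.
--    A PostgreSQL view runs with its owner's rights, so a role that may SELECT
--    from the view needs no privilege on hr.employees itself.
CREATE VIEW hr.v_directory AS
    SELECT emp_id, full_name, department FROM hr.employees;            -- no pay, no token
CREATE VIEW hr.v_payroll AS
    SELECT emp_id, full_name, salary, tfn_token FROM hr.employees;     -- token only

-- 3. Roles: one database role per organisational role, no direct logins.
CREATE ROLE staff_directory NOLOGIN;
CREATE ROLE payroll_officer NOLOGIN;
CREATE ROLE tfn_custodian   NOLOGIN;

-- 4. Minimum privileges: nothing for PUBLIC, SELECT on views only,
--    and the vault readable only by the custodian role (the detokenisation point).
REVOKE ALL ON ALL TABLES IN SCHEMA hr, vault FROM PUBLIC;
GRANT USAGE ON SCHEMA hr TO staff_directory, payroll_officer;
GRANT SELECT ON hr.v_directory TO staff_directory;
GRANT SELECT ON hr.v_payroll   TO payroll_officer;
GRANT USAGE ON SCHEMA vault TO tfn_custodian;
GRANT SELECT ON vault.tfn_tokens TO tfn_custodian;

-- 5. A person's login inherits exactly one duty role (assumed user "alice").
CREATE ROLE alice LOGIN IN ROLE payroll_officer;

-- 6. Evidence for an access review: every explicit table/view grant in scope.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema IN ('hr', 'vault')
ORDER BY grantee, table_schema, table_name;
```

The final query is the kind of listing an auditor asks for under the evidence tips below: any grantee with SELECT on `hr.employees` or `vault.tfn_tokens` who is not the intended custodian is a finding.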
Audit / evidence tips
- Ask: a list of user access privileges. Request a document that lists all database users and their level of access.
  Good: Clear evidence that each user's access matches their role and responsibilities, and unnecessary access has been removed.
- Ask: to see the database view configurations. Request examples of how database views have been set up.
  Good: Configurations should show only the essential information, with sensitive data obscured.
- Ask: records of role assignments. Request documentation of role mappings and assignments.
  Good: Documentation should clearly map database roles to organisational roles, with approvals for any changes.
- Ask: evidence of tokenisation methods. Request records of how tokenisation is implemented for sensitive data.
  Good: Evidence of ongoing use of tokenisation methods, with appropriate safeguards in place.
- Ask: minutes from recent access reviews. Request minutes or notes from meetings where access permissions were reviewed.
  Good: Minutes show regular reviews with actions taken to adjust access as needed.
Cross-framework mappings
How ISM-1268 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes |
|---|---|
| Partially overlaps (1) | |
| Annex A 8.11 | Annex A 8.11 requires organisations to apply data masking for sensitive information in line with access control policy, business needs, a... |
| Supports (3) | |
| Annex A 5.12 | ISM-1268 requires enforcing need-to-know to database contents through privileges, roles/views, and tokenisation to ensure only authorised... |
| Annex A 5.18 | ISM-1268 requires enforcing need-to-know for database contents using minimum privileges, database roles/views, and tokenisation |
| Annex A 5.34 | ISM-1268 requires enforcing need-to-know for database contents and includes controls like minimum privileges and tokenisation to limit ex... |
| Related (1) | |
| Annex A 8.3 | Annex A 8.3 requires restricting access to information and assets based on an established access control policy |
E8
| Control | Notes |
|---|---|
| Partially overlaps (1) | |
| E8-RA-ML3.1 | E8-RA-ML3.1 requires limiting privileged access to systems, applications, and data repositories to only what is necessary for duties |
| Supports (1) | |
| E8-MF-ML3.1 | ISM-1268 requires enforcing need-to-know access within databases using minimum privileges, roles/views, and tokenisation so only authoris... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.