Principle #4: Information is accessible unless

Information is accessible unless

This is the forth blog of a series regarding Information Management principles: Information is accessible unless. Information hoarding can be a major challenge for co-workers to find information they need to do the work. Even if you have implemented principles #2 – one version of the truth and #3 – one location well, there can still be significant hurdles because there are access controls in place that prevent accessing information. Typically resulting in a quest to find a person that has access, and get a copy by e-mail which undermines principles #2 and #3.


Sometimes these access controls are necessary for example for personal data, confidential information and payment card information. However in many cases access controls should be unnecessary. The majority of the information should not be sensitive and pose little to no risk when exposed to an outsider or someone within an organisation.

Typically only co-workers can determine the sensitivity and therefore primarily co-workers need to classify the information. Many organisations have an information (security) classification with levels such as public, internal, confidential, personal confidential and secret. Co-workers need to be made aware how to apply the information classification and what the impact this should have regarding access controls. A cultural change towards openness and trust may be needed as well.

In order to make the classification really effective, the IT systems must make the application of access controls in accordance with the information classification as easy as possible for the user. For example the IT systems ideally restricts access rights automatically when the information classification is set to anything other than public or internal. This probably requires some upfront investment during the implementation however this will increase the compliance to information security significantly.

This will result in a situation where more information is accessible and therefore co-workers can find information more efficiently. This also leads to less support calls for access privileges, co-workers being granted too much rights (because it is too difficult to find out the right set of privileges) and more time to focus on the information that really needs to be protected.