Which security principle involves restricting access to sensitive data on a need-to-know basis?

Prepare for the SV Cyber Security Certification Test with engaging flashcards and comprehensive multiple-choice questions. Enhance your readiness and optimize your exam performance!

The principle of least privilege is fundamental in cybersecurity as it dictates that individuals should only have access to the information and resources necessary for them to perform their job functions. This means that users are granted the minimum level of access — or privileges — needed to carry out their tasks effectively. By adhering to this principle, organizations can significantly reduce the risk of unauthorized access to sensitive data, as individuals cannot access information that is beyond their specific role or requirements.

This approach not only helps protect sensitive information from potential misuse or breach but also aids in maintaining data integrity and confidentiality. In the context of an organization, implementing least privilege ensures that in the event of a compromised user account, the attacker has limited access to sensitive data, thus minimizing the potential impact of a security incident.

In contrast, other concepts like ownership, mandatory access, or data governance do not focus exclusively on restricting access based on necessity to perform a job. Ownership pertains to who has the rights over a particular data set, mandatory access relates to rules enforced at the system level for controlling access, and data governance involves broader policies and practices for managing data throughout its lifecycle. While all are important in a comprehensive security strategy, the essence of the question specifically aligns with the principle of least privilege.
