laboon / ebook

Software Testing ebook

Not quite specific enough definition for "principle of least privilege" #78

Closed carols10cents closed 9 years ago

carols10cents commented 9 years ago

In 20.3.4 Insecure Storage, you say:

In general, you want to follow the principle of least privilege, ensuring that only authorized users have access to any related data.

"Any related data" is pretty general and doesn't really convey the difference between this and generic confidentiality. The definition in the glossary is awesome though:

Principle of Least Privilege: The principle that states that users should have the minimal amount of access to the system necessary to do their jobs. For example, a developer should not (in general) have access to payroll data, and HR personnel should not have access to source code.

So maybe incorporate a bit of the glossary definition into the paragraph in that section?

carols10cents commented 9 years ago

Actually, you define it better in the Social Engineering section:

Limiting users to the minimal amount of access that they need to do their job is called the principle of least privilege.

which seems a bit redundant since you mentioned it before (except that this definition is better).

laboon commented 9 years ago

OK, fixed this up in commit afe126e7b011b6c911cad3943e3fa5ebedf94dfc. Thanks!