Restricting access to sensitive information on a 'need to know' basis is correct because it reduces the probability of unauthorized disclosure by ensuring only authorized personnel who need the information to perform their job functions have access to it. This is aligned with the principle of 'least privilege' which is a key concept in internal risk management to minimize insider threats. Conversely, encrypting data is a technical control that safeguards data at rest or in transit, but would not necessarily prevent unauthorized internal access if encryption keys are broadly available. Implementing an intrusion detection system (IDS) is a security measure to monitor network or system activities for malicious activities or policy violations; it does not prevent internal unauthorized disclosures. Lastly, enforcing password complexity might improve the strength of authentication but does not directly address the issue of employees improperly accessing and handling sensitive data.