Learn the most appropriate procedure organizations should use to classify data and ensure information security. Understand the roles of data owners, business impact analysis, and more.
Question
Which of the following is the MOST appropriate procedure for an organization to use when classifying data?
A. Have the information security manager assign data classification levels.
B. Review data classification questionnaires completed by data owners.
C. Use results from business impact analyses to classify data.
D. Publish data classification templates on the corporate intranet.
Answer
The MOST appropriate procedure for an organization to use when classifying data is:
B. Review data classification questionnaires completed by data owners.
Explanation
Data owners are the individuals who are most familiar with the specific data assets and understand their value, sensitivity, and criticality to the business. They are in the best position to accurately classify the data based on the organization’s data classification policy and guidelines.
Having data owners complete standardized data classification questionnaires is an effective way to gather the information needed to assign the appropriate classification levels (e.g., public, internal, confidential, restricted). The questionnaires typically cover aspects such as the type of data, how it is used, who needs access to it, legal and compliance requirements, and the impact to the business if the data were compromised.
Reviewing the completed questionnaires allows the information security team to validate the proposed classifications, ensure consistency across the organization, and compile an inventory of classified data assets. This process helps ensure data is classified comprehensively and accurately.
The other options are not ideal as the primary classification procedure:
A. Having the information security manager unilaterally assign classifications would not leverage the data owners’ knowledge and could result in inaccurate classifications.
C. While business impact analyses are valuable inputs, they don’t capture all the information needed to comprehensively classify data.
D. Simply publishing templates would not ensure that data actually gets classified. Proactive outreach to and participation from data owners is needed.
In summary, having data owners complete classification questionnaires that are then reviewed by information security is the most thorough and appropriate way to classify an organization’s data. This procedure leverages the knowledge of those most familiar with the data while providing oversight to validate classifications.
ISACA CISA certification exam practice question and answer (Q&A) with detailed explanation and reference, available free and helpful for passing the ISACA CISA exam and earning the ISACA CISA certification.