5.4: Classification of information Assets (Doshi) Flashcards

1
Q

Objectives/benefits for data classification

A

(1) To reduce RISK of under protection of information assets

(2) To reduce COST of over protection of information assets

2
Q

5 Logical steps for data classification:

A

(1) Inventory of information Assets
(2) Establish ownership for each information asset
(3) Classification of information Assets (public/private/sensitive)
(4) Labeling of information Assets
(5) Creation of Access control list

3
Q

With whom does the ACCOUNTABILITY reside for the MAINTENANCE of proper security controls over assets?

A

The data owner/system owner

4
Q

Who is ULTIMATELY responsible for defining the access rules?

A

The data owner/system owner

5
Q

What are the requirements that data classification must take into account?

A

(1) Legal/Regulatory/Contractual
(2) Confidentiality
(3) Integrity
(4) Availability

6
Q

Why should the data owner and data custodian have knowledge and awareness of the company's data classification policy?

A

To ensure proper classification of data as per organizational requirements.

7
Q

FIRST step in classification of information assets:

A

Inventory of information assets

8
Q

Responsibility for the maintenance of proper control measures over information resources resides with the:

A. database administrator
B. security administrator
C. data and systems owners
D. systems operations group

A

C. data and systems owners

In any given scenario, accountability for the maintenance of security controls over information assets resides with the data owner/system owner. Even though the owner may delegate responsibilities to other specialized functions, owners remain accountable for the maintenance of appropriate security measures. Management should ensure that all information resources have an appointed owner who makes decisions about classification and access rights.

9
Q

An IS auditor is evaluating the data classification policy of an organization. The FIRST step in data classification is to:

A. the labelling of IS resources
B. establish ownership
C. perform an impact analysis
D. define access control rules

A

B. establish ownership

In any given scenario, the following are the logical steps for data classification:
-First step is to have an inventory of IS resources
-Second step is to establish ownership
-Third step is classification of IS resources
-Fourth step is labelling of IS resources
-Fifth step is creation of an access control list

In the above question, the step concerning inventory of IS resources is not among the options. Hence the second logical step, i.e. establishing ownership, is our answer. The data owner is responsible for defining the access rules; hence establishing ownership is very critical.

10
Q

An IS auditor is evaluating the access control policy of an organization. The implementation of access controls FIRST requires:

A. creation of an access control list
B. an inventory of IS resources
C. perform an impact analysis
D. labelling of IS resources

A

B. an inventory of IS resources

In any given scenario, the following are the logical steps for data classification and implementation of access control:

-First step is to have an inventory of IS resources
-Second step is to establish ownership
-Third step is classification of IS resources
-Fourth step is labelling of IS resources
-Fifth step is creation of an access control list

The first step in implementing access controls is an inventory of IS resources.

11
Q

Which of the following is the MOST important objective of data protection?

A. creation of an access control list
B. ensuring the integrity of information
C. reduction in cost of control
D. to comply with risk management policy

A

B. ensuring the integrity of information

In any given scenario, the most important objective of data protection is to ensure the integrity/confidentiality of data.

12
Q

Proper classification and labelling for system resources are important for access control because they:

A. help to avoid ambiguous resource names
B. reduce the number of rules required to adequately protect resources
C. serve as stringent access control
D. ensure that internationally recognized names are used to protect resources

A

B. reduce the number of rules required to adequately protect resources.

Proper classification and labelling of system resources are important for the efficient administration of security controls. Proper labelling reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. Reducing the number of rules makes it easier to provide access. Proper classification and labelling does not necessarily ensure options A, C and D.

13
Q

In coordination with the database administrator, granting access to data is the responsibility of:

A. data owners
B. system engineer
C. security officer
D. librarians

A

A. data owners

In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner. Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners.

14
Q

An IS auditor is reviewing the data classification policy of an organization. From a CONTROL perspective, the PRIMARY objective of classifying information assets is to:

A. ensure that all assets are insured against losses.
B. assist in risk assessment
C. establish appropriate access control guidelines
D. ensure all information assets have access controls

A

C. establish appropriate access control guidelines

The first step in establishing access control is to ensure a well-defined information asset classification policy. By assigning levels of criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. Hence, from a control perspective, the primary objective of classification is to establish appropriate access control guidelines. Not all assets are required to be insured. Also, access control may not be required for all assets. Classification helps in risk assessment; however, that is not its prime objective.

15
Q

From a control perspective, access to application data should be given by:

A. database administrator
B. data custodian
C. data owner
D. security administrator

A

C. data owner

In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner. The ultimate responsibility for data resides with the data owner. Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The DBA is responsible for managing the database.

16
Q

An IS auditor is reviewing the access control policy of an organization. Which of the following is responsible for authorizing access rights to production data and systems?

A. Process owner
B. Data owner
C. Data custodian
D. Security administrator

A

B. Data owner

In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner. The ultimate responsibility for data resides with the data owner. Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. Process owners have greater knowledge of the process objectives; however, they are not the best suited to authorize access to specific data.

17
Q

An IS auditor is reviewing the access control policy of an organization. Which of the following is the BEST basis for determining the appropriate levels of information resource protection?

A. Classification of Information Assets
B. Data owner
C. Threat Assessment
D. Cost of Information Assets

A

A. Classification of Information Assets

Classification of information assets on the basis of criticality and sensitivity provides the best basis for assigning levels of information resource protection. Threat assessment alone does not take into account criticality or sensitivity, which is the basis for assigning levels of information resource protection. Cost of assets is not an adequate basis for determining the needed level of protection. An asset can be negligible from a cost standpoint, but extremely critical to operations or sensitive if exposed.

18
Q

The MOST important benefit of having a data classification policy is:

A. data classification ensures accurate inventory of information assets.
B. data classification helps to decrease cost of controls.
C. data classification helps in vulnerability assessment.
D. data classification helps in appropriate alignment with data owners

A

B. data classification helps to decrease cost of controls.

In any given scenario, the greatest benefit of a well-defined data classification policy is a decreased cost of control. The other choices are direct or indirect benefits of a well-defined data classification policy, but the greatest benefit is the reduction of cost.

19
Q

For appropriate data classification, the MOST important requirement is:

A. Knowledge of technical controls for protection of data.
B. Awareness and training about organizational policies and standards.
C. Use of automatic data control tools.
D. Understanding the requirements of data user

A

B. Awareness and training about organizational policies and standards

20
Q

OBJECTIVE of classification of information assets

A

(1) ENSURE integrity and confidentiality of data
(2) ESTABLISH appropriate access control guidelines
(3) REDUCTION in the costs of protecting information assets

21
Q

MOST important requirement for correct/ appropriate data classification policy

A

awareness and training about organizational policies and standards

22
Q

An IS auditor is evaluating the data classification policy of an organization. The FIRST step in data classification is to:

A. the labelling of IS resources
B. establish ownership
C. taking an inventory of data assets
D. define access control rules

A

C. taking an inventory of data assets

23
Q

In any given scenario, the following are the logical steps for data classification:

A

  • First step is to have an inventory of information assets.
  • Second step is to establish ownership.
  • Third step is classification of IS resources.
  • Fourth step is labelling of IS resources.
  • Fifth step is creation of an access control list.

24
Q

In any given scenario, data owner/system owner is

A

ultimately responsible for defining the access rules.

25
Q

In any given scenario, accountability for the maintenance of proper security controls over information assets resides

A

with the data owner/system owner.

26
Q

In any given scenario, the greatest benefit of a well-defined data classification policy is

A

decreased cost of control.

27
Q

In any given scenario, the most important objective of data protection is

A

to (i) ensure integrity/confidentiality of data and (ii) establish appropriate access control guidelines.

28
Q

Data classification must take into account the following requirements:

A

  • Legal/Regulatory/Contractual
  • Confidentiality
  • Integrity
  • Availability