4: Classification of information assets Flashcards
Objectives/benefits for data classification
To reduce the RISK of under-protecting information assets
To reduce the COST of over-protecting information assets
Logical steps for data classification
1- Inventory of information assets
2- Establish ownership for each information asset
3- Classification of information assets (public/private/sensitive)
4- Labelling of information assets
5- Creation of access control lists
With whom does accountability for the maintenance of proper security controls over assets reside?
With the data owner/system owner
Who is ultimately responsible for defining the access rules?
Data owner/system owner
What requirements must data classification take into account?
- Legal/Regulatory/Contractual
- Confidentiality
- Integrity
- Availability
Why should the data owner and the data custodian know and be aware of the company's data classification policy?
To ensure that data is classified properly, as the organization requires.
First step in classification of information assets
Inventory of information assets
(1)Responsibility for the maintenance of proper control measures over information resources resides with the:
A. database administrator
B. security administrator
C. data and systems owners
D. systems operations group
Answer: C. data and systems owners
Explanation:
In any given scenario, accountability for the maintenance of security controls over information
assets resides with the data owner/system owner. Even though the owner may delegate day-to-day
responsibilities to other specialized functions (such as the DBA or the security administrator),
the owner remains accountable for the maintenance of appropriate security measures. Management
should ensure that every information resource has an appointed owner who makes decisions about
classification and access rights.
(2)An IS auditor is evaluating the data classification policy of an organization. The FIRST step in data classification is to:
A. label IS resources
B. establish ownership
C. perform an impact analysis
D. define access control rules
Answer: B. establish ownership
Explanation:
In any given scenario, the logical steps for data classification are:
-First step is to have inventory of IS resources
-Second step is to establish ownership
-Third step is classification of IS resources
-Fourth step is labelling of IS resources
-Fifth step is creation of access control list
In the above question, the inventory of IS resources (the actual first step) is not among the
options, so the next logical step, establishing ownership, is the answer. The data owner is
responsible for defining the access rules; hence, establishing ownership is critical.
(3)An IS auditor is evaluating the access control policy of an organization. The implementation of access controls FIRST requires:
A. creation of an access control list
B. an inventory of IS resources
C. perform an impact analysis
D. labelling of IS resources
Answer: B. an inventory of IS resources
Explanation:
In any given scenario, the logical steps for data classification and the implementation of
access control are:
-First step is to have inventory of IS resources
-Second step is to establish ownership
-Third step is classification of IS resources
-Fourth step is labelling of IS resources
-Fifth step is creation of access control list
The first step in implementing access controls is an inventory of IS resources.
(4)Which of the following is the MOST important objective of data protection?
A. creation of an access control list
B. ensuring the integrity of information
C. reduction in cost of control
D. to comply with risk management policy
Answer: B. ensuring the integrity of information
Explanation:
In any given scenario, the most important objective of data protection is to preserve the
integrity of the information. Creating an access control list is a means of protection, not its
objective; reducing the cost of control and complying with the risk management policy are
secondary considerations.
(5)Proper classification and labelling for system resources are important for access control because
they:
A. help to avoid ambiguous resource names
B. reduce the number of rules required to adequately protect resources
C. serve as stringent access control
D. ensure that internationally recognized names are used to protect resources
Answer:B. reduce the number of rules required to adequately protect resources.
Explanation:
Proper classification and labelling of system resources are important for the efficient administration of security controls. Labelling lets access rules be written per label rather than per individual resource, which reduces the number of rules required to adequately protect resources and in turn eases security administration and maintenance. Fewer rules also make it easier to grant access correctly. Classification and labelling do not by themselves guarantee unambiguous resource names (A), act as a stringent access control (C) or ensure that internationally recognized names are used (D).
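The following is an added example, not part of the original flashcards, showing in code why label-based rules (question 5) need fewer entries than per-resource rules while giving the same decisions, and how the five classification steps above fit together: assets cannot enter the inventory without an owner and a valid label, access decisions fail closed for anything not in the inventory, and only the owner may reclassify (questions 6 and 8). Asset names, owners, roles and labels are constructed for illustration.

```python
"""Label-based access rules over a classified asset inventory (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Tuple

# Classification scheme used on the page (public / private / sensitive).
# Each label maps to ONE rule: the roles allowed to read assets carrying
# that label. This is step 5 done per label instead of per asset.
LABEL_RULES: Dict[str, FrozenSet[str]] = {
    "public": frozenset({"anyone", "staff", "finance"}),
    "private": frozenset({"staff", "finance"}),
    "sensitive": frozenset({"finance"}),
}


@dataclass(frozen=True)
class Asset:
    name: str    # step 1: identity in the inventory
    owner: str   # step 2: appointed data/system owner
    label: str   # steps 3-4: classification applied as a label


@dataclass
class Inventory:
    assets: Dict[str, Asset] = field(default_factory=dict)

    def add(self, asset: Asset) -> None:
        """Refuse assets with no owner or an unknown label, so nothing enters
        the inventory that the rule lookup cannot handle."""
        if not asset.owner:
            raise ValueError(f"{asset.name}: an owner must be appointed")
        if asset.label not in LABEL_RULES:
            raise ValueError(f"{asset.name}: unknown label {asset.label!r}")
        self.assets[asset.name] = asset

    def reclassify(self, requester: str, name: str, new_label: str) -> None:
        """Only the owner may change classification, and with it access."""
        asset = self.assets[name]
        if requester != asset.owner:
            raise PermissionError(f"{requester} is not the owner of {name}")
        self.add(Asset(name, asset.owner, new_label))


def allowed(inv: Inventory, role: str, name: str) -> bool:
    """Label-based decision. Fails closed: an asset that is not in the
    inventory has no label, hence no rule, hence no access."""
    asset = inv.assets.get(name)
    return asset is not None and role in LABEL_RULES[asset.label]


def per_resource_rules(inv: Inventory) -> Dict[str, FrozenSet[str]]:
    """The alternative the page contrasts with: one explicit rule per asset.
    Derived from the labels here only so the two can be compared; without
    labels every entry would be written and maintained by hand."""
    return {n: LABEL_RULES[a.label] for n, a in inv.assets.items()}


def allowed_per_resource(rules: Dict[str, FrozenSet[str]], role: str, name: str) -> bool:
    return role in rules.get(name, frozenset())


def rule_counts(inv: Inventory) -> Tuple[int, int]:
    """(rules needed per resource, rules needed per label)."""
    return len(per_resource_rules(inv)), len(LABEL_RULES)


def decisions_agree(inv: Inventory, roles: Iterable[str]) -> bool:
    """Both rule sets give identical answers for every (role, asset) pair."""
    rules = per_resource_rules(inv)
    return all(
        allowed(inv, r, n) == allowed_per_resource(rules, r, n)
        for r in roles for n in inv.assets
    )


def sample_inventory() -> Inventory:
    """Constructed sample data (hypothetical assets and owners)."""
    inv = Inventory()
    for name, owner, label in [
        ("press-release", "comms-head", "public"),
        ("hr-handbook", "hr-head", "private"),
        ("org-chart", "hr-head", "private"),
        ("payroll-db", "cfo", "sensitive"),
        ("audit-findings", "cfo", "sensitive"),
        ("product-roadmap", "cpo", "private"),
    ]:
        inv.add(Asset(name, owner, label))
    return inv


if __name__ == "__main__":
    inv = sample_inventory()
    print("rules per resource vs per label:", rule_counts(inv))
    print("staff -> hr-handbook:", allowed(inv, "staff", "hr-handbook"))
    print("staff -> payroll-db:", allowed(inv, "staff", "payroll-db"))
```

With six assets and three labels the per-resource approach needs six rules and the label approach three; adding a seventh asset costs the label approach nothing as long as it carries an existing label. The fail-closed default matters in practice: a resource that skipped step 1 (never inventoried) or step 4 (never labelled) should be denied, not silently treated as public.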
(6)In coordination with the database administrator, granting access to data is the responsibility of:
A. data owners
B. system engineer
C. security officer
D. librarians
Answer: A. data owners
Explanation:
In any given scenario, accountability for the maintenance of proper security controls over
information assets resides with the data owner/system owner. Data owners are responsible for the
use of data. Written authorization for users to gain access to computerized information should be
provided by the data owners.
(7)An IS auditor is reviewing the data classification policy of an organization. From a control perspective, the PRIMARY objective of classifying information assets is to:
A. ensure that all assets are insured against losses
B. assist in risk assessment
C. establish appropriate access control guidelines
D. ensure that all information assets have access controls
Answer: C. establish appropriate access control guidelines
Explanation:
The first step in establishing access control is a well-defined information asset classification
policy. By assigning levels of criticality to information resources, management can establish
guidelines for the level of access control that should be assigned to each. Hence, from a control
perspective, the primary objective of classification is to establish appropriate access control
guidelines. Not all assets need to be insured, and not every asset requires access controls.
Classification helps in risk assessment, but that is not its primary objective.
(8)From a control perspective, access to application data should be given by:
A. database administrator
B. data custodian
C. data owner
D. security administrator
Answer: C. data owner
Explanation:
In any given scenario, accountability for the maintenance of proper security controls over
information assets resides with the data owner/system owner. The ultimate responsibility for data
resides with the data owner.
Data owners should have the authority and responsibility for granting access to the data and
applications for which they are responsible. Data custodians are responsible only for storing and
safeguarding the data. The DBA is responsible for managing the database.