CISM Information Asset Classification
68 Questions

Created by
@IllustriousHoneysuckle

Questions and Answers

Which of the following would be the BEST indicator of an asset's value to an organization?

  • Risk assessment
  • Certification
  • Classification (correct)
  • Security audit

Which of the following tasks should the information security manager do FIRST when business information has to be shared with external entities?

  • Review the information classification (correct)
  • Establish a secure communication channel
  • Execute a nondisclosure agreement
  • Enforce encryption of information

Which of the following is the BEST indicator of the level of acceptable risk in an organization?

  • The ratio of business insurance coverage to its cost (correct)
  • The percentage of assets that have been classified
  • The percentage of the IT budget allocated to security
  • The proportion of identified risk that has been remediated

The PRIMARY objective of asset classification is to:

  • Determine protection level (correct)

The PRIMARY objective of getting the information security manager's approval is to ensure that:

  • Risk from proposed changes is managed (correct)

Which of the following actions is involved when conducting a business impact analysis?

  • Listing critical business resources (correct)

Who should generally determine the classification of an information asset?

  • The asset owner (correct)

Which of the following is the MOST important element of information asset classification?

  • Potential impact (correct)

Asset classification should be MOSTLY based on:

  • Business value (correct)

Which of the following is the MOST important prerequisite to undertaking asset classification?

  • Impact assessment (correct)

The information classification scheme should:

  • Consider possible impact of a security breach (correct)

Which of the following choices BEST helps determine appropriate levels of information resource protection?

  • Asset classification (correct)

Which of the following is the MOST important to keep in mind when assessing the value of information?

  • The potential financial loss (correct)

After performing an asset classification, the information security manager is BEST able to determine the:

  • Requirements for control strength (correct)

The aspect of governance that is MOST relevant to setting security baselines is:

  • Standards (correct)

Which of the following poses the GREATEST challenge to an organization seeking to prioritize risk management activities?

  • An inaccurate valuation of information assets (correct)

Which of the following choices would be the MOST useful in determining the possible consequences of a major compromise?

  • Asset valuation (correct)

What is the PRIMARY deficiency in using annual loss expectancy to predict the annual extent of losses?

  • It is based on at least some subjective information (correct)

Which of the following is the BEST method to determine classification of data?

  • Assessment of impact associated with compromise of data by the data owner (correct)

Which of the following factors BEST helps determine the appropriate protection level for an information asset?

  • The criticality of the business function supported by the asset (correct)

Which of the following is MOST important to achieve proportionality in the protection of enterprise information systems?

  • Asset classification (correct)

The classification level of an asset must be PRIMARILY based on which of the following choices?

  • Criticality and sensitivity (correct)

Tightly integrated IT systems are MOST likely to be affected by:

  • Cascading risk (correct)

What is the FIRST step of performing an information risk analysis?

  • Take an asset inventory (correct)

After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. What should the information security manager recommend?

  • Accept the risk (correct)

Which of the following steps in conducting a risk assessment should be performed FIRST?

  • Identify business assets (correct)

Why is asset classification important to a successful information security program?

  • It determines the appropriate level of protection for the asset (correct)

Which of the following is the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?

  • Potential impact of the data loss (correct)

A business impact analysis is the BEST tool for determining:

  • Priority of restoration (correct)

Which of the following is the MOST important consideration when performing a risk assessment?

  • Assets have been identified and appropriately valued (correct)

Which of the following is the BEST source for determining the value of information assets?

  • Individual business managers (correct)

The PRIMARY reason for classifying information resources according to sensitivity and criticality is to:

  • Define the appropriate level of access controls (correct)

What is the PRIMARY benefit of performing an information asset classification?

  • It links security requirements to business objectives (correct)

Which of the following is the BEST basis for determining the criticality and sensitivity of information assets?

  • An impact assessment (correct)

For risk management purposes, the value of a physical asset should be based on:

  • Replacement cost (correct)

Which of the following types of information would the information security manager expect to have the LOWEST level of security protection in a publicly traded, multinational enterprise?

  • Previous financial results (correct)

Because a company developed a breakthrough technology, which policy would FIRST govern how this information is to be protected?

  • Data classification policy (correct)

Who is responsible for ensuring that information is classified?

  • The data owner (correct)

Which of the following BEST helps calculate the impact of losing frame relay network connectivity for 18-24 hours?

  • Financial losses incurred by affected business units (correct)

Which of the following would be the MOST relevant factor when defining the information classification policy?

  • Requirements of data owners (correct)

Which of the following would be MOST useful in developing a series of recovery time objectives?

  • Business impact analysis (correct)

Which of the following roles is PRIMARILY responsible for determining the information classification levels for a given information asset?

  • Owner (correct)

Which of the following is the PRIMARY prerequisite to implementing data classification within an organization?

  • Identifying data owners (correct)

Who should be assigned as data owner for sensitive customer data that is used only by the sales department?

  • The head of the sales department (correct)

Which of the following should a successful information security management program use to determine the amount of resources devoted to mitigating exposures?

  • Risk analysis results (correct)

Which program element should be implemented FIRST in asset classification and control?

  • Valuation (correct)

Classification is the process of determining criticality and sensitivity of information resources. What does this aim to achieve?

  • Providing appropriate protection (correct)

    Study Notes

    Information Asset Classification and Risk Management

    • Asset Inventory: Establishing ownership and evaluating risk begins with an inventory of assets to categorize and assess potential threats.
    • Mitigation Costs: If the cost to mitigate risks exceeds the potential losses, the information security manager should recommend accepting the risk.
    • Risk Assessment Steps: The first step in risk assessment involves identifying business assets before assessing threats and vulnerabilities.

    Importance of Asset Classification

    • Protection Levels: Asset classification determines the appropriate level of protection based on the asset's value to the organization.
    • Comparison and Benchmarking: Classification schemes vary by organization and are not reliable for benchmarking against peers.
    • Sensitive Information: In case of data loss, the potential impact of lost sensitive data is more significant than the equipment replacement cost.

    Roles and Responsibilities

    • Business Impact Analysis (BIA): BIA prioritizes the restoration of applications but does not address ownership or total costs.
    • Determining Value of Assets: Individual business managers are best suited to evaluate the value of information assets due to their direct knowledge of operations.

    Sensitivity and Criticality

    • Classification Criteria: Assigning sensitivity and criticality influences access control measures but does not dictate overall security budget allocation.
    • Impact Assessments: Proper assessments help in understanding the criticality and sensitivity of information assets based on potential impacts.

    Financial Considerations

    • Asset Valuation for Risk Management: The replacement cost should be used to assess the value of physical assets for risk management purposes.
    • Loss of Connectivity: Financial impacts from connectivity loss are based on the financial losses incurred by affected business units.

    Policy Implementation

    • Data Classification Policy: Data classification policies regulate protection levels based on asset value and are essential for determining encryption and access controls.
    • Responsibility for Classification: The data owner, typically the individual with decision-making authority, is primarily responsible for information classification levels.

    Identifying Owners and Roles

    • Data Ownership: Ownership of sensitive data should reside with the head of the department that uses and benefits most from the data, so that accountability for classification and access decisions sits with the business function that depends on it.
    • Identifying Data Owners: Identifying data owners is crucial before implementing data classification to ensure proper governance.

    Resource Management

    • Resource Allocation: Risk analysis provides critical insights for allocating resources to mitigate risks effectively.
    • Classification Objective: The primary function of asset classification is to determine appropriate protection levels, contributing to overall resource management and IT policy compliance.

    Security Policy Changes

    • Impact of IT Changes: Changes to IT infrastructure can affect security policies, so security managers must ensure that alterations do not weaken the security posture of the organization.

    Change Management and Security

    • Rollback to a known-good previous state is a component of change management; an unplanned or unreviewed rollback can itself introduce security risk.
    • Change requests must obtain approval from the asset owner and the information security manager.
    • The primary goal of the security manager's approval is to ensure changes adhere to security policy and that the risk they introduce is managed.

    Business Impact Analysis (BIA)

    • Security threat identification is part of a risk assessment, not the BIA.
    • Key outcomes of a BIA include identifying critical resources, disruption impacts, allowable outage times, and recovery priorities.

    Information Asset Classification

    • The asset custodian enforces the protection of assets based on classification; the asset owner is responsible for classifying assets.
    • Classification should be informed by business value, that is, the asset's contribution to revenue and the consequences of its loss or disclosure, rather than by acquisition cost or book value.

    Risk Assessment and Control

    • Impact assessments determine an asset's criticality and sensitivity, which are crucial for proper classification.
    • Annual loss expectancy (ALE) is limited due to its reliance on subjective information rather than concrete historical data.
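    The notes above make three claims that are easier to reason about in code: the data owner's impact assessment drives the classification level and therefore the required control strength; a risk whose mitigation costs more than it saves should be accepted; and ALE is only as good as the subjective estimates behind it. The following Python is an added example written for this page, not ISACA material or a quiz answer. The three-level impact scale, the high-water-mark rule, the control baseline, and all figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed impact scale, lowest to highest. Real schemes vary by organization.
LEVELS: Tuple[str, ...] = ("low", "moderate", "high")

# Assumed control baseline per classification level (constructed for illustration,
# not taken from any standard). Higher classification => stronger control requirements.
BASELINE: Dict[str, List[str]] = {
    "low": ["asset tagged in inventory", "role-based access"],
    "moderate": ["asset tagged in inventory", "role-based access",
                 "encryption at rest", "access logging"],
    "high": ["asset tagged in inventory", "role-based access",
             "encryption at rest", "encryption in transit",
             "access logging", "MFA for all access", "quarterly access review"],
}


@dataclass(frozen=True)
class ImpactAssessment:
    """Impact ratings supplied by the data owner for one information asset."""
    asset: str
    owner: str
    confidentiality: str
    integrity: str
    availability: str


def classify(ia: ImpactAssessment) -> str:
    """Derive the classification level from the owner's impact assessment.

    Uses a high-water-mark rule (an assumption for this example): the asset takes
    the highest impact rating across confidentiality, integrity and availability,
    so a single 'high' objective forces the strongest baseline.
    """
    ratings = (ia.confidentiality, ia.integrity, ia.availability)
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"{ia.asset}: unknown impact level {r!r}")
    return max(ratings, key=LEVELS.index)


def required_controls(ia: ImpactAssessment) -> List[str]:
    """Classification is what links the owner's impact judgement to control strength."""
    return BASELINE[classify(ia)]


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annual rate of occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def treatment_recommendation(sle: float, aro: float, annual_control_cost: float,
                             control_effectiveness: float,
                             aro_uncertainty: float = 0.0) -> str:
    """Recommend 'mitigate' when the loss a control avoids each year exceeds its
    cost, otherwise 'accept'.

    ARO is usually a subjective estimate, so the decision is evaluated at both ends
    of a +/- aro_uncertainty band. If the two ends disagree the result is
    'indeterminate': the ALE figure alone cannot justify the decision and it should
    be escalated rather than read off the number.
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    if not 0.0 <= aro_uncertainty < 1.0:
        raise ValueError("aro_uncertainty must be in [0, 1)")

    def decide(rate: float) -> str:
        avoided_loss = annual_loss_expectancy(sle, rate) * control_effectiveness
        return "mitigate" if avoided_loss > annual_control_cost else "accept"

    low_end = decide(aro * (1.0 - aro_uncertainty))
    high_end = decide(aro * (1.0 + aro_uncertainty))
    return low_end if low_end == high_end else "indeterminate"


if __name__ == "__main__":
    # Constructed sample assets and figures; not real data.
    crm = ImpactAssessment("customer CRM database", "head of sales",
                           confidentiality="high", integrity="moderate", availability="moderate")
    brochure = ImpactAssessment("public product brochure site", "head of marketing",
                                confidentiality="low", integrity="moderate", availability="low")
    for asset in (crm, brochure):
        print(f"{asset.asset}: {classify(asset)} -> {required_controls(asset)}")

    # Point estimate: SLE 400k, ARO 0.1/yr, a control costing 30k/yr that stops 90% of loss.
    print(treatment_recommendation(400_000, 0.1, 30_000, 0.9))
    # Same inputs, but admit the ARO is only known to within +/- 50%: the answer flips.
    print(treatment_recommendation(400_000, 0.1, 30_000, 0.9, aro_uncertainty=0.5))
```

    With the point estimate the control looks worthwhile (36,000 avoided against 30,000 spent), but once the estimated frequency is allowed to range from 0.05 to 0.15 per year the recommendation is "accept" at one end and "mitigate" at the other. That swing is the deficiency the quiz question is pointing at: the arithmetic is exact, the inputs are not.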

    Prioritization in Risk Management

    • An incomplete catalog of information assets is a significant challenge for effectively prioritizing risk management activities.
    • Accurate asset valuation is essential for justifying risk prioritization and management strategies.

    Information Asset Protection

    • Evaluation of criticality, sensitivity, and business value guides the establishment of protection levels for information assets.
    • Data classification should be based primarily on the potential impact of loss or compromise, as assessed by the data owner.

    Systemic and Operational Risk

    • Tightly integrated IT systems are prone to cascading risk due to the interconnected nature of components, leading to potential widespread failure.

    Information Sharing Security Measures

    • Prior to sharing information externally, an information security manager must review the classification and assess associated risks, followed by determining the need for secure communication and encryption protocols.

    Description

    Test your knowledge on the fundamentals of information asset classification essential for CISM certification. This quiz covers the crucial first steps in performing an information risk analysis. Understand the importance of asset inventory and ownership before delving into risk evaluation.
