You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are preparing the data policy and considering the data classification scheme. You prefer the classification criteria that cover widespread concerns. Which of the following classification criteria best meets your requirement?
A. Sensitivity
B. Criticality
C. Business value
D. Recovery cost
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether your answer is right or wrong. What really matters is your reasoning process and justifications.
My suggested answer is C. Business value.
Asset Classification
Asset classification is the process of a systematic arrangement of assets by assigning an asset to a named class (group, category, tier, or level) based on criteria such as legal or regulatory requirements, sensitivity, criticality, impact, or business value to determine its protection needs.
Classification Scheme
A classification scheme refers to the named classes, criteria, and procedures used for classification.
Sensitivity
Sensitivity is “a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.” (NIST SP 800-60 Vol. 1 R1)
In practice, however, that importance is measured as the degree of impact on the security objective of confidentiality resulting from the loss of, or unauthorized access to, sensitive data.
Criticality
Criticality is “a measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.” (NIST SP 800-60 Vol. 1 R1)
Criticality is typically evaluated in terms of the security objective of availability.
Business Value
Value is anything of importance, significance, use, or benefit. Business value expands the concept of value beyond economic value to include other forms of value, many of which are not directly measured in monetary worth.
In terms of information security, the business value may include considerations of asset value, sensitivity, criticality, impact level, legal or regulatory requirements, and so forth.
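To make the difference between the three criteria concrete, here is a small added example (not code from the original post or its author) of a classification scheme as defined above: named classes, criteria, and a procedure that assigns each asset to a class. The procedure uses a "high water mark" (the highest impact level across the criteria consulted), the rule FIPS 199 and NIST SP 800-60 apply to security categorization. The three impact levels, the class names Internal/Confidential/Restricted, and the sample assets and their ratings are all constructed for illustration. It shows that a scheme keyed on sensitivity alone under-classifies an asset that is public but critical (a rate feed), a scheme keyed on criticality alone under-classifies one that is private but not time-critical (a records archive), while a business-value scheme that consults sensitivity, criticality, regulatory exposure, and monetary impact together catches both.

```python
"""Toy data classification scheme (added example; assets, ratings and class
names are constructed). Each scheme is a set of criteria; the class assigned
is the high water mark of the impact levels over that scheme's criteria."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """Impact level if the asset is disclosed, corrupted, or unavailable."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The named classes of the scheme, keyed by the highest impact level found.
CLASS_LABELS = {
    Impact.LOW: "Internal",
    Impact.MODERATE: "Confidential",
    Impact.HIGH: "Restricted",
}


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: Impact   # confidentiality impact of disclosure
    criticality: Impact   # availability impact if the asset is lost or down
    regulatory: Impact    # legal/regulatory exposure (e.g. personal-data duties)
    monetary: Impact      # direct financial loss or replacement cost


# A scheme is defined by the criteria it consults (constructed for this example).
SCHEMES = {
    "sensitivity": ("sensitivity",),
    "criticality": ("criticality",),
    "business value": ("sensitivity", "criticality", "regulatory", "monetary"),
}


def classify(asset: Asset, scheme: str) -> str:
    """Return the named class: the high water mark over the scheme's criteria."""
    level = max(getattr(asset, criterion) for criterion in SCHEMES[scheme])
    return CLASS_LABELS[level]


def compare_schemes(assets):
    """Classify every asset under every scheme; returns {asset: {scheme: class}}."""
    return {a.name: {s: classify(a, s) for s in SCHEMES} for a in assets}


# Constructed sample inventory for an internet-only bank.
SAMPLE_ASSETS = [
    # KYC records: private and regulated, but logins keep working if the
    # archive is offline for a while, so criticality alone rates it low.
    Asset("customer_kyc_archive", Impact.HIGH, Impact.LOW, Impact.HIGH, Impact.MODERATE),
    # Public FX rate feed: nothing secret, but every transfer depends on it,
    # so sensitivity alone rates it low.
    Asset("fx_rate_feed", Impact.LOW, Impact.HIGH, Impact.LOW, Impact.MODERATE),
    # Marketing images: neither secret nor critical under any scheme.
    Asset("marketing_images", Impact.LOW, Impact.LOW, Impact.LOW, Impact.LOW),
]


if __name__ == "__main__":
    for name, result in compare_schemes(SAMPLE_ASSETS).items():
        print(f"{name:24s} {result}")
```

Running it classifies the KYC archive as Restricted by sensitivity but only Internal by criticality, and the FX feed the other way round; only the business-value scheme rates both Restricted, while the marketing images stay Internal everywhere. In a real policy the criteria, levels and class names come from the bank's own risk appetite and regulators, and the per-criterion ratings come from the asset owners, not from a script.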