As the head of research and development, you are classifying assets based on the corporate asset classification guideline. Which of the following is least likely to happen?
A. Identify the original purchase cost
B. Evaluate the impact of data compromises
C. Establish the classification scheme in terms of business value
D. Determine the security level to support mandatory access control
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Establish the classification scheme in terms of business value.
The classification scheme is applied organization-wide, so it is inappropriate for the R&D head to define one. Moreover, the fact that an asset classification guideline has already been released implies that the classification scheme, as an organizational standard, has already been established.
- There are many types of assets; data is just one of them. An asset purchased for one million dollars is apparently more valuable than one purchased for two thousand dollars and warrants more protection measures.
- An asset whose compromise may cause a loss of one million dollars requires more security controls than one whose loss would be two thousand dollars.
- Mandatory access control (MAC) is commonly implemented in government departments; only some private businesses implement it. However, in Windows Vista and later versions, Microsoft provides Mandatory Integrity Control (MIC), an implementation of MAC that enforces integrity, in which all subjects and objects are given MIC labels, as the following image shows.
“Asset classification is the process of a systematic arrangement of assets by assigning an asset to a named class (group, category, tier, or level) based on criteria such as legal or regulatory requirements, sensitivity, criticality, impact, or business value to determine its protection requirements. A classification scheme refers to the named classes, criteria, and procedures used for classification.” (Wentz Wu, The Effective CISSP: Security and Risk Management) Executive Order 12356 is a good example of the classification scheme in terms of confidentiality.
Executive Order 12356
Section 1.1 Classification Levels.
(a) National security information (hereinafter “classified information”) shall be classified at one of the following three levels:
(1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
(2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
(3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
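To make the two ideas above concrete, here is an added illustration (not from the post or the book) that models a classification scheme as named classes plus criteria, using the three EO 12356 levels, and a label-based MAC decision in the style of Windows MIC's default No-Write-Up rule. The integrity levels, asset names and damage strings are constructed sample values.

```python
from dataclasses import dataclass
from enum import IntEnum

# Classification scheme: named classes and the criterion that selects each class.
# Criteria follow EO 12356 Section 1.1 (expected damage from unauthorized disclosure).
DAMAGE_TO_LEVEL = {
    "exceptionally grave": "Top Secret",
    "serious": "Secret",
    "damage": "Confidential",
}


def classify_by_damage(expected_damage: str) -> str:
    """Apply the scheme: map the expected damage of disclosure to a named class."""
    try:
        return DAMAGE_TO_LEVEL[expected_damage]
    except KeyError:
        # Anything outside the defined criteria is a scheme gap, not a silent default.
        raise ValueError(f"no class defined for damage '{expected_damage}'")


class Integrity(IntEnum):
    """Windows MIC integrity levels, lowest to highest (constructed subset)."""
    UNTRUSTED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SYSTEM = 4


@dataclass(frozen=True)
class Labeled:
    """A subject (process) or object (file, key) carrying a mandatory label."""
    name: str
    integrity: Integrity


def mic_write_allowed(subject: Labeled, obj: Labeled) -> bool:
    """MIC default policy (No-Write-Up): a subject may modify an object only
    when its integrity level is at least the object's. The decision depends on
    the labels alone, not on the owner's discretion."""
    return subject.integrity >= obj.integrity


def mic_write_decisions(subject: Labeled, objects: list) -> dict:
    """Evaluate a subject against several labeled objects; returns name -> allowed."""
    return {o.name: mic_write_allowed(subject, o) for o in objects}
```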
- The Effective CISSP: Security and Risk Management
- Executive Order 12356–National security information
- Mandatory Integrity Control in Windows 10
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
C. Establish the classification scheme in terms of business value