CISSP PRACTICE QUESTIONS – 20210220

Effective CISSP Questions

You are the head of the research and development (R&D) department. As the data owner of R&D data sets, you are responsible for classifying data and accountable for the results. Which of the following is the best criterion that justifies your classification decision?
A. The importance or meaning to stakeholders
B. The risk of the unauthorized disclosure of information
C. The risk of the unauthorized modification or destruction of information
D. The risk of the disruption of access to or use of information or an information system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. The importance or meaning to stakeholders.

Data classification is the process of evaluating the business value of data, or its importance and meaning to stakeholders, to determine the appropriate level of protection. The business value of data can be evaluated from various perspectives, such as confidentiality, integrity, availability, loss of revenue, purchase cost, opportunity cost, etc. The classification scheme of TOP SECRET, SECRET, and CONFIDENTIAL is a regulatory requirement (Executive Order 12356) defined solely in terms of confidentiality.

  • The unauthorized disclosure of information means confidentiality.
  • The unauthorized modification or destruction of information means integrity.
  • The disruption of access to or use of information or an information system means availability.


