A set of computer files are classified as confidential. Which of the following is the most critical control to enforce security policies that emphasize confidentiality? (Wentz QOTD)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Labeling.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Labeling and marking are defined in NIST SP 800-53 R4 as follows:
- Labeling refers to the association of security attributes with subjects and objects represented by internal data structures within organizational information systems, to enable information system-based enforcement of information security policies. (NIST SP 800-53 R4)
- Marking refers to the association of security attributes with objects in a human-readable form, to enable organizational process-based enforcement of information security policies. (NIST SP 800-53 R4)
A computer file classified as confidential is processed by information systems that enforce the information security policies. However, labeling can be used to cover the idea of marking, e.g., ISO 27001 Annex: A.8.2.2 Labeling of Information.
Classification is a method of sorting assets into categories based on the classification scheme. Per Executive Order 12356, National security information (hereinafter “classified information”) shall be classified at one of the following three levels:
(1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
(2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
(3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
In this regard, classification implies assets are classified based on confidentiality.
Categorization of assets can be based on more general criteria. For example, the first step of NIST RMF, Categorize System, categorizes an information system based on the high watermark of the impact of confidentiality, integrity, and availability of information types it processes.
- Media Marking and Media Labeling
- ISO 27001 Annex : A.8.2.2 Labeling of Information & A.8.2.3 Handling of Assets
一組電腦檔案被歸類為機密。 以下哪項是強化以機密性為主的安全策略的最關鍵控制？(Wentz QOTD)
A. 標記 (Marking)
B. 記錄 (Journaling)
C. 標籤 (Labeling)
D. 分類 (Categorization)