Question 648 - CISA discussion
Which of the following should be an IS auditor's GREATEST concern when a data owner assigns an incorrect classification level to data?

A. Controls to adequately safeguard the data may not be applied.
B. Data may not be encrypted by the system administrator.
C. Competitors may be able to view the data.
D. Control costs may exceed the intrinsic value of the IT asset.

Suggested answer: A

Explanation:

The answer A is correct because the greatest concern for an IS auditor when a data owner assigns an incorrect classification level to data is that controls to adequately safeguard the data may not be applied. Data classification is the process of categorizing data assets based on their information sensitivity and business impact. Data classification helps organizations to identify, protect, and manage their data according to their value and risk. Data owners are the individuals or entities who have the authority and responsibility to define, classify, and control the access and use of their data.

Data classification typically involves assigning labels or tags to data assets, such as public, internal, confidential, or restricted. These labels indicate the level of protection and handling required for the data. Based on the data classification, organizations can implement appropriate controls to safeguard the data, such as encryption, access control lists, audit logs, backup policies, etc. These controls help to prevent unauthorized access, disclosure, modification, or loss of data, and to ensure compliance with relevant laws and regulations.

If a data owner assigns an incorrect classification level to data, it can result in either underprotection or overprotection of the data. Underprotection means that the data is classified at a lower level than it should be, which exposes it to higher risks of compromise or breach. For example, if a data owner classifies personal health information (PHI) as public instead of confidential, it may allow anyone to access or share the data without proper authorization or consent. This can violate the privacy rights of the data subjects and the compliance requirements of regulations such as HIPAA (Health Insurance Portability and Accountability Act). Overprotection means that the data is classified at a higher level than it should be, which limits its availability or usability. For example, if a data owner classifies marketing materials as restricted instead of public, it may prevent potential customers or partners from accessing or viewing the data. This can reduce the business value and opportunities of the data.

Therefore, an IS auditor should be concerned about the accuracy and consistency of data classification by data owners, as it affects both the security and the efficiency of data management. An IS auditor should review the policies and procedures for data classification, verify that data owners have adequate knowledge and skills to classify their data, and test that the assigned classification labels match the actual sensitivity and business impact of the data.
asked 18/09/2024
Min Soe Aye