
CISA Exam-Testing Concept-Classification of Information Assets (Domain-5)


Domain-5

Testing Concept-Classification of Information Asset

Hemang Doshi

CISA, ACA, DISA, FIII

Details about this E-Book:

The objective of this e-book is to ensure that CISA candidates get adequate knowledge of the concepts on ‘Classification of Information Assets’. Concepts have been simplified for easy reference by CISA candidates.

Question, Answer and Explanation (QAE) items on the concepts are designed in accordance with the CISA exam pattern.

 

 

 

Point to remember for CISA Exam:

 

(1) In any given scenario, the following are the logical steps for data classification:

 

-First step is to have inventory of Information Assets.

-Second step is to establish ownership.

-Third step is classification of IS resources.

-Fourth step is labelling of IS resources.

-Fifth step is creation of access control list.

 

(2) In any given scenario, data owner/system owner is ultimately responsible for defining the access rules.

 

(3) In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner.

 

(4) In any given scenario, the greatest benefit of a well-defined data classification policy is decreased cost of control.

 

(5) In any given scenario, the most important objective of data protection is to (i) ensure integrity/confidentiality of data and (ii) establish appropriate access control guidelines.

 

(6) Data classification must take into account the following requirements:

 

-Legal/Regulatory/Contractual

-Confidentiality

-Integrity

-Availability

 

(7) In any given scenario, it is very important for the data owner and data custodian to have knowledge and awareness of the data classification policy of the company. This ensures proper classification of data as per organizational requirements.

 

(8) The following table summarizes the above provisions:

 

 

 

 

 

 

Question, Answer & Explanation on ‘Classification of Information Assets’ Concept:

The QAE below are solely on the above concept. Questions have been designed as per the CISA exam pattern. Candidates are advised to attempt the questions multiple times, with more emphasis on the explanation part for better understanding.

 

 

(1) Responsibility for the maintenance of proper control measures over information resources resides with the:

 

A. database administrator

B. security administrator

C. data and systems owners

D. systems operations group

 

Answer: C. data and systems owners

 

Explanation:

In any given scenario, accountability for the maintenance of security controls over information assets resides with the data owner/system owner. Even though an owner may delegate responsibilities to other specialized functions, the owner remains accountable for the maintenance of appropriate security measures. Management should ensure that every information resource has an appointed owner who makes decisions about classification and access rights.

 

 

(2) An IS auditor is evaluating data classification policy of an organisation. The FIRST step in data classification is to:

 

A. the labeling of IS resources

B. establish ownership

C. perform an impact analysis

D. define access control rules

 

Answer: B. establish ownership

 

Explanation:

In any given scenario, following are the logical steps for data classification:

 

-First step is to have inventory of IS resources

-Second step is to establish ownership

-Third step is classification of IS resources

-Fourth step is labelling of IS resources

-Fifth step is creation of access control list

 

In the above question, the inventory of IS resources is not among the options. Hence the second logical step, i.e., establishing ownership, is the answer. The data owner is responsible for defining the access rules; hence establishing ownership is critical.

 

 

(3) An IS auditor is evaluating access control policy of an organisation. The implementation of access controls FIRST requires:

 

A. creation of an access control list

B. an inventory of IS resources

C. perform an impact analysis

D. labelling of IS resources

 

Answer: B. an inventory of IS resources

Explanation:

In any given scenario, following are the logical steps for data classification and implementation of access control:

 

-First step is to have inventory of IS resources

-Second step is to establish ownership

-Third step is classification of IS resources

-Fourth step is labelling of IS resources

-Fifth step is creation of access control list

 

The first step in implementing access controls is an inventory of IS resources.

 

 

(4) Which of the following is the MOST important objective of data protection?

 

A. creation of an access control list

B. ensuring the integrity of information

C. reduction in cost of control

D. to comply with risk management policy

 

Answer: B. ensuring the integrity of information

 

Explanation:

In any given scenario, the most important objective of data protection is to ensure the integrity and confidentiality of data.

The other choices are steps toward, or benefits of, data protection rather than its objective.

 

 

(5) Proper classification and labelling of system resources are important for access control because they:

 

A. help to avoid ambiguous resource names

B. reduce the number of rules required to adequately protect resources

C. serve as stringent access control

D. ensure that internationally recognized names are used to protect resources

 

Answer: B. reduce the number of rules required to adequately protect resources.

 

Explanation:

Proper classification and labelling of system resources are important for the efficient administration of security controls. Proper labelling reduces the number of rules required to adequately protect resources, which in turn simplifies security administration and maintenance. Fewer rules also make it easier to grant access correctly. Proper classification and labelling do not necessarily ensure options A, C and D.
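The five logical steps listed under point (1) and the point made in this explanation (one rule per label instead of one rule per resource) can be shown together in a single small script. This is an added example, not code from the e-book or from ISACA: the level names, the role names in the access rules, the inventory entries and their impact ratings are all constructed for illustration. It runs the steps in order: inventory, ownership, classification as the highest of the C/I/A impact ratings and the legal/regulatory floor, labelling, and finally an ACL derived from the labels. It refuses to build the ACL while any asset has no owner, because only the owner can authorise access.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    """Classification levels, ordered so that max() picks the more sensitive one.
    These names are hypothetical; substitute the organisation's own scheme."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Asset:
    """One inventory entry (step 1). Impact ratings and the legal floor come from the owner."""
    name: str
    owner: Optional[str]                  # step 2: None means ownership not yet established
    confidentiality: Level
    integrity: Level
    availability: Level
    legal_minimum: Level = Level.PUBLIC   # floor from legal/regulatory/contractual requirements
    replacement_cost: int = 0             # recorded, but deliberately NOT used for classification
    label: Optional[Level] = None         # step 4: filled in by label_inventory()


# Step 1: the inventory. Constructed sample data, not from any real organisation.
INVENTORY: List[Asset] = [
    Asset("customer_db", "head_of_sales", Level.RESTRICTED, Level.CONFIDENTIAL,
          Level.CONFIDENTIAL, legal_minimum=Level.RESTRICTED, replacement_cost=50_000),
    Asset("payroll_export", "hr_director", Level.CONFIDENTIAL, Level.CONFIDENTIAL,
          Level.INTERNAL, legal_minimum=Level.CONFIDENTIAL, replacement_cost=1_000),
    # Cheap to rebuild, but tampering with it would taint every release: critical, not costly.
    Asset("build_server_config", "platform_lead", Level.INTERNAL, Level.RESTRICTED,
          Level.RESTRICTED, replacement_cost=200),
    Asset("public_website_html", "marketing_lead", Level.PUBLIC, Level.INTERNAL,
          Level.INTERNAL, replacement_cost=5_000),
    Asset("old_marketing_deck", None, Level.INTERNAL, Level.PUBLIC, Level.PUBLIC),
]

# Owner-approved access rule per label, the input to step 5. Role names are hypothetical.
LABEL_RULES: Dict[Level, Set[str]] = {
    Level.PUBLIC: {"anyone"},
    Level.INTERNAL: {"employee"},
    Level.CONFIDENTIAL: {"employee_with_need_to_know"},
    Level.RESTRICTED: {"named_individuals_approved_by_owner"},
}


def classify(asset: Asset) -> Level:
    """Step 3: the classification is the highest of the C/I/A ratings and the legal floor.
    replacement_cost is ignored on purpose: a cheap asset can still be critical."""
    return max(asset.confidentiality, asset.integrity, asset.availability, asset.legal_minimum)


def label_inventory(inventory: List[Asset]) -> List[Asset]:
    """Step 4: attach the classification to each asset as its label."""
    for asset in inventory:
        asset.label = classify(asset)
    return inventory


def assign_owner(inventory: List[Asset], name: str, owner: str) -> None:
    """Step 2, applied late: management appoints an owner for an asset found without one."""
    for asset in inventory:
        if asset.name == name:
            asset.owner = owner
            return
    raise KeyError(name)


def build_acl(inventory: List[Asset], rules: Dict[Level, Set[str]]) -> Dict[str, dict]:
    """Step 5: derive the ACL from labels. Refuses to proceed while any asset is unowned,
    because there is nobody entitled to authorise access to it, or unlabelled."""
    unowned = [a.name for a in inventory if a.owner is None]
    if unowned:
        raise ValueError(f"cannot build ACL, assets without an owner: {unowned}")
    unlabelled = [a.name for a in inventory if a.label is None]
    if unlabelled:
        raise ValueError(f"cannot build ACL, assets not yet labelled: {unlabelled}")
    return {
        a.name: {"owner": a.owner, "label": a.label.name, "allowed": sorted(rules[a.label])}
        for a in inventory
    }


def rules_needed_per_resource(inventory: List[Asset]) -> int:
    """Without labels, every resource needs its own access rule."""
    return len(inventory)


def rules_needed_per_label(inventory: List[Asset]) -> int:
    """With labels, one rule per label in use covers every resource carrying that label."""
    return len({a.label for a in inventory if a.label is not None})


if __name__ == "__main__":
    labelled = label_inventory(INVENTORY)
    try:
        build_acl(labelled, LABEL_RULES)
    except ValueError as err:
        print("blocked:", err)
    assign_owner(labelled, "old_marketing_deck", "marketing_lead")
    for name, entry in build_acl(labelled, LABEL_RULES).items():
        print(f"{name:22} {entry['label']:13} owner={entry['owner']:15} allowed={entry['allowed']}")
    print("rules per resource:", rules_needed_per_resource(labelled),
          "rules per label:", rules_needed_per_label(labelled))
```

Two things to notice when running it. First, `build_server_config` costs almost nothing to replace yet lands in the highest class because its integrity and availability ratings are high, which is the cost-versus-criticality point made in question (10). Second, five resources need only three label-based rules, and adding a sixth resource with an existing label adds no rule at all, whereas per-resource rules grow one for one.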

 

 

(6) In coordination with the database administrator, granting access to data is the responsibility of:

 

A. data owners

B. system engineer

C. security officer

D. librarians

 

Answer: A. data owners

 

Explanation:

In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner. Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners.

 

 

(7) An IS auditor is reviewing the data classification policy of an organisation. From a control perspective, the PRIMARY objective of classifying information assets is to:

 

A. ensure that all assets are insured against losses.

B. assist in risk assessment

C. establish appropriate access control guidelines

D. ensure all information assets have access controls

 

Answer: C. establish appropriate access control guidelines

 

Explanation:

The first step in establishing access control is a well-defined information asset classification policy. By assigning levels of criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. Hence, from a control perspective, the primary objective of classification is to establish appropriate access control guidelines. Not all assets are required to be insured, and access control may not be required for all assets. Classification helps in risk assessment, but that is not its primary objective.

 

 

(8) From a control perspective, access to application data should be given by:

 

A. database administrator

B. data custodian

C. data owner

D. security administrator

 

Answer: C. data owner

 

Explanation:

In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner. The ultimate responsibility for data resides with the data owner.

Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The DBA is responsible for managing the database.

 

 

(9) An IS auditor is reviewing access control policy of an organisation. Which of the following is responsible for authorizing access rights to production data and systems?

 

A. Process owner

B. Data owner

C. Data custodian

D. Security administrator

 

Answer: B. Data owner

 

Explanation:

In any given scenario, accountability for the maintenance of proper security controls over information assets resides with the data owner/system owner. The ultimate responsibility for data resides with the data owner.

Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. Process owners have greater knowledge of the process objectives; however, they are not the best suited to authorize access to specific data.

 

 

(10) An IS auditor is reviewing access control policy of an organisation. Which of the following is the BEST basis for determining the appropriate levels of information resource protection?

 

A. Classification of Information Assets

B. Data owner

C. Threat Assessment

D. Cost of Information Assets

 

Answer: A. Classification of Information Assets

 

Explanation:

Classification of Information Asset on the basis of criticality and sensitivity provides the best basis for assigning levels of information resource protection.

Threat assessment alone does not take into account criticality or sensitivity, which is the basis for assigning levels of information resource protection. Cost of assets is not an adequate basis for determining the needed level of protection. An asset can be negligible from a cost standpoint, but extremely critical to operations or sensitive if exposed.

 

(11) The MOST important benefit of having a data classification policy is:

 

A. data classification ensures an accurate inventory of information assets.

B. data classification helps to decrease the cost of controls.

C. data classification helps in vulnerability assessment.

D. data classification helps in appropriate alignment with data owners.

 

Answer: B. data classification helps to decrease the cost of controls.

 

Explanation:

In any given scenario, the greatest benefit of a well-defined data classification policy is decreased cost of control. The other choices are direct or indirect benefits of a well-defined data classification policy, but the greatest benefit is the reduction in cost.

 

(12) For appropriate data classification, the MOST important requirement is:

 

A. Knowledge of technical controls for protection of data.

B. Awareness and training about organizational policies and standards.

C. Use of automatic data control tools.

D. Understanding the requirements of data users.

 

Answer: B. Awareness and training about organizational policies and standards.

 

Explanation:

In any given scenario, it is very important for the data owner and data custodian to have knowledge and awareness of the data classification policy of the company. This ensures proper classification of data as per organizational requirements.

The other options are also important for a well-defined data classification policy, but the most important requirement is knowledge of organizational policies and standards.

 



  • Author: Hemang Doshi
  • Published: 2016-10-01 09:20:08
  • Words: 1775