Evaluate Data Classification And Handling Requirements
CPA Information Systems and Controls (ISC) › Evaluate Data Classification And Handling Requirements
A data classification policy typically assigns sensitivity levels to data to determine appropriate handling requirements. Which of the following is the correct purpose of data classification?
To assign monetary values to the organization's data assets for financial reporting.
To determine which employees are permitted to use the organization's IT systems.
To categorize data based on its sensitivity and criticality so that proportionate security controls can be applied.
To establish the physical locations where data may be stored.
Explanation
Data classification enables organizations to apply controls commensurate with the sensitivity of the data - higher-sensitivity data receives stronger protections. Answer D is correct. User access decisions (A) are informed by classification but are not its purpose. Physical location restrictions (B) are a handling requirement that flows from classification. Monetary valuation (C) is a separate data asset management concept.
An organization's data classification policy has four levels: Public, Internal Use Only, Confidential, and Restricted. An HR file containing employee social security numbers would most appropriately be classified as:
Confidential - a mid-level classification sufficient for most sensitive data.
Restricted - the highest sensitivity level, requiring the strongest access controls, encryption, and handling requirements.
Internal Use Only - since the data is used internally by HR staff.
Public - since social security numbers are sometimes used in public documents.
Explanation
Employee social security numbers are personally identifiable information (PII) with significant regulatory and fraud risk implications. They warrant the highest classification (Restricted) and corresponding controls. Answer A is correct. 'Confidential' (B) may apply to some sensitive data but not the most sensitive PII. Internal use (C) and Public (D) classifications are wholly inappropriate for SSNs.
Which of the following best describes 'data handling requirements' associated with a confidential classification?
The data must be deleted after 30 days regardless of business need.
The data must be encrypted when stored or transmitted, access must be limited to authorized personnel, and it must not be shared externally without authorization.
The data can be freely shared with any employee upon request.
The data must be printed and stored in physical filing cabinets rather than digital systems.
Explanation
Confidential data handling requirements include encryption at rest and in transit, access restrictions to authorized users, and controls on external sharing - proportionate to the data's sensitivity. Answer D is correct. Free sharing (A) violates confidentiality. Arbitrary deletion (B) may conflict with retention requirements. Physical-only storage (C) is not a standard handling requirement.
An organization requires all employees to label emails containing confidential information with a 'CONFIDENTIAL' header before sending. The primary purpose of this labeling requirement is:
To make recipients aware of the data's sensitivity and the handling requirements that apply, supporting informed data stewardship.
To enable the IT department to block confidential emails from leaving the organization.
To comply with a specific regulatory requirement mandating email labeling.
To ensure emails are automatically encrypted by the email system.
Explanation
Data labeling communicates the sensitivity level to recipients so they know which handling controls apply - a foundational element of data classification programs. Answer B is correct. Labeling alone does not trigger encryption (A). While regulations may require labeling, the primary purpose is awareness (C). DLP tools may act on labels, but labeling itself does not block emails (D).
A company's data handling policy requires that restricted data be encrypted using AES-256 when stored on portable devices. During an audit, the auditor finds that several laptops containing restricted customer data use only BitLocker with a 128-bit key. The auditor should:
Accept this as compliant since BitLocker is an industry-standard encryption tool.
Accept this since the laptops are company-issued devices.
Accept this since 128-bit encryption is sufficient for all practical purposes.
Flag this as a policy non-compliance - the encryption strength does not meet the AES-256 requirement specified for restricted data.
Explanation
The policy specifically requires AES-256 for restricted data. Using 128-bit encryption - regardless of its practical security - does not meet the stated policy requirement. Answer B is correct. The policy requirement sets the standard, not industry norms (A), practical adequacy arguments (C), or device ownership (D).
Which of the following data types would typically be classified at the highest sensitivity level in most organizations?
Employee work schedules and internal meeting agendas.
General industry research reports used for strategic planning.
Published product specifications and customer-facing pricing sheets.
Unpublished merger and acquisition plans, trade secrets, and government-classified information.
Explanation
Unpublished M&A plans and trade secrets represent the organization's most sensitive strategic information - unauthorized disclosure could cause severe competitive, legal, and financial harm. Answer A is correct. Work schedules (B) and publicly shared information (C, D) are lower sensitivity.
Under most data classification frameworks, who is primarily responsible for classifying data?
External auditors, who independently assess data sensitivity.
The IT department, since it manages the systems where data is stored.
The internal audit function, since it has visibility across all business processes.
The data owner - typically the business unit manager responsible for the data and its use - who understands its sensitivity and business context.
Explanation
Data owners are business leaders who understand the value, sensitivity, and regulatory context of the data they create and use - making them best positioned to classify it. Answer C is correct. IT manages data technically but lacks business context for classification (A). Internal audit provides assurance but is not a data owner (B). External auditors do not classify organizational data (D).
Data handling requirements for 'internal use only' data typically include which of the following?
The data may be shared among employees for business purposes but should not be disclosed externally without authorization.
The data must be encrypted using military-grade algorithms and stored in air-gapped systems.
The data must be deleted within 90 days of creation.
The data requires board-level approval before it can be accessed by any employee.
Explanation
Internal-use-only data is generally unrestricted within the organization for business purposes but protected from external disclosure. Answer B is correct. Military-grade encryption (A) is excessive for internal data. Mandatory deletion (C) may conflict with retention needs. Board approval (D) would be impractical and disproportionate.
A technology company stores source code for its proprietary products. Which data classification level is most appropriate for this data?
Restricted or Confidential - proprietary source code is a trade secret whose unauthorized disclosure would cause significant competitive harm.
Unclassified - source code is technical data that does not require classification.
Internal Use Only - source code is used by employees and should be available broadly across the organization.
Public - source code is often published as open source.
Explanation
Proprietary source code is one of a technology company's most sensitive assets - its unauthorized disclosure could enable competitors to copy products, undermining the company's competitive position. Answer A is correct. Broad internal access (B) risks insider theft. Not all source code is open source (C). All data requires classification (D).
An organization's data handling policy requires that all printed documents containing confidential data be shredded rather than placed in regular waste bins. This policy addresses which data protection risk?
Unauthorized electronic access to confidential data.
Physical dumpster diving - retrieving confidential information from improperly disposed documents.
Unauthorized modification of confidential records.
Data loss during electronic transmission.
Explanation
Shredding requirements prevent confidential data from being recovered by unauthorized individuals who search through trash - a social engineering and physical security attack known as dumpster diving. Answer D is correct. Electronic access (A), transmission security (B), and data modification (C) are not mitigated by physical shredding policies.