Why is data classification control important to an organization?
Data classification control is crucial to an organization to ensure its integrity, confidentiality, and availability. By categorizing data based on its sensitivity and value, appropriate security measures and protocols can be implemented to protect it from unauthorized access, modification, and disruptions, thus maintaining the organization’s data security principles of confidentiality, integrity, and availability.
B. Official study guide, P182. Data classification only protects data confidentiality and integrity; it has nothing to do with availability. A data classification identifies the value of the data to the organization and is critical to protect data confidentiality and integrity.
B is correct
Changing to C
Your reply can't be more meaningless for the discussion.
C would be right if it aligns with the risk tolerance of the organization. Why ensure the CIA if it does not align with your goals? The best choice is B.
Best answer would be C. You don’t perform data classification to ensure that “security controls” are aligned with the organisational risk appetite. It doesn’t make sense. You implement data classification to ensure that only individuals at specific clearance levels have access to read/write to specific sets of classified data (Confidentiality). Classifying the data would then, in turn, prove to be integral, and the availability piece would then be applicable.
The correct answer is B. Data classification is important to enable security controls that align with an organization's risk appetite, so option B is correct. Properly classifying data allows applying security controls at levels commensurate with the data's sensitivity and criticality to the business. This ensures controls match the organization's priorities and risk profile. Option A is a benefit of classification but not the core purpose. Option C states generic goals rather than strategic alignment. Option D is also a secondary advantage, not the primary driver.
B. Think like a manager, or perhaps a CISO.
CIA is why we classify data. Simple.
CIA is not why we classify data; it's confidentiality and need to know.
B. To ensure security controls align with organizational risk appetite is one of the reasons why data classification control is important to an organization. By classifying data based on its sensitivity and criticality, an organization can ensure that appropriate security controls are implemented to protect that data. This helps the organization to align its security efforts with its overall risk appetite and risk management strategy. Additionally, C. To ensure its integrity, confidentiality and availability is also a reason why data classification control is important. By classifying data, the organization can ensure that the appropriate level of protection is applied to the data to maintain its confidentiality, integrity, and availability. D. To control data retention in alignment with organizational policies and regulation is also a reason why data classification control is important. By classifying data, the organization can ensure that data is retained and disposed of in accordance with legal, regulatory, and organizational requirements.
I think it is D. For C, data classification can't address availability and integrity. For appetite, it does not make sense, because the security strategy must be driven by the business (remember: think first of human life, second of the business). For D, data retention involves a business process (for example, matching PCI regulation), so the business needs to classify the data in order to know which data, and whether this data falls under a regulation important to the business.
The only thing that makes sense is D. C, although it's the most popular, makes no sense. How can data classification achieve CIA? E.g., in Biba or Bell-LaPadula, do you have all 3 from CIA? Makes no sense.
Data classification: public data, internal data, confidential data, and restricted data. Data classification helps organizations understand the sensitivity and criticality of their data. By classifying data based on its importance, organizations can align their security controls and measures with their risk appetite. This ensures that appropriate security controls are applied to protect data according to its classification level.
Option B, "To ensure security controls align with organizational risk appetite," is indeed a valid reason for why data classification control is important to an organization. Data classification helps organizations align their security controls with their risk appetite by enabling them to identify and prioritize the protection of sensitive or critical data. It allows organizations to allocate resources and apply appropriate security measures based on the classification of data and the associated risks. By classifying data, organizations can determine the level of security controls and safeguards needed for each classification category. This ensures that security measures are proportionate to the level of risk associated with the data. It helps organizations focus their efforts and resources on protecting the most sensitive or high-risk data, while also ensuring that less critical data receives appropriate levels of protection. So, both option B ("To ensure security controls align with organizational risk appetite") and option C ("To ensure its integrity, confidentiality, and availability") are valid reasons for the importance of data classification control.
Though C sounds good, data classification contributes to confidentiality and integrity and less to availability; therefore I think "To ensure security controls align with organizational risk appetite" is the better answer.
B, because it's all about risk when it comes to protecting the data = values. Risk appetite in NIST definition is "The types and amount of risk, on a broad level, [an organization] is willing to accept in its pursuit of value."
C. To ensure its integrity, confidentiality and availability
Answer B) Data classification helps you provide the right level of protection based on the data's value, sensitivity, and the risk posed to the organization if that data is lost, stolen, or exposed
CISSP 9th official guide, chapter 5.1.2, page 157: the description of classification. It mentioned that classification recognizes the value of the data. It is important to protect the data integrity and confidentiality.
So it’s not saying anything about availability, and that makes B the answer.
Correct answer is B. You do not need data classification to protect the CIA. But you need it to adapt the appropriate controls to the level of sensitivity at which you classified the asset.
Getting us back on the right course. B. To ensure security controls align with organizational risk appetite. This is correct. I've seen different flavors of this same question. Data classification is primarily used to determine the appropriate security controls on it that align with the business risk appetite. This is the correct answer every time. Simply classifying it doesn't ensure jack anything. You need the controls. B