Data Classification and Protection: Best Practices for CompTIA CASP+ Exam (CAS-003)

The Best Course of Action for Protecting Sensitive Data

Question

A security analyst is classifying data based on input from data owners and other stakeholders.

The analyst has identified three data types:

1. Financially sensitive data
2. Project data
3. Sensitive project data

The analyst proposes that the data be protected in two major groups, with further access control separating the financially sensitive data from the sensitive project data.

The normal project data will be stored in a separate, less secure location.

Some stakeholders are concerned about the recommended approach and insist that commingling data from different sensitive projects would leave them vulnerable to industrial espionage.

Which of the following is the BEST course of action for the analyst to recommend?

Answers

Explanations


B.

The security analyst is classifying data based on input from data owners and other stakeholders. The analyst has identified three data types: financially sensitive data, project data, and sensitive project data. The analyst proposes that the data be protected in two major groups, with further access control separating the financially sensitive data from the sensitive project data. The normal project data will be stored in a separate, less secure location. Some stakeholders are concerned about the recommended approach and insist that commingling data from different sensitive projects would leave them vulnerable to industrial espionage. The analyst needs to recommend the best course of action in this situation.

Option A: Conduct a quantitative evaluation of the risks associated with commingling the data and reject or accept the concerns raised by the stakeholders.

Conducting a quantitative evaluation of the risks associated with commingling the data can help the analyst identify the risks and their likelihood and impact. This approach can help the analyst assess whether the concerns raised by the stakeholders are valid or not. However, this approach may not address the stakeholders' concerns directly, and it may not be the best course of action in this situation.

Option B: Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.

Meeting with the affected stakeholders can help the analyst understand their concerns and identify the security controls that can address the newly raised risks. This approach can help the analyst address the stakeholders' concerns directly and come up with a solution that satisfies their requirements. However, this approach may not be feasible in some situations, and it may not be the most effective way to address the issue.

Option C: Use qualitative methods to determine aggregate risk scores for each project and use the derived scores to more finely segregate the data.

Using qualitative methods to determine aggregate risk scores for each project can help the analyst identify the risks and their likelihood and impact. This approach can help the analyst segregate the data more finely and provide additional protection to sensitive projects. However, this approach may not address the stakeholders' concerns directly, and it may not be the best course of action in this situation.

Option D: Increase the number of available data storage devices to provide enough capacity for physical separation of non-sensitive project data.

Increasing the number of available data storage devices can help the analyst physically separate non-sensitive project data from other sensitive data. This approach can help the analyst provide additional protection to sensitive data and address the stakeholders' concerns directly. However, this approach may not be feasible in some situations, and it may not be the most effective way to address the issue.

Overall, Option B, meeting with the affected stakeholders and determining which security controls would be sufficient to address the newly raised risks, is the BEST course of action for the analyst to recommend. This approach can help the analyst address the stakeholders' concerns directly and come up with a solution that satisfies their requirements.