CISM Question #107: Real Exam Question with Answer & Explanation
The correct answer is D: Data classification.
Question
Which of the following is MOST helpful to an information security manager when determining service level requirements for an outsourced application?
Options
- A. Supplier business continuity plan (BCP)
- B. Information security policy
- C. Application capabilities
- D. Data classification
Explanation
When determining service level requirements for an outsourced application, data classification is most helpful as it dictates the necessary security controls and availability levels.
Common mistakes
- A. The supplier's BCP is important for resilience, but data classification is a prerequisite for defining what resilience (and other security) levels are needed in the first place.
- B. An information security policy sets overall organizational standards, but data classification translates those policies into specific, measurable requirements for a particular application and its data.
- C. Application capabilities describe what the application does, not the security or service level requirements for the data it handles.
Concept tested: Data classification for SLAs
Reference: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf