CISSP · Question #420
Which of the following is the PRIMARY security consideration for how an organization should handle Information Technology (IT) assets?
The correct answer is D. The classification of the data on the asset. The primary security consideration for handling IT assets is determined by the sensitivity and classification of the data they store or process, which drives all subsequent security decisions.
Question
Which of the following is the PRIMARY security consideration for how an organization should handle Information Technology (IT) assets?
Options
- AThe monetary value of the asset
- BThe controls implemented on the asset
- CThe physical form factor of the asset
- DThe classification of the data on the asset
How the community answered
(43 responses)- A7% (3)
- B14% (6)
- C5% (2)
- D74% (32)
Why each option
The primary security consideration for handling IT assets is determined by the sensitivity and classification of the data they store or process, which drives all subsequent security decisions.
Monetary value does not determine security requirements; a low-cost USB drive containing classified data requires far more stringent controls than an expensive server holding only public information.
Controls are implemented as a result of the data classification decision, not the primary consideration itself; controls are the response to the security requirement, not the driver of it.
Physical form factor (e.g., laptop vs. server vs. mobile device) may influence certain security measures but is not the primary determinant of how an asset should be protected; the data it holds takes precedence.
Data classification (e.g., public, internal, confidential, restricted) determines the required level of protection for an IT asset, dictating handling procedures, access controls, storage requirements, and disposal methods. An asset containing highly classified or sensitive data must be protected accordingly regardless of its physical form or monetary value. This principle is foundational in frameworks like NIST SP 800-60 and ISO 27001, where data sensitivity drives asset security policy.
Concept tested: IT asset handling based on data classification
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf
Topics
Community Discussion
No community discussion yet for this question.