Which of the following is not a reason why data should be classified?
A.
Classification forces valuation which can be used to determine risk.
B.
Classification is required to determine appropriate access controls.
C.
Classification can be used to optimize security budget.
D.
Classification is required to develop secure systems.
Explanation:
Data classification is not a requirement of secure systems. Systems
can be made secure without any regard to the sensitivity of the data they will
handle. However, system investment can be optimized if the data classification,
representing its underlying value, is known. Systems handling low sensitivity
information, for instance, can require fewer or less rigorous security controls than
one that handles top secret information. Knowledge of data classification,
therefore, can optimize budgets on development projects, putting money where it is
most needed.