There are a number of ways to classify applications in order to assess business risks and assign
appropriate security policies. Which of the following is not described as a primary means to
classify an application?
A. by the user community it serves, such as HR, finance, all employees, general public, and so on
B. by the information it handles, such as classified information, personal information, publicly
available information, and so on
C. by business criticality, such as revenue-generating applications versus informational
applications
D. by technology and/or vendor, such as .NET versus Java, and so on
E. by the applicability of existing laws and regulations pertaining to privacy, auditing, and access
control
Explanation:
Applications can be classified in a number of ways, such as:
* By the user community it serves, such as HR, Finance, company executives, all
employees, all persons working on behalf of the company (includes contractors
and temporary workers), general public, etc. (not A)
* Based on information confidentiality. Some applications process personal
information while others do not. Likewise, in military terms, an application might
be targeted towards individuals with a specific level of clearance. (not B)
* Based on business criticality. Some applications may have a direct and severe
contribution or impact to revenue. Examples include order processing, credit card
processing, call processing, securities trading, and travel reservations. Others may
have little or no impact. (not C)
* Based on the applicability of existing laws and regulations. For example, HIPAA
puts more security emphasis on patient records than would otherwise exist. (not E)
* Based on network exposure. Levels might include: locked down (no network
access), secure production environment access, general organization-wide intranet
access, partner access, Internet access limited to a specific user community, and
Internet access open to the public.
Reference: Oracle Reference Architecture, Security, Release 3.1