A data classification study question

I was in a meeting last week where two CISSPs were battling wits, and one challenged the other with a question. I elbowed my boss and said that’s a great CISSP or CISM study question. He agreed. So I’ll repeat it here, with explanation.

Which of the following is classification primarily concerned with?
A. Integrity
B. Availability
C. Confidentiality
D. Information Assurance

This question was not on my CISSP test, and if it had been, it would have been among the easiest on my test, but I still think it’s an excellent study and example question. We’ll go through each possible answer.

The answer is not D, Information Assurance. Information Assurance is a fairly generic phrase meaning security in general. In fact, the three tenets of security–and thus, information assurance–are the other three answers. Security’s aim is to provide the perfect balance of confidentiality, integrity, and availability. I can unplug a computer and put it on a shelf behind a locked door and achieve perfect confidentiality and integrity, but it’s bad information assurance because the people who need the data can’t get it. That’s my throwaway response.

The answer also is not B, Availability. Availability is the idea that a system is reachable when its users need it. That’s why it’s generally not a good idea to buy $299 Emachines and use them as production servers, though I’ve seen people do it. I always snickered as I walked past that rack. Availability is immensely important, but has nothing to do with classification. Call it another throwaway response.

The answer also is not A, Integrity. This was the basis of their argument. In the security sense, integrity is the idea that when you write data, you will read back an identical, unchanged copy. And when you transmit data, the data received will arrive unchanged, exactly duplicating the original. Integrity of classified information is extremely important–you want to keep it accurate as it sits at rest on a system and as it traverses the wire–but not the primary concern. In this case, it’s the second-best answer. Unquestionably the second-best answer, but still second best.

The best answer is C, Confidentiality. Confidentiality is the idea that a computer system will only allow authorized people to view data. When unauthorized people gain access to classified information, bad things happen. In the worst case scenario, people die or companies go out of business. There was an old Navy poster that said, “Loose lips sink ships.” So a security professional dealing with classified information–whether it’s government classification or private-sector classification–has to take confidentiality extremely seriously.

If you found this post informative or helpful, please share it!