Selected Answer: B
If you read the question carefully, it says mitigate the risk of "CONFIDENTIAL" data. This means data classification is already done. So it is RBAC controls which can mitigate the risk.
B. Implement role-based access controls.
The most effective way to mitigate the risk of confidential data leakage to unauthorized stakeholders is to implement role-based access controls (RBAC). RBAC ensures that access to information is based on the user's role within the organization, limiting access rights for individuals to only what is necessary to perform their jobs. This approach directly addresses the risk of data leakage by preventing unauthorized access to sensitive information and thus reducing the likelihood that confidential data will be accessed by those without the proper authority.
(Option A) is important for identifying which data is confidential and requires protection, but it doesn't inherently restrict access to that data. (Option C) is a basic security measure but does not consider the varying levels of access needed based on an individual's role. (Option D) is critical for educating employees about the importance of data security but does not provide a systematic, enforceable method of controlling access to data like RBAC does.
Option A is not right. Creating a data classification policy is essential for categorizing and identifying sensitive data, but it doesn't prevent data leakage on its own.
B is the correct answer here. The key words in the question are "Leakage to unauthorized stakeholders". Imagine payroll or financial information leaking to marketing personnel or another department; that would be bad. The goal is to make sure only authorized personnel can have access to that data, which is best implemented using RBAC (Role-Based Access Control).
B. Implement role-based access controls.
The MOST effective way to mitigate the risk of confidential data leakage to unauthorized stakeholders is to implement role-based access controls (RBAC). RBAC is a security measure that restricts access to data and systems based on a user's role or job function within the organization.
A is not right. Creating a data classification policy is essential for categorizing and identifying sensitive data, but it doesn't prevent data leakage on its own.
Role-based access controls (RBAC) are a widely recognized and effective approach to managing access to sensitive data. RBAC ensures that individuals are granted access rights based on their roles and responsibilities within the organization. This means that only authorized personnel who require access to confidential data for their job functions will have permission to view or manipulate it. By implementing RBAC, organizations can enforce the principle of least privilege and reduce the risk of data leakage to unauthorized stakeholders.
The correct answer is (B.) Implement role-based access controls. This is because (B) is the only one that takes confidentiality, authorization, mitigation, and stakeholders into account. Without these components, access control wouldn't work.
Rationale:
(A.) Create a data classification policy is not correct because it doesn't provide for any enforcement.
(C.) Require the use of login credentials and passwords is not correct because it is only providing for authentication and not authorization.
(D.) Conduct information security awareness training is great for education, but it does not provide for any way to enforce the authorization of the correct stakeholders.
RBAC ensures that users are only granted access to the data and resources that are necessary for them to perform their job functions. By limiting access to sensitive data and resources, RBAC reduces the risk of unauthorized access and data leakage.
Implement role-based access controls. Role-based access controls (RBAC) provide a mechanism for ensuring that only authorized individuals have access to sensitive information.
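Added example, not part of the original thread: a small Python sketch of the distinction the comments above draw between a classification label (option A), authentication alone (option C) and a role-based check (option B), using the payroll-versus-marketing scenario. All users, roles, records and function names are constructed for illustration.

```python
# Added example: constructed users, roles and records; not from the thread.
from dataclasses import dataclass

# Option A on its own: the label describes the data but enforces nothing.
RECORDS = {
    "payroll-2024": {"classification": "confidential", "resource": "payroll"},
    "campaign-plan": {"classification": "internal", "resource": "marketing"},
}

# Role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "marketing_analyst": {("marketing", "read")},
    "auditor": {("payroll", "read"), ("marketing", "read")},
}

@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool
    roles: frozenset

def authn_only_allows(user, record_id, action):
    """Option C alone: any logged-in user passes, whatever the data is."""
    return user.authenticated and record_id in RECORDS

def rbac_allows(user, record_id, action):
    """Option B: authenticated AND an assigned role grants (resource, action)."""
    record = RECORDS.get(record_id)
    if not user.authenticated or record is None:
        return False  # deny by default
    needed = (record["resource"], action)
    return any(needed in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)

def access_report(users, action="read"):
    """Map (user, record) -> (authn_only, rbac) to compare the two controls."""
    return {(u.name, rid): (authn_only_allows(u, rid, action),
                            rbac_allows(u, rid, action))
            for u in users for rid in RECORDS}

USERS = [
    User("alice", True, frozenset({"payroll_clerk"})),
    User("bob", True, frozenset({"marketing_analyst"})),
    User("eve", False, frozenset({"auditor"})),  # holds a role, never logged in
]

if __name__ == "__main__":
    for key, result in sorted(access_report(USERS).items()):
        print(key, "authn-only:", result[0], "rbac:", result[1])
```

The row for `bob` and `payroll-2024` is the leakage case: the confidential label and a valid login both leave it readable, and only the role check denies it.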
usercism007 (Highly Voted, 11 months, 1 week ago)
helg420 (Most Recent, 1 year, 1 month ago)
oluchecpoint (1 year, 4 months ago)
AlexJacobson (1 year, 5 months ago)
Soleandheel (1 year, 7 months ago)
sphenixfire (1 year, 9 months ago)
oluchecpoint (1 year, 9 months ago)
oluchecpoint (1 year, 9 months ago)
pc2502 (1 year, 10 months ago)
jennarink13 (1 year, 11 months ago)
karanvp (2 years ago)
wello (2 years ago)
richck102 (2 years ago)
mad68 (2 years, 1 month ago)
dark_3k03r (2 years, 1 month ago)
Abhey (2 years, 1 month ago)
dedfef (2 years, 2 months ago)
bambs (2 years, 2 months ago)