Exam CISM topic 1 question 322 discussion

Classification of data always done by data owner. In this case data in CRM system is certainly owned by sales function. IT function just supports the custodian role and should not be classifying the data so the most appropriate option is A sales department.

Business owner. In this case, CRM own by sales.

A is the clear choice, Sales people will provide the customers so they provide the majority of input of their sales to be entered into the DB.

Option A - Sales dept

B. Information security Information security teams are responsible for ensuring the confidentiality, integrity, and availability of data, especially sensitive data like customer information. They are well-equipped to define data classification standards and access controls to protect CRM data from unauthorized access or breaches. While other departments such as Sales or IT may have a role in using or maintaining the CRM system, the primary responsibility for data classification and security should rest with the Information Security department to ensure compliance with data protection regulations and best practices.

IMHO is A because is the process owner that know how to classificate the system/application

The correct answer is B. Information security. Explanation: The responsibility for classifying customer relationship management (CRM) system data on a database server maintained by IT should fall under the purview of the information security department. Here's why: B. Information security: Information security is responsible for ensuring the confidentiality, integrity, and availability of sensitive data, including customer data stored in CRM systems. Classifying data and determining appropriate access controls and security measures to protect that data is a core function of the information security department.

Well we can all agree the bloody sales department doesn't classify people's data. personal data is amongst the most sensitive data you can manage so this would fall to the IT Sec B

The keyword here is "classifying" which would imply the setting up of the data fields and marking them as HBI, MBI, LBI, etc. Sales just fills in the data as it's gathered...but the setting up of the CRM and linking the backend to it, and classifying all the data involved wouldn't be a function of the sales team.

So typically Sales department is in control of the CRM (Customer Relation Manager) which is software used to track customer acquisition to move along with buying the product. Thinking along that they will typically hand it down to IT and information security but overall the Sales team would be the first line hence being the data owner. They will label the classifications and move them down the line.

vote IT

The responsibility for classifying customer relationship management (CRM) system data on a database server maintained by IT typically lies with the information security department. Answer B, "Information security", is the department that is typically responsible for overseeing and managing the classification and protection of data, including customer data, within an organization's IT systems. This includes determining the appropriate classification levels for data based on the organization's data classification policy, defining access controls and permissions, implementing encryption and other security measures, and monitoring and auditing data access and usage. While other departments such as Sales, HR, and IT may have input or involvement in the process, the information security department is typically responsible for ensuring that appropriate data classification practices are in place for CRM system data and other sensitive data within an organization.

Why not IT? They are responsible of the DB and therefore that the classification is applied within the CRM?