Controls Assessment for Revised Regulatory Framework | Exam CS0-002

Technical Controls Assessment

Question

An analyst has been asked to provide feedback regarding the controls required by a revised regulatory framework.

At this time, the analyst only needs to focus on the technical controls.

Which of the following should the analyst provide an assessment of?

Answers

Explanations


A.

The question asks which of the listed controls are technical controls that the analyst should assess in response to the revised regulatory framework. Technical controls are security measures implemented through technology, such as software or hardware, to protect information systems and data, as opposed to administrative or legal controls implemented through policy and agreements.

A. Tokenization of sensitive data: This is a security measure that replaces sensitive data with a token or a random string of characters. This can be used to protect data in transit, data at rest, or data in use. The analyst should assess whether the tokenization process is properly implemented, and if the tokenization technology used is appropriate for the sensitivity of the data being protected.
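To make the tokenization check concrete, here is an added example (not part of the exam page) contrasting an unkeyed-hash "token", which anyone can recompute from a guessed value, with a vault-style token that is random and only reversible through the vault. The sample account number and candidate values are constructed placeholders.

```python
import hashlib
import secrets
from typing import Callable, Dict, Iterable, Optional

# Added illustration for the tokenization discussion; not from the exam page.
# Sample values below are constructed, not real identifiers.

def weak_tokenize(value: str) -> str:
    """Deterministic 'token' that is just an unkeyed hash of the value.
    Anyone who can guess the value can recompute the token, so for
    low-entropy data (account or ID numbers) this is not real tokenization."""
    return hashlib.sha256(value.encode()).hexdigest()

class TokenVault:
    """Vault-style tokenization: the token is random and the only link
    back to the original value is the vault's protected lookup table."""

    def __init__(self, token_bytes: int = 16) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}
        self._token_bytes = token_bytes

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so it still works as a join key.
        token = self._value_to_token.get(value)
        if token is None:
            token = secrets.token_hex(self._token_bytes)
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_value.get(token)

def token_recomputable(token: str, candidates: Iterable[str],
                       tokenizer: Callable[[str], str]) -> bool:
    """Assessment check: can the token be reproduced from a plausible value
    without access to the vault? True means the scheme leaks the original."""
    return any(tokenizer(c) == token for c in candidates)

def demo() -> dict:
    pan = "4111111111111111"  # constructed sample, not a real card number
    candidates = [pan, "4111111111111112", "5555555555554444"]
    vault = TokenVault()
    vault_token = vault.tokenize(pan)
    return {
        "weak_leaks": token_recomputable(weak_tokenize(pan), candidates, weak_tokenize),
        "vault_leaks": token_recomputable(vault_token, candidates,
                                          lambda v: TokenVault().tokenize(v)),
        "vault_roundtrip": vault.detokenize(vault_token) == pan,
        "vault_stable": vault.tokenize(pan) == vault_token,
    }
```

The assessment point is that a token must not be derivable from the protected value: an unkeyed hash fails `token_recomputable`, while the vault token passes and is still stable and reversible for authorized use.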

B. Establishment of data classifications: Data classification is the process of organizing data into categories based on its sensitivity, value, and criticality. This can help organizations apply appropriate security controls based on the sensitivity of the data. The analyst should assess whether the organization has properly established data classifications and if the security controls implemented are appropriate for each category of data.

C. Reporting on data retention and purging activities: Data retention and purging activities are used to ensure that data is kept only for as long as necessary and that it is securely deleted when no longer needed. The analyst should assess whether the organization has implemented proper retention and purging policies and whether the policies are being followed. Additionally, the analyst should assess whether there are proper reporting mechanisms in place to track data retention and purging activities.

D. Formal identification of data ownership: Data ownership refers to the individual or group responsible for the management and protection of data. Formal identification of data ownership can help ensure that responsibilities are clearly defined and that appropriate security controls are implemented. The analyst should assess whether the organization has properly identified data ownership and whether the individuals or groups responsible for data management have the necessary resources and authority to implement appropriate security controls.

E. Execution of NDAs: NDAs (Non-Disclosure Agreements) are legal agreements used to protect confidential information. The execution of NDAs is not a technical control, but rather a legal control. The analyst should not be assessing the execution of NDAs in response to a revised regulatory framework focused on technical controls.

In summary, the analyst should provide an assessment of A, B, C, and D, but not E.