Exam CISM topic 1 question 38 discussion

I go for C

Going with C. While both C and D are correct, I feel the "more correct" is C. IMO, D is less correct because it's not the labeling that affects the consequences, but the data classification (regardless of whether the data is labeled or not). Having labels decreases the chances of people accidentally mishandling data since the label is staring them in the face. However, labeled or not, if you mishandle top secret doc, there WILL be consequences. :)

Labeling information with a security classification indicates the sensitivity or confidentiality level of the information. This classification then dictates how the information should be handled, shared, and protected. The consequences for mishandling or disclosing information may vary based on its security classification. For example, mishandling highly classified information may result in more severe consequences than mishandling information with a lower classification. While labeling information can contribute to enhancing the likelihood of people handling information securely (option C), it doesn't necessarily reduce the need to identify baseline controls for each classification (option A) or reduce the number and type of countermeasures required (option B). The primary impact is on influencing the consequences associated with the security handling of the information.

D. Information Classification is done to prioritize, therefore affect the impact (consequences) of the assets

C. enhances the likelihood of people handling information securely.

A and B are incorrect as labelling information has no effect on these. D is in correct as the information is classified and will have consequences associated with it regardless of labelling. C is correct as it lets the users know how classified the information is so they can handle it responsibly.

C is correct

security label is useful for users too.

D. affects the consequences if information is handled insecurely.