Exam CISM topic 1 question 574 discussion

I beg to differ, must be C. Only a data owner could tell which classification is the information and if needs encryption

Option D is not the right answer. Encryption is an important, but by far not the only control to be considered. Requirements from the data owner must be gathered as they can give information about the sensitivity & criticality of the data (e.g., classification). Based on this, appropriate measures can be identified and implemented, including encryption.

"its sensitive database"

the keyword is 'sensitive', so it's D. C does not say anything about the classification, it could be operations and business. people are putting too much on their own opinions.

Only Data owner would be able to tell the classification of data and what sort of encryption is required and if the encryption key is managed by the organization or by the cloud hoster.

Right to audit clause - without it, you have no way to assure that security controls in the cloud are what cloud provider is saying they are. The role of the security manager is to ensure that appropriate controls are included in the contract. In the absence of a well-defined contractual agreement, the organization cannot enforce security requirements. The right to audit is one of the controls to be included in the contract.

The key word "sensitive" --> Encryption

When an organization is moving portions of its sensitive database to the cloud, all the options listed are important in ensuring the security and integrity of the data. However, the MOST important consideration may vary depending on the specific context and requirements of the organization. That being said, if we have to choose the option that is generally considered crucial in such a scenario, it would be: A. The conversion has been approved by the information security team. Obtaining approval from the information security team ensures that the migration process aligns with the organization's security policies and standards. The security team assesses the potential risks and mitigations associated with moving sensitive data to the cloud, and their approval indicates that the necessary security measures have been implemented or planned. This helps in minimizing the chances of data breaches or unauthorized access during and after the migration.

D. Data encryption is used in the cloud hosting solution. Data encryption ensures that even if unauthorized access occurs, the data remains protected and unreadable without the appropriate decryption keys. While the other options are also important in the context of cloud migration, such as approval from the information security team, a right to audit clause in the contract, and input from data owners, data encryption is the fundamental security measure that safeguards sensitive information from potential breaches or data leaks in a cloud environment. It forms a critical layer of security for data at rest and in transit in the cloud, and it should be a top priority when moving sensitive data to the cloud.

D. Data encryption is used in the cloud hosting solution.

When an organization is moving portions of its sensitive database to the cloud, the MOST important thing to ensure is that data encryption is used in the cloud hosting solution.

The most important thing to ensure when an organization is moving portions of its sensitive database to the cloud is that data encryption is used in the cloud hosting solution.

encryption is important for sensitive data.