Question 19 – When using the formal approval process, what is required to access data? CISSP and Formal Approval Process for Data Access

• ​

  Permission from the data owner.
• ​

  Higher clearance than the object requires and data owner approval.
• ​

  Appropriate clearance and data owner approval.

  (Correct)
• ​

  Appropriate clearance.

CISSP and Formal Approval Process for Data Access

The CISSP (Certified Information Systems Security Professional) is the world’s leading information security certification. It is designed to ensure that information security professionals have the skills and knowledge to protect organizations from a wide range of threats.

One of the key areas of information security is data protection. Organizations must protect their data from unauthorized access, use, disclosure, disruption, modification, or destruction. To do this, organizations need to have a formal process for approving data access.

The formal approval process for data access in CISSP is typically as follows:

1. The data owner identifies who needs access to the data and what level of access they need. This is typically done by conducting a risk assessment to identify the potential threats to the data and the safeguards that need to be put in place.
2. The data owner submits a formal access request to the appropriate approver. This request should include the following information:
   • The identity of the person requesting access
   • The level of access being requested
   • The purpose for requesting access
   • The justification for requesting access
3. The approver reviews the access request and determines whether or not to grant access. The approver should consider the following factors when making their decision:
   • The sensitivity of the data
   • The need to know
   • The trustworthiness of the person requesting access
   • The risks associated with granting access
4. If the approver grants access, they will typically issue a formal approval notice. This notice should specify the level of access granted, the purpose of access, and any restrictions on access.
5. The data owner will then grant the person access to the data. This may involve creating a user account, granting permissions, or providing physical access to the data.

What is required to access data in CISSP

The specific requirements for accessing data in CISSP will vary depending on the organization’s security policies and procedures. However, some common requirements include:

• Need to know: The person requesting access must have a legitimate business need to access the data.
• Authorization: The person requesting access must be authorized to access the data by the appropriate approver.
• Authentication: The person requesting access must be able to authenticate their identity.
• Auditing: The person’s access to the data should be audited to ensure that they are only accessing the data that they are authorized to access.

In addition to these requirements, organizations may also require people to sign a non-disclosure agreement (NDA) or confidentially agreement before they are granted access to sensitive data.

Conclusion

The formal approval process for data access in CISSP is designed to protect sensitive data from unauthorized access, use, disclosure, disruption, modification, or destruction. By following this process, organizations can help to ensure that their data is only accessed by people who have a legitimate need to access it and who are authorized to do so.