A multinational manufacturer is establishing a data classification scheme and is debating the difference between data sensitivity and data criticality. Which statement best describes how these two attributes drive different control choices?
- A. Sensitivity and criticality are interchangeable terms that both express the harm caused by unauthorised disclosure of the data.
- B. Sensitivity is assigned by the data custodian based on storage cost, while criticality is assigned by the data owner based on regulatory class.
- C. Sensitivity applies only to structured data in databases, while criticality applies only to unstructured data such as documents and media files.
- D. Sensitivity reflects the impact if confidentiality is lost, while criticality reflects the impact on the business if the asset becomes unavailable or corrupted. (Correct)
Why A is wrong: This conflates the two concepts. Many candidates treat the words as synonyms because both relate to impact, but sensitivity speaks to disclosure harm while criticality speaks to availability and operational impact.
Why B is wrong: Both attributes are owner-led judgements aligned to business impact, not storage cost or regulatory class alone. Candidates may confuse this with role responsibilities, but classification ownership rests with the data owner in both cases.
Why C is wrong: Both attributes apply to any information asset regardless of structure. The structured or unstructured nature affects discovery and tagging mechanisms, not the attribute itself.
Why D is correct: Sensitivity is a confidentiality concept used to determine handling and labelling controls, whereas criticality is an availability and integrity concept used to drive recovery objectives and resilience controls. The two attributes can differ for the same asset.