6.4 Common Traps in Protection of Information Assets

Key Takeaways

  • Data classification is owner-driven; the data owner sets the classification, not IT or the custodian.
  • Physical and environmental controls (mantraps, HVAC, fire suppression, UPS) protect availability and confidentiality of facilities.
  • Security awareness training is the primary defense against social engineering and phishing.
  • Privacy concerns the lawful handling of personal data; classification and DLP enforce it.
  • The strongest answer rarely relies on a single technical control or solves the wrong CIA objective.
Last updated: June 2026

Roles, Classification, and DLP Traps

A recurring trap confuses data-ownership roles. The data owner (a business executive) is accountable for the asset, sets its classification, and approves access. The data custodian (often IT) implements the protection the owner specifies — backups, encryption, access enforcement — but does not decide classification. The data user follows acceptable-use rules. On the exam, if a stem asks who should classify data or approve access, the answer is the owner, not IT.

Data classification drives everything downstream. A typical scheme runs Public, Internal, Confidential, Restricted (or government Unclassified through Top Secret). Once data is labeled, controls follow the label: who may access it, whether it must be encrypted, how it is retained, and how it is destroyed. Data loss prevention (DLP) then enforces the policy in motion — scanning email, web uploads, and removable media to block sensitive data from leaving. A trap offers DLP as protection for integrity when its real job is preventing unauthorized disclosure (confidentiality).
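The classification-to-DLP chain described above, as an added illustration (not part of the original text): a small content-aware DLP check that reads the label, raises it when PII detectors fire, and decides whether an outbound message may leave. The `Classification:` header format, the `example.com` organization domain, and the allow/encrypt/block policy are assumptions constructed for the example.

```python
import re

# Classification scheme from the text; list order is the sensitivity rank.
LABELS = ["Public", "Internal", "Confidential", "Restricted"]
INTERNAL_DOMAIN = "example.com"  # assumed organization domain (placeholder)

# Constructed detectors: an explicit label header and two common PII shapes.
LABEL_RE = re.compile(r"Classification:\s*(\w+)", re.IGNORECASE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum: separates real card numbers from random digit runs."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch) * (2 if double else 1)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0


def classify(message: str) -> str:
    """Effective label: the declared one (unlabeled data is assumed Internal),
    raised to at least Confidential when SSN or Luhn-valid card data is present."""
    m = LABEL_RE.search(message)
    label = m.group(1).capitalize() if m else "Internal"
    if label not in LABELS:
        label = "Internal"
    has_ssn = bool(SSN_RE.search(message))
    has_pan = any(luhn_ok(re.sub(r"\D", "", c)) for c in PAN_RE.findall(message))
    if (has_ssn or has_pan) and LABELS.index(label) < LABELS.index("Confidential"):
        label = "Confidential"
    return label


def dlp_decision(message: str, recipients: list[str]) -> str:
    """Constructed policy: anything may flow internally; Public/Internal may leave;
    Confidential leaving the organization must be encrypted; Restricted is blocked."""
    label = classify(message)
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)
    if not external or label in ("Public", "Internal"):
        return "allow"
    if label == "Confidential":
        return "encrypt"
    return "block"  # Restricted data never leaves by email
```

Note that the decision is about disclosure only: nothing here detects or prevents unauthorized modification, which is the point the trap in the paragraph above turns on.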

Matching the control to the CIA objective

| Stem describes | Threatened objective | Best control family |
|---|---|---|
| Sensitive data emailed externally | Confidentiality | DLP, encryption, classification |
| Records altered without authorization | Integrity | Hashing, digital signatures, change control |
| System unreachable during an outage | Availability | UPS, redundancy, backups, failover |
| Cannot prove who performed an action | Accountability | Unique IDs, logging, non-repudiation |

When two answers are plausible, eliminate the one that fixes the wrong objective — offering a backup (availability) for a disclosure problem (confidentiality) is the classic miss.

Human, Physical, and Privacy Traps

Social engineering (phishing, pretexting, tailgating, baiting) exploits people, so technical filters alone are insufficient. The trap answer relies only on email filtering; the strongest control combines technical filtering with ongoing security awareness training so users recognize and report attacks. Training effectiveness is itself auditable — phishing-simulation click rates and completion metrics are evidence.

Physical and environmental controls are easy to underrate. The exam expects you to recognize mantraps (one person, two interlocking doors — defeats tailgating), badge and biometric access, CCTV, and security guards for facility access; and environmental controls for availability: uninterruptible power supply (UPS) and generators for power, HVAC for temperature and humidity, water/smoke detection, and fire suppression. For data centers, clean-agent or FM-200/inert-gas suppression is preferred over water sprinklers because water destroys equipment; if water is used, a dry-pipe system reduces accidental discharge.

Privacy

Privacy governs the lawful, fair handling of personally identifiable information (PII). The auditor confirms the organization collects only what it needs, uses it for stated purposes, retains it no longer than necessary, and honors data-subject rights. Classification, encryption, access control, and DLP are the controls that enforce privacy policy; a privacy impact assessment (PIA) evaluates risk before a new system processes personal data. A trap treats privacy and security as identical: security is a means, while privacy is the obligation governing how personal data is used, even by authorized parties.

  • Verify the data owner, not IT, sets classification and approves access.
  • Match the control to the threatened CIA (or accountability) objective.
  • Prefer layered controls; never rely on a single technical fix for a human problem.
  • For data-center environmental risk, prefer clean-agent suppression over water.

Distractor Patterns the Exam Rewards Catching

Domain 5 distractors are predictable once you name the pattern. Overgeneralizing a rule is the first trap: a control that fits one context (MAC for classified data) is offered for a context that does not need it (a small public marketing site). Always confirm the scenario's actual classification and risk before applying the heavyweight control.

Choosing the fastest action over the most defensible is the second. The exam usually rewards the answer that is controlled, documented, and auditable even when a quicker option exists — granting temporary broad access "to get it done" is rarely the best answer when a least-privilege path is available.

Ignoring downstream impact is the third. A weak access control does not just risk one record; it threatens accountability, privacy, and compliance across every system that trusts that identity. The best answer often prevents recurrence at the root rather than patching the visible symptom.

A decision checklist for trap-heavy items

| Step | What to confirm |
|---|---|
| Governing rule | Which policy, standard, or law controls this decision? |
| Actor and authorization | Who is acting, and were they properly approved? |
| CIA objective | Which objective is actually threatened in this stem? |
| Audit trail | Will the chosen action leave reviewable evidence? |
| Downstream impact | Does the answer prevent recurrence, not just the symptom? |

When two answers both look right

Narrow the field by specificity and defensibility. Prefer the answer that is specific to the stated task over the generically true one, that is preventive over merely detective when prevention is feasible, and that preserves accountability. If an option is a real security control but addresses a different layer or a different CIA objective than the stem describes, eliminate it — being a valid control elsewhere does not make it the best answer here.

Test Your Knowledge

Who is responsible for assigning the classification level of a data asset?

Which control is MOST effective against phishing attacks?

Why is a clean-agent (e.g., inert-gas/FM-200) fire-suppression system generally preferred over wet-pipe water sprinklers in a data center?
