ISC2 CISSP Practice Question

The correct answer is implementing tiered protection controls based on information sensitivity levels. This approach ensures that security measures are proportional to the value and sensitivity of different types of information. By categorizing information (such as Public, Internal, Confidential, and Restricted) and then applying appropriate controls to each tier, an organization can balance security requirements with operational needs. More sensitive information receives stronger protections while less sensitive information remains accessible with appropriate but less stringent controls.

Applying uniform encryption across corporate assets would create unnecessary overhead for less sensitive information and potentially impact system performance and usability. Requiring management authorization for information retrieval would create significant operational bottlenecks and isn't practical for day-to-day operations. Implementing network segmentation addresses the network architecture but doesn't specifically target the information assets themselves based on their varying sensitivity levels.