A server administrator is tasked with implementing a new data protection plan for several systems but has a limited budget for high-end security controls like advanced encryption and real-time replication. To ensure the most critical assets are protected first, the administrator performs a business impact analysis. Which of the following systems should be prioritized for the highest level of security controls?
An internal file server containing marketing materials and departmental documents.
A server hosting the customer relationship management (CRM) database containing personally identifiable information (PII).
A public-facing web server that hosts the company's static marketing website.
A development server used by the in-house programming team for testing new application features.
The correct answer is the server hosting the CRM database with PII. Data value prioritization requires evaluating the business impact if data is compromised. Data containing PII has the highest value and represents the greatest risk due to severe regulatory fines (e.g., GDPR, CCPA), legal liability, and significant reputational damage from a breach. Therefore, it must be the top priority for advanced security controls. The development server contains test data, the internal file server has a lower operational impact, and the public web server contains data that is already public. While the availability of these other systems is important, the data they contain is of significantly lower value and risk compared to customer PII.