CISA Certified Information Systems Auditor – Question0495

An IS audit of an organization’s data classification policies finds that some areas of the policies may not be up to date with new data privacy regulations. What should management do FIRST to address the risk of noncompliance?

A. Conduct a privacy impact assessment to identify gaps
B. Reclassify information based on revised information classification labels
C. Mandate training on the new privacy regulations
D. Perform a data discovery exercise to identify all personal data

Correct Answer: A