CISA Certified Information Systems Auditor – Question1434

The FIRST step in data classification is to:

A.
establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.

Correct Answer: A

Explanation:

Explanation:
Data classification is necessary to define access rules based on a need-to-do and need-to- know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for protection of data, which takes input from data classification. Access definition is complete after data classification and input for a data dictionary is prepared from the data classification process.