When reviewing an organization's data protection practices, an IS auditor should be MOST concerned with a lack of:

A. a security team.
B. data classification.
C. training manuals.
D. data encryption.