CompTIA Security+ (SY0-601) — Question 680

A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed FIRST?

Answer options

• A. Retention
• B. Governance
• C. Classification
• D. Change management

Correct answer: C

Explanation

The first step in implementing a DLP solution is to classify the documents, as this allows the organization to identify which documents contain PHI that need protection. Without proper classification, the company cannot effectively apply governance or retention policies, making the other options less relevant at this stage.