Certified Information Systems Auditor (CISA) — Question 100

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

Answer options

• A. Create the DLP policies and templates.
• B. Conduct a threat analysis against sensitive data usage.
• C. Conduct a data inventory and classification exercise.
• D. Identify approved data workflows across the enterprise.

Correct answer: C

Explanation

The first step in developing a DLP solution is to conduct a data inventory and classification exercise, as this provides a clear understanding of what sensitive data exists and how it is categorized. Without this foundational knowledge, creating policies or analyzing threats would be ineffective, as there would be no clarity on the data that needs protection. Identifying workflows is important but comes after understanding the data landscape.