Certified Information Systems Auditor (CISA) — Question 1036

Which of the following should an IS auditor do FIRST when assessing an organization's ability to effectively secure its data?

Answer options

• A. Ensure that data is accessible to key personnel.
• B. Ensure that high-risk data has been encrypted and secured.
• C. Ensure management has identified the data and where it resides.
• D. Ensure management has properly classified the data.

Correct answer: C

Explanation

The correct answer is C because identifying the data and its locations is fundamental for any security assessment. Without this knowledge, it is impossible to determine the necessary security measures or to classify and encrypt the data appropriately. Options A, B, and D are important but come after ensuring that management has a clear understanding of what data exists and where it is stored.