Certified Information Systems Auditor (CISA) — Question 1263
Which of the following should be done FIRST when creating a data protection program?
Answer options
- A. Test logical access controls for effectiveness.
- B. Perform classification based on standards.
- C. Implement data loss prevention (DLP) controls.
- D. Deploy intrusion detection systems (IDS).
Correct answer: B
Explanation
The correct answer is B because classifying data based on standards is fundamental to understanding what needs protection and how to prioritize resources. The other options, while important, should follow data classification so that protections are appropriately aligned with the sensitivity and value of the data.