Certified Information Systems Auditor (CISA) — Question 1298

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Answer options

• A. Conduct awareness presentations and seminars for information classification policies.
• B. Use automatic document classification based on content.
• C. Have IT security staff conduct targeted training for data owners.
• D. Publish the data classification policy on the corporate web portal.

Correct answer: A

Explanation

Conducting awareness presentations and seminars for information classification policies is the most effective way to ensure that all staff understand the importance of proper data classification. While targeted training for data owners (option C) and automated classification (option B) can help, they may not reach the entire organization effectively. Publishing the policy (option D) does not actively educate staff on the significance of data classification.