Certified Information Systems Auditor (CISA) — Question 1456
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
Answer options
- A. Provide notification to employees about possible email monitoring.
- B. Develop an information classification scheme.
- C. Develop an acceptable use policy for end-user computing (EUC).
- D. Require all employees to sign nondisclosure agreements (NDAs).
Correct answer: B
Explanation
The correct answer is B because an information classification scheme identifies and categorizes sensitive data, and email controls cannot be effective until the organization knows which information they must protect. Options A, C, and D, while important, do not directly address the need to understand what information needs protection before controls can be established.