Certified Information Systems Auditor (CISA) — Question 377
An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:
Answer options
- A. based on the business requirements for confidentiality of the information.
- B. aligned with the organization's segregation of duties requirements.
- C. based on the results of an organization-wide risk assessment.
- D. based on the business requirements for authentication of the information.
Correct answer: C
Explanation
The correct choice is C because an organization-wide risk assessment provides insight into potential vulnerabilities and threats, which gives the classification standards a sound basis. Options A and D each focus on a single aspect of the information and do not consider the broader risk context, while B pertains to operational controls rather than data classification.