Certified Information Systems Auditor (CISA) — Question 487
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
Answer options
- A. the information owner is required to approve access to the asset.
- B. senior IT managers are identified as information owners.
- C. the security criteria are clearly documented for each classification.
- D. each information asset is assigned to a different classification.
Correct answer: C
Explanation
The correct answer is C because clearly documented security criteria for each classification ensure that data is handled properly according to its sensitivity. Options A and B, while important, do not directly impact the effectiveness of the classification scheme itself. Option D is not necessary, as some assets may share a classification without compromising security.